The ROI of Security Awareness Training

Technology-based security solutions like firewalls, endpoint detection, and response solutions, secure email gateways, desktop anti-virus, cloud-based malware, and spam filtering are essential elements of a security infrastructure. However, too many decision-makers neglect another important element that’s necessary to keep networks, data, applications, and financial resources safe: the human beings who interact with them.

Security awareness training is designed to bolster users’ ability to recognize threats like phishing attempts, unusual requests that purport to be from their company’s CEO, malicious advertising on web pages, and a host of other threats that are designed to trick users into doing something that can wreak havoc within an organization. Users who are well trained on security issues will be more skeptical and more careful about opening emails, clicking on social media links, or visiting web pages without first checking for clues about their validity.

This white paper reviews the results of an in-depth survey of organizations conducted by Osterman Research during May and June 2019. This paper discusses the financial justification for deploying a robust security awareness training program and demonstrates the significant return-on-investment (ROI) that can result.

See also: Planning for Office 365 Gaps  

Key insights from Osterman's research

Security decision-makers are concerned about a wide range of issues

The research found that decision-makers and influencers are concerned about a wide range of security issues, most notably phishing attacks, malware (including ransomware), and breaches of sensitive or confidential data. Larger organizations tend to be more concerned about these issues than smaller ones.
Security budgets are increasing

Security budgets at the vast majority of organizations have been increasing over time. Interestingly, at many organizations, a relatively small proportion of the total security budget is spent on anti-phishing technologies, despite the fact that phishing is regarded as the leading overall concern.

But security awareness training budgets are increasing even faster

On a per employee and per email user basis, security awareness budgets are growing at a significantly faster pace than overall security budgets. The growth in these budgets coincides with a significant increase in the monthly minutes of security awareness training that users receive, from an average of 17.6 minutes in mid-2018 to 26.0 minutes expected by mid-2020.

Decision-makers still view technology-based solutions as superior

We found that for phishing and business email compromise (BEC) attacks, decision-makers generally regard training as a better way to deal with these threats. However, for other types of security threats, technology-based solutions are generally viewed as superior to security awareness training.

Most users don’t get enough training

Almost one-third of users receive training about once each year or even less often. Another 29 percent receive security awareness training only two to three times per year. Only 39 percent of users receive training quarterly or more often.

Training dramatically improves users’ ability to recognize threats

Before security awareness training, IT and security teams had relatively little confidence in their users’ ability to recognize various types of threats. However, after users received training, the level of confidence in their knowledge and ability jumps dramatically – up to threefold in some cases.

Download this white paper, sponsored by Mimecast with research conducted by Osterman Research. Learn more about security awareness training and how businesses are addressing security threats.