Monte Carlo Analysis Reveals That Changing Employee Behavior Reduces the Risk of a Security Breach by 45% to 70%

By   ISBuzz Team
Writer , Information Security Buzz | Jan 19, 2015 05:02 pm PST

Wombat Security Technologies (Wombat) and the Aberdeen Group (Aberdeen) have joined forces to develop and release new industry research titled, “The Last Mile in IT Security: Changing User Behavior.” This new study will help organizations quantify risks related to cyber security attacks and the dramatic reduction in risk they can realize by implementing security education. Based on the fact-based Monte Carlo analysis, this study shows that changing employee behavioral responses to cyber threats such as social media, phishing and other popular attack vectors can reduce an organization’s risk by as much as 70%. Following a year of unprecedented cyber security breaches during which criminals often preyed upon the security naivety of employees, the new analysis by Aberdeen and Wombat clearly demonstrates the return for companies that invest in implementing an effective security awareness and training program.

Free Cyber Security Training! Join the revolution today!

While many companies have adopted an array of IT security technologies in an effort to reduce network, system, application and data security risks, less attention has been paid to perhaps the greatest evolving security threat: the end user. In spite of all of the technical controls deployed to prevent a breach, the root cause for many – if not most – reported security incidents are the errant actions of company employees. The new Wombat and Aberdeen research clearly demonstrates that investments in security awareness training can help businesses close this critical security gap.

Key takeaways from Aberdeen and Wombat’s “The Last Mile in IT Security: Changing User Behaviors” include the following:

·         Significant investments in security technology are diluted when there is a lack of investment in security awareness and training.

·         An investment in user awareness and training effectively changes behavior and quantifiably reduces security-related risks by 45% to 70%.

·         Monte Carlo modeling can help security professionals frame better-informed decisions and become strategic advisors to C-level leaders and their companies.

Other key findings:

·          While traditional security controls are partially effective in protecting data and systems, they cannot be 100% effective at preventing infections.

·          For an organization with $200M in annual revenue, there is an 80% likelihood that infections from employee behavior will result in total costs of $2.5M per year under the status quo and a 20% likelihood that the costs from errant employee behavior could exceed $8M.

·          The data incorporated in the model (combined from industry sources, Aberdeen research and Wombat’s own data) conservatively quantifies the business impact of infections that result from employee behavior such as the cost to respond, remediate and recover from infections; the cost incurred from time of infection to response and recovery; and the cost of security awareness and training solutions.

·          The research and findings can help security teams communicate more effectively with their business leaders about reductions in risk as opposed to merely the threat of attack.

“It’s important for security teams to communicate clearly about the risks that organizations are accepting when their employees’ response to cyber threats is not addressed,” said Derek Brink, VP and Research Fellow for Aberdeen Group, at Harte Hanks Company. “While the public disclosures of the past several months have provided some startling examples about what can happen when security awareness and training is ignored, Aberdeen and Wombat have developed this model to address the most basic and logical question that security teams so often struggle to address: How does an investment in changing end user behavior through innovative security education solutions actually reduce the organization’s risk?”

Wombat has deep roots in the security awareness and training market and is a recognized authority, having recently been named a leader in the Gartner Magic Quadrant for Security Awareness Computer Based Training, the Gold winner of the 2014 Global Excellence Awards in Tomorrow’s Technology Today for its Security Training Platform, and Bronze winner in the New Product category for its CyberStrength® knowledge assessment product.  To learn more about Wombat’s Security Education solutions, visit

To view the report, please download your copy of ‘The Last Mile in IT Security: Changing User Behavior.’

About Wombat Security Technologies

wombatWombat Security Technologies provides information security awareness and training software to help organizations teach their employees secure behavior. Their SaaS cyber security education solution includes a platform of integrated broad assessments, as well as a library of simulated attacks and brief interactive training modules. Wombat’s solutions help organizations reduce successful phishing attacks and malware infections up to 90%. Wombat is helping Fortune 1000 and Global 500 customers in industry segments such as finance, technology, banking, higher education, retail, and consumer packaged goods to strengthen their cyber security defenses.