
Making the Case

An Effective Security Awareness Program is Essential not only to Compliance, but to Protecting Your Company's Reputation and Revenues

Introduction

No responsible enterprise would operate without firewalls, intrusion detection systems, and other technology-based controls to safeguard its information. But how are you addressing the ultimate security endpoint: the human? What protection, if any, do your people get? Unfortunately, there is no firewall technology that can block a social engineering phone call or a phishing e-mail from a trusted source. Worse is a workforce that operates under a false sense of security, believing the enterprise's technology is sufficient to protect its assets. You know it's not. Yet how much attention does the human element get in the information security game plan? If your information security strategy is only as deep as your technology layer, then potential breaches are just one misguided click away. And those clicks happen. Annual threat reports reveal that the risks to business, partners, customers, and reputation are myriad, mounting, and material. In 2012 alone, 855 information security incidents compromised 174 million records. And according to Verizon's recent data breach report [1], 96% of the attacks were not at all difficult to perpetrate; almost all found vulnerable human targets that were easily exploited. Thus the Verizon report concluded, "...a substantial amount of data loss and quite a few upset customers serve as reminders that humans can, in various ways, bring harm to the organization." As to a solution, the report writers are quick to add, "We still favor well-thought out and well delivered ways to increase awareness."

Thor Olavsrud of CIO.com agrees: "Your sensitive data is only as secure as the weakest link in your organization, and in many cases the weak link is your employees. A properly established security awareness and training program can pay huge dividends." Indeed, a security awareness program ought to be integral to an information security strategy, and ideally one that balances people, processes, and technologies in appropriate measures. Approaches that are heavy on technology, for example, might be able to defeat technology-based attack vectors, but they leave unprotected the operators who now constitute the bulk of the attack surface, both as to probability and potential consequences.

If you've decided to make the case for investing in a security awareness program for your organization, presenting a coherent and data-based argument will be crucial. In the pages that follow, we'll provide you with the tools and information you'll need to make that case. We'll address the most pressing business drivers that will in turn drive your most compelling arguments; we'll show you how security awareness can leverage huge savings even as it helps protect your organization's reputation; and we'll provide the answers you'll need to put to rest the typical objections that will inevitably arise along the way. Finally, you'll be able to make clear the case that a security-aware culture will make a substantial contribution to improving your organization's overall security posture.

Aligning the Security Awareness Program to Business Priorities


As you craft a security awareness strategy, adopting a perspective that includes both IT objectives and business priorities will prove indispensable. If your IT security proposals do not align with business objectives, you are sure to face an uphill budget battle. To remove resistance, you'll need to speak the language of the executive leadership team. That means crafting a proposal that addresses their concerns, like preserving the company's reputation, minimizing the costs of noncompliance, preventing business disruption, and reducing the occasions for crisis communications. The good news is that a security awareness program helps in all these areas. The key will be in how you position its specific value propositions to the respective stakeholders.

Security, as the Forrester analysts say, is no longer embedded in IT. It is, in fact, diffused throughout the organization, from top to bottom. No function within the organization is immune to security risks. Security awareness must, therefore, become ingrained into your organization's culture. Take a look, for example, at a sampling of the many business functions that can be directly and positively impacted by the benefits of a security awareness program, or negatively impacted by the lack of one:

- Business Continuity and Disaster Recovery
- Financial Risk and Insurance
- Physical and Corporate Security
- General Counsel and Legal
- Human Resources
- IT Security Team
- Marketing, Sales, and Business Development
- Crisis Communications
- Customers
- Partners
- Shareholders

The last three warrant a closer look. Even a relatively small but newsworthy breach will spike customer churn rates, harm partner relationships, and damage shareholder value. What's more, competitors will seize upon the opportunity to position your company as untrustworthy. All because of the untrained or careless action of a single employee. And with nearly all states requiring breach notification, missteps with customer data can't be kept under wraps.

Compliance Concerns ARE Business Concerns


For IT professionals, regulatory compliance is the biggest single driver behind the adoption of a security awareness program, especially as the list of requirements for many industries grows longer. While compliance with regulations is IT's top concern, others in your organization will have a very different take on the subject. Consider, for example, the following insights:

- The 2013 research [2] conducted by (ISC)² on global information security reported that 49% of all survey respondents (which included C-level executives) rated preventing damage to the organization's reputation as their top priority; it was a high priority for 83% of the respondents. The fear of non-compliance actually came in second to concern for company reputation.
- While the threat of regulatory fines and corrective actions remains the biggest motivator for the security spend (when viewed from the IT budget perspective), the business executives' greatest fears are damage to reputation, business disruption, customer churn, revenue loss, and hits to productivity, all typical consequences of non-compliance events.

Conversely, companies that are driven by a narrow, short-sighted view of compliance tend to focus on the cost of compliance with a view only to minimizing it. Such an orientation leaves the company exposed on several levels:

- The costs of non-compliance can dwarf the cost of the relatively inexpensive compliance measures (which include a security awareness program).
- Poor compliance measures (e.g., lack of a proper security awareness program) invite incidents.
- A check-the-box approach to compliance leaves the company with a very poor risk profile.
- The resulting risk exposure endangers the company's greatest asset: its reputation.

Consequently, unless the calculation of the total cost of compliance includes the costs of non-compliance (fines, restitution, civil actions arising from inadequate or no training or negligence in training), revenue losses from business disruption, customer churn, and other indirect and opportunity costs, your true risk exposure will be tremendously underestimated. Translating this reality to bottom-line language for business executives will prove strategic: compliance costs are small, but the benefits they yield are enormous. And one very important key to minimizing compliance costs, while simultaneously increasing the benefits to business, is a proper security awareness program.

Executive management is burdened with major concerns, from company reputation to customer churn. A proactive security awareness program that is aligned specifically to business priorities can allay stakeholder fears by minimizing both the causes and consequences of business disruption.

Exposing the Vulnerabilities

The (ISC)² report cited earlier also found that IT organizations are substantially less prepared today for both the prevention and the consequences of a security breach than they were two years ago. The three readiness attributes they investigated were: being prepared for a security incident; discovering a security breach; and recovering from a security incident, all of them markedly down from previous estimates. In all three areas, however, a proper security awareness program can make a significant difference, from reducing incidents, to encouraging the reporting of incidents, to minimizing the consequences of incidents, with very little expense or overhead. The risk/reward tradeoff is substantial. According to research conducted by the Ponemon Institute, 51% of CEOs say their company experiences cyber-attacks hourly or daily. In fact, the number of targeted attacks has increased dramatically in the last two years. These increasingly sophisticated and determined attempts to gain access to sensitive information rely on a medley of attack vectors, including customized malware and highly targeted social engineering schemes. As one observer [3] noted, "Finding a gullible human in a targeted organization is often easier than finding a software vulnerability or an open network port, so attackers are quick to use social engineering as a key part of any exploit." So while your company might be deploying the latest security technology, the perpetrators are finding ways around it. And in the arms race between the bad guys and the security vendors, the employees who handle sensitive information are caught in the crossfire. This is the new front where the battle, and the breaches, will occur. It's also the last line of defense. If people are not fortified with proper security awareness training and reinforcement, then breaches are all but assured. And the potential consequences are severe: recent Symantec-sponsored research [4] found an average 1.1 million identities were exposed per breach, while more than 400 million unique variants of malware continue to target high-level executives, senior managers, and R&D personnel.
Moreover, a study [5] by Forrester actually found that enterprise perceptions of incident likelihood were backed up by the incidents they actually experienced. In other words, people saw it coming. "A majority of enterprises," the report reads, "felt that employee-related accidents were the most likely sources." Theft or misplacement of an employee device was seen as likely or extremely likely by 58% of respondents, while the risk of accidental leakage by an employee was seen as nearly as risky (57%). Clearly, this is not a technology problem. In fact, even where technology might be a factor, 90% of all malware still requires human interaction before it can infect its target. That's a people problem.

Costs in Dollars and Customers


So how does one quantify the cost of a breach? This is answered, at least in part, by research conducted by the Ponemon Institute, whose 2013 study [6] examined breaches at 54 organizations. Among the many findings, they determined that the per-record cost of a breach was $188, with an average total incident cost of $5.4 million (a more recent report [7] published by Hewlett-Packard put the U.S. figure at $6.75 million). The findings also implicate employee negligence as one of the primary causes of the breaches that occurred. Other illuminating highlights include:

- Lost business costs averaged more than $3 million, accounting for abnormal turnover of customers, increased customer acquisition activities, reputation losses, and diminished goodwill.
- Malicious or criminal attacks resulted in the highest per-record data breach cost. Consistent with prior reports, data loss or exfiltration resulting from a malicious or criminal attack yielded the highest cost at $277 per compromised record, on average.
- In nearly all cases, direct, indirect, and opportunity costs were incurred from the theft of information, disruption to business operations, and revenue loss. Added to these were costs associated with detection, investigation, incident response, containment, recovery, and after-the-fact response.

Employee negligence, a direct consequence of security ignorance, is a primary cause of costly breaches. A small investment in a proper security awareness program can mitigate the substantial human liability factor while it protects valuable company information and revenues as well.

Giving Due Diligence its Due

One of the greatest fears of the executive team is a data breach that is made worse by a charge of negligence. Rebecca Herold, in her book Managing an Information Security and Privacy Awareness and Training Program [10], provides a good portrait of the enterprise with respect to its information security values. "In general," she writes, "due diligence is providing demonstrated assurance that management is ensuring adequate protection of corporate assets, such as information, and compliance with legal and contractual obligations." One way she proposes that such due diligence be demonstrated is through an effective, executive-supported, information security awareness program. Herold continues, "When considering due diligence, it follows that a standard of due care must be observed. Quite simply, this means that organizational leaders have a duty to ensure the implementation of information security and privacy even if they are not aware of the specific legal requirements. If leaders do not ensure that actions are taken to reasonably secure information and ensure privacy, and as a result others experience damages, it is possible both the organization and the leaders could face legal action for negligence. This certainly should motivate leaders to invest time, resources, and personnel in establishing an ongoing, effective, well-documented information security and privacy awareness and training program."


The annual CSI survey [8] also tracks the loss of customers directly associated with a breach event. The most recent study found the average customer churn rate to be 3.7% (with a considerably higher 6% for the pharmaceuticals, communications, and health care sectors). Indeed, there are many components of the total cost of a breach (Zurich [9] provides a helpful resource in determining what yours might be). For a quick and dirty ballpark figure, simply multiply the per-record cost by the number of records your organization keeps and you'll have a pretty good estimate of exposure. For regulated industries, the Department of Justice also levies fines that average upwards of $2M and restitution awards averaging in excess of $3M per breach. Tellingly, the majority of the breached companies profiled in the study did not have a security awareness program in place. And because the majority of incidents were attributed to human behaviors, the number of incidents, and their consequences, could have been prevented or greatly diminished with security awareness training. As Ponemon Institute research consistently shows, incident rates and their associated non-compliance costs are inversely proportional to the organization's level of security awareness. Want to minimize breaches and non-compliance costs? Institute a security awareness program! What's more, the due diligence demonstrated by the presence of a robust security awareness program alone will dramatically improve the security posture, help mitigate potential fines, and preserve brand equity in the process.

Modeling the Security Risk Profile


In quantifying risks and assessing the ability to mitigate them, there are several formulas that can help. The NIST Special Publication 800-30 documentation provides a good start. It defines risk as the net negative impact of the exercise of a vulnerability, considering both the likelihood and the severity of occurrence. Reducing this to a simple calculation, we get Risk = Likelihood x Impact Severity. In applying these principles to security awareness, the keywords are telling: it is clearly established that humans present considerable vulnerability to information security; that risky behaviors leading to breaches are highly likely; and that such breaches bring severe consequences to the organization. Yet conventional models for building business cases based on ROI, IRR, and NPV are difficult to apply in areas where one seeks to prove a negative, that is, a financial benefit that is realized only when something doesn't happen. Consequently, most accountants tend to focus on the direct costs of compliance, ignoring the real and tangible costs of non-compliance. Fortunately, recently developed historical models, combined with your own risk assessments, will be sufficient to make a strong case for the security awareness initiative. One particularly powerful model is the Security Effectiveness Score (or Index) [6]. Developed by the Ponemon Institute, it is a well-established metric that defines an organization's ability to achieve security objectives. In short, the higher the score, the stronger the organization's security posture; the greater its ability to avoid a breach; and the lower the cost to mitigate a breach. The score is derived from an evaluation of 24 security management attributes that span a full range of information security issues. Of the 24 parameters evaluated, 75% of them are directly related to security-aware behaviors. And when these specific employee behaviors are addressed in a meaningful way to bring about a security-aware culture, the incidence and cost of non-compliance plummets.

The Security Effectiveness Score (SES) has been developed by PGP Corporation and Ponemon Institute in its annual encryption trends survey to define the security posture of responding organizations. The SES is derived from the rating of 24 security features or practices. The SES provides a range of +2 (most favorable) to -2 (least favorable). Hence, a result greater than zero is viewed as net favorable.

The positive results of improving security awareness are both intuitive and well documented. The Security Effectiveness Score shows that when organizations spend a dollar on compliance, they get far more than a dollar's value in return in the form of significantly reduced noncompliance costs. The converse is also true: companies that invest little in compliance and security awareness pay far more on the back end when breaches ultimately occur. Comparing the track records of companies with low levels of information security investment versus those with industry-typical levels tells the tale. A case in point is the healthcare sector, which on average allocates just 1-3% of the IT budget to all information security measures. This is in contrast to an industry-average figure of approximately 10%. Not surprisingly, a study [11] commissioned by Symantec reported that the list of top ten industry sectors by data breaches was led by the healthcare sector, which accounted for 36% of all breaches. The number two sector was education, far behind with 16%. Healthcare leads by a massive margin, and with a security spend that is at or near the bottom. The old cliché, "spend a little, save a lot," has never rung more true.

Optimizing Your Security Awareness Spend


We'll be the first to admit that peer benchmarks on IT spending and allocations can be misleading. For example, a company might be spending an above-average amount on information security, but be underperforming relative to another company that spends less. By the same token, a big budget can give an organization a false sense of security. Spending a dollar to check the box versus spending a dollar to actually realize good security, and reduce the cost of a data breach in the process, are two very different things. The latter requires going beyond mere regulatory requirements. While one can generally correlate budget spend to security effectiveness, it's not the whole story. An equally important consideration is how the dollars are spent, and the extent to which those dollars actually contribute to improving the security posture. For example, if a security awareness program consumed as much as 5% of your security budget, but addressed 30% of your risk, you'd be miles ahead. Unfortunately, it is not unusual to find budgets that spend $10 to protect something worth $5 and a nickel to protect something worth $1,000. Yet this is exactly what happens when compliance alone drives security budgets.

Because security risk profiles are dominated by human vulnerabilities, even a small investment in security awareness can leverage huge gains. Moreover, by bolstering the human endpoint, the majority of your other information security measures will become more stable and reliable as well.

In a revealing study [5], Forrester found that enterprises devote 80% of their security budgets to two priorities: compliance and securing sensitive corporate information, with the same percentage (about 40%) devoted to each. At first blush, there's nothing startling here. But put that spend in the context of the actual value each allocation seeks to protect and the picture changes dramatically. The Forrester study continues, "...secrets [product plans, earnings forecasts, and intellectual property/trade secrets] comprise 62% of the overall information portfolio's total value, the business interest, while compliance-related custodial data [customer, medical, and payment card information that becomes toxic when spilled or stolen] comprises just 38%, a much smaller proportion." Forrester's conclusion? "Investments are overweighed toward compliance." In other words, enterprises are spending the same amount to secure two different classes of assets that differ in value by 24%. The proportions are way out of line. Why does this matter? It matters because it is a significant indication that information security budgets are not properly aligned to actual business value. But this state of affairs is not without reason. A recent report [12] by Hanover Research (prepared for Tripwire, Inc.) revealed that, "Executive and non-executives agree that building a culture of security within their organization is currently the most important [information security] capability. However, executives believe aligning security and business values, helping their business understand, and managing risk exposure are the most important security capabilities for upcoming years. In contrast, nonexecutive respondents [information security professionals] chose compliance with regulations, standards, and policies, in addition to building a culture of security as the most important capabilities of the future." This finding sheds tremendous light on the disparity Forrester discovered. Only by opening the door to a review of how the information security budget is allocated, with a view toward aligning it to business objectives, can one begin to optimize that spend in proper balance. And the objectives of both parties can be met with a security awareness program that addresses both compliance issues and the security of corporate information. In the process, that program will contribute to improving 75% of the Security Effectiveness Score parameters, a metric that is directly correlated to minimizing the impact of non-compliance. That's significant leverage for all the stakeholders. A good security awareness program truly does constitute basic blocking and tackling, and as such, it is essential to winning the high-stakes game of information security and keeping the brand safe.

Overcoming the Objections

While most IT security professionals truly get it, their levels of enthusiasm for promoting security awareness are seldom matched by the executives on whom they depend for budget approvals. Consequently, we've spent a good bit of time here on aligning the need for security awareness to business objectives. But as you engage on a deeper level with the various stakeholders, there will inevitably arise a number of specific objections that stand in the way of a fully supported security awareness initiative. Here are a few of the more common objections you may hear, along with a few suggested responses.

"We're good; our company has never had a breach."
Suggested response: Yes, we have been very fortunate! Let's hope our luck continues. Recent industry data, however, shows we are falling behind the curve. In the face of so many threats, we must apply all due diligence to ensure that our vulnerabilities are not left to fate. I suggest we can be more proactive in supporting our business interests. We must continually step up and respond to new and emerging business threats to preserve shareholder value and maintain customer loyalty.

"The cost is too great."
Suggested response: As with any investment, you must evaluate the risk and the return (as well as possible damages). Sometimes the greatest risk to business is doing nothing new. The investment is modest: an effective security awareness program is likely to be fully covered for less than 1% of the typical enterprise IT budget. Focusing on the price alone ignores costs that can run many orders of magnitude greater, e.g., the direct, indirect, and opportunity costs associated with breaches or other forms of non-compliance. We can not only meet our compliance needs, but also help foster a security-aware culture that contributes real value to enhance brand reputation. Conversely, how much would it cost to replace all the customers that leave because we didn't keep their data secure?

"Training is not effective at changing behavior."
Suggested response: You are right, sometimes; many training programs, and security awareness initiatives, fail to meet expectations. We don't want this to happen to us (any longer). Just as we evaluate technologies, and appraise other business options, we have investigated and evaluated what has really worked to achieve the best results. Our solution is designed to deliver behavior change right from the start. We will deliver and reinforce our message throughout the year. We believe we can provide a best-of-class security awareness program that will help us achieve a security-aware culture, safeguard our customer data, and protect our business assets. By doing so, we can keep our employees focused on the important tasks of achieving our business goals and meeting our customer commitments.
(Note: We explore this objection in great detail in our series on the principles of adult learning, and we invite you to discover the real reasons why some programs fail, and what you can do to ensure success in your program.)

It's not simply how much you spend, but how you spend it. The relatively small investment in security awareness will not only be more appropriately aligned with your actual threat landscape and vulnerabilities, it will make the rest of your information security spend more efficient.

"Technology (firewalls, antivirus, etc.) is sufficient to provide information security."
Suggested response: These tools are very good at what they do, but only at the levels they address: the network/host layers. Such technologies do not provide 100% coverage or any other guarantee. The problem now is that attackers circumvent these defenses and focus on the much softer targets: people. A good security strategy is a multi-layer strategy, one that includes the human defensive layer. In fact, it is the last line of defense, and it is precisely those companies that have not reinforced this line that have experienced the most breaches and suffered the worst consequences. This current reality calls for an additional security layer in the form of a truly effective security awareness program.

"We have no time to create and manage security awareness training."
Suggested response: You are correct; it takes effort to create and manage a truly effective security awareness program. There are many resources on the market that can help us reduce this effort and give us a head start. A good security awareness program can be outsourced to a competent solution provider, effectively offloading the burden. We currently purchase hardware, software, and services from competent outside vendors. We propose we do the same for our security awareness program. We can also supplement or adapt the program to fit our needs. This is a highly specialized field that requires a specific set of competencies to create a training solution that will actually work to bring about security-aware behaviors and culture. The time investment can be greatly reduced and the value greatly increased by leveraging existing programs to meet our business goals.

"Our most recent audit found us to be fully compliant with data protection regulations."
Suggested response: You are correct; our security awareness training passed the recent audit. The box was checked. As we both know, there is usually more to meeting the spirit of the requirement than just checking the box. Many auditors are now looking at compliance training programs more closely. I'm not sure how long it will be before our current program fails an audit. At the end of the day, we want a more secure organization. To achieve that goal, and reduce our risk, we need an effective security awareness program that will provide a foundation for true behavioral change. As has been shown numerous times and in numerous ways, a wide gulf separates regulatory compliance from true security awareness. The organization may save itself a fine, but leave the enterprise wide open to far greater potential consequences. Compliance-driven security is a low watermark where actual risk reduction is concerned. I suggest we take the next step and look at implementing a program that will meet both the spirit and the letter of the law. We must continually step up and respond to new and emerging business threats to preserve shareholder value and maintain our customers' trust.

"Executive management (corporate) does not see the need."
Suggested response: Our goal is to help you (executive management) meet our business objectives. We can't do that if our shareholders, employees, partners, and our customers don't trust us. It has taken years to build our reputation, but it can be lost in very short order. We want to eliminate any data security risk that could get in your way of growing the company and helping you meet our business commitments. A major data breach will require attention from management, IT, marketing communications, and other business units. It's a huge distraction and will cost us time, money, and resources. We must upgrade the human defensive layer to reduce our data security risk. An effective security awareness program will enable our people, and you, to succeed and meet your personal and business objectives.
(Note: This is perhaps the most common objection of all, and is indicative of a security awareness proposal that is not aligned with the business objectives.)

"We're too small to justify a security awareness program."
Suggested response: According to a recent Symantec research report [11], 50% of attacks focused on companies with fewer than 2,500 employees, and 18% of attacks were focused on organizations with fewer than 250 employees. It's possible that smaller companies are now being targeted as a stepping stone to a larger organization because they may be less well-defended. Targeted attacks are a risk for businesses of all sizes; no one is immune. We believe we can provide a cost-effective security awareness program that will help us safeguard our customer data and protect our business assets. By doing so, our company can keep focused on the important tasks of achieving our business goals and meeting our customer commitments.

Conclusion
As we have shown, in the realm of information security, a company's Achilles heel is often its employees. Technology does very little to address this weakness. And the problem is only growing. Gartner forecasts that through 2016, the financial impact of cybercrime will grow 10% per year due to the continuing discovery of new vulnerabilities. A security awareness program is one of the lowest cost/highest impact investments a company can make in not only getting ahead of the cybercrime power curve, but in protecting the business interests of the enterprise.

Sources
1. Verizon, Data Breach Investigations Report, 2012
2. (ISC)², Global Information Security Workforce Study, 2013
3. Dark Reading, The Many Faces Of The Verizon Data Breach Investigation Report, April 23, 2013
4. Ponemon Institute, Cost of Data Breach, 2011
5. Forrester Research, Inc., The Value of Corporate Secrets
6. Ponemon Institute, 2013 Cost of Data Breach Study
7. Hewlett-Packard Enterprise Security, Rethinking Your Enterprise Security, 2013
8. Computer Security Institute, CSI Computer Crime and Security Survey, 2012
9. Zurich, Data Breach Cost, Part I: Risks, Costs and Mitigation Strategies for Data Breaches, 2012
10. Rebecca Herold, Managing an Information Security and Privacy Awareness and Training Program, CRC Press, 2010
11. Symantec, Internet Security Threat Report, Volume 18, 2013
12. Hanover Research, CISO Pulse Survey Analysis, Prepared for Tripwire, Inc., April 2013

About MediaPro

MediaPro is nationally recognized for producing award-winning, Web-based security and privacy training solutions that reduce risk by improving security-aware behaviors. Our best-of-class awareness materials will help you safeguard your customer data and protect your business assets. In addition to training and reinforcement products, MediaPro also develops custom data protection and compliance courseware. MediaPro has won over 100 prestigious awards for instructional excellence and its products are used by the most security-conscious companies in the world. For more information about our award-winning security and privacy awareness products and services, please contact us at (800) 726-6951, email us at mp.info@mediapro.com, or visit us on the web at www.mediapro.com.

20021 120th Avenue NE, Suite102 | Bothell, WA 98011 | (425) 483-4700 | (800) 726-6951

Copyright 2013, MediaPro, Inc. All Rights Reserved.

Applying proven principles of adult learning to produce security-aware behavior
