by Daniel J. Solove
It has long been difficult to quantify the ROI of data security awareness training.
But finally, I have been able to locate a number. According to a 2014 PricewaterhouseCoopers study: “The financial value of employee awareness is even more compelling. Organizations that do not have security awareness programs—in particular, training for new employees—report significantly higher average financial losses from cybersecurity incidents. Companies without security training for new hires reported average annual financial losses of $683,000, while those do have training said their average financial losses totaled $162,000.”
That’s slightly more than a $500,000 difference!
Part of this figure may be due to a correlation, as organizations with good data protection programs will have good training along with other good measures. But almost certainly, though, training plays a role.
Also in the same survey, “42% of respondents said security education and awareness for new employees played a role in deterring potential attacks.“
In another poll, 77% of IT professionals said that the workforce was weakest link in data security. AndŸ 89% of IT officials plan to increase workforce data security education.
I don’t know whether the value of training can ever be precisely quantified. But time and again, the facts show that the workforce is a tremendous source of vulnerability. Organizations can go to elaborate measures to force workforce members to engage in better data security practices, but forced measures can only go so far. People can often defeat them.
The cartoon below, which I created with the use of images drawn by the illustrator for my company, demonstrates the problem.
Education is a better alternative to many coercive measures.
But just because something is said in a training program doesn’t mean that people will do it. I’ve seen many training programs that fail to teach. They just throw out information to make sure that somewhere down the line, the organization can say: “But we told them not to do that!” There’s a lot more to good education than telling.
Done right, training works. And it pays off.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is an “LinkedIn Influencer.” His blog has more than 860,000 followers.
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* Professor Solove’s LinkedIn Influencer blog
* Professor Solove’s Twitter Feed
* Professor Solove’s Newsletter