Some really great thoughts. Krypt3ia is always worth a visit.

“To sum up here we have a lot of talk about the ROI of security measures like awareness training. Some say it is useless but I say it is not. In fact I would say that the current model of security awareness (i.e. once a year by powerpoint) is not enough. The reality is that people learn only by repetitive means. This is why we teach children times tables in school as well as innately children want to be read the same story over and over and over again. Our brain makes long term memory and learning by repetitive means. So yes, I would say our current model of awareness is useless because we are not really teaching anything to anyone by not doing it repeatedly and more than once a year.”

 

It is a cool fact taken from economy theories, that business value is also equalling reduced, or mitigated risks. If a risk is avoided, it is contributing to a company’s profitability, as a risk that has materialized is reducing profit. Given the fact that security breaches like that or Target cause stock prices to tumble, profits to vanish in thin air and reputation being lost, spending a fraction of those costs should be a no-brainer.

Nevertheless, in our beautiful, quarterly world, there is a visibility block to the ability to realize the virtue of precautions, until a breach has happened. And then, of course, there is no more abundance of profit to spend mitgation costs from …