As Aberdeen described in its research report, Security Awareness Training: Small Investment, Large Reduction in Risk (July 2017), senior business leaders rely on their organization's security professionals to answer this question in a way that helps them make a better-informed business decision about risk.
The answer is not to provide senior business leaders with the technical details of what phishing attacks are; how and why they work; who they target and why; who is behind them, and from where; publicly disclosed examples of organizations that have been affected; and detailed statistics about the latest technologies and trends. This kind of information is clearly appropriate for security professionals to understand, in their traditional role as subject-matter experts. But it does not describe risk.
In their dual role as trusted advisors to the senior business leaders (who actually own the risk), security professionals must answer this straightforward business question in terms of the proper definition of risk: how likely are phishing attacks, and how much business impact could they have if they do occur?
Many security professionals perceive qualitative and pseudo-quantitative risk assessments (a "high/medium/low" rating, or a 1-to-5 likelihood score multiplied by a 1-to-5 impact score) as being easiest for senior business leaders to understand, but their value for making better-informed business decisions about risk is dubious at best: these values are labels on ordered bands, not measurements, so doing math on them is meaningless, and leaders are left to make important business decisions based on an assessment of "yellow" or "72." The practical result is that most risk-based business decisions about security are made solely on the intuition, judgment, and gut instinct of the senior business leaders.
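The following is an added worked example, not from the Aberdeen report, of why arithmetic on ordinal risk scores misleads. It scores two constructed phishing scenarios (the probabilities, loss amounts and band boundaries are assumptions chosen for illustration) both ways: as a 1-to-5 likelihood band times a 1-to-5 impact band, and as probability of a loss event in a year times the loss magnitude, which is an annualized expected loss in dollars. The ordinal scores rank the scenarios one way; the expected-loss figures rank them the other way, and a single ordinal score turns out to cover a 25x range of expected loss.

```python
"""Ordinal 'likelihood x impact' scores versus quantitative expected loss.

Added example (not from the Aberdeen report). All bands and scenario
figures below are constructed assumptions for illustration.
"""

# Ordinal bands: each entry is (exclusive upper edge, band score).
# A probability of 0.45 falls in likelihood band 3 ([0.20, 0.50)),
# a loss of $4,000,000 falls in impact band 4 ([$1M, $10M)).
LIKELIHOOD_BANDS = [(0.05, 1), (0.20, 2), (0.50, 3), (0.80, 4), (1.01, 5)]
IMPACT_BANDS = [
    (10_000, 1),
    (100_000, 2),
    (1_000_000, 3),
    (10_000_000, 4),
    (float("inf"), 5),
]


def band(value, bands):
    """Return the ordinal band a value falls into."""
    for upper, score in bands:
        if value < upper:
            return score
    return bands[-1][1]


def band_edges(score, bands):
    """Return (lower, upper) numeric edges of a band (lower edge of band 1 is 0)."""
    lower = 0.0
    for upper, s in bands:
        if s == score:
            return lower, upper
        lower = upper
    raise ValueError(f"no band with score {score}")


def ordinal_score(p_event, loss):
    """Pseudo-quantitative score: likelihood band x impact band (1..25)."""
    return band(p_event, LIKELIHOOD_BANDS) * band(loss, IMPACT_BANDS)


def expected_loss(p_event, loss):
    """Annualized expected loss: probability of a loss event in a year x loss magnitude."""
    return p_event * loss


def score_loss_range(likelihood_band, impact_band):
    """Smallest and largest expected loss that map to the same pair of bands."""
    p_lo, p_hi = band_edges(likelihood_band, LIKELIHOOD_BANDS)
    l_lo, l_hi = band_edges(impact_band, IMPACT_BANDS)
    return p_lo * l_lo, p_hi * l_hi


def rank_by(scenarios, scorer):
    """Scenario names ordered from highest to lowest score under `scorer`."""
    return sorted(scenarios, key=lambda name: scorer(*scenarios[name]), reverse=True)


# Constructed scenarios: (probability of at least one loss event per year, loss per event in $).
SCENARIOS = {
    "credential phishing of staff": (0.45, 120_000),   # frequent, moderate loss
    "wire-transfer (BEC) phishing": (0.06, 4_000_000), # rare, severe loss
}

if __name__ == "__main__":
    for name, (p, loss) in SCENARIOS.items():
        print(f"{name:30s} ordinal={ordinal_score(p, loss):2d} "
              f"expected loss=${expected_loss(p, loss):,.0f}/yr")
    print("ranked by ordinal score:", rank_by(SCENARIOS, ordinal_score))
    print("ranked by expected loss:", rank_by(SCENARIOS, expected_loss))
    lo, hi = score_loss_range(3, 3)
    print(f"a '3 x 3 = 9' score spans ${lo:,.0f} to ${hi:,.0f} per year")
```

Under the ordinal scheme the credential-phishing scenario scores 9 and the BEC scenario 8, so a leader reading the heat map would fund the former first; in dollars the BEC scenario carries roughly four times the annualized expected loss. The band arithmetic also hides a wide spread: every scenario that lands on "9" sits somewhere between $20,000 and $500,000 a year, which is the information a leader actually needs to decide what a control is worth.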