The Total Economic Impact™ Of Everfox EverShield
Cost Savings And Business Benefits Enabled By EverShield
A Forrester Total Economic Impact™ Study Commissioned By Everfox, March 2025
The risks posed by trusted insiders — such as the potential consequences of employee negligence, intellectual property theft, information system damage or abuse, and employee harm — exist for all enterprises. By implementing Everfox’s EverShield solution to support an insider risk management program, organizations can monitor user activity, detect suspicious and unwanted behaviors, and act quickly to avoid negative outcomes such as financial loss, operations disruption, reputational damage, or workforce harm. Furthermore, organizations can use EverShield to deliver incremental business growth by avoiding unwanted employee resignation risks and improving customer trust.
EverShield monitors enterprise users and alerts threat analysts to risky, negligent, and concerning employee behavior. Security professionals and other cross-functional stakeholders of the insider risk management program can then quickly identify, investigate, and act on potentially negative events, which are users’ early warning signs on the critical pathway to insider risk.1 The solution is key to a comprehensive insider risk management program, whereby relevant teams in the organization agree to a set of policies and processes to reduce risk; increase trust; and deliver value to customers, shareholders, and employees.
Everfox commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying EverShield.2 The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of EverShield on their organizations.
Return on investment (ROI)
205%
Net present value (NPV)
$9.30M
Registration Required To Continue
To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed four decision-makers with experience using EverShield. For the purposes of this study, Forrester aggregated the interviewees’ experiences and combined the results into a single composite organization that is a North American organization with 30,000 employees and $10 billion in annual revenue.
Interviewees said that prior to using EverShield, their organization was exposed to insider risk threats including data loss, negligence, and malicious behavior. The loss of sensitive data was of particular concern, as it could result not only in legal and remediation costs but also reputational damage. Existing tools, such as data loss prevention solutions, lacked user behavior insight details, required substantial investigative resources, and resulted in slow reaction times, which made them insufficient for reducing insider risk.
After the investment in EverShield, the interviewees could better manage insider risk, scale their investigative capabilities, and react quickly to high-risk incidents. Key results from the investment included a reduction in the cost of negligence and other mistaken incidents; avoidance of unnecessary employee resignations; a reduction in unfair dismissal claims costs and costs associated with disgruntled employee sabotage; and improvement in customer retention and acquisition.
Key Findings
Quantified benefits. Three-year, risk-adjusted present value (PV) quantified benefits for the composite organization include:
- Reduced negligent and other mistaken incidents by up to 70%. By reducing behaviors such as accessing illicit sites, downloading or removing software, and sharing passwords, the composite organization reduces risk and remediation costs.
- Increased customer loyalty and acquisition leading to incremental profit of $2.4 million. By avoiding insider risk incidents and improving its overall security posture, the composite organization’s customer and partner trust improves, which in turn, incrementally increases revenue and profit.
- Avoided employee resignations valued at $1.8 million. The EverShield solution can quickly detect employee behavior that suggest they are stressed or otherwise unhappy, enabling the composite organization to take corrective action and thus avoid unwanted resignations. Vacancies are costly to fill, and employee departures are also potential triggers for other costly adverse insider acts.
- Avoided unfair dismissal claims costs of $1.6 million. The EverShield solution, particularly through its video recording feature, can provide the composite with incontrovertible evidence to quickly settle claims of unfair dismissal.
- Avoided disgruntled employee damage costs of $1.5 million. The EverShield solution can monitor employees with higher risk profiles, such as those who have resigned, and quickly identify behavior that may result in significant damages and/or disruption to the composite.
- Avoided data loss costs. Data exfiltration is a significant insider risk. The EverShield solution alerts the composite’s administrators to data download instances or other behaviors that could result in associated data loss costs.
Unquantified benefits. Benefits that provide value for the composite organization but are not quantified for this study include:
- Improved employee experience. Employees appreciate that the organization has visibility to quickly and fairly deal with inappropriate workplace behavior and implement policies and changes to increase security awareness and best practices.
- Improved employee behaviors. An insider risk program supports employee behavior change and improvement. The composite can use automated platform alerts to steer employees from unwanted, inappropriate, or otherwise risky behavior, alongside awareness and best practices training.
- Flexibility. Interviewees shared that the EverShield solution can be easily adjusted and changed as needed for different use cases and user groups. This flexibility provides the composite organization with the option to add modules and expand capabilities.
Costs. Three-year, risk-adjusted PV costs for the composite organization include:
- Licensing fees of $3.9 million. Licensing fees are based on the number of endpoints covered.
- Platform deployment and insider risk management program creation costs of $228,000. The composite incurs these upfront costs to deploy the platform and create the insider risk management program.
- Platform and program maintenance costs of $410,000. The composite adds one additional FTE for ongoing platform and program maintenance.
The representative interviews and financial analysis found that a composite organization experiences benefits of $13.83 million over three years versus costs of $4.53 million, adding up to a net present value (NPV) of $9.30 million and an ROI of 205%.
Key Statistics
-
Return on investment (ROI)
205%
-
Benefits PV
$13.83M
-
Net present value (NPV)
$9.30M
-
Payback
< 6 months
Benefits (Three-Year)
Reduction in negligent and other mistaken incidents Increased customer loyalty/acquisition Employee resignation avoidance Unfair dismissal claims cost avoidance Disgruntled employee damnage cost avoidance (excluding data) Data loss cost avoidance
TEI Framework And Methodology
From the information provided in the interviews, Forrester constructed a Total Economic Impact™ framework for those organizations considering an investment in EverShield.
The objective of the framework is to identify the cost, benefit, flexibility, and risk factors that affect the investment decision. Forrester took a multistep approach to evaluate the impact that EverShield can have on an organization.
-
Due Diligence
Interviewed Everfox stakeholders and Forrester analysts to gather data relative to EverShield.
-
Interviews
Interviewed four people at organizations using EverShield to obtain data about costs, benefits, and risks.
-
Composite Organization
Designed a composite organization based on characteristics of the interviewees’ organizations.
-
Financial Model Framework
Constructed a financial model representative of the interviews using the TEI methodology and risk-adjusted the financial model based on issues and concerns of the interviewees.
-
Case Study
Employed four fundamental elements of TEI in modeling the investment impact: benefits, costs, flexibility, and risks. Given the increasing sophistication of ROI analyses related to IT investments, Forrester’s TEI methodology provides a complete picture of the total economic impact of purchase decisions. Please see Appendix A for additional information on the TEI methodology.
Disclosures
Readers should be aware of the following:
This study is commissioned by Everfox and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.
Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in EverShield.
Everfox reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.
Everfox provided the customer names for the interviews but did not participate in the interviews.
Consulting Team:
Jan Sythoff
Drivers leading to the EverShield investment
Interviews
| Role | Industry | Region | Number of employees |
|---|---|---|---|
| Product owner (PO) and subject matter expert (SME), cyber investigations DevOps | Oil and gas | Global | 45,000 |
| Security operations manager | Service provider | North America | 38,000 |
| Senior associate, | Consulting services | North America | 35,000 |
| Director of enterprise risk | Nonprofit | North America | 10,000 |
Key Challenges
Most of the interviewees’ organizations had data loss prevention
capabilities within their cybersecurity department prior to investing in
Everfox. However, they had to use multiple applications and manual processes for
identifying, managing, and investigating cases. The process was inefficient and
ineffective in preventing data exfiltration cases, either malicious or through
negligence.
The interviewees noted how their organizations struggled with common challenges, including:
- Exposure to insider risk data loss. The biggest challenge that all interviewees highlighted was their risk exposure to insider data loss. One wanted to avoid a repeat of a bad experience, while another found evidence of data exfiltration through device forensics and wanted to proactively prevent future events. The PO and SME, cyber investigations DevOps in the oil and gas industry told Forrester, “Once the data is out the door, it is too late to retrieve it.”
- Time-consuming investigations and delayed reaction times. One of the interviewees’ organizations had already implemented an insider risk management program to comply with customer requirements, but it was time consuming for analysts to investigate the cases. The other interviewees’ organizations had data loss policies and tools in their cybersecurity programs, but the investigation processes were inefficient, manual, and time consuming. These processes were resource-intensive, and reactions to threats took time.
- Security compliance requirements. Customers, prospects, and partners of interviewees’ organizations sometimes required tighter security, including capabilities to manage insider risk. These requirements are particularly the case for opportunities related to defense, government, and other industries with high data sensitivity. Without an insider threat program, opportunities could be lost.
- Lack of data/case prioritization. Another issue interviewees highlighted was the lack of data or case prioritization. Investigations required analysis of thousands of email communications, time-consuming device forensics, and accessing multiple systems and applications to gather data. Some of the interviewees said that there was no urgency in the identified cases and wanted to identify and address high-risk cases more quickly.
Composite Organization
Based on the interviews, Forrester constructed a TEI framework, a composite company, and an ROI analysis that illustrates the areas financially affected. The composite organization is representative of the interviewees’ organizations, and it is used to present the aggregate financial analysis in the next section. The composite organization has the following characteristics:
- Description of composite. A North American-focused organization with 30,000 employees, all of whom are knowledge-based workers, with a ratio of endpoints to employees of one to one. Its annual global revenue is $10 billion. Many employees have access to sensitive data, and certain customers and prospects have increasingly stringent supplier and partner compliance and security requirements. Prior to investing in Everfox, the composite had a data loss prevention tool in its cybersecurity setup and two FTEs dedicated to insider risk management but had not implemented a formal insider risk management program.
- Deployment characteristics. The composite organization builds its insider risk management program prior to deploying the EverShield solution to ensure data and privacy compliance and achieve consensus about the approach from different teams, including leadership, HR, legal, and IT. Platform deployment occurs in multiple phases to ensure endpoints are functioning well and the network can manage the change in data traffic. The composite implements key use cases including data exfiltration, employees leaving, illicit site visits, software download or removal, corporate espionage, and harm to self.
Quantified benefit data as applied to the composite
Total Benefits
| Ref. | Benefit | Year 1 | Year 2 | Year 3 | Total | Present Value |
|---|---|---|---|---|---|---|
| Atr | Reduction in negligence and other mistaken incidents | $1,363,805 | $2,273,009 | $3,182,212 | $6,819,026 | $5,509,185 |
| Btr | Increased customer loyalty/acquisition | $270,000 | $1,080,000 | $1,620,000 | $2,970,000 | $2,355,147 |
| Ctr | Employee resignation avoidance | $712,500 | $712,500 | $712,500 | $2,137,500 | $1,771,882 |
| Dtr | Unfair dismissal claims cost avoidance | $637,500 | $637,500 | $637,500 | $1,912,500 | $1,585,368 |
| Etr | Disgruntled employee damage cost avoidance (excluding data) | $618,723 | $618,723 | $618,723 | $1,856,169 | $1,538,673 |
| Ftr | Data loss cost avoidance | $429,630 | $429,630 | $429,630 | $1,288,891 | $1,068,427 |
| Total benefits (risk-adjusted) | $4,032,159 | $5,751,362 | $7,200,565 | $16,984,086 | $13,828,682 | |
Reduction In Negligence And Other Mistaken Incidents
Evidence and data. All interviewees explained that by following the EverShield implementation and insider risk management program, their organization reduced negligence and other risky employee behavior.
- The senior associate, IRMP in consulting services explained: “We provide coaching to people who are sharing or keeping their passwords in an insecure manner. We can say to them, ‘Hey, here’s a tool you can use in a secure way to store passwords.’ We spent part of this year just finding those and getting them aligned with our best practices and how to keep and store their password, service accounts, and things of that nature. So overall, it’s reducing our risk.”
- The PO and SME, cyber investigations DevOps in the oil and gas industry told Forrester: “We also stop use of risky websites, like torrent download or adult sites, and see when employees remove software. This reduces the risk of viruses and other bad outcomes.”
Modeling and assumptions. To quantify this benefit, Forrester assumes the following about the composite organization:
- The estimated baseline number of negligent and other risky behavior incidents resulting in extensive costs is 10 (adjusted to exclude data exfiltration-related incidents (which are covered in the data loss cost avoidance benefit).
- The composite can reduce the number of such cases by 30% in Year 1, 50% in Year 2, and 70% in Year 3. It achieves this not only through automated messages and notifications but also through employee education and awareness programs to highlight risky behaviors and share best practices.
- The average cost per case is $505,113.
Risks. The impact of this benefit could be lower if:
- The baseline frequency of negligent and risky behavior was lower.
- The cost per incident was lower.
Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $5.5 million.
Reduction In Negligence And Other Mistaken Incidents
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|
| A1 | Baseline incidents of negligent and mistaken behavior (excluding data exfiltration) | Estimate | 10 | 10 | 10 | |
| A2 | Percentage reduction in incidents due to Everfox | Estimate | 30% | 50% | 70% | |
| A3 | Reduction in number of cases | A1*A2 | 3 | 5 | 7 | |
| A4 | Average cost per case | Assumption | $505,113 | $505,113 | $505,113 | |
| At | Reduction in negligence and other mistaken incidents | A3*A4 | $1,515,339 | $2,525,565 | $3,535,791 | |
| Risk adjustment | ↓10% | |||||
| Atr | Reduction in negligent and other mistaken incidents (risk-adjusted) | $1,363,805 | $2,273,009 | $3,182,212 | ||
| Three-year total: $6,819,026 | Three-year present value: $5,509,185 | |||||
Increased Customer Loyalty/Acquisition
Evidence and data. Some of the interviewees believed there was a positive impact on revenue following the EverShield implementation.
- The senior associate, IRMP in consulting services said: “We’re bound by every compliance requirement that’s out there: HIPAA, personally identifiable information (PII), PCI security standards, etc. Having an insider threat program when we go through an audit and having those defined processes in that standard in place, even our cybersecurity insurance, reduces our risk. So it’s all favorable.”
- The PO and SME, cyber investigations DevOps in the oil and gas industry said: “We are now seeing 25 to 30 intellectual property cases per month — it could be corporate espionage — [including] info about significant changes, M&A, divestments, and sensitive financial data. Even data around exploring new drilling sites.”
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
- Following the implementation of EverShield and the insider risk management program, the composite gains incremental revenue from improved customer retention (by avoiding cases of insider data loss), and increased customer acquisition (by implementing a higher security threshold that some customers and partners require to do business).
- Customers, partners, and prospects gradually experience the impact, so the composite experiences benefits beginning the second half of Year 1. Revenue increases 0.025% in Year 1, 0.1% in Year 2, and 0.15% in Year 3, totaling $2.5 million, $10 million, and $15 million respectively. While it was not possible for the interviewees to quantify this benefit, Forrester made a conservative estimate.
- The composite’s operating profit margin is 12%.
Risks. The impact of this benefit could be lower if:
- The revenue impact is lower.
- The revenue impact takes longer.
- The profit margin is lower.
Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $2.4 million.
Increased Customer Loyalty/Acquisition
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|
| B1 | Incremental revenue from increased customer loyalty/acquisition | Composite | $2,500,000 | $10,000,000 | $15,000,000 | |
| B2 | Profit margin | TEI methodology | 12% | 12% | 12% | |
| Bt | Increased customer loyalty/acquisition | B1*B2 | $300,000 | $1,200,000 | $1,800,000 | |
| Risk adjustment | ↓10% | |||||
| Btr | Increased customer loyalty/acquisition (risk-adjusted) | $270,000 | $1,080,000 | $1,620,000 | ||
| Three-year total: $2,970,000 | Three-year present value: $2,355,147 | |||||
Employee Resignation Avoidance
Evidence and data. Some of the interviewees told Forrester that their organization used the EverShield solution to avoid terminations.
- The director of enterprise risk at a nonprofit organization told Forrester that, “We have, on average, one case per year where we are able to refute allegations and save an employee termination and not lose that capacity.”
- The security operations manager at a service provider explained: “We have cases when employees were just stressed out and wanted to leave; we were able to talk to their manager […] to console them and get them back on the path where they’re happy. […] We want to retain those employees who are valuable.”
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
- It can identify and retain four employees that otherwise would not have stayed.
- The average fully-burdened annual salary for an average employee is $100,000.
- The average employee termination, recruitment, and training costs are 1.5 times an employee’s salary.
Risks. The impact of this benefit could be lower if:
- The number of avoided terminations is lower.
- The average employee salary is lower.
- The costs associated with employee termination are lower.
Results. To account for these risks, Forrester adjusted this benefit downward by 5%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.8 million.
Employee Resignation Avoidance
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|
| C1 | Employee terminations avoided | Interviews | 5 | 5 | 5 | |
| C2 | Fully-burdened annual salary for an average employee | Composite | $100,000 | $100,000 | $100,000 | |
| C3 | Employee termination, recruitment, and training cost | 1.5x salary | $150,000 | $150,000 | $150,000 | |
| Ct | Employee resignation avoidance | C1*C3 | $750,000 | $750,000 | $750,000 | |
| Risk adjustment | ↓5% | |||||
| Ctr | Employee resignation avoidance (risk-adjusted) | $712,500 | $712,500 | $712,500 | ||
| Three-year total: $2,137,500 | Three-year present value: $1,771,882 | |||||
Unfair Dismissal Claims Cost Avoidance
Evidence and data. Interviewees highlighted they also received value from Everfox’s EverShield by avoiding costs related to unfair dismissal claims.
- The security operations manager at a service provider said: “We have the evidence if [an employee] does go to a termination hearing, and we’ve not lost one case yet. So then they have no unemployment compensation, so it saves money also.” The interviewee continued, “It’s hard to dispute video evidence such as what Everfox provided, especially when they have their face in the video camera.”
- The senior associate, IRMP in consulting services said, “If a lawyer can confront an individual early on in the process to say, ‘Hey, here’s exactly what we saw, when we saw it, and how we saw it,’ it can change the tone — they may be more willing to accept the severance package or to go away quietly.”
Modeling and assumptions. To quantify this benefit, Forrester made the following assumptions about the composite organization:
- It has a 5% employee involuntary termination rate.
- One percent of employees who were terminated involuntarily claim unfair dismissal, totaling 15 annually.
- Average avoided unfair dismissal costs totaled 50% of an employee’s average salary (i.e., $50,000).
Risks. The impact of this benefit could be lower if:
- The involuntary employee termination rate is lower.
- The number of employees claiming unfair dismissal is lower.
- The average cost per unfair dismissal claim is lower.
Results. To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.6 million.
Unfair Dismissal Claims Cost Avoidance
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|
| D1 | Employees | Composite | 30,000 | 30,000 | 30,000 | |
| D2 | Involuntary employee turnover rate | Composite | 5% | 5% | 5% | |
| D3 | Involuntary terminations | D1*D2 | 1,500 | 1,500 | 1,500 | |
| D4 | Percentage of involuntary terminations claiming unfair dismissal | Composite | 1% | 1% | 1% | |
| D5 | Unfair dismissal claims | D3*D4 | 15 | 15 | 15 | |
| D6 | Average cost per unfair dismissal claim | 50% * C2 | $50,000 | $50,000 | $50,000 | |
| Dt | Unfair dismissal claims cost avoidance | D5*D6 | $750,000 | $750,000 | $750,000 | |
| Risk adjustment | ↓15% | |||||
| Dtr | Unfair dismissal claims cost avoidance (risk-adjusted) | $637,500 | $637,500 | $637,500 | ||
| Three-year total: $1,912,500 | Three-year present value: $1,585,368 | |||||
Disgruntled Employee Damage Cost Avoidance
Evidence and data. Most of the interviewees highlighted avoiding costs associated with unhappy employees who wanted to cause damage prior to leaving the organization. This sometimes included physical violence and harm to other employees.
- The security operations manager at a service provider said: “We were able to get rid of a disgruntled user before they deleted files and caused harm to a high-priced printer. That was one of the finds [with EverShield]. … They were planning to delete all the files on the file share which could have been fully recovered, but it would have taken time to restore them.”
- The security operations manager continued: “We have three cases that ended up in law enforcement’s hands that have been pending over the last three years resulting in criminal proceedings. It’s about getting rid of the riskiest user that’s breaking the law. … We use EverShield to track risky users that are fixing to resign and want to cause harm on the network.”
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
- Annually, there is one case of a disgruntled employee planning to damage the company.
- Forrester estimates the average damage cost to be $701,500. This cost could include physical damage, data deletion, or other actions that impact network functioning or data use and includes the associated disruption and damage repair.
Risks. The impact of this benefit may be lower if:
- The frequency of such events is lower.
- The average damage cost is lower.
Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.6 million.
Disgruntled Employee Damage Cost Avoidance
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|
| E1 | Baseline disgruntled employee damage incidents (non-data exfiltration related) | Interviews | 1 | 1 | 1 | |
| E2 | Damage cost | Assumption | $701,500 | $701,500 | $701,500 | |
| E3 | Percentage reduction in incidents due to Everfox | Interviews | 98% | 98% | 98% | |
| Et | Disgruntled employee damage cost avoidance | E1*E2*E3 | $687,470 | $687,470 | $687,470 | |
| Risk adjustment | ↓10% | |||||
| Etr | Disgruntled employee damage cost avoidance (risk-adjusted) | $618,723 | $618,723 | $618,723 | ||
| Three-year total: $1,856,169 | Three-year present value: $1,538,673 | |||||
Data Loss Cost Avoidance
Evidence and data. One of the most important objectives for all interviewees was to reduce their organization’s risk of data loss from insiders.
- The security operations manager at a service provider told Forrester: “We stopped the data exfiltration of protected data on a USB device on multiple occasions. That risk if lost would be in the millions; one of them had 8,000 records and it was PII, so you can put a dollar amount to that.”
- The PO and SME, cyber investigations DevOps in the oil and gas industry said: “It’s very difficult to know what the cost could have been: $1 or $1 million? We estimated that for one of the bigger cases it was $5.1 million. We recover classified docs, USBs, etc. In one case, an employee tried to download the whole SharePoint site.”
- The senior associate, IRMP in consulting services said, “The big lift part of this is that you’re preventing exfiltration of corporate data.”
Modeling and assumptions. Forrester used data from its annual security survey3 to calculate the impact of this benefit on the composite. The survey included responses from 2,769 security decision-makers. A subsegment relevant to the composite, i.e., 80 respondents that are based in North America and work at organizations with over 20,000 employees whose organizations have experienced a breach in the last 12 months, are used to quantify this benefit.
- A 60% likelihood of at least one breach annually.
- The portion of breaches from internal events is 23%.
- The mean cumulative cost of breaches for an organization like the composite is $3.34 million. Note that this includes all related costs including remediation, lost revenue, and reputational and productivity impacts.
- A 98% risk reduction following the implementation of Everfox.
Risks. The impact of this benefit may be lower for the composite organization because:
- The security setup is maturer, reducing the likelihood of at least one breach.
- The cumulative cost of breaches is lower.
Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.1 million.
Data Loss Cost Avoidance
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|
| F1 | Likelihood of at least one breach | Forrester security survey | 60% | 60% | 60% | |
| F2 | Portion of data breaches from internal events | Forrester security survey | 23% | 23% | 23% | |
| F3 | Mean cumulative cost of breaches | Forrester security survey | $3,344,000 | $3,344,000 | $3,344,000 | |
| F4 | Annual risk exposure to breaches addressable with Everfox | F1*F2*F3 | $461,472 | $461,472 | $461,472 | |
| F5 | Risk reduction from Everfox | Interviews | 98% | 98% | 98% | |
| Ft | Data loss cost avoidance | F4*F5 | $452,243 | $452,243 | $452,243 | |
| Risk adjustment | ↓5% | |||||
| Ftr | Data loss cost avoidance (risk-adjusted) | $429,630 | $429,630 | $429,630 | ||
| Three-year total: $1,288,891 | Three-year present value: $1,068,427 | |||||
Unquantified Benefits
Interviewees mentioned the following additional benefits that their organization experienced but were not able to quantify:
- Improved employee experience. Some of the interviewees believed the EverShield solution, along with the insider risk program, had improved the overall employee experience. Employees see leaders dealing with inappropriate behavior quickly and efficiently. They may also see that the organization has proactive policies to support employees who are stressed, unwell, or considering self-harm, improving trust. A better employee experience can positively impact factors such as employee turnover rates, productivity, sickness, and absenteeism.
- Improved employee behaviors. An important part of the insider risk program that all interviewees highlighted using it to support changes and employee behavior improvement. Specifically, automated reminders could steer employees from unwanted, inappropriate, or otherwise risky behaviors.
Flexibility
The value of flexibility is unique to each customer. There are multiple scenarios in which a customer might implement EverShield and later realize additional uses and business opportunities, including:
- Policy adjustment and updating. All interviewees highlighted the ease of changing and adjusting policies as a key platform benefit. They quickly address specific user groups when needed and use the tool to add and update use cases. The security operations manager in consulting services provided an example: “One other thing; a request of our leadership: We have added a dictionary file with all of our executives in it, then we’re monitoring for threats against those individuals. We are able to act quickly in such urgent cases.”
- Additional modules and functionality. Everfox EverShield includes several different components. Customers can add new modules or components when needed, delivering additional deployment flexibility. For example, analytics or user behavior insights are components that some of the interviewees’ organizations chose to add as their insider risk management programs matured. Everfox continues to develop the platform and add functionality.
Flexibility would also be quantified when evaluated as part of a specific project (described in more detail in Appendix A).
Quantified cost data as applied to the composite
Total Costs
| Ref. | Cost | Initial | Year 1 | Year 2 | Year 3 | Total | Present Value |
|---|---|---|---|---|---|---|---|
| Gtr | Licensing fees | $0 | $1,417,500 | $1,575,000 | $1,732,500 | $4,725,000 | $3,891,942 |
| Htr | Platform deployment and insider risk program creation | $228,096 | $0 | $0 | $0 | $228,096 | $228,096 |
| Itr | Platform and program maintenance | $0 | $165,000 | $165,000 | $165,000 | $495,000 | $410,331 |
| Total costs (risk-adjusted) | $228,096 | $1,582,500 | $1,740,000 | $1,897,500 | $5,448,096 | $4,530,369 | |
Licensing Fees
Evidence and data. Licensing fees depend on the number of endpoints on which organizations implement the platform. Everfox charges an annual fee per endpoint.
Modeling and assumptions.
- The composite implements the EverShield solution on the 30,000 endpoints; each employee uses one endpoint on average.
- The fee per endpoint is $45 in Year 1, $50 in Year 2, and $55 in Year 3. The rate increases as the composite adds additional platform capabilities.
Risks. There is a small risk that the cost per endpoint could be higher; prices change depending on region and timing.
Results. To account for these risks, Forrester adjusted this cost upward by 5%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $3.9 million.
Licensing Fees
| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|---|
| G1 | Number of endpoints | Composite | 30,000 | 30,000 | 30,000 | ||
| G2 | Everfox price per endpoint | Everfox | $45 | $50 | $55 | ||
| Gt | Licensing fees | G1*G2 | $0 | $1,350,000 | $1,500,000 | $1,650,000 | |
| Risk adjustment | ↑5% | ||||||
| Gtr | Licensing fees (risk-adjusted) | $0 | $1,417,500 | $1,575,000 | $1,732,500 | ||
| Three-year total: $4,725,000 | Three-year present value: $3,891,942 | ||||||
Platform Deployment And Insider Risk Program Creation
Evidence and data. Only one of the interviewees’ organizations had an insider risk management program prior to the EverShield investment; the other three had to invest time and resources in creating one. The platform deployment took most organizations a few weeks, with groups of endpoints being rolled out at a time.
- The senior associate, IRMP in consulting services said, “It probably took close to three months to build the program.”
- The PO and SME, cyber investigations DevOps in the oil and gas industry said: “For us it was a complex setup because of different laws and languages across our global footprint. It took 24 months for full deployment for eight people; if we were North America only, it would have taken three to six months.”
Modeling and assumptions. The composite organization spent six months creating the insider risk management program and deploying the EverShield platform.
- Program creation and platform deployment involved 30 FTEs, including members of the leadership team, HR, legal, and IT. Employees representing the workforce were also involved.
- On average, each of these 30 FTEs spend four hours per week over a six-month period.
- The average salary of those involved in program creation and platform deployment is $150,000, equivalent to an hourly rate of approximately $72.
Risks. It is possible that the cost will be higher for organizations like the composite if program creation and platform deployment:
- Involves more employees.
- Requires more time.
- Includes higher average salaries and hourly rates of involved employees.
Results. To account for these risks, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $228,000.
Platform Deployment And Insider Risk Program Creation
| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|---|
| H1 | FTEs needed for platform deployment and program creation | Interviews | 30 | ||||
| H2 | Hours per FTE (4 hours per week for six months) | Interviews | 96 | ||||
| H3 | Fully burdened annual salary for employees involved in platform deployment and program creation | Composite | $150,000 | ||||
| H4 | Fully burdened hourly rate for employees involved in platform deployment and program creation | H3 / 2,080 | $72 | ||||
| Ht | Platform deployment and insider risk program creation | H1*H2*H4 | $207,360 | $0 | $0 | $0 | |
| Risk adjustment | ↑10% | ||||||
| Htr | Platform deployment and insider risk program creation (risk-adjusted) | $228,096 | $0 | $0 | $0 | ||
| Three-year total: $228,096 | Three-year present value: $228,096 | ||||||
Platform And Program Maintenance
Evidence and data. Each interviewee had different context from their prior situation. One already had an insider risk management program that was unsupported by specific technology. The others had some insider threat capabilities in their previous, broader cybersecurity setup. Furthermore, the size of the insider risk team depended on the extent of use cases to be covered.
Modeling and assumptions. The composite has two analysts dedicated to insider risk but lacks a formal program or platform. Following the program creation, as described above, one additional FTE is added to these two existing analysts, resulting in three dedicated analysts in the insider threat team. The average fully burdened annual salary for an analyst is $150,000.
Risks. The value of this benefit varies, depending on:
- The salary of the analyst could be higher.
- The total time required for platform and program maintenance could require more than one additional FTE.
Results. To account for these risks, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $410,000.
Platform And Program Maintenance
| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|---|
| I1 | Additional FTEs for platform maintenance and program management | Interviews | 1 | 1 | 1 | ||
| I2 | Fully burdened annual salary for a platform and program maintenance analyst | Composite | $150,000 | $150,000 | $150,000 | ||
| It | Platform and program maintenance | I1*I2 | $0 | $150,000 | $150,000 | $150,000 | |
| Risk adjustment | ↑10% | ||||||
| Itr | Platform and program maintenance (risk-adjusted) | $0 | $165,000 | $165,000 | $165,000 | ||
| Three-year total: $495,000 | Three-year present value: $410,331 | ||||||
Consolidated Three-Year, Risk-Adjusted Metrics
Cash Flow Chart (Risk-Adjusted)
Total costs Total benefits Cumulative net benefits Initial Year 1 Year 2 Year 3-
The financial results calculated in the Benefits and Costs sections can be used to determine the ROI, NPV, and payback period for the composite organization’s investment. Forrester assumes a yearly discount rate of 10% for this analysis.
These risk-adjusted ROI, NPV, and payback period values are determined by applying risk-adjustment factors to the unadjusted results in each Benefit and Cost section.
Cash Flow Analysis (Risk-Adjusted)
| Initial | Year 1 | Year 2 | Year 3 | Total | Present Value | |
|---|---|---|---|---|---|---|
| Total costs | ($228,096) | ($1,582,500) | ($1,740,000) | ($1,897,500) | ($5,448,096) | ($4,530,369) |
| Total benefits | $0 | $4,032,159 | $5,751,362 | $7,200,565 | $16,984,086 | $13,828,682 |
| Net benefits | ($228,096) | $2,449,659 | $4,011,362 | $5,303,065 | $11,535,990 | $9,298,313 |
| ROI | 205% | |||||
| Payback | <6 months | |||||
Appendix A: Total Economic Impact
Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.
Total Economic Impact Approach
-
Benefits represent the value the solution delivers to the business. The TEI methodology places equal weight on the measure of benefits and costs, allowing for a full examination of the solution’s effect on the entire organization.
-
Costs comprise all expenses necessary to deliver the proposed value, or benefits, of the solution. The methodology captures implementation and ongoing costs associated with the solution.
-
Flexibility represents the strategic value that can be obtained for some future additional investment building on top of the initial investment already made. The ability to capture that benefit has a PV that can be estimated.
-
Risks measure the uncertainty of benefit and cost estimates given: 1) the likelihood that estimates will meet original projections and 2) the likelihood that estimates will be tracked over time. TEI risk factors are based on “triangular distribution.”
The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. PV calculations are calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur.
Appendix B: Supplemental Material
Related Forrester Research
The Insider Risk Solutions Landscape, Q2 2024, Forrester Research, Inc., May 3, 2024.
Manage Insider Risk With Zero Trust, Forrester Research, Inc., July 6, 2023.
Appendix C: Endnotes
1 Source: Eric Shaw and Laura Sellers, Application of the Critical-Path Method to Evaluate Insider Risks. Studies in Intelligence, June 2015.
2 Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.
3 Source: Data analysis of data from Forrester Security Survey, 2024.
PDF
