Measuring ROI for DMARC

I’m pleased to be able to share work that Shostack & Associates and the Cyentia Institute have been doing for the Global Cyber Alliance. In doing this, we created some new threat models for email, and some new statistical analysis of

It shows that the 1,046 domains that have successfully activated strong protection with GCA’s DMARC tools will save an estimated $19 million to $66 million by limiting business email compromise (BEC) in 2018 alone. These organizations will continue to reap that reward every year in which they maintain the deployment of DMARC. Additional savings will be realized as long as DMARC is deployed.

Their press release from this morning is here and the report download is here.

1 Comment on "Measuring ROI for DMARC"

  1. Dear Adan,

    We at Adversary (see further details about us below) admire your blog and wanted to draw your attention to the fact that we have now launched the first replica of the recent Facebook breach. The reason for this email is that we thought you would find this interesting.

    The replica, called “OpenBook”, focuses on giving developers the opportunity to try for themselves how Facebook was hacked. The OpenBook application provides similar functionality to Facebook, including the vulnerabilities associated with the infamous “View As”, “birthday” features, token access and view messages of Page admins.

    The purpose of this application is to ensure developers better understand this vulnerability in a fun and engaging way and learn from the mistakes that were made. Effectively, we offer this application free for developers and other enthusiasts to try out, with the goal that they write better, more secure code in the future.

    Please see here information about the Facebook breach and the mission –

    If you have any questions or comments about this feel free to contact us.

    Thank you in advance.

    About Adversary
    Adversary is a subsidiary of the Icelandic information security company Syndis. Adversary offers an online platform for cybersecurity training with emphasis on understanding software vulnerabilities. Trainees put themselves in the shoes of the attacker and learn why vulnerabilities arise and understand proper mitigation. The training is hands-on, providing more effective skills than passive knowledge. The platform uses gamification to further engage users. Topics for exercises are focused on OWASP Top 10 and PCI vulnerabilities. Exercises are continuously updated to be current and most relevant for helping mitigate risks early in software development cycles at companies.

    Managers are provided with tools to individually monitor progress, hence identifying improvement areas of their technical teams and also suitable as part of recruitment process. According to their specific needs, managers can define specific training campaigns for their teams, meet required certifications as ISO27001/PCI and it enables the company to save money by preventing costly and embarrassing breaches.

    Further information about the company and platform can be found on (

    Best regards,

    Árni S. Pétursson
    Head of Business Development
    Mobile: +354 865 2009
