Stats & Trends
Jonathan Crowe
Sep 2017

Security False Positives Cost Companies $1.37 Million a Year on Average

Photo by David Trawin

New survey results indicate more than half of security alerts are false positives, and companies waste an average of 425 hours each week chasing them.

As malware continues to rapidly evolve and multiply, there is increasing pressure on organizations to do two things:

  1. Preemptively identify and block new and/or polymorphic threats
  2. Gain better visibility into system activity to detect in-progress or successfully completed attacks more quickly

To help organizations respond to the first challenge, many antivirus vendors and newer endpoint protection platforms (EPP) have been turning to machine learning to build predictive models that allow them to branch out from traditional file signature-based blacklisting and make increasingly informed decisions on whether the new software they encounter is good or bad.

Endpoint detection and response (EDR) solutions, meanwhile, have sprung up to help organizations address task #2, collecting more and more data in the hopes of spotting indicators of compromise (IOCs) and indicators of attack (IOAs) earlier and more comprehensively.

Both approaches represent meaningful steps forward in the ongoing fight against malware, but unfortunately neither is without its downsides or collateral costs. For one thing, EDR solutions contribute heavily to the ever-growing tsunami of data IT and security teams are already expected to parse (nearly 40% of organizations collect, process, and analyze more than 10 terabytes of data as part of security operations each month).

But more data isn't the only challenge. The majority of both EDR and EPP solutions also create more than their fair share of security alerts — something most IT and security pros say they need about as much as a hole in the head.  

After all, the majority of those alerts are false positives. 

False positives are one of the biggest hidden costs of endpoint security

According to a recent Ponemon study, on average, 55 percent of the endpoint security alerts enterprise organizations receive are considered unreliable and erroneous. As a result, those companies waste an average of 425 hours a week responding to and investigating false positives, costing them an average of $1.37 million annually.

Companies now waste an average of 425 hours a week responding to false positives.

— "The Cost of Insecure Endpoints" (Ponemon)

That's up from an average of 395 hours a week wasted on false positives in 2015, according to another Ponemon study from that year. Over the span of two years, as protection has evolved, false positives have gotten worse. Why?

Part of the reason may have to do with the way threats have evolved. Not only are we continuing to see dramatic increases in both the volume and variety of malware samples being produced, attackers are also increasingly utilizing tactics that don't require dropping portable executable (PE) files to disk. 

As a result, endpoint security solutions are facing increasing pressure not only to identify and block new executable files they've never seen before, but to analyze and make judgment calls on much more: scripts, macros embedded in Office docs, in-memory processes, etc.

In other words, traditional endpoint security solutions are getting pushed out of their comfort zone. Their job has gotten significantly harder, and the answer for many vendors has been to turn to machine learning for help.  

Machine learning is undoubtedly a very powerful tool, and it has clearly helped vendors make marked improvements in their protection, but it means many things to different people, and it really all comes down to how it's being applied. A model trained on a sample set in which good and malicious software are badly out of balance can easily end up biased toward whichever class dominates the training data, and a model skewed toward "malicious" will treat anything unfamiliar as a threat. Good software and malicious software are also evolving all the time, so how often models are retrained and updated is another important factor.

As vendors are iterating and getting their models up to speed, the tendency has typically been to err on the side of caution and more aggressive flagging. As a result, anything new or out of the ordinary is seen as suspicious. On one hand, that makes perfect sense. "Better safe than sorry" is what security is all about. But there is a line where false positives start having a disproportionate, disruptive impact on how organizations are able to run effectively, and in some cases they can even have a detrimental "boy who cried wolf" effect, reducing faith in alerts on the whole.

3 in 10 IT pros admit to ignoring security alerts due to high volumes of false positives.

— Cloud Security Alliance

According to our own recent survey of IT pros, the pain of managing false positives isn't limited to wasted time:

  • 42 percent of companies have seen a noticeable drop in productivity from end users due to false positives (for example, time lost when the IT team has to reimage employee machines).

  • 55 percent of IT and security pros report that increases in false positives have forced them to revisit their whitelisting and make it more complex.



Calculate how much false positives are costing your company 

While false positives have generally come to be considered a standard cost of strong security, there is clearly a line where that cost becomes untenable.

Before you get locked into a(nother) multi-year commitment for a security product, make sure you've determined where that line is for you. To help, we've created a simple calculator that can help you put a dollar amount on the false positives you're currently seeing:

Download the Endpoint Security Hidden Costs Calculator (note: the link will download an excel file)
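To make the two mechanisms above concrete (how an aggressively tuned detector fills the alert queue with false positives, and how those alerts turn into the hours and dollars the calculator is meant to capture), here is an added worked example. It is written for this page and is not Barkly's calculator, Barkly's model, or any vendor's code. The event volume, base rate of malicious events, detector operating points, and minutes per alert are constructed assumptions; the only figures taken from the post are the Ponemon numbers (425 hours a week, $1.37 million a year), which the example uses to back out the loaded hourly rate they imply.

```python
"""Added worked example (not from the original post or Barkly's calculator):
how a detector's flagging threshold turns into a false-positive share,
and how that share turns into analyst-hours and dollars.

All inputs below are constructed assumptions for illustration except the
two Ponemon figures quoted in the post (425 hours/week, $1.37M/year).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Detector:
    """Operating point of an endpoint classifier at a chosen threshold."""
    tpr: float  # share of malicious events it flags (detection rate)
    fpr: float  # share of benign events it also flags


def alert_mix(detector: Detector, events_per_week: float, malicious_fraction: float):
    """Expected (true_alerts, false_alerts) per week for a given event volume."""
    malicious = events_per_week * malicious_fraction
    benign = events_per_week - malicious
    return malicious * detector.tpr, benign * detector.fpr


def false_positive_share(detector: Detector, malicious_fraction: float) -> float:
    """Fraction of all alerts that are false positives (1 - precision).

    Depends only on the detector's operating point and the base rate of
    malicious events, not on the absolute event volume.
    """
    true_alerts, false_alerts = alert_mix(detector, 1.0, malicious_fraction)
    return false_alerts / (true_alerts + false_alerts)


def weekly_false_positive_hours(false_alerts_per_week: float, minutes_per_alert: float) -> float:
    """Analyst hours per week spent triaging alerts that turn out to be benign."""
    return false_alerts_per_week * minutes_per_alert / 60.0


def annual_false_positive_cost(hours_per_week: float, hourly_rate: float, weeks: int = 52) -> float:
    """Dollar cost per year of the false-positive hours at a loaded hourly rate."""
    return hours_per_week * hourly_rate * weeks


def implied_hourly_rate(annual_cost: float, hours_per_week: float, weeks: int = 52) -> float:
    """Back out the loaded hourly rate a published cost figure assumes."""
    return annual_cost / (hours_per_week * weeks)


if __name__ == "__main__":
    # Constructed assumptions: 1 in 1,000 new files/processes seen per week
    # is actually malicious; triaging a false alert takes 30 minutes.
    BASE_RATE = 0.001
    EVENTS_PER_WEEK = 200_000
    MINUTES_PER_ALERT = 30

    # The Ponemon figures quoted in the post imply this loaded hourly rate.
    rate = implied_hourly_rate(1_370_000, 425)
    print(f"Implied loaded rate behind the Ponemon numbers: ${rate:,.0f}/hour")

    # Same classifier, three thresholds: each step toward "flag anything new"
    # raises the FPR, and at a 0.1% base rate the queue fills with noise.
    for fpr in (0.0001, 0.001, 0.01):
        det = Detector(tpr=0.99, fpr=fpr)
        _, false_alerts = alert_mix(det, EVENTS_PER_WEEK, BASE_RATE)
        hours = weekly_false_positive_hours(false_alerts, MINUTES_PER_ALERT)
        cost = annual_false_positive_cost(hours, rate)
        print(f"FPR {fpr:.2%}: {false_positive_share(det, BASE_RATE):.0%} of alerts false, "
              f"{false_alerts:,.0f} false alerts/week, {hours:,.0f} h/week, ${cost:,.0f}/year")
```

The point the table makes is that the false-positive share is driven by the base rate, not by raw accuracy: with only one malicious event per thousand, a detector that catches 99% of malware and misfires on just 1% of benign software still produces an alert stream that is roughly nine parts noise to one part signal, and tightening the FPR by an order of magnitude (0.1%) brings the mix to about half and half, which is the territory the Ponemon figure describes. Plugging in your own event volume, triage time, and loaded rate gives the same kind of annual figure the calculator produces.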

How Barkly avoids false positives

At Barkly, we employ a different approach to utilizing machine learning. We analyze each organization's unique software profile and deploy tailored protection models that maximize coverage and accuracy for that organization specifically. It's a more responsive take on machine learning that results in the best of both worlds: stronger protection with fewer false positives and less noise at the same time.

Find out more about how Barkly's responsive machine learning works by checking out our product page or seeing a demo in action.

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.
