Keeping in the computer space of the post Dave referenced, it is a very high probability your user base will receive socially engineered emails - in fact, I've received several in the past week, all from previous clients, sent from their own mail systems, and including previous correspondence we've had.  This is the cause: https://arstechnica.com/information-technology/2019/09/worlds-most-destructive-botnet-returns-with-stolen-passwords-and-email-in-tow/  Some of them have had to take their mail systems completely off-line.

There is a very low probability I would ever fall for one of those as I have been dealing with such stuff since email was basically invented, probably well over a million emails to date, and am well aware that you don't click on a link to download a file from somewhere (especially one with a goofy-looking "secure PDF" icon) or open an attachment without running it through a meta virus/malware engine (I recommend https://www.virustotal.com/gui/home/upload - you will be amazed how many payloads are missed if you are relying on one popular antivirus/malware engine).  In addition, my choice of OS also reduces the probability of damage and I call the client using a known phone number (not one in the suspicious email) if necessary.  And other measures I won't detail here.

However, if you have a bunch of younger or inexperienced employees (and don't forget, today's generation does not use email unless forced to for school or work), they are likely to bite on a "new purchase order" with previous email correspondence no matter how well you have trained them.  I just had to take an email security training module for the local university where I teach one class and I while it has good intentions, it's one of many training modules they throw at employees to check off boxes and, because of this, it means that the average user is just hitting Next to get through it as quickly as possible.

My point here is that it's a pretty good bet that if your firm is a small business without a dedicated IT staff and/or a sophisticated threat system to block these things that you are going to by successfully hit by this kind of threat.  And therefore, at the very least, you should at least have a plan to deal with it if you are.  The risk matrix here is very accurate.

However, that is not to say a Bayesian or other approach could not be more accurate or complementary.  My observation above about virus checkers is proof positive of the dangers of relying on one system/method and thinking you're set.   Analyze in multiple ways, understand the limitations of each, look to overlap/complement, and proceed with caution.

Rob Toreki