Measuring the ROI of Security Training

December 21, 2011 by Ian Palmer


Learn the best practices for developing a security awareness training program that is engaging. Engaging awareness programs have been shown to change more users’ behavior and are seen as an asset for your organization instead of annoyance. 


Marc Winner hasn’t come up with a way to precisely measure the return on investment for security training. What he does know for certain, however, is that the $100,000 or so that his company spends annually to keep employees on their toes is part of the price of operating in the web security space.

According to Winner, director of information technology and information assurance at WhiteHat Security, questioning whether or not to invest in security training is a bit like asking whether or not his Santa Clara, California-based company wants to stay in business. After all, clients, some of them Fortune 500 companies that stand to lose millions per successful attack, don’t want to work with service providers that fail to properly train their own staff.

“I don’t have a real hard number that I could say I put in 100k and my ROI was 250k,” he acknowledges, adding that all of the company’s workers receive security training specific to their job functions. “I don’t have that kind of a number. But I can say with a straight face that if I didn’t do it we wouldn’t be getting the [contracts] that we get.”

Winner started the formal security awareness program at WhiteHat in June 2010, or 18 months ago, to prepare for expected rapid growth. Since then, WhiteHat’s revenue has grown year-over-year by 50%. And the employee base, which was only 60 as recently as January 2010, now sits at 140.

Winner stresses that measuring the ROI for training isn’t as easy as it might appear to be. Victor Nappe, chief executive officer of SECNAP Network Security, agrees and also insists that regulations governing some industries actually override ROI considerations. Meanwhile, security analyst Karen Quagliata, Ph.D., acknowledges not only that measuring ROI is difficult, but also that certain laws make some types of training mandatory irrespective of ROI. She adds, however, that companies can still follow some general guidelines to do a better job of measuring ROI.
Can It Be Done?

Although measuring ROI can be a challenge, there are numerous formulas that companies can use to gauge the cost-effectiveness of their expenditures. One of the simpler formulas for determining ROI, which is defined on as “a performance measure used to evaluate the efficiency of an investment or to compare the efficiency of a number of different investments,” is demonstrated as follows:

         Financial Gain Amount
 ROI = -------------------------
       Complete Investment Amount

Based on this simple formula, a company that, for instance, invests a total of $1,000,000 and, as a result, earns $1,250,000, obviously realizes a gain of $250,000. After dividing the gain, or $250,000, by the amount invested on training, in this case $1,000,000, the result is an ROI of 25%.

While this and other more complex formulas might provide a good starting point, companies still have to figure out the cost of making repairs after a breach, the value of lost revenue and lost productivity stemming from downtime, and the cost of restoring damaged corporate reputations. It follows that companies that are better able to come up with the right numbers will be able to plug them into a suitable formula and then calculate the ROI of security training efforts.

Is Measuring ROI Always Necessary?

SECNAP, a boutique cyber security company based in Boca Raton, Florida, develops and provides next-generation IT solutions that enable businesses to operate securely and privately online.

According to CEO Nappe, whose company was founded in 2001 and has just under 50 workers, ROI, at the best of times, can be hard to nail down. Furthermore, laws governing some sectors are such that companies tend to be more focused on compliance to avoid possible fines and/or jail time than on ROI.

“In healthcare, where we’re actually very focused, the laws that are now being passed and [that] have been passed are so strong that the ROI is thrown out the window,” says Nappe, an Internet entrepreneur and e-commerce professional specializing in technology, mergers and acquisitions, and venture capital. He adds that this is the case because “by not having security you don’t only subject your company to [possible] fines, but you subject yourself to [possible] jail time as an officer of a healthcare records company…”

Some Guidelines

Having conducted research on security awareness for her doctorate in 2010, Dr. Quagliata, who lives in St. Louis, Missouri, and works in the financial services industry, says that the topic is near and dear to her heart.

While acknowledging that trying to measure the ROI of security training isn’t an easy task, she notes that there are at least two variables that companies need to consider if they are serious about determining the effectiveness of training.

“First, I think it needs to be tailored to your company’s needs,” says Dr. Quagliata. “It’s definitely not a one-size-fits-all mindset. For example, some industries are highly regulated such as financial services or the insurance industry and some are less regulated.”

Companies operating in industries where regulations clearly spell out penalties if security training is not provided ought to know exactly what they should be measuring, she says

“Another variable would be just know your risk,” she adds. “So that means know your environment, your company’s environment, and what kind of risk is there because what you’re trying to do is…translate your employees’ behavior into something that can be measured with a dollar sign. That’s a very hard thing to do. But the best way to do that is to quantify risks in your organization.”

This means conducting a thorough risk assessment, she explains. And, once this critical step is accomplished, companies also need to consider how much it would cost them if their systems are hacked, if their programmers have to go back and re-write code that’s not secure and if there is downtime related to an attack.

Getting answers to these questions will help companies to better generate a reliable ROI figure.

Posted: December 21, 2011
Articles Author
Ian Palmer
View Profile

A Canadian currently based in Ontario, Canada, Ian is a researcher for InfoSec Institute. Over the years, he has written for a number of IT-related sites such as, and