
How to measure the ROI of your security awareness program

December 18, 2019 by Megan Sawle

Everyone knows security awareness training is important, but how can organizations measure the success of their security awareness program?

Osterman Research’s president and analyst Michael Osterman joined security awareness guru Lisa Plaggemier to discuss why everyone should measure the return on investment (ROI) of their security awareness program. In a webinar titled “The ROI of Security Awareness Training,” they examined Osterman’s recent report, which analyzed data from 230 organizations with security awareness programs, alongside Infosec’s own ROI calculator.

What is the ROI of security awareness training?

The ROI of security awareness training is defined as “the financial gain achieved as a result of the investment and implementation of a security awareness training program.”

While security awareness training doesn’t directly generate revenue, its financial gain is measured as the money saved through reduced cyber risk: fewer successful attacks, less remediation effort and less lost productivity.

You can read more about ROI calculation and Infosec’s calculator here.

3 security awareness training considerations

Michael and Lisa discussed the different factors that go into calculating security awareness training ROI. Here are three considerations.

1. Cost of routine security
The size of an organization is essential to calculating its cost of routine security practices, Michael explained.

“The mean, monthly hours that are spent disinfecting workstations and networks after an infection works out in smaller organizations to about $29.23 per user, per year. For larger organizations that cost drops to $5.28 per user, per year. Keep in mind these costs are going to vary widely in your particular situation based on the salaries of your IT staff, the frequency of training you provide, or the training you don’t provide.”

2. Remediating major events
The model assumed that one major event occurred per year, an incident that wipes out or shuts down a large segment of an organization’s network.

“If we look at the IT or security hours required to remediate just one of these major events, like a ransomware or a malware infection, we’re looking at a cost of $7.51 per user, per year, for smaller organizations,” Michael said. “For larger organizations it’s actually more expensive, $28.11 per user, per year, and that’s largely because these kinds of events tend to be much more impactful for a larger organization.”

3. Productivity losses
Productivity loss is a major factor in ROI calculation that tends to fly under the radar because no invoice is ever issued for it.

“Productivity loss is not a cost for which you’re going to be writing a check,” Michael said. “Some decision makers are a little bit resistant to considering productivity loss as a real cost of these kinds of events. We assume employees are going to make up the time on their own. They’ll work from home. They’ll stay in the office longer, but even if that occurs, you do have productivity loss that arises from security incidents. So you absolutely need to consider it as a key component of any ROI calculation.”

Opportunity cost of not having an awareness program

Despite what skeptics may think, security awareness training doesn’t consume significant employee time and resources. Osterman’s report found that productivity loss from employee time spent in security awareness training is only about 15%. They also estimated that “the effectiveness of major attacks from having good security awareness training after an employee has been well trained on detecting phishing is 90%.”

Lisa further emphasized the benefits of security awareness training.

“No matter how aggressive or conservative you are with the numbers, I can’t imagine a situation where you can’t show any ROI at all.”

Costs and returns of security awareness training

Companies without security awareness programs can incur massive costs, including regulatory penalties. The EU’s recently implemented General Data Protection Regulation (GDPR) enacts strict regulations on data protection and privacy. In the U.S., all 50 states have data breach notification laws, and the California Consumer Privacy Act (CCPA) will impose similar regulations in the U.S. when it goes into effect in 2020.

As Michael summed it up: “What we found in our research is that good security awareness training can dramatically reduce the likelihood of cyber threats becoming successful.”

Want to calculate your ROI? Check out Infosec’s calculator here and learn how much your organization will benefit from security awareness training.


Megan Sawle is a communications and research professional with 10 years of experience in cybersecurity, bioscience and higher education. Megan leads Infosec’s research strategy, leveraging study findings to mature its cybersecurity education offerings and build awareness of cybersecurity diversity and skill shortage challenges. Since joining the team, she’s directed research projects on a wide variety of cybersecurity topics ranging from dark web marketplaces and phishing kits to the Workforce Framework for Cybersecurity (NICE Framework) and the importance of soft skills in cybersecurity roles. Megan is a University of Wisconsin-Stout graduate, an avid equestrian and (very) amateur mycologist.