The ROI of security awareness training
For organizations that have experienced a data breach or ransomware attack, the benefits of security awareness training couldn’t be more clear. But for organizations that only run security awareness training to remain compliant, or security teams that have never run an employee training program, these benefits may seem abstract. With many organizations facing understaffed IT and security departments with limited time and budget, it’s smart to ask, “Do the benefits of security awareness training outweigh the costs?”
We live in a data-driven world, and let’s face it: no evidence is more compelling than costs and returns. Measuring the financial return of technology isn’t a novel idea. In fact, according to Osterman Research, 88% of organizations already measure the ROI of their technology-based infrastructure. So why aren’t we doing the same to measure the return of security awareness training?
Thanks to new data, we can, and it’s easier than ever before. In this post, we break down the costs and benefits of running an employee training program and show you how to calculate the ROI of security awareness training at your organization.
Want to calculate your organization’s security awareness and training ROI now?
- What is security awareness training ROI?
- Calculate security awareness ROI
- Calculate your own ROI
What is security awareness training ROI?
The ROI of security awareness training quantifies the financial gain achieved as a result of the investment and implementation of a security awareness training program. Obviously, security awareness training does not generate revenue. Instead, financial gain is measured as the dollar value saved as a result of reduced cyber risk.
Why is security awareness ROI useful?
Because security awareness training is a preventative effort, it is too often seen as an immeasurable pursuit. In truth, there are dozens of ways to measure the impact of security awareness training and the behavior change it inspires. Security awareness ROI goes one step further by comparing the financial benefits and costs of running a program.
You can use the ROI of security awareness training as a tool to help you:
- Achieve leadership buy-in for a new security awareness training program
- Secure budget to start or expand an existing program
- Justify hiring awareness-focused security staff
Security awareness training defined
Security awareness training has two major components. The first is cybersecurity training courses. Security awareness training is a proactive approach to prepare employees for cyber attacks they are most likely to face. Security awareness courses typically include computer-based training modules, interactive exercises and assessments covering the core cybersecurity topics each employee should be familiar with.
The second component of security awareness training is simulated phishing training. Simulated phishing programs deliver realistic email templates to employees to see how they behave when a phishing email hits their inbox. Employees who click a phishing email or reveal sensitive information are delivered training in real-time to help them avoid phishing attacks in the future.
Although security awareness programs vary in style and complexity, the ROI calculations below refer to security awareness training that includes both awareness and phishing simulation training for every employee.
Does security awareness training really work?
The costs and benefits used to calculate the ROI of security awareness training are derived from the cyber risk reduction resulting from employee training. Because of this, it’s fair to ask how effective security awareness training really is at reducing cyber risk.
According to Osterman Research, employees who receive security awareness training are significantly better at recognizing security threats than those who have not received training.
(Figure: Percentage of IT/security professionals reporting employees as “capable” or “very capable” of recognizing cyber attacks)
Furthermore, with 32% of breaches involving phishing attacks, which security tools often fail to stop, it is no surprise that NIST recommends security awareness training for every organization.
Based on data from Osterman Research, the security awareness ROI calculations below factor in the average cyber risk reduction for a trained, cyber-aware workforce. However, you can adjust the risk reduction percentage as you see fit to produce the most accurate measure of ROI for your organization.
Step 1: measure your security costs
To measure the ROI of security awareness training, we must first measure the following costs:
- Costs from routine security practices
- Costs to remediate major security events
- Costs from employee productivity loss
Costs from routine security practices
These figures reflect the annual, per-user costs for IT/security staff to disinfect employee workstations.
Costs to remediate major security events
These figures reflect the annual, per-user costs for IT/security staff to remediate major malware or ransomware attacks.
Costs from productivity loss
These figures reflect the annual, per-user costs from lost productivity resulting from devices or networks being down as a result of an attack and subsequent remediation efforts.
The costs above are greatly influenced by the fully burdened salaries of both IT/security staff and general employees. When calculating costs, the differences between large (1,000+ employees) and small (50-99 employees) organizations come from the efficiencies and economies of scale available at larger organizations.
Additional costs that can influence your calculation of security awareness ROI include:
- Regulatory fines
- Loss of revenue
- Loss of brand reputation
Because these costs are highly variable and difficult to predict, they are not included in this calculation of security awareness ROI. However, you are encouraged to include any additional anticipated costs in your calculations to provide the most accurate estimate of security awareness ROI at your organization.
Step 2: measure your security awareness training costs
The next step in measuring the ROI of security awareness training is calculating the following costs:
- Costs of a security awareness training platform
- Costs to implement an employee training program
- Costs for employees to complete training
Costs of a security awareness training platform
These figures reflect the annual, per-user costs from purchasing security awareness training content or user seats for a security awareness and training platform.
Costs to implement an employee training program
These figures reflect the annual, per-user costs for IT/security staff to build and run a security awareness training program.
Step 3: calculate the ROI of security awareness training
In the simplest terms, the ROI of security awareness training compares the financial benefit provided by the training program with all associated costs.
ROI = Net benefit / Costs
The ROI calculation below utilizes each of the costs outlined above to deliver the average ROI of security awareness training for large and small organizations.
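As an added worked example, not from the original post or the Infosec IQ calculator, the three-step model above can be run in Python: total the step 1 security costs, total the step 2 training costs, apply the risk reduction percentage, and divide net benefit by training cost. Every dollar figure is a constructed placeholder, and the 2,080-hour work year used to price employee training time is an assumption.

```python
from dataclasses import dataclass


@dataclass
class SecurityCosts:
    """Step 1: annual, per-user costs incurred without training."""
    routine_practices: float        # staff time disinfecting workstations
    major_event_remediation: float  # staff time on malware/ransomware incidents
    productivity_loss: float        # downtime while devices/networks are restored
    extra: float = 0.0              # optional: fines, lost revenue, reputation

    def total(self) -> float:
        return (self.routine_practices + self.major_event_remediation
                + self.productivity_loss + self.extra)


@dataclass
class TrainingCosts:
    """Step 2: annual, per-user costs of running the program."""
    platform: float        # training content or seat licences
    implementation: float  # staff time to build and run the program
    employee_time: float   # employee hours spent completing training

    def total(self) -> float:
        return self.platform + self.implementation + self.employee_time


def employee_time_cost(burdened_salary: float, training_hours: float,
                       work_hours_per_year: float = 2080) -> float:
    """Per-user cost of training time at the fully burdened hourly rate (assumed 2,080 h/yr)."""
    return burdened_salary / work_hours_per_year * training_hours


def awareness_roi(security: SecurityCosts, training: TrainingCosts,
                  risk_reduction: float, users: int) -> dict:
    """Step 3: ROI = net benefit / training cost; the benefit is the share of
    security costs avoided by a trained workforce."""
    if not 0.0 <= risk_reduction <= 1.0:
        raise ValueError("risk_reduction must be a fraction between 0 and 1")
    avoided = security.total() * risk_reduction * users
    cost = training.total() * users
    net = avoided - cost
    return {"avoided_cost": avoided, "training_cost": cost,
            "net_benefit": net, "roi": net / cost}


def break_even_reduction(security: SecurityCosts, training: TrainingCosts) -> float:
    """Smallest risk reduction at which the program pays for itself (net benefit = 0)."""
    return training.total() / security.total()


if __name__ == "__main__":
    sec = SecurityCosts(100.0, 40.0, 60.0)                 # constructed per-user figures
    train = TrainingCosts(20.0, 10.0, employee_time_cost(52_000, 2))
    for reduction in (0.2, 0.5, 0.8):                      # "what if" scenarios
        print(reduction, awareness_roi(sec, train, reduction, users=100))
    print("break-even risk reduction:", break_even_reduction(sec, train))
```

Replace the constructed figures with your own per-user estimates, and add regulatory fines or lost revenue through the `extra` field if you can estimate them.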
Calculate your own ROI
You’ve seen how it’s done. Now it’s time to calculate the ROI of security awareness training at your organization. To make it easy, we built a security awareness ROI calculator to help you measure your organization’s return in seconds.
Our security awareness training ROI calculator is seeded with industry average data for large and small organizations. For the most accurate results, replace the default data with your estimates for as many variables as possible or adjust the values to run “what if” scenarios and see the corresponding results instantly.
Infosec IQ security awareness training
Are you in the market for a security awareness training and anti-phishing platform? Infosec IQ is a comprehensive security awareness and anti-phishing solution with over 2,000 training resources to prepare your employees for the cyber threats they face. Register for a free account and learn how Infosec IQ continues to provide positive returns for our clients.