The ROI of security awareness training
For organizations that have experienced a data breach or ransomware attack, the benefits of security awareness training couldn’t be more clear. But for organizations that only run security awareness training to remain compliant or security teams that have never run an employee training program, these benefits may seem abstract. With many organizations facing understaffed IT and security departments with limited time and budget, it’s smart to ask, “Do the benefits of security awareness training outweigh the costs?”
We live in a data-driven world, and let’s face it. No evidence is more compelling than costs and returns. Measuring the financial return of technology isn’t a novel idea. In fact, according to Osterman Research, 88% of organizations already measure the ROI of their technology-based infrastructure. So why aren’t we doing the same to measure the return of security awareness training and create the best security awareness training program?
Thanks to new data, we can, and it’s easier than ever before. In this post, we break down the costs and benefits of running an employee training program and show you how to calculate the ROI of security awareness training at your organization.
Want to calculate your organization’s security awareness and training ROI now?
What is security awareness training ROI?
The ROI of security awareness training quantifies the financial gain achieved as a result of the investment and implementation of a security awareness training program. Obviously, security awareness training does not generate revenue. Instead, financial gain is measured as the dollar value saved as a result of reduced cyber risk.
Why is security awareness ROI useful?
Because security awareness training is a preventative effort, it is too often seen as an immeasurable pursuit. In truth, there are dozens of ways to measure the impact of security awareness training and the behavior change it inspires. Security awareness ROI goes one step further by comparing the financial benefits and costs of running a program.
You can use the ROI of security awareness training as a tool to help you:
- Achieve leadership buy-in for a new security awareness training program
- Secure budget to start or expand an existing program
- Justify hiring awareness-focused security staff
Security awareness training defined
Security awareness training has two major components. The first is cybersecurity training courses. Security awareness training is a proactive approach to prepare employees for cyber attacks they are most likely to face. Security awareness courses typically include computer-based training modules, interactive exercises and assessments covering the core cybersecurity topics each employee should be familiar with.
The second component of security awareness training is simulated phishing training. Simulated phishing programs deliver realistic email templates to employees to see how they behave when a phishing email hits their inbox. Employees who click a phishing email or reveal sensitive information are delivered training in real-time to help them avoid phishing attacks in the future.
Although security awareness programs vary in style and complexity, the ROI calculations below refer to security awareness training that includes both awareness and phishing simulation training for every employee.
Does security awareness training really work?
The costs and benefits used to calculate the ROI of security awareness training are derived from the cyber risk reduction resulting from employee training. Because of this, it’s fair to ask how effective security awareness training really is at reducing cyber risk.
According to Osterman Research, employees who receive security awareness training are significantly better at recognizing security threats than those who have not received training.
Percentage of IT/security professionals reporting employees as “capable” or “very capable” of recognizing cyber attacks
Furthermore, with 32% of breaches involving phishing attacks (which are often indefensible by security tools) it is no surprise that NIST recommends security awareness training for every organization.
Based on data from Osterman Research, the security awareness ROI calculations below factor in the average cyber risk reduction for a trained, cyber-aware workforce. However, you can adjust the risk reduction percentage as you see fit to produce the most accurate measure or ROI for your organization.
Step 1: measure your security costs
To measure the ROI of security awareness training, we must first measure the following costs:
- Costs from routine security practices
- Costs to remediate major security events
- Costs from employee productivity loss
Costs from routine security practices
These figures reflect the annual, per-user costs for IT/security staff to disinfect employee workstations.
Costs to remediate major security events
These figures reflect the annual, per-user costs for IT/security staff to remediate major malware or ransomware attacks.
Costs from productivity loss
These figures reflect the annual, per-user costs from lost productivity resulting from devices or networks being down as a result of an attack and subsequent remediation efforts.
The costs above are greatly influenced by the fully burdened salaries of both IT/security staff as well as general employees. When calculating costs, the differences between large (1,000+ employees) and small (50-99 employees) organizations come from the efficiencies and economies of scale available at larger organizations.
Other costs
Additional costs that can influence your calculation of security awareness ROI include:
- Regulatory fines
- Lawsuits
- Loss of revenue
- Loss of brand reputation
Because these costs are highly variable and difficult to predict, they are not included in this calculation of security awareness ROI. However, you are encouraged to include any additional anticipated costs in your calculations to provide the most accurate estimate of security awareness ROI at your organization.
Step 2: measure your security awareness training costs
The next step in measuring the ROI of security awareness training is calculating the following costs:
- Costs of a security awareness training platform
- Costs to implement an employee training program
- Costs for employees to complete training
Costs of a security awareness training platform
These figures reflect the annual, per-user costs from purchasing security awareness training content or user seats for a security awareness and training platform.
Costs to implement an employee training program
These figures reflect the annual, per-user costs for IT/security staff to build and run a security awareness training program.
Costs to complete training
These figures reflect the annual, per-user costs from general employee time spent completing security awareness training.
Step 3: calculate the ROI of security awareness training
In the simplest terms, the ROI of security awareness training compares the financial benefit provided by the training program with all associated costs.
ROI = Net benefit / Costs
The ROI calculation below utilizes each of the costs outlined above to deliver the average ROI of security awareness training for large and small organizations.
As the data shows, security awareness training produces a massive return on investment for both large and small organizations.
Calculate your own ROI
You’ve seen how it’s done. Now it’s time to calculate the ROI of security awareness training at your organization. To make it easy, we built a security awareness ROI calculator to help you measure your organization’s return in seconds.
Our security awareness training ROI calculator is seeded with industry average data for large and small organizations. For the most accurate results, replace the default data with your estimates for as many variables as possible or adjust the values to run “what if” scenarios and see the corresponding results instantly.
See Infosec IQ in action
Infosec IQ security awareness training
Are you in the market for a security awareness training and anti-phishing platform? Infosec IQ is a comprehensive security awareness and anti-phishing solution with over 2,000 training resources to prepare your employees for the cyber threats they face. Register for a free account and learn how Infosec IQ continues to provide positive returns for our clients.
In this Series
- The ROI of security awareness training
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
- Top 5 ways ransomware is delivered and deployed
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness