Skip to main content

How to Calculate the ROI of Security Awareness Training

The growing number and magnitude of cyber attacks impacts organizations across all sectors, and cyber incidents remain among the top ranked business risks globally

Unfortunately, cybersecurity defenses are not keeping up with cyber threats. Although businesses worldwide spent an estimated $145 billion on cybersecurity in 2020, the costs of cybercrimes escalated—from an estimated $600 billion in 2018 to $945 billion in 2020. 

Many companies now realize that technical defenses alone are not enough to protect against cyber attacks. Even one mistake by an untrained employee can have serious consequences and result in a data breach. Many publicized security incidents during the past few years have demonstrated how even clicking on one wrong link can put a business at serious risk. 

Threat actors increasingly target employees for good reason. Research shows that 85% of successful data breaches involves employee actions. That figure amplifies the importance of implementing effective security awareness training, which empowers employees to defend your organization against these attacks and adopt resilient security habits.

But how do you assign a dollar amount to the return on investment (ROI) of security awareness training if you're measuring the effects of something that didn't happen?

There’s always uncertainty, and proactive security awareness training is like an insurance policy in the way it limits potential damages. You pay for something you might not need (although in today’s threat landscape, successful attacks are practically a given), but when you do, you’re grateful.

What Security Awareness Training Does for an Organization

An effective security awareness program can improve and reinforce employee behavior. This has a positive effect on ROI, as it not only ensures your organization performs cybersecurity best practices, but also alleviates the amount you need to spend on cyber threat mitigation. 

Ultimately, the main goal of a security awareness program is to build a culture of security. When employees are knowledgeable about potential threats they may encounter or vulnerabilities they may have accidentally exposed, they develop the skills needed to act appropriately to better defend the organization. This means the number of security incidents due to user error significantly decreases. And fewer incidents mean less time spent dealing with malware, ransomware, stolen credentials, and other cybersecurity issues. 

Continuous security awareness education, combined with regular phishing simulations, significantly increases the ability of employees to make proactive choices that adhere to more secure standards.

However, it doesn’t happen overnight—it typically takes at least several months to see the full impact of effective security awareness training. 

As a result, employees can’t be expected to learn everything they need to know about cybersecurity attacks, best practices, and good cyber hygiene in just one afternoon of training. Besides, new threats, scams, and vulnerabilities emerge all the time—which makes the need for ongoing security awareness training essential.

Close up of hands on a laptop.

Is a Security Awareness Program Worth the Cost? 

Determining the ROI of a security awareness program isn’t easy. It requires you to compare the cost of implementing a security awareness program against the cost of what will happen if you do nothing. It’s an inexact science. 

Let's first look at the costs associated with NOT having a security awareness program: 

Organizations have a 29.6 percent chance of experiencing a data breach in the next two years. Security awareness training, however, decreases the likelihood that you will be breached. The savings can be invaluable, as the average cost of a data breach is $4.24 million. Hidden costs must also be considered, such as lost opportunities, decreased productivity, and impact on brand reputation. 

For instance, according to the Center for Strategic and International Studies (CSIS), 26 percent of surveyed organizations say they experienced damage to their brand due to downtime as a result from a cyberattack. In many cases, experiencing a breach does such damage that a business has to close up shop for good. In fact, 60% of small and medium sized businesses are out of business within 6 months of experiencing a breach.

Of course, not ALL security incidents come with the hefty price tag of a data breach that shutters your business, but that doesn't mean the risk is negligible.

Unfortunately, many small and medium-sized businesses (SMBs) underestimate the costs associated with a cyber attack. One survey found that more than half of participating SMBs estimated they would spend less than $10,000 in damages after a successful attack. The reality is much different. Cybersecurity incidents cost businesses of all sizes an average of $200,000

While larger organizations might be able to absorb the cost, smaller organizations experience higher costs relative to their size, which can make it difficult to recover from an attack. 

4 Costs Associated to a Lack of Security Awareness Training 

1) The hours required to disinfect workstations and networks: If you're a constant target of attacks, your small IT team could spend the entire workweek just cleaning and reimaging infected endpoints. 

2) The hours required to remediate cyber attacks: It takes an average of 80 days to contain a data breach.  While not all cyber attacks are extensive or turn into a full-fledged data breach, remediation costs add up quickly, especially if your team is stretched thin and you need to bring in outside assistance.

3) Lost employee productivity due to cyber attacks: Your employees only have so many hours in a week. If they can't do their job because critical resources are not available, you're leaving money on the table. 

4) Legal and brand risk: After a successful cyber attack, your organization is at risk of fines, lawsuits, and lost revenue due to damaged customer trust. 

An effective security awareness program can significantly decrease the impact of cyber attacks on your bottom line. For SMBs especially, avoiding an attack  could be a matter of survival. But even for larger organizations that can absorb (some of) the cost, not having to divert budgets to deal with security incidents means more money available for growing their business.

So, that’s the cost of doing nothing. Now, let’s look at:

The Cost of Implementing and Maintaining an Effective Security Awareness Program 

Security awareness programs range in scope from simple online training modules to comprehensive strategies that include simulated phishing campaigns and penetration testing. Many security awareness solutions are priced by tiers, allowing you to access certain features or different amounts of content based on what you pay. Costs vary accordingly, and depend on factors such as the size of your organization. 

As you collect quotes from different security awareness solutions, be sure you understand what you’re getting at that price point and consider how much work you will have to do to implement and continue to run those tools in your organization. It is also very important to understand what will be effective for your organization and its unique needs. It’s safe to say that purchasing a once-a-year training course will be cheaper, but it’s unlikely it will help your employees keep security top of mind.

Similarly, if you choose a solution that makes you do all the work, your invoice could be lighter. However, the amount of hours your people are required to manage it can be costly, so that aspect needs to be evaluated.

Administrative Costs

In addition to the cost of the actual training, you need to calculate what you'll have to pay to run the program. As explained above, employees can’t absorb everything there is to know about security awareness in just one training session. Not to mention that ongoing threats require ongoing education. 

Security awareness is only effective if it's ongoing, and whether you administer it in-house or outsource it, you'll have to dedicate adequate resources to ensure it runs smoothly. This is where you want to be careful to calculate your true costs. Be sure to not only look at the price per user of the security awareness solution, but also be mindful of the time cost involved with whatever resource you dedicate to building out your security awareness program.

Not all security awareness solutions are created equally; some require an obscene amount of administrative time previewing content in their massive libraries, and can be the bane of an admin’s existence if they must sift through an endless sea of irrelevant content before  performing the rudimentary tasks of scheduling and delivering that content. 

Other solutions manage, schedule and deliver the content for you, providing valuable time savings. So, remember It’s not always only about the sticker price. It’s also important to properly evaluate the amount of time it will take to administer an effective program, and consider what that administrator could be doing if they had that time back.

Employee Time Spent Taking the Program

Security awareness doesn't mean employees will need to spend hours on end listening to presentations or watching training videos. Even a three-minute microlearning session can have a significant impact.  However, when considering how much time employees spend wrapped up in security awareness training, it’s also important to consider the value and importance of re-engagement. 

Woman sitting in front of her laptop.

According to studies made by German psychologist, Hermann Ebbinghaus, people retain more information and for longer periods when they re-engage with a topic on a cadence of more than once a month. On the flipside (forgetting), he determined that people otherwise forget 80% of what they learn in less than a month.

Evaluating how often you engage employees must be part of the cost equation. Like an annual piano lesson, a security awareness program conducted once a year or one with a phishing simulation tool that doesn’t educate employees is entirely ineffective. However, your ROI with a security awareness program will skyrocket when you engage with employees frequently enough to make their learning effective. It’s the true way to gain value from your program. 

Employee Time and Other Costs Saved by the Program

The time spent during security awareness training sessions is just a small fraction of the time employees inevitably spend redirecting their focus following a successful cyber attack. According to Osterman Research, security awareness training dramatically decreases the costs that organizations spend on tasks such as disinfecting workstations and repairing damages in the aftermath of a cyber attack. It found that: 

Small and mid-sized businesses (SMBs) get an ROI of 69 percent. 

Larger organizations see an ROI of 562 percent. 

As you carefully evaluate the ROI of security awareness, it’s also important to keep in mind that the longer you delay or stay with an ineffective tool, the longer you remain vulnerable.

Improve Your Security Culture with Arctic Wolf Managed Security Awareness 

Implementing an ongoing security awareness program doesn’t have to be intimidating and running an effective program doesn’t have to take up a lot of your time. Arctic Wolf, the leader in security operations, can help your employees become proactive and better prepared in the face of cyberthreats. Arctic Wolf® Managed Security Awareness® helps organizations build a strong security culture to help prevent cybersecurity incidents and data breaches. 

Delivered as a concierge service, our employee-centric security awareness training solution addresses the most common threats at the point of attack.

With Arctic Wolf, you can empower employees to identify risks, recognize threats, and avoid mistakes that could lead to high-cost security incidents. Managed Security Awareness generates a high ROI because it does the work for you and continually delivers new and fresh content that keeps security awareness top of mind so employees can better defend themselves and your organization.

About the Author

Nathan Caldwell has been a marketing leader in the tech world for nearly 10 years. He served as the producer and head of video marketing for one of the largest MSP software companies, where he was a keynote producer and coached tech leaders in executive speaking. In his latest adventure, he helped create Arctic Wolf’s Managed Security Awareness solution. When not fighting cyber bad guys Nathan loves to speak about his book, Empowering Kindness, and enjoys taking his four kids to theme parks.

Profile Photo of Nathan Caldwell