The growing number and magnitude of cyberattacks impacts organizations across all sectors, and cyber incidents remain among the top ranked business risks globally.

Security defenses, however, are not keeping up with cyberthreats. Although businesses worldwide spent an estimated $145 billion on cybersecurity in 2020, the costs of cybercrimes escalated—from an estimated $600 billion in 2018 to $945 billion in 2020.

Many companies now realize that technical defenses alone are not enough to protect against cyberattacks. Even one mistake by an untrained employee can have serious consequences and result in a data breach. Many publicized security incidents during the past few years have demonstrated how even clicking on one wrong link can put a business at serious risk.

Threat actors increasingly target employees for good reason. Research shows that 85% of successful data breaches involved employee actions. That figure underscores the importance of implementing effective security awareness training, which equips employees to defend your organization against these attacks and to adopt resilient security habits. But how do you assign a dollar amount to the return on investment (ROI) of security awareness training when you are measuring the effect of something that didn't happen?

An effective security awareness program will do two things for your organization:

  • Change the behaviors of your employees.
  • Reduce the amount you spend on mitigating and recovering from cyberthreats.

Here’s what to consider when you try to gauge the ROI of security awareness training.


Fewer Security Incidents

The main goal of a security awareness program is to build a culture of security. When employees can recognize the threats they are likely to encounter, notice vulnerabilities they may have accidentally left exposed, and have the skills to respond, the number of security incidents caused by user error drops significantly. Fewer incidents mean less time spent dealing with malware, ransomware, stolen credentials, and other cybersecurity issues.

Continuous security awareness education, combined with regular phishing simulations, significantly increases the ability of employees to defend your organization and make proactive choices to adhere to more secure standards. However, it doesn’t happen overnight—it typically takes at least several months to see the full impact of effective security awareness training.


Let’s Talk About Money

Organizations have a 29.6 percent chance of experiencing a data breach in the next two years. Security awareness training, however, decreases the likelihood that you will be breached. The savings can be invaluable, as the average cost of a data breach is $3.86 million. Then add hidden costs, such as lost opportunities, decreased productivity, and impact on brand reputation. For instance, according to the Center for Strategic and International Studies (CSIS), 26 percent of surveyed organizations say they experienced damage to their brand due to downtime caused by a cyberattack.

Not all security incidents come with the hefty price tag of a data breach, but that doesn't mean the risk is negligible. Unfortunately, many small and medium-sized businesses (SMBs) underestimate the costs associated with a cyberattack. One survey found that more than half of SMBs estimated they would incur less than $10,000 in damages from a successful cyberattack. The reality is much different: cybersecurity incidents cost businesses of all sizes an average of $200,000.

While larger organizations might be able to absorb the cost, smaller organizations experience higher costs relative to their size, which can make it difficult to recover from an attack.

Is a Security Awareness Program Worth the Cost?

To determine your ROI, you can measure the cost of implementing a security awareness program and compare it to the cost of doing nothing.

Let’s first look at costs associated with implementing a program:

Cost of your security awareness program: Security awareness programs range in scope from simple online training modules to comprehensive strategies that include simulated phishing campaigns and penetration testing. Costs vary accordingly, and also depend on factors such as the size of your organization.

Cost of administering the security awareness program: In addition to the cost of the actual training, you need to calculate what you'll have to pay to run the program. Security awareness is only effective if it's ongoing, and whether you administer it in-house or outsource it, you'll have to dedicate adequate resources to ensure it runs smoothly.

Time employees spend completing the security awareness program: Security awareness doesn’t mean employees will need to spend hours on end listening to presentations or watching training videos. Even a three-minute microlearning session can have a significant impact.

A security awareness program brings with it a number of expenses, but what are the consequences of not being adequately prepared?

Consider these typical costs due to a lack of security awareness training:


  • Hours required to disinfect workstations and networks: If you’re a constant target of attacks, your small IT team could spend the entire workweek just cleaning and reimaging infected endpoints.

  • Hours required to remediate cyberattacks: It takes an average of 73 days to contain a data breach. While not all cyberattacks are extensive or turn into a full-fledged data breach, remediation costs add up quickly, especially if your team is stretched thin and you need to bring in outside assistance.

  • Lost employee productivity due to cyberattacks: Your employees only have so many hours in a week. If they can’t do their job because critical resources are not available, you’re leaving money on the table.
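The comparison this section describes, as an added worked example that is not from the original post: a small Python model that totals the program's annual cost (licence, administration, employee time), totals the annual cost of doing nothing (the three items above plus the expected loss from a data breach), and reports the ROI and the break-even point. The class and function names, hourly rates, hours and headcount are all assumptions constructed for illustration; the only figures taken from the page are the 29.6 percent two-year breach probability and the $200,000 average incident cost.

```python
"""Annualized ROI model for a security awareness program.

Added example; not code from the Arctic Wolf post. Every figure passed
in below is a constructed placeholder, not measured data.
"""
from dataclasses import dataclass


def annualize_probability(p_over_period: float, years: float) -> float:
    """Convert a breach probability quoted over several years into a per-year
    probability, assuming each year is independent. The post's 29.6 percent
    over two years comes out at roughly 16.1 percent per year."""
    if not 0.0 <= p_over_period <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    return 1.0 - (1.0 - p_over_period) ** (1.0 / years)


@dataclass(frozen=True)
class ProgramCost:
    """Cost of running the program: the three items listed above."""
    headcount: int
    licence_per_seat: float               # annual vendor fee per employee (assumed)
    admin_hours: float                    # staff hours per year spent running it
    admin_hourly_rate: float
    training_minutes_per_employee: float  # per year, summed over microlearning sessions
    employee_hourly_rate: float

    def licence(self) -> float:
        return self.headcount * self.licence_per_seat

    def administration(self) -> float:
        return self.admin_hours * self.admin_hourly_rate

    def employee_time(self) -> float:
        hours = self.headcount * self.training_minutes_per_employee / 60.0
        return hours * self.employee_hourly_rate

    def total(self) -> float:
        return self.licence() + self.administration() + self.employee_time()


@dataclass(frozen=True)
class Exposure:
    """Annual cost of doing nothing: cleanup, remediation, lost productivity,
    plus the expected loss from a data breach."""
    reimage_hours: float             # IT hours per year disinfecting/reimaging endpoints
    it_hourly_rate: float
    remediation_cost: float          # outside assistance, forensics, etc. per year
    productivity_hours_lost: float   # employee hours per year blocked by unavailable systems
    employee_hourly_rate: float
    annual_breach_probability: float
    breach_cost: float

    def cleanup(self) -> float:
        return self.reimage_hours * self.it_hourly_rate

    def productivity(self) -> float:
        return self.productivity_hours_lost * self.employee_hourly_rate

    def breach_expected_loss(self) -> float:
        # annualized loss expectancy: probability of a breach x cost of one breach
        return self.annual_breach_probability * self.breach_cost

    def total(self) -> float:
        return (self.cleanup() + self.remediation_cost
                + self.productivity() + self.breach_expected_loss())


def roi(program: ProgramCost, exposure: Exposure, incident_reduction: float) -> float:
    """ROI as a fraction: (avoided loss - program cost) / program cost.
    incident_reduction is the share of the exposure the program is assumed to
    prevent once it has had time to change behaviour."""
    if not 0.0 <= incident_reduction <= 1.0:
        raise ValueError("incident_reduction must lie in [0, 1]")
    cost = program.total()
    avoided = exposure.total() * incident_reduction
    return (avoided - cost) / cost


def breakeven_reduction(program: ProgramCost, exposure: Exposure) -> float:
    """Share of the expected loss the program must prevent just to pay for
    itself. A value above 1.0 means no reduction can cover the program's cost."""
    return program.total() / exposure.total()


if __name__ == "__main__":
    # Constructed inputs for a 200-person organization (placeholders only).
    program = ProgramCost(headcount=200, licence_per_seat=20.0,
                          admin_hours=100.0, admin_hourly_rate=50.0,
                          training_minutes_per_employee=30.0,
                          employee_hourly_rate=40.0)
    exposure = Exposure(reimage_hours=200.0, it_hourly_rate=50.0,
                        remediation_cost=15000.0,
                        productivity_hours_lost=250.0, employee_hourly_rate=40.0,
                        annual_breach_probability=annualize_probability(0.296, 2),
                        breach_cost=200000.0)
    print(f"program cost per year:      ${program.total():,.0f}")
    print(f"cost of doing nothing:      ${exposure.total():,.0f}")
    print(f"break-even reduction:       {breakeven_reduction(program, exposure):.0%}")
    for cut in (0.25, 0.50, 0.75):
        print(f"ROI at {cut:.0%} fewer incidents: {roi(program, exposure, cut):.0%}")
```

Two design points worth noting. The page quotes the breach probability over two years, so it has to be annualized before it can be multiplied by a per-breach cost to get an annual expected loss; otherwise the "cost of doing nothing" is overstated. And `breakeven_reduction` is usually the more honest number to put in front of a budget holder than a single ROI figure: it states how large a share of incident cost the program must actually prevent to pay for itself, which you can then compare with your own phishing-simulation click-rate trend. The model assumes steady state; as the section above notes, behaviour change takes months, so first-year returns will be lower than the steady-state figure.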

According to Osterman Research, security awareness training dramatically reduces what organizations spend on tasks such as disinfecting workstations and repairing damage done by a cyberattack. They found that:


  • Small and mid-sized businesses (SMBs) get an ROI of 69 percent.

  • Larger organizations see an ROI of 562 percent.

However, these ROI figures leave out further costs of an incident, including opportunity costs, so they understate the return:

Legal and brand risk: After a successful cyberattack, your organization is exposed to fines, lawsuits, and lost revenue from damaged customer trust.

An effective security awareness program can significantly decrease the impact of cyberattacks on your bottom line. For SMBs especially, avoiding a cyberattack could be a matter of survival. But even for larger organizations that can absorb (some of) the cost of an attack, not having to divert budgets to dealing with security incidents means more money available for growing their business.

Originally published on the Arctic Wolf blog, May 17, 2021.