Security Awareness Training

    ROI Analysis: Improving Resilience with Cybersecurity Awareness Training

    Forrester research underscores the ROI of cybersecurity awareness training as remote work increases risk.

    by Karen Lynch

    Key Points

    • Industry consensus finds cybersecurity awareness training to be one of the most cost-effective investments in defending against malicious attacks.
    • Research from Forrester and others breaks down the ROI in different scenarios.
    • Forrester’s model shows that regular training reduced risky behavior to only 2.5% of employees.

    What are the odds that someone in your company might fall for a scam email? How much could that cost your business? What would you pay to stop it from happening? These are the kinds of calculations that go into analyzing cybersecurity awareness training for its return on investment (ROI) — that basic unit of decision-making in the C-suite and boardroom.

    It’s not easy to answer these questions when a single, successful phishing email can lead to exposing millions of customer records or shutting down operations for days. But with the passage of time, experts have compiled mounting evidence and data to estimate the average ROI for security awareness training in different kinds of companies.

    What’s becoming clearer every day is that — done right — cybersecurity awareness training can be a relatively low-cost, high-impact investment. This article looks at market research into the ROI and related advice about implementing a cybersecurity awareness training program.

    This blog is the fourth in an ROI series featuring calculated at a total of 225% over three years across all five areas. That translates into $3.9 million in aggregate benefits versus a $1.2 million investment for licensing, security team training and a part-time system administrator. Forrester’s analysis provides an approach that organizations can apply to their own threats and cybersecurity responses.

    Employees Are Your Last Line of Defense

    In all likelihood, any phishing email that reaches an employee’s inbox has already run a gauntlet of security checkpoints and filters. But some scams get through even the most advanced email security systems, making your employees your last line of defense.

    Companies find this alarming for several reasons. Their businesses virtually run on email — now more than ever due to the surge in remote working. But email is the No. 1 delivery method for malware attacks.[1] And four out of 10 respondents in Mimecast’s “State of Email Security 2021” (SOES) survey say their employees don’t know enough to stop these attacks. In fact, insufficient training of non-technical employees was the biggest contributor to security incidents at a third of companies, according to another survey.[2]

    That’s where cybersecurity awareness training programs come in, including short educational videos and simulated phishing attacks. Industry consensus agrees that this kind of training is one of the most cost-effective ways to reduce the risk of breaches and other incidents.

    The Evidence-Based ROI of Cybersecurity Awareness Training

    In Forrester’s model company, 10% of malicious emails evade detection by security systems, and then 15% of untrained employees open them and take action, such as viewing an infected attachment, sharing sensitive details about their organization, or clicking on a link that installs malware on their device. Following cybersecurity awareness training, though, only 2.5% of employees take such steps. The result is an 83.3% reduction in risky behavior for a company where the average annual cost of email-based attacks is over $1.8 million.

    Another breakdown is included in an earlier report that Mimecast commissioned from Osterman Research. Costs in this analysis included annual cybersecurity training budgets ranging from $109 to $203 per employee, depending on the size of the company. Employees were spending an average of 26 minutes a month on training.

    After training, a typical midsize company demonstrated a 69% ROI, based on the direct costs of handling the relatively minor security incidents occurring throughout the year. The savings side of the equation included lower costs for disinfecting workstations and networks (down from $286 to $136 per user). Less quantifiable were the potentially larger costs of lost customers, harm to a company’s stock market valuation, regulatory fines and others.

    For bigger security incidents of $1 million and higher, which Osterman assumed to occur only every 20 years, its analysis calculated a 248% ROI on employee training for a midsize company — this time factoring in lost revenue and other impacts beyond remediation.

    Cybersecurity Awareness Training vs. the Odds

    The odds that risky employee behavior could trigger an incident at your company have only increased since the ROI research reported above. Phishing attacks have surged 63% since the COVID-19 pandemic began, according to the SOES report, and employees are clicking on three times more malicious emails than before, letting their guard down while working from home.

    Cybersecurity awareness training is arguably more critical than ever, and many vendors’ programs have been refocused on the new working environment. Yet many companies still train too infrequently for their employees to spot and safely deal with a cyberattack. And not all training programs are created equal, so results may vary.

    To get the best ROI from cybersecurity awareness training, here are five training tips that are particularly relevant to today’s remote working environment:

    • Make training relevant: Focus materials on your business and industry.
    • Keep it real: Provide practical, relatable examples of how phishing and other scams could impact people, including colleagues.
    • Get to the point: Make it easy for employees to give training their full attention with short, simple formats. Bonus points for engaging them with humor.
    • Explain yourself: Employees may worry that cybersecurity tools are actually monitoring productivity. Communicate the real purpose.
    • Focus on “repeat clickers”: Phishing simulations can help you identify who needs training most — and who doesn’t, so they can “test out” of the program.

    The Bottom Line

    Recent research confirms that cybersecurity awareness training is one of the most cost-effective investments you can make to protect your business from malicious cyberattacks. And using awareness training best practices can increase your program’s ROI.

    [1] “2020 Data Breach Investigations Report,” Verizon

    [2] “The Life and Times of Cybersecurity Professionals 2020,” Enterprise Strategy Group for the Information Systems Security Association

    [3] “How to Get Employees Invested in Security Awareness Training,” Mimecast
