Here is how to calculate the return on investment (ROI) of educating your staff through a security awareness campaign.
A study from the Department for Culture, Media, and Sport (DCMS) found that 39% of UK businesses suffered a cyber attack in 2022. The cost of these breaches is not insignificant. The DCMS report calculated that a single cyber attack cost a medium-sized business £19,400. When you consider that organisations are under daily threat from cyber attacks, this is a cause for concern.
Security Awareness Training is one of the measures that can reduce the likelihood of an attack happening or progressing. This translates to reduced costs of an attack. But is the risk of an attack worth the price of performing Security Awareness Training?
Items to Include When Calculating the ROI of a Security Awareness Campaign
Before embarking on a calculation of ‘is security training worth it’, you need an inventory of the items to include. A cyber security attack and/or data breach has many moving parts, each with tangible and intangible costs.
Here’s a look at some of the most likely costs of a cyber attack:
The Direct Financial Loss of a Cyber Attack
The direct impact of a cyber attack depends on both the cyber attack type and the organisation. For example, a ransomware attack may involve a ransom payment (although payment is not a recommended strategy). However, it is worth noting that ransom amounts have been increasing in recent years.
A report from Nordlocker found a 78% increase in the average ransomware payment, bringing the ransom to a staggering $541,010 (£478,000).
Costs from a cyber attack can also include damage to IT systems, the time spent to remediate the attack, and class actions: in the UK, the number of class actions after a cyber attack increased by 120% between 2018 and 2020.
The average cost of a cyber attack should be factored into calculating the ROI of a security awareness campaign. However, this should also reflect the average number of attacks per year. According to the DCMS report, 31% of businesses and 26% of charities estimate they were attacked at least once a week.
Time and Work to Contain a Breach
One of the consequences of a cyber attack is difficulty locating the exploit chain and containing the damage. An IBM report on the cost of a data breach found that the average time to contain a breach in 2022 was 277 days. During this time, costs rack up.
You should include IT system downtime, IT support and estimated productivity losses when calculating the ROI of a security awareness campaign.
Reputation Damage
Reputation damage is intangible and, therefore, difficult to quantify. However, many factors come into play after a cyber attack resulting in a negative reputation. These include a general loss of trust that affects customers, share price, and the partner ecosystem.
This loss of trust is acute when customers leave a company after a breach. A YouGov and Okta study found that 88% of customers will stop using a company if they feel it cannot be trusted to protect their data.
Reputational damage is difficult to quantify, and therefore difficult to add to an equation, but you may have some data on the loss of customers from business intelligence (BI) solutions.
Non-Compliance and Fines
Several data protection regulations, including PCI-DSS and GDPR, mandate or strongly encourage the use of Security Awareness Training. Therefore, if you can demonstrate that your organisation uses Security Awareness Training, any subsequent regulatory enforcement action should consider this.
However, when calculating the ROI of a security awareness campaign, the typical cost of a non-compliance fine in your sector should be factored in.
You can find the level of fines that could impact your company after a breach from the Information Commissioner’s Office (ICO). For example, the UK GDPR and DPA 2018 set a maximum fine of £17.5 million or 4% of annual global turnover.
Insurance Premiums
According to a study by insurers Hiscox, 63% of UK businesses plan to purchase cyber insurance as part of their strategy. In addition, premiums may be lowered if you reduce risk by training employees in security awareness.
Add the cost of cyber insurance to your ROI calculation for a security awareness campaign as part of your overall security strategy costs.
Other ROI costs include:
- The cost of the training package and any added features, such as phishing simulation training.
- Administration costs for running the program.
- Lost time due to an employee performing Security Awareness Training exercises.
How to Calculate the ROI of Cyber Security Training
Once you have the data, you can plug it into an ROI equation. Fortunately, someone has already researched how to generate an equation for Security Awareness Training.
An ROI equation in its simplest form looks like this:
ROI = Calculating ROI of Security Awareness Campaigns
Where:
R = Return (Benefit)
I = Investment (Cost)
However, as you have seen, calculating the R and I for security is more complicated as there are intangible costs such as reputational damage.
Fortunately, folks in the security industry have looked at the complexity of working out an ROI for security training investment. Michael Coden, for example, uses research from the Massachusetts Institute of Technology (MIT).
A study from MIT bases the calculation of cybersecurity incident costs on the steps that lead to a cyber security incident. This research has been used to develop a framework known as STACHT. Using this framework, Coden has developed an equation for the ROI of cybersecurity projects (such as security awareness training campaigns) that includes:
Where:
Probability of a Compromise (PC) = threats multiplied by vulnerabilities
Impact of a Compromise (IC) = asset multiplied by losses if a compromise occurs
Coden’s equation is used per project and indicates the likely ROI based on estimates.
A More Qualitative View of Security Awareness Campaign ROI
Be aware that calculating the ROI of performing Security Awareness Training may not come down to plugging data into an equation. Instead, just drawing up a list of potential costs and impacts from a cyber attack may be enough to demonstrate that Security Awareness Training is worth it.
Human beings continue to be the focus of cybercriminals; any way of breaking this cycle will naturally lead to reduced risk and reduced costs.
An Osterman report described cyber security training as “essential” in preventing cyber-attacks. The report highlights the effectiveness of security training, with data showing, for example, that only 11% of employees could spot a phishing email before training, but after training, 64% were able to detect phishing attempts. Evidence such as this can be highly effective when working out the benefit of running a security awareness campaign.