Back
Cyber Security Training & Software for Companies | MetaCompliance

Products

Discover our suite of personalised Security Awareness Training solutions, designed to empower and educate your team against modern cyber threats. From policy management to phishing simulations, our platform equips your workforce with the knowledge and skills needed to safeguard your organisation.

Cyber Security eLearning

Cyber Security eLearning to Explore our Award-Winning eLearning Library, Tailored for Every Department

Security Awareness Automation

Schedule Your Annual Awareness Campaign In A Few Clicks

Phishing Simulation

Stop Phishing Attacks In Their Tracks With Award-Winning Phishing Software

Policy Management

Centralise Your Policies In One Place And Effortlessly Manage Policy Lifecycles

Privacy Management

Control, Monitor, and Manage Compliance with Ease

Incident Management

Take Control Of Internal Incidents And Remediate What Matters

Back
Industry

Industries

Explore the versatility of our solutions across diverse industries. From the dynamic tech sector to healthcare, delve into how our solutions are making waves across multiple sectors. 


Financial Services

Creating A First Line Of Defence For Financial Service Organisations

Governments

A Go-To Security Awareness Solution For Governments

Enterprises

A Security Awareness Training Solution For Large Enterprises

Remote Workers

Embed A Culture Of Security Awareness - Even At Home

Education Sector

Engaging Security Awareness Training For The Education Sector

Healthcare Workers

See Our Tailored Security Awareness For Healthcare Workers

Tech Industry

Transforming Security Awareness Training In The Tech Industry

NIS2 Compliance

Support Your Nis2 Compliance Requirements With Cyber Security Awareness Initiatives

Back
Resources

Resources

From posters and policies to ultimate guides and case studies, our free awareness assets can be used to help improve cyber security awareness within your organisation.

Cyber Security Awareness For Dummies

An Indispensable Resource For Creating A Culture Of Cyber Awareness

Dummies Guide To Cyber Security Elearning

The Ultimate Guide To Implementing Effective Cyber Security Elearning

Ultimate Guide To Phishing

Educate Employees About How To Detect And Prevent Phishing Attacks

Free Awareness Posters

Download These Complimentary Posters To Enhance Employee Vigilance

Anti Phishing Policy

Create A Security-Conscious Culture And Promote Awareness Of Cyber Security Threats

Case Studies

Hear How We’re Helping Our Customers Drive Positive Behaviour In Their Organisations

A-Z Cyber Security Terminology

A Glossary Of Must-Know Cyber Security Terms

Cyber Security Behavioural Maturity Model

Audit Your Awareness Training And Benchmark Your Organisation Against Best Practice

Free Stuff

Download Our Free Awareness Assets To Improve Cyber Security Awareness In Your Organisation

Back
MetaCompliance | Cyber Security Training & Software for Employees

About

With 18+ years of experience in the Cyber Security and Compliance market, MetaCompliance provides an innovative solution for staff information security awareness and incident management automation. The MetaCompliance platform was created to meet customer needs for a single, comprehensive solution to manage the people risks surrounding Cyber Security, Data Protection and Compliance.

Why Choose Us

Learn Why Metacompliance Is The Trusted Partner For Security Awareness Training

Employee Engagement Specialists

We Make It Easier To Engage Employees And Create a Culture of Cyber Awareness

Security Awareness Automation

Easily Automate Security Awareness Training, Phishing And Policies In Minutes

MetaBlog

Stay informed about cyber awareness training topics and mitigate risk in your organisation.

Calculating ROI of Security Awareness Campaigns

Security Awareness Campaign

about the author

Share this post

Here is how to calculate the return on investment (ROI) of educating your staff in security awareness campaign.

A study from the Department for Culture, Media, and Sport (DCMS) found that 39% of UK businesses suffered a cyber attack in 2022. The cost of these breaches is not insignificant. The DCMS report calculated that the financial impact of a single cyber attack cost a medium-sized business £19,400. When you consider that organisations are under daily threat from cyber attacks, this is a cause for concern.

Security Awareness Training is one of the measures that can reduce the likelihood of an attack happening or progressing. This translates to reduced costs of an attack. But is the risk of an attack worth the price of performing Security Awareness Training?

Items to Include When Calculating the ROI of Security Awareness Campaign

Before embarking on a calculation of ‘is security training worth it’ an inventory of included items is needed. A cyber security attack and/or data breach has many moving parts, each with tangible and intangible costs.

Here’s a look at some of the most likely costs of a cyber attack:

The Direct Financial Loss of a Cyber Attack

The direct impact of a cyber attack depends on both the cyber attack type and the organisation. For example, a ransomware attack may involve a ransom payment (although payment is not a recommended strategy). However, it is worth noting that ransom amounts have been increasing in recent years.

report from Nordlocker found a 78% increase in the average ransomware payment bringing the ransom to a staggering $541,010 (£478,000).

Costs from a cyber attack can also include damage to IT systems, the time spent to remediate the attack, and class actions: in the UK, the number of class actions after a cyber attack increased by 120% between 2018 and 2020.

The average cost of a cyber attack should be factored into calculating the ROI of a security awareness campaign. However, this should also reflect the average number of attacks per year. According to the DCMS report, 31% of businesses and 26% of charities estimate they were attacked at least once a week.

Time and Work to Contain a Breach

One of the consequences of a cyber attack is difficulty locating the exploit chain and containing the damage. An IBM report on the cost of a data breach found that the average time to contain a breach in 2022 was 277 days. During this time, costs rack up.

You should include IT system downtime, IT support and estimated productivity losses in your ROI of a security awareness campaign calculation.

Reputation Damage

Reputation damage is intangible and, therefore, difficult to quantify. However, many factors come into play after a cyber attack resulting in a negative reputation. These include a general loss of trust that affects customers, share price, and the partner ecosystem.

This loss of trust is acute when customers leave a company after a breach. A YouGov and Okta study found that 88% of customers will stop using a company if they feel they cannot be trusted to protect their data.

Reputational damage is difficult to quantify and therefore add to an equation, but you may have some data on the loss of customers from business intelligence (BI) solutions.

Non-Compliance and Fines

Several data protection regulations, including PCI-DSS and GDPR, mandate or strongly encourage the use of Security Awareness Training. Therefore, if you can demonstrate that your organisation uses Security Awareness Training, any subsequent regulatory enforcement action should consider this.

However, when calculating the ROI of a security awareness campaign, the typical cost of a non-compliance fine in your sector should be factored in.

You can find the level of fines that could impact your company after a breach from the Information Commissioner’s Office (ICO). For example, the UK GDPR and DPA 2018 set the maximum fine of £17.5 million or 4% of annual global turnover.

Insurance Premiums

According to a study by insurers Hiscox, 63% of UK businesses plan to purchase cyber insurance as part of their strategy. In addition, premiums may be lowered if you reduce risk by training employees in security awareness.

Add the cost of cyber insurance to your ROI of a security awareness campaign as part of your overall security strategy costs.

Other ROI costs include:

  • The cost of the training package and any added features, such as phishing simulation training.
  • Administration costs for running the program.
  • Lost time due to an employee performing Security Awareness Training exercises.

How to Calculate the ROI of Cyber Security Training

Once you have the data, you can plug it into an ROI equation. Fortunately, someone has already researched how to generate an equation for Security Awareness Training.

An ROI equation in its simplest form looks like this:

ROI = Calculating ROI of Security Awareness Campaigns

Where:

R = Return (Benefit)

I = Investment (Cost)

However, as you have seen, calculating the R and I for security is more complicated as there are intangible costs such as reputational damage.

Fortunately, folks in the security industry have looked at the complexity of working out an ROI for security training investment. Michael Coden, for example, uses research from the Massachusetts Institute of Technology (MIT).

A study from MIT bases the calculation of cybersecurity incident costs on the steps that lead to a cyber security incident. This research has been used to develop a framework known as STACHT. Using this framework, Coden has developed an equation for the ROI of cybersecurity projects (such as security awareness training campaigns) that includes:

Capture3

Where:

Probability of a Compromise (PC) = threats multiplied by vulnerabilities

Impact of a Compromise (IC) = asset multiplied by losses if a compromise occurs

Coden’s equation is used per project and indicates the likely ROI based on estimates.

A More Qualitative View of Security Awareness Campaign ROI

Be aware that calculating the ROI of performing Security Awareness Training may not come down to plugging data into an equation. Instead, just drawing up a list of potential costs and impacts from a cyber attack may be enough to demonstrate that Security Awareness Training is worth it.

Human beings continue to be the focus of cybercriminals; if there is any way to break this cycle, this will naturally lead to reduced risk and reduced costs.

An Osterman report described cyber security training as “essential” in preventing cyber-attacks. The report highlights the effectiveness of security training, with data showing, for example, that only 11% of employees could spot a phishing email before training, but after training, 64% were able to detect phishing attempts. Evidence such as this can be highly effective when working out the benefit of running a security awareness campaign.

Security Awareness Training for Third-Party Vendor

Other Articles on Cyber Security Awareness Training You Might Find Interesting