Calculating the Return on Security Awareness Training: What You Need to Know

It’s no secret that investing in security awareness training for your employees can be costly. In fact, even when the IT leaders in your organization understand the critical nature of such training and champion its cause, decision makers in the C-Suite might not be so easily convinced.

The key is making sure your C-Suite team understands what will be gained from implementing a security training program. And, perhaps more importantly, making it clear what the short- and long-term risks and damages are that can be avoided with the proper security training in place. Following are the key areas on which to focus when preparing your pitch for security awareness training, including how to calculate the return on investment (ROI).

Lack of Security: Calculating the Cost

Before you rush to use a formula to calculate the ROI, remember that your C-level executives will ask questions with a different mindset. Security Intelligence lists common questions that these individuals may ask during deliberations:

• How much could a lack of security potentially cost the business?
• What effect does security have on current organizational productivity?
• What is the potential impact of a catastrophic security breach?
• How would the recommended solutions impact productivity?
• Are these recommendations the most cost-effective solutions?

You should ensure your investment is considered on risk basis. How does a lack of security impact the business? According to the Ponemon Institute, the average cost of a data breach is $3.8 million, up 6.4 percent from 2017. And of course, the stakes continue to grow as data breaches increase in frequency and severity.

According to this same study, although the average cost to deploy security automation is $2.88 million, without cybersecurity solutions, a company could risk up to $4.43 million in breach costs. For some organizations, this is a number that could be detrimental to their business and their reputation. Beyond the finances, there are other consequences you could suffer without proper security:

• Your customers’ data, as well as that of your employees and the company’s, could be compromised all at once, as was the case with Equifax in 2017
• Intellectual property or trade secrets may be stolen
• Your company could be subjected to costly downtime
• The organization’s reputation could be irreparably damaged. According to Dataconomy, 90 percent of CEOs, striving to rebuild commercial trust after a breach is one of the most difficult tasks to achieve

With these consequences in mind and understanding the financial implications, now you can calculate an ROI through the lens of loss.

How to Calculate the Return on Your Security Investment

According to Security Intelligence, the computation is “only as good as the analytical efforts that go into the ROSI formula, which must include the cost of the security solution as well as the annual loss expectancy derived from risks.” The ROSI equation looks like this:

ROSI (%) = (ALE-mALE) – Cost of Solution ÷ Cost of Solution

How does it work? The equation quantifies an investment’s impact on the bottom line. It helps you earn support from C-level executives by defining what they can expect from the initial investment. What do the separate components mean?

To start, the ALE is the annual loss expectancy or the total loss from incidents involving security. You can find the ALE by multiplying the annual rate of occurrence or ARO by the SLE or single loss expectancy. The annual rate of occurrence is defined as the “probability of a security incident occurring within a year.” In contrast, the SLE is the “total financial loss from a single security incident.”

Modified annual loss expectancy or mALE is the annual loss expectancy plus the savings your security investment will provide. This number will “represent the percentage of threats halted by the security solution.” For example, your security solution has an average annual investment of $100,000 to fix 20 security incidents that result in $12,000 in data loss. The security solution you choose will block 99 percent of cyber-attacks from entering your organization. How does the equation look with these components?

ROSI = ((20 x 12,000) x .99 – $100,000) ÷ $100,000

This formula shows that the return of investment is 137.6 percent, or about $138,000 each year. To protect your organization from potential security threats that can cost thousands, if not millions of dollars, in downtime and data. This equation clearly shows the value of helping to prevent breaches with security awareness training.

As you pitch security awareness training to C-level executives, you must keep this ROI equation and the consequences of having poor security top of mind. With these numbers and facts, you can position yourself, and your organization, for success.

The original version of this article was first published on Inspired eLearning.