Today, data breaches and cyber-attacks are becoming so frequent that they aren’t a matter of “if” but “when,” making cybersecurity employee training a must.

It’s no secret that security awareness training is essential for protecting your company from cyber-attacks. But many organizations struggle to justify the expense of security awareness training programs, asking themselves whether the security awareness training return on investment is really worth it.

Read below to learn how to show your CFO that you can get up to a 2,600% ROI.

What Are the Experts Saying?

According to Gartner, security awareness training plays a vital role in helping employees learn how to identify and prevent this type of attack, and a good training program is a cost-effective way of mitigating information security risk.

However, with CFOs cracking down on budgets, they’re starting to demand more transparency into the effectiveness of each purchase, especially as more companies are using data and analytics to track performance from their vendors. (ThriveDX’s Security Awareness Training incorporates data-driven decisions.)

There are two types of security awareness training return on investment we’ll address.

  1. Return On Investment From The Purchase
  2. Return On Investment From The Security Awareness Training Effectiveness

To begin, we’ll go over how it can add to the bottom-line.


  1. Return On Investment From the Purchase

Currently, experts recommend businesses spend a substantial amount on IT. Gallagher, a global insurance broker and consulting company, recommends 4% of a business’s revenue should go to IT. According to McKinsey & Company, organizations around the world spent around $150 billion in 2021 on cybersecurity, with spend growing by 12.4% annually.

What’s The Problem With Spending So Much?

Most of the spending is on infrastructure, yet the cyber attacks happen in the human layer: 93 to 97% of cyber attacks happen through human negligence.

So, what is the connection here? Addressing the human factor will deliver a higher ROI on a business’s other cybersecurity products.

How Does Security Awareness Training Increase Your Bottom-Line?

Investing in security awareness training products will result in cost savings from the breaches themselves. For example, of the 93 to 97% of cyber attacks that happen through human negligence, 35% of data breaches are attributed to human error (Federal Information Systems Security Educators’ Association), and the average cost of a data breach is $4.35 million (IBM).

Let’s walk through the Return On Investment for using Security Awareness Training and how it might impact you. When you have a breach, this usually happens:

  1. Loss in Revenue: Generally Equal to 1 Day

When a breach happens, such as a website going down or the loss of other key elements, which prevents sales, it impacts revenue. To calculate the amount, go to your company’s 10-K. Look at the revenue line for the year. Divide it by 365 (days in a year). If you make $365 million, that is $1 million lost in that day.

  2. Remediation Expenses

This is usually done on a consulting basis. Usually you need two full-time employees at $300 to $400 an hour for a minimum of four weeks, which is $100k.

  3. Ransom Payment

Although some stats vary, a conservative amount is usually greater than $250k.

Grand Total: $1 million + $100k + $250k = $1.35 million lost

Purchasing a $50k security awareness training program that prevents all of that from happening will lead to a 2,600% return on investment: [(1,350,000 – 50,000) / 50,000] * 100.

2,600% Return On Investment

Therefore, why risk it? Here’s more information on how to justify a cybersecurity budget and more information on ThriveDX’s Security Awareness Training.


  2. Return On Investment From The Security Awareness Training Effectiveness

Now that we have discussed the way to add more profits to your bottom line, let’s discuss the behavior change that reduces the number of breaches, leading to a higher ROI.

More effective security awareness training methodologies are needed to prompt behavior change. The problem is that it doesn’t matter whether or how much a company invests in an intrusion detection system: this spend doesn’t guarantee a behavior change that leads to fewer incidents.


