Security Awareness Training: Measuring Real ROI
Security awareness training is frequently criticised as ineffective, yet the data tells a different story. The key is measuring the right outcomes (click rates on simulated phishing tracked over time, not training completion rates) and setting realistic expectations.
What the Research Shows
KnowBe4's analysis across thousands of organisations shows that baseline phishing susceptibility averages around 33%: roughly one in three employees will click a phishing link with no prior training. After 90 days of training and simulated phishing, this drops to 18%. After 12 months, it falls to approximately 5%. Note that these figures measure clicks on simulated lures, so they depend on the difficulty of the simulations used and are not a direct measure of real-world compromise.
Ponemon's research corroborates these findings, showing a 54% reduction in phishing clicks within six months and up to 86% within a year of a consistent training programme.
Calculating the Financial Return
If phishing accounts for an estimated $875K in annual loss expectancy (ALE) and training reduces phishing success by 60%, the annual loss avoided is $525K. Against a typical programme cost of $35K for a mid-size organisation, that is a benefit-to-cost ratio of 15:1, or a net return of $490K (roughly 14x the cost). The result is only as reliable as its two inputs: the ALE estimate, and the measured reduction, which should come from your own simulation data rather than a vendor average.
Making Training Effective
- Run regular phishing simulations, not just annual training
- Provide immediate feedback when users click simulated phishing
- Tailor content to role-specific risks (finance teams face different threats than developers)
- Track metrics over time to demonstrate improvement to leadership; keep lure difficulty and population size comparable between campaigns so the trend is meaningful rather than an artefact of easier tests
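The following is an added worked example, not code from the original article, showing how the metrics above could be computed from simulated-phishing campaign results: the click-rate reduction between campaigns, a Wilson confidence interval on each click rate (so a small drop on a small population is not mistaken for progress), and the ROI figures from the calculation above. The campaign numbers are constructed to follow the 33%/18%/5% trajectory quoted in the text; the ALE, reduction and programme cost are the article's own figures. The `Campaign` structure and function names are assumptions for illustration.

```python
import math
from dataclasses import dataclass


@dataclass
class Campaign:
    """One simulated-phishing campaign: how many lures went out, how many were clicked."""
    label: str
    sent: int
    clicked: int

    @property
    def click_rate(self) -> float:
        return self.clicked / self.sent


def reduction(baseline_rate: float, current_rate: float) -> float:
    """Fractional reduction in click rate relative to the baseline campaign."""
    return 1.0 - current_rate / baseline_rate


def wilson_interval(clicked: int, sent: int, z: float = 1.96) -> tuple[float, float]:
    """95% Wilson score interval for a click rate; tighter than the normal
    approximation when the rate is small, which is exactly the regime after training."""
    p = clicked / sent
    denom = 1.0 + z * z / sent
    centre = (p + z * z / (2.0 * sent)) / denom
    half = z * math.sqrt(p * (1.0 - p) / sent + z * z / (4.0 * sent * sent)) / denom
    return centre - half, centre + half


def roi(ale: float, reduction_fraction: float, programme_cost: float) -> dict:
    """ROI of a training programme given the annual loss expectancy for phishing,
    the measured reduction in phishing success, and the annual programme cost."""
    loss_avoided = ale * reduction_fraction
    net_benefit = loss_avoided - programme_cost
    return {
        "loss_avoided": loss_avoided,
        "net_benefit": net_benefit,
        "benefit_cost_ratio": loss_avoided / programme_cost,
        "net_roi_multiple": net_benefit / programme_cost,
    }


def summarise(campaigns: list[Campaign]) -> list[dict]:
    """Per-campaign click rate, confidence interval and reduction versus the first campaign."""
    baseline = campaigns[0].click_rate
    rows = []
    for c in campaigns:
        lo, hi = wilson_interval(c.clicked, c.sent)
        rows.append({
            "label": c.label,
            "click_rate": c.click_rate,
            "ci_low": lo,
            "ci_high": hi,
            "reduction_vs_baseline": reduction(baseline, c.click_rate),
        })
    return rows


# Constructed sample data (assumed): 1,200 users, three campaigns following the
# 33% -> 18% -> 5% trajectory quoted in the article.
CAMPAIGNS = [
    Campaign("baseline", sent=1200, clicked=396),
    Campaign("90 days", sent=1200, clicked=216),
    Campaign("12 months", sent=1200, clicked=60),
]

if __name__ == "__main__":
    for row in summarise(CAMPAIGNS):
        print(f"{row['label']:>10}: click rate {row['click_rate']:.1%} "
              f"(95% CI {row['ci_low']:.1%}-{row['ci_high']:.1%}), "
              f"reduction {row['reduction_vs_baseline']:.0%}")
    # The article's figures: $875K ALE, 60% reduction, $35K programme cost.
    for k, v in roi(875_000, 0.60, 35_000).items():
        print(f"{k}: {v:,.1f}")
```

The confidence interval is the check worth keeping: with 1,200 users a 5% click rate has a 95% interval of roughly 4% to 6%, so a month-to-month move of a point or two is noise, and a smaller organisation running a 150-user campaign should not read anything into single-campaign swings at all.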