How to Calculate ROI in Cybersecurity

Time is the most important (and expensive) asset every human being has.  

So how can you make the most of your colleagues’ time?  

Many organizations shy away from providing too much security education because it affects employee productivity and can be a costly business expense. On the flip side, some organizations provide too little security education and see this as a win, since less time is being spent on tasks outside an individual's role.

Each organization is different, and finding the right balance of training that doesn’t pull colleagues away from their roles requires a deep dive into how your colleagues perceive, feel and behave when faced with a cyber threat.  

Typically, depending on the maturity of your organization, we recommend spending 10-20 minutes on cybersecurity awareness education every quarter to keep key concepts top of mind.


How To Show ROI For your Security Awareness Program 

To show ROI for your security awareness program, you need to find the point of diminishing returns: the point where the small additional impact of more training is no longer worth its cost, because your employees' time is expensive and the risk of an incident isn't meaningfully reduced any further.

To start thinking about calculating the point of diminishing returns, first consider the cost of employee time:  

  1. Consider the average hourly rate across the organization  

  2. Multiply the average hourly rate by the amount of time spent on security awareness 

  3. Finally, multiply that number by the total number of employees employed at your organization 


Second, consider how much additional risk reduction you can demonstrate for every additional 10, 30 or 60 minutes of time spent in training. By factoring in how the additional time can impact achieving your organization’s goals, you can identify the point where time invested intersects with targets being achieved.  

This exercise requires you to be clear on what your goals for security awareness are and how you intend to measure the results. 
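As an added example (it is not from the original post or from Beauceron Security's own material), the following Python sketch carries the three cost steps above through a year of quarterly sessions and then compares the marginal cost of each extra increment of training with the marginal risk reduction it buys. The hourly rate, headcount, and the risk-reduction table are all constructed assumptions; the table in particular has to come from your own measurements (for example, phishing-simulation report rates mapped onto an incident cost model).

```python
# Added example, not part of the original post. All figures are constructed
# placeholders; substitute your organization's own numbers.

AVG_HOURLY_RATE = 45.0   # assumption: average fully-loaded hourly rate across the org
HEADCOUNT = 800          # assumption: total number of employees
SESSIONS_PER_YEAR = 4    # quarterly sessions, as the post recommends


def annual_training_cost(minutes_per_session, hourly_rate=AVG_HOURLY_RATE,
                         headcount=HEADCOUNT, sessions=SESSIONS_PER_YEAR):
    """Steps 1-3: hourly rate x time spent x headcount, summed over a year.

    The division by 60 is done last so that whole-dollar inputs stay exact.
    """
    return hourly_rate * headcount * sessions * minutes_per_session / 60.0


# Constructed: estimated annual expected loss avoided at each per-session
# duration (0 minutes = no training). Replace with measured values.
RISK_REDUCTION_BY_MINUTES = {
    0: 0.0,
    10: 120_000.0,
    20: 180_000.0,
    30: 205_000.0,
    60: 215_000.0,
}


def marginal_analysis(risk_by_minutes, **cost_kwargs):
    """For each duration, return cost, benefit, their marginal values and ROI."""
    rows = []
    prev_cost, prev_benefit = 0.0, risk_by_minutes.get(0, 0.0)
    for minutes in sorted(m for m in risk_by_minutes if m > 0):
        cost = annual_training_cost(minutes, **cost_kwargs)
        benefit = risk_by_minutes[minutes]
        rows.append({
            "minutes": minutes,
            "cost": cost,
            "benefit": benefit,
            "net_benefit": benefit - cost,
            "marginal_cost": cost - prev_cost,          # cost of this extra increment
            "marginal_benefit": benefit - prev_benefit,  # risk reduction it buys
            "roi": (benefit - cost) / cost,
        })
        prev_cost, prev_benefit = cost, benefit
    return rows


def diminishing_return_point(risk_by_minutes, **cost_kwargs):
    """Longest duration whose extra minutes still return more than they cost.

    Walks the durations in order and stops at the first increment whose
    marginal benefit no longer exceeds its marginal cost.
    """
    best = 0
    for row in marginal_analysis(risk_by_minutes, **cost_kwargs):
        if row["marginal_benefit"] <= row["marginal_cost"]:
            break
        best = row["minutes"]
    return best


if __name__ == "__main__":
    for row in marginal_analysis(RISK_REDUCTION_BY_MINUTES):
        print(f"{row['minutes']:>3} min  cost {row['cost']:>9,.0f}  "
              f"benefit {row['benefit']:>9,.0f}  net {row['net_benefit']:>9,.0f}  "
              f"ROI {row['roi']:.2f}x")
    print("diminishing-return point:",
          diminishing_return_point(RISK_REDUCTION_BY_MINUTES), "minutes")
```

With these constructed figures the 10-minute session has the highest ROI ratio, but 30 minutes is where net benefit peaks: the step from 20 to 30 minutes still avoids slightly more loss than it costs in employee time, while the step from 30 to 60 minutes costs far more than the extra risk reduction it delivers. The two views are worth reporting side by side, because the ratio alone would argue for the shortest session.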

Experimenting To Find The Right Education 

Figuring out the right amount of security education for your organization requires continuous experimentation. It involves digging into some of the real and potential cyber threats targeting your organization, and determining if the current education being provided would empower your colleagues to recognize and report those threats.  

Ask yourself, “is the education my organization is currently providing effectively targeting and lowering cyber risk?” 

If you answer “no, there are some gaps in my current awareness education” then more time should be dedicated to providing the educational resources your colleagues need to best defend the organization. Or, you can experiment with changing some of the educational resources to see if that makes a difference in overall or targeted awareness. 

If you answer “yes, my organization currently provides the right educational resources” then great! Your next step should be to look for ways that you can reduce the amount of time your colleagues spend on security education without affecting awareness. 

For example, if your organization currently uses an hour's worth of training and can reduce the time spent on education to 30 minutes without compromising its risk-reduction impact, the total cost of the program is cut in half.

Driving better outcomes (risk reduction) in as little time as possible can only be achieved with effective education.

Effective education respects your colleagues by recognizing that their time is valuable, helps you further engage them in the program, and saves your organization money by reducing the time employees spend outside of their role.

Ready To Start Experimenting? 

In our 2023 Annual Report, we walk you through the steps of how to run a successful security awareness education experiment, with some examples of how we've run experiments.

Download the report to learn how you can provide the right education, at the right time and effectively reduce cyber risk: https://content.beauceronsecurity.com/state-of-cybersecurity-awareness-report 
