Return on investment (ROI) of cybersecurity training


Protection against cybersecurity threats come with a financial burden. Various analysts have looked at what the cybersecurity spend profile is, and it isn’t for the faint-hearted. According to Dark Reading, Gartner is expecting cybersecurity spend to reach $124 billion this year

But not taking care of security is also a costly business: the recent fines of $5 billion applied to Facebook and $123 million to Marriott are just the tip of the iceberg. Even without fines to worry about, average annual costs from cyber-attacks are around $4.7 million, according to Willis Towers Watson. Added to all of these tangible costs are the intangibles such as reputation damage. I could go on

AppSec/API Security 2022

In the Ninth Annual Cost of Cybercrime Study by Accenture, they found that “people-based attacks” were increasing at the fastest rate. It seems to make sense, therefore, that we place a budgetary emphasis on cybersecurity training. But can we demonstrate the need for security awareness for employees? Can we somehow quantify this decision rather than use a gut reaction to determine budget spent on cybersecurity?

In other words, is there a return on investment (ROI) equation we can use to calculate the cost/benefit of spending on cybersecurity training in our organization?

What does an ROI equation for cybersecurity training look like?

To create an equation for ROI, you need to look at the variables that equation would contain. In its simplest form, an ROI question is: 

ROI = 


R = Return (Benefit)

I = Investment (Cost)

The problem security professionals have is how to calculate R and I.

The ROI equation shown above is simply not detailed enough to cover the complexity of the variables that make up the world of cybersecurity threats and mitigation. 

Work has been done to attempt to create an ROI (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Chris Sienko. Read the original post at: