How to Measure Security Awareness ROI (with Calculator)
The hardest conversation a CISO has every year is not the renewal call with the carrier or the SOC 2 audit. It's the budget defense with the CFO. Security awareness training looks like a soft cost - recurring license fees, training hours from employees and a benefit that is, by definition, the absence of an event. The vendor pitch deck gets pushed back across the table with a single question: "what's the ROI?"
This is the model that survives the question. It uses only external sources a CFO will recognize, treats observable line items as primary and probabilistic ones as supporting and produces a number that is conservative enough to defend and meaningful enough to matter. There is no spreadsheet attached because the calculation is simple enough to do on a napkin - that's a feature, not a bug.
The ROI formula
The defensible model has four inputs:
- A: Avoided breach cost (probability-weighted)
- B: Cyber insurance premium reduction (observable)
- C: Audit and compliance time savings (observable)
- D: Annual program cost (observable)
ROI ratio = (A + B + C) / D. Net annual benefit = (A + B + C) − D.
Lead the conversation with B and C, because both are observable and quoted by external parties. Use A as supporting evidence with its assumptions stated explicitly. Under the conservative assumptions in the worked example below the ratio comes out near 5:1; credible but less conservative assumptions push it higher. Either way it clears the hurdle rate a CFO typically applies to recurring program spend.
A: Avoided breach cost
Three data points produce A:
- Breach cost. The IBM Cost of a Data Breach Report publishes annual averages by industry. Pick the figure for your industry; it's typically the most-cited number in CFO conversations and the one your CFO has likely seen elsewhere.
- Phishing-attributed share of breaches. The Verizon Data Breach Investigations Report has reported for years that phishing and stolen credentials together account for the majority of initial-access vectors in confirmed breaches. Use a defensible percentage (50-60% is conservative) for the share of total breach probability attributable to phishing.
- Annual breach probability for your size and industry. This is the softest number. Conservative assumption: 1-in-20 (5%) for SMBs and mid-market; lower for very small firms; higher for healthcare and financial services. State the assumption explicitly so the CFO can challenge it.
A = (industry breach cost) × (phishing-attributed share) × (annual breach probability) × (program-attributed risk reduction), where the last term is the fraction of the phishing-attributed breach risk the program is credited with removing. The conservative assumption is 30%; published Forrester and Gartner research credits sustained programs with substantially more, but 30% survives challenge.
Worked example for a 200-employee professional services firm: $4.4M average breach cost × 55% phishing share × 5% annual probability × 30% risk reduction = $36,300 in probability-weighted avoided cost per year.
B: Insurance premium reduction
This is the easiest number to defend because your broker quotes it. Marsh, Aon and the major MGA forms now treat documented phishing simulation programs as a premium adjustment factor. Brokers consistently report 5-15% premium reductions for organizations that move from "no formal program" to "continuous program with automated remediation."
If your annual cyber insurance premium is $40,000, a 10% reduction is $4,000. That's an observable, broker-quoted line item that lands directly on the income statement. The 9 questions cyber insurers ask map directly to the program features that drive this reduction; if you're answering them well, the broker can quote the reduction explicitly.
B = annual premium × premium-reduction percentage. Use the broker's actual quote, not an industry average.
C: Audit and compliance time savings
SOC 2, HIPAA, PCI DSS 4.0, NIST CSF 2.0, and ISO 27001 all expect documented security awareness training, and PCI DSS 4.0 names phishing explicitly. With a modern platform, the evidence packet (campaign list, click rates, completion rates, written policy) exports as a single PDF. Without one, the program manager spends days reconstructing it across spreadsheets and email screenshots.
Measured time savings are typically 20-40 hours per audit cycle for SMBs, more for organizations under multiple frameworks. Multiply by loaded hourly cost. For a 200-person firm with one annual SOC 2 audit, conservatively estimate 30 hours saved at $150/hour = $4,500.
If your auditors charge by the hour and you've reduced their work by producing clean evidence, that line item drops through to invoiced fees as well - easy to confirm with the auditor.
D: Program cost
Be honest about D. Include:
- Platform license fees (annual)
- Internal program owner time (10-20% of one FTE for an SMB program)
- Employee training time (15 minutes per quarter × headcount × loaded hourly cost)
- Any third-party content or consulting
For a 200-employee firm with a transparent annual phishing simulation platform price, D typically lands between $5,000 and $20,000 fully loaded. Compute it rather than assume it: the employee training line alone is 200 hours a year at whatever loaded rate you use, and the owner's time at 10-20% of an FTE is usually the next largest component, so those two lines decide where in that range you land. If your platform pricing is opaque, that itself is a finding - opaque pricing creates budget defense problems beyond ROI.
Putting it together
Continuing the 200-employee professional services example:
- A: $36,300 avoided breach cost
- B: $4,000 premium reduction
- C: $4,500 audit time savings
- Total benefit: $44,800
- D: $9,000 program cost
- Net annual benefit: $35,800
- ROI ratio: ~5:1
That's the conservative case. Move phishing share to 60% and risk reduction to 40% - both within the credible range - and A rises to $52,800, the total benefit to $61,300 and the ROI ratio to roughly 7:1. The point is not to find the most flattering number; it's to produce a model whose worst case is still defensible.
Sensitivity analysis a CFO will actually run
Any ROI model presented to a CFO will be subjected to sensitivity analysis. The CFO's job is to ask "what assumption is this resting on, and what happens to the answer if I change it?" The model above survives that scrutiny because each input has a defensible source and an explicit assumption. Three sensitivity tests to run before the meeting:
- Halve the breach probability. Run the model at 2.5% annual breach probability instead of 5%. The B (premium reduction) and C (audit savings) line items don't change because they are observable. A halves to $18,150, and in the worked example the ROI ratio drops to about 3:1 - still well above break-even and above the threshold most CFOs use to approve recurring program spend.
- Halve the program-attributed risk reduction. Run the model at 15% risk reduction instead of 30%. Same arithmetic: B and C unchanged, A halves to $18,150, ratio about 3:1. The exercise demonstrates that the conclusion is robust to substantial assumption deterioration.
- Strip out the probabilistic input entirely. Run the model with A = 0, only B and C. In the worked example that is $8,500 of observable benefit against $9,000 of program cost - roughly break-even, with the observable line items covering almost all of D and any non-zero A putting the program in the black. Whether B + C alone clears D depends on your premium and audit load, so run it with your own numbers. This is the most-defensible version and the one to lead with if the CFO is unusually skeptical of probabilistic inputs.
A model whose conclusion holds up under aggressive sensitivity analysis is a model that survives a CFO conversation. A model that only works at the most-flattering input values does not.
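The calculator below is an added example, not code from the original article or from the vendor; it implements the A/B/C/D model and the three sensitivity tests above in Python, using the 200-employee professional services figures as its sample input. The field and function names are my own, and the `program_cost` helper simply itemizes D from the four components listed in the D section so you can replace the example's lump-sum D with a computed one.

```python
"""Security awareness ROI calculator: A/B/C/D model plus CFO sensitivity tests.

Added example (not the article's own code). Sample figures below are the
article's 200-employee professional services example; all names are assumptions.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RoiInputs:
    breach_cost: float          # industry average breach cost (IBM report figure)
    phishing_share: float       # share of breaches attributable to phishing (DBIR-derived)
    breach_probability: float   # annual breach probability for this size/industry
    risk_reduction: float       # share of phishing-attributed risk the program removes
    premium: float              # annual cyber insurance premium
    premium_reduction: float    # broker-quoted reduction, as a fraction
    audit_hours_saved: float    # hours saved per audit cycle
    loaded_hourly_rate: float   # loaded cost of the person doing evidence work
    program_cost: float         # D, fully loaded annual program cost


@dataclass(frozen=True)
class RoiResult:
    a: float
    b: float
    c: float
    d: float

    @property
    def total_benefit(self) -> float:
        return self.a + self.b + self.c

    @property
    def net_benefit(self) -> float:
        return self.total_benefit - self.d

    @property
    def ratio(self) -> float:
        return self.total_benefit / self.d


def avoided_breach_cost(i: RoiInputs) -> float:
    """A: probability-weighted avoided breach cost."""
    return i.breach_cost * i.phishing_share * i.breach_probability * i.risk_reduction


def premium_reduction(i: RoiInputs) -> float:
    """B: broker-quoted premium reduction in dollars."""
    return i.premium * i.premium_reduction


def audit_savings(i: RoiInputs) -> float:
    """C: evidence-packet time savings at loaded cost."""
    return i.audit_hours_saved * i.loaded_hourly_rate


def program_cost(license_fee: float, owner_fte_fraction: float, owner_loaded_salary: float,
                 headcount: int, hours_per_employee_per_year: float,
                 employee_loaded_rate: float, third_party: float = 0.0) -> float:
    """D itemized from the four components in the article's D section."""
    owner_time = owner_fte_fraction * owner_loaded_salary
    employee_time = headcount * hours_per_employee_per_year * employee_loaded_rate
    return license_fee + owner_time + employee_time + third_party


def compute(i: RoiInputs) -> RoiResult:
    if i.program_cost <= 0:
        raise ValueError("program cost D must be positive to form a ratio")
    return RoiResult(a=avoided_breach_cost(i), b=premium_reduction(i),
                     c=audit_savings(i), d=i.program_cost)


def sensitivity(base: RoiInputs) -> dict[str, RoiResult]:
    """The three tests a CFO will run: B and C never move, only A does."""
    scenarios = {
        "base": base,
        "half_breach_probability": replace(base, breach_probability=base.breach_probability / 2),
        "half_risk_reduction": replace(base, risk_reduction=base.risk_reduction / 2),
        "observable_only": replace(base, risk_reduction=0.0),  # forces A = 0
    }
    return {name: compute(inp) for name, inp in scenarios.items()}


# Constructed sample input: the article's 200-employee professional services example.
EXAMPLE = RoiInputs(
    breach_cost=4_400_000, phishing_share=0.55, breach_probability=0.05, risk_reduction=0.30,
    premium=40_000, premium_reduction=0.10,
    audit_hours_saved=30, loaded_hourly_rate=150,
    program_cost=9_000,
)

if __name__ == "__main__":
    for name, r in sensitivity(EXAMPLE).items():
        print(f"{name:24s} A={r.a:>9,.0f} B={r.b:>7,.0f} C={r.c:>7,.0f} "
              f"D={r.d:>7,.0f} net={r.net_benefit:>9,.0f} ratio={r.ratio:.2f}:1")
```

Run it as a script to print the base case and the three sensitivity rows; swap the `EXAMPLE` fields for your own broker quote, audit hours and itemized D before the meeting. Note what `program_cost` tells you: at 200 heads and one training hour a year each, the employee-time line is 200 hours at whatever loaded rate you use, which is why D should be computed rather than assumed.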
Industry-specific considerations
Healthcare, financial services and education each have ROI modifiers worth applying:
- Healthcare: The IBM Cost of a Data Breach Report's healthcare industry figure has consistently led other industries by a meaningful margin. The avoided-breach line item is therefore disproportionately large in healthcare. HIPAA Security Rule training requirements add a compliance-cost-savings input that doesn't appear in other industries.
- Financial services: FFIEC and GLBA training requirements layer on top of cyber insurance, producing a larger C (audit savings) line item. Bank examiners also explicitly ask about phishing training, which makes documented programs a regulatory-cost factor on top of the insurance factor.
- Education (K-12 and higher ed): Lower per-record breach cost than healthcare or financial services, but very high incident frequency. Models for this sector typically have a higher annual breach probability assumption (closer to 8-10%) and produce ROI ratios that are robust to assumption deterioration.
- Manufacturing: OT/ICS-adjacent environments add a downtime-cost component to A that typical IT-only breach cost figures don't fully capture. CISA materials (including the former ICS-CERT guidance it absorbed) are useful for downtime cost framing.
- Professional services: Lower per-incident loss but high reputational exposure. Conservative models lean on B (premium reduction) and C (audit savings) more heavily and de-emphasize A.
What not to include
- Reputational damage avoidance. Real, but unquantifiable in a CFO conversation. Mention it; don't assign a dollar value.
- Vendor "average customer" testimonials. Marketing data, not research. CFOs discount these to zero, correctly.
- Productivity loss avoided across the whole workforce. The numbers get large quickly and invite challenge. Stick to IT and security team hours, which are defensible.
- Stock price impact. Real for public companies, irrelevant for most SMBs and not how you want to frame the conversation regardless.
How the platform helps
The hard part of this calculation is producing the inputs. Bait & Phish reporting natively exports campaign cohorts, completion rates and time-to-remediation data, which is what your broker and auditor want to see - and which is what enables the B and C line items in this model. The five lure categories and three difficulty tiers in the template library produce realistic click rates that the model can rest on without hand-waving.
If you want to run the calculation against your own program, start a 25-user free trial and produce one quarter of real data. If you'd rather walk through the model on a call with your specific numbers, contact us and we'll do it. Our team has been building this category since 2010 and has watched the ROI conversation evolve from "trust me" to the model above. The math is on your side; the harder part is showing the work.
Related reporting and metrics guides
- vCISO dashboard architecture
- Executive metrics that matter
- Board reporting
- Click-rate benchmarks by industry