1. Cost

The facts on cyber breaches are well-published  - nearly every single cyber attack involves Phishing or Social Engineering to compromise your network. Removing the risk of your people being Phished or “socially engineered” in some way, a complete Security Awareness Training program can reduce your risk of risk of socially engineered cyber threats by up to 70 percent.1 Yes, we get it. That sounds high. But removing Social Engineering and Phishing risks virtually eliminates a hacker’s options. So, let’s explore that ROI.
‍
Typically, your Security Awareness Training software license cost is relatively small compared to other Cyber Security initiatives. That’s the good news. It’s important to highlight that the license is only a piece of the total cost of a complete Security Awareness Training program. The sneakier cost is in Time. The weekly/monthly hours required to manage your program must be budgeted for, whether it’s adding a role to an existing employee or a new hire. You’ll want to ensure your manager is on board with any new time commitments and related expenses.
‍
Most competing platforms will take at least 15 hours per month (based on 250 users) to manage successfully. This can easily become a point of conflict with other priorities if expectations are not set upfront. In the event you choose a vendor without complete automation, professional labor cost typically runs around 1-1.5x the cost of your license (again, at 250 users). When added up, this equates to approximately $7,200 in recurring labor expense to manage2 a successful, complete Security Awareness Training program.
‍
All-in, these costs in dollars and labor are well worth the investment.

2. Return on Investment (ROI)

Security Awareness Training program ROIs can vary widely, depending on your vendor choice and level of management. Broadly, ROI can range from approximately 50-550%3. That’s a HUGE spread. And much of that spread can be explained by the difference between selecting a manual or an automated platform. Utilizing a fully-automated platform removes the Labor cost.
‍
This offers strong support to a fully-managed or automated Security Awareness Platform. As explained in the above section, an automated program can cut your TCO by a full 50%+.
‍
It’s worth highlighting here than any estimated cost of an attack does must include several important considerations, including:

• Loss of Revenue from network downtime
• Reputational Loss from news headlines and breach notification
• Remediation cost
• Replacement hardware

The overall value of the program is only increased by reducing these risks.

3. User Experience

Executives are typically mindful of the employee experience, and this includes interactions with IT and Security products. You want to demonstrate the user experience to your management. This allows them to understand how Phishing tests will be treated and how delightful (or burdensome, in some cases) Training courses will be.
‍
It’s best to simply demonstrate the End User Experience with example Phishing emails and Training courses. This can be done through short video demos, pdf presentations or actual tests. It’s typically easiest and most information to use short videos. Not surprisingly, your executives don’t like a surprise Phish test all too much! Still, they need it just as much as everyone else. It’s simply best to wait until you’ve gained Executive buy-in to launch Phishing tests.