Contact us: +45 32 67 26 26

Is Security Awareness Training Worth the Cost?

Sarah Hofmann
By: Sarah Hofmann Awareness training | 19 January

If you are reading this, you might be wondering what the value of IT security training could be for your organisation. Security awareness training teaches your colleagues how to practice good security habits and reduces the risk of a security breach. But at the end of the day, the kind of training you can give your colleagues often comes down to what your budget allows. In this blog post, we use data to explain why security training is well worth the upfront cost. For example, did you know that organisations have about a 30% chance of experiencing a security breach in the next two years? Or that using security training reduces the security cost of an employee by 52%?

We’ll go over training costs, the consequences of security breaches, and the average ROI of training. Happy reading! 


Types of security awareness training

There are a lot of ways to train your organisation on IT security. For example, you could run awareness training through e-learning courses or in-person meetings, and you can send phishing test emails to your staff. You can do everything by yourself, or you can partner with a training organisation, like CyberPilot, so you have more time to work on the complex security challenges that need your focus every day. All these decisions impact the cost of training, the quality of your training, and how productive you and your colleagues are at work. So, let’s talk about the cost of training.

The average cost of IT security training: €60 per employee per year

On average, our security awareness training costs about €60 per employee per year. This is the average cost of purchasing training, but the cost varies depending on the size of the organisation. So, for an organisation with 75 employees, the price per year is €4,308. When you think about it, €60 is basically the cost of giving your employees a gift, or everyone working a few extra hours each year – it's a relatively minor cost.

There are a lot of factors that contribute to the total cost of training. For instance, the cost per user is typically lower the more users you have. You should also think about other costs, like time and productivity.

    • How much time will be taken from your workday if you manage all the training yourself?
    • How much time will your colleagues lose from their workdays to attend training?
    • What does this mean for your organisation’s productivity?
These secondary costs are common reasons why organisations choose to work with external training partners. Working with a training provider frees up the IT department’s time for important security tasks and hands over training to learning experts, meaning that your employees’ training time is well spent.

Companies like CyberPilot take all the work of creating and administering IT security training off your plate and deliver efficient training in sessions under 10 minutes each. This saves time for both the IT team and the rest of the office, keeping productivity high.


The average cost of a security breach

We have an in-depth post about the average cost of a data breach, which has information about different kinds of breaches and why they are so expensive. For now, we’ll stick to the numbers you need to know.

When you think about the cost of experiencing a security breach, you have to think outside of the financial box. In addition to the cost of repairing your systems or bringing your organisation back online, breaches have a negative impact on your organisation’s reputation. This leads to a loss of trust, and ultimately a loss of business.

The costs are, of course, different for big and small organisations. While the news mostly tells us about breaches that happen to big companies, breaches in smaller companies are just as harmful. The legal costs and reputation harm are often too much for smaller organisations to recover from.


The cost of doing nothing

We’ve gone over the cost of training and the cost of experiencing a security breach. So now what? We’ll help you put these costs into perspective so that you know what they might mean for your organisation.

You might run into the argument that your organisation isn’t likely to experience a breach, so it’s not worth spending money to prevent one. But research shows that in 2019, organisations had a 29.6% chance of experiencing a data breach in the next two years. Since then, data breaches have only become more frequent and sophisticated. This means you have at least a 1 in 3 chance of having a security breach, which the data shows can be really expensive or even put your company out of business.

Biggest GDPR fines of 2022

Let’s go a little deeper into the research now. Training is especially important for smaller organisations because 95% of cyber-attacks target small and medium-sized businesses. In fact, did you know that 61% of small and medium-sized businesses have experienced a cyber-attack in the last 12 months?

In addition to thinking about your organisation’s vulnerability to a breach through these statistics, you can also estimate the likelihood of a breach by running a phishing simulation or doing a risk analysis.

Phishing testing

Sending a fake phishing email to your colleagues is one way to guess how susceptible to a breach your organisation is. Phishing is one of the most common methods of a security breach, and as many as 39% of employees fall for phishing tests. Phishing emails can be difficult to spot, and 97% of people can’t detect a sophisticated phishing email. The results of a phishing test can tell you how vulnerable your company is. If a lot of your colleagues fall for your fake phishing email, they probably won’t be able to spot a real phishing attempt in their inboxes either. Security breaches caused by phishing email mistakes are the most expensive kind of breach for an organisation to handle.

Risk analysis

Another way to evaluate your security vulnerabilities is to do a risk analysis. We have a free template and guide that can help you get started. A risk analysis can help you figure out what your biggest security risks are and how likely they are to occur. From here, you can come up with a plan about what you can do next to meaningfully improve your security. It’s important to be thorough with a risk assessment and ensure that you aren’t leaving anything out. This means that no matter how talented your employees are, human mistakes that cause security breaches should always be included as potential risks.



But I have firewalls and other solutions – do I still need training?

With all the technical solutions available, it is tempting to invest in the newest software and think that we’ve done our job. We completely support investing in technological solutions, like anti-virus programs, firewalls, and SIEM. But we know that technology on its own is not enough. We know that 9 out of 10 security breaches happen because of human error, which is why we believe that employee training is an essential part of any security strategy.

Think of training like insurance

In a way, providing training for your employees is kind of like buying insurance, like for your home for instance. It’s a cost that might not seem worth it until something happens to prove its worth. Spending money every month to insure your home can be annoying because you don’t immediately see the benefit. But if you get a water leak in your house and you have to do a lot of repairs, you will be glad to have insurance experts to help you fix the problem. You'll also be happy that your repair costs will be covered. Investing in IT security training is really similar.

If you aren’t experiencing any security breaches, it could seem like a waste of money. But the fact that your business is not experiencing any disruptive breaches shows that the training is working. The awareness training is like having insurance against a security breach because your employees know how to act if a situation seems risky.


Better safe than sorry: training is worth the cost

We think training is worth the cost, and so do our customers. It is so much cheaper to build awareness and prevent a breach than to recover from a breach that has already happened. Especially when you think about the long-term costs of a breach, such as loss of customers and reputational harm.

If your organisation has 100 employees, you might spend around €6,000 total on security training each year based on an average cost of training of €60 per person per year. Using this estimation, and the average cost of a security breach ($4.35 million), you would have to pay for training for about 725 consecutive years before the cost of your training reached the cost of a breach. Maybe this number can help put the cost of a breach compared to the cost of training into perspective.

Of course, this calculation is simplified – not all breaches cost $4.35 million and not all training costs €60 per employee each year. We’re just using averages to keep it somewhat simple. But you can imagine that the cost of a breach is likely proportional to the number of employees you have and your company’s annual revenue. So, even though bigger companies have more money to lose in a breach, smaller companies will suffer in many of the same ways.

Training makes sense. It has a high ROI (Return on Investment), it works to prevent security mistakes, and it has plenty of other benefits.


The ROI of security training is high

Research shows that the ROI of security awareness training is quite high. In smaller companies, the annual cost per employee (related to security) is 52% cheaper when the company uses security awareness training. By using security training, small companies can save an average of $149 annually per employee. In bigger organisations, this looks like an average ROI of security training of up to 562%. So, investing in training can actually create a lot of savings in the long term!

Keep in mind that the ROI your organisation may achieve through security awareness training depends on several factors, including your employees’ salaries, the size of your organisation, and the severity of a potential breach. For instance, healthcare companies are known to experience some of the most expensive data breaches, so the ROI of training is probably higher for those organisations because they have more to lose.

A woman trying free awareness courses on her computer

Training works

Human behavior is the leading cause of security breaches. In fact, 9 out of 10 breaches are caused by human error. But mistakes can be reduced with good training and awareness raising activities. For example, this image shows how our customers make fewer mistakes after participating in continuous awareness training and phishing testing. You can see that by the third phishing test, the users had over a 50% reduction in mistakes made, meaning that they were much less likely to fall for phishing emails.

phishing training results show that the cost of training employees pays off

Additionally, training does not have to take a lot of time. Our courses teach important IT security concepts in under 10 minutes every other month, so that there isn’t a loss in productivity. Compare that with several hours to weeks of down-time due to a security breach, and the time lost to training seems like nothing.


Additional benefits of security awareness training and phishing testing

Besides ROI and the ability to reduce the mistakes that lead to security breaches, IT security training can have other positive impacts on your organisation. For example, having a continuous awareness training program in place can help you reach compliance with the GDPR and other IT security frameworks.

Having security certificates shows your customers that you can be trusted, which can benefit your business and reputation. It can make potential customers want to do business with you. It can also help you avoid receiving a GDPR fine.

Finally, training can improve your organisation’s security culture and bring your colleagues together with a common goal of enhancing security.

We hope this article has been useful to you. If you would like to see what security awareness training could do for your organisation, you are welcome to try our 14 day free trial of awareness training or get in touch with our team.