Cyber Security

How can we measure the ROI of a security awareness program focused on reducing pretexting risks?

AA Asked by Aaron Scott · 04-03-2025
0 upvotes 1,291 views 0 comments
The question

Our company invests heavily in security awareness training focused on common social engineering techniques like pretexting and tailgating. We've run several successful phishing simulations. However, senior leadership is now asking for hard data on the Return on Investment (ROI) for this training. What specific metrics, beyond just the click-through rate of phishing tests, can a cyber security team use to demonstrate that the investment in educating staff is actively reducing our organization’s overall risk of a successful social engineering attack and protecting sensitive data?

3 answers

0
RE
Answered on 18-04-2025

Measuring ROI requires connecting the training directly to quantifiable risk reduction. Track the reduction in incident response costs and time spent on cleanup activities related to user-reported incidents (vs. passively detected ones). A powerful metric is the Human Risk Score (HRS), which tracks employee behavior over time (simulated test results, reporting suspicious emails, policy compliance). A demonstrably decreasing HRS and an increasing Report Rate (how many employees report the suspicious email instead of deleting or clicking) directly show that the training has created an active line of defense, reducing the likelihood of a major cyber security incident caused by a social engineering exploit.

0
JA
Answered on 01-05-2025

Isn't the ultimate measure the tangible reduction in successful Business Email Compromise (BEC) or insider threat incidents that could be traced back to a pretexting attempt? How do you reliably calculate the "cost avoidance" aspect of an attack that never happened due to better security awareness?

RE 15-05-2025

Jason, calculating cost avoidance is tough but crucial. You'd typically use industry standards or your own historical data for the Average Cost of a Data Breach (e.g., $4.45M) and multiply it by the Reduction in Likelihood of an incident (derived from improved employee reporting/test scores). This gives you a financial value for the averted risk. Focus on quantifiable benefits like reduced helpdesk tickets for password resets post-phishing and lower overall insurance premiums due to demonstrably lower social engineering risk.

0
MA
Answered on 03-06-2025

The best indicator is the employee reporting rate for suspicious communications. An increase shows a shift from passive vulnerability to an active, engaged defense against social engineering and phishing.

JA 17-06-2025

I wholeheartedly agree with Maria. A high reporting rate demonstrates that employees are viewing themselves as part of the cyber security team. You can further add to this by tracking the time it takes for the first employee to report the campaign after it lands in the inbox.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session