Security Awareness Training ROI Calculator

See how much your organization can save by reducing phishing risk through security awareness training.

Organization

Employees: total employees who will receive training.
Average annual salary ($): used to calculate the productivity cost of training time.

Training Program

Select the level of security awareness training you are considering.

PPP (Phish-Prone Percentage) is the percentage of employees who would fall for a simulated phishing attack. Training is the time each employee spends on security awareness training per year.

Risk & Training Variables

Automatically calculated based on your selections above. You can override these values if needed.

Training time (hrs): time each employee spends in training annually.
Single Loss Expectancy, SLE ($): the financial cost of a cyber security incident. Scaled from a $4.8M base by organization size.
Annual Rate of Occurrence, ARO (%): baseline 6%, adjusted by the phish-prone improvement from training.
SAT platform cost ($): annual platform cost, scaled by employee count. Based on a CanIPhish Enterprise subscription.
Admin / management cost ($): staff time to administer the SAT program.
Other costs ($): any additional costs (consultants, etc.).
Annualized Loss Expectancy, ALE = ARO × SLE: your estimated annual loss from social engineering breaches. This value cannot be overridden.

ROI Summary

Total Program Cost
ALE (Before SAT)
ALE (After SAT)
Annual Risk Reduction
Net Benefit
Return on Investment

Detailed Breakdown

Cost Breakdown
    Hourly Cost per Employee
    Productivity Cost (training time)
    SAT Platform Cost
    Admin / Management Cost
    Other Costs
    Total Annual Program Cost
Risk Analysis: Before SAT
    Single Loss Expectancy (SLE)
    Annual Rate of Occurrence (ARO): Baseline
    Annualized Loss Expectancy (ALE)
Risk Analysis: After SAT
    Phish-Prone Percentage (After)
    Annual Rate of Occurrence (ARO): After
    Annualized Loss Expectancy (ALE)
ROI
    Annual Risk Reduction
    Net Benefit
    ROI

Key Assumptions

    Frequently Asked Questions

    The calculator draws on two primary industry reports to establish its baseline assumptions:

    Average cost per phishing breach: Single Loss Expectancy (SLE)

    According to IBM's Cost of a Data Breach Report 2025, the average cost of a data breach where phishing was the initial attack vector is USD $4.8 million. This figure includes direct costs (incident response, forensics, legal, regulatory fines) and indirect costs (lost business, reputational damage, customer churn).

    For modelling purposes, the $4.8M figure is benchmarked against a mid-market organization of approximately 500 employees. The calculator then scales this logarithmically based on your employee count. Smaller organizations receive a proportionally lower estimate, while larger organizations scale higher, capped at 2× the base.

    Annual likelihood of a phishing-origin breach: Annual Rate of Occurrence (ARO)

    The baseline ARO of 6% is derived from two published statistics:

    1. 43% of UK businesses reported experiencing a cyber security breach or attack within the last 12 months (UK Cyber Security Breaches Survey 2025).
    2. 16% of all data breaches had phishing as the initial attack vector (IBM Cost of a Data Breach Report 2025).

    Combining these: 0.43 × 0.16 = 0.0688 (~6.9%). We conservatively round this down to 6% for modelling purposes.

    Phish-Prone Percentage (PPP)

    Baseline PPP benchmarks are informed by aggregate phishing simulation data collected by CanIPhish across its entire customer base, which shows an average initial click rate of approximately 30–35% across industries before any training. The reduction percentages for each program level reflect commonly observed outcomes from sustained training and phishing simulation programs.

    The calculator uses the Annualized Loss Expectancy (ALE) model, a standard risk quantification framework:

    ALE = ARO × SLE

    SLE (Single Loss Expectancy): the estimated cost of a single phishing-origin breach, scaled by organization size. ARO (Annual Rate of Occurrence): the probability of a phishing breach occurring in a given year.

    The calculator computes ALE twice:

    Before SAT: using the baseline ARO of 6% (no training).
    After SAT: using a reduced ARO, adjusted proportionally by the Phish-Prone Percentage improvement from training.

    The Annual Risk Reduction is the difference between the two ALE values. The Total Program Cost includes employee productivity loss during training, SAT platform subscription, admin/management time, and any other costs. Finally:

    ROI = (Annual Risk Reduction − Total Program Cost) ÷ Total Program Cost × 100%

    A positive ROI means the modelled risk reduction exceeds the cost of the program. All input values can be overridden in the “Risk & Training Variables” section if your organization has more specific data.

    The Phish-Prone Percentage (PPP) represents the proportion of employees likely to fall for a phishing attack. Industry benchmarks suggest an average of approximately 30% with no training.

    The four program levels model progressively more effective security awareness programs:

    Level         | Description                                                                                                              | PPP | Training Time | Admin Effort
    No SAT        | No training or phishing simulations                                                                                      | 30% | 0 hrs/yr      | None
    Minimal       | Annual bulk training + annual phishing simulation                                                                        | 25% | 0.5 hrs/yr    | 1 week/yr
    Moderate      | Quarterly training + quarterly phishing simulations                                                                      | 10% | 1 hr/yr       | 2 weeks/yr
    Best Practice | Monthly training + risk-based smart phishing (weekly for high-risk, monthly for moderate, quarterly for low-risk users)   | 2%  | 2 hrs/yr      | 3 weeks/yr

    The PPP reduction directly lowers the ARO: a lower PPP means fewer employees fall for phishing, which reduces the likelihood of a successful breach. The formula is: ARO (After) = Baseline ARO × (PPP After ÷ PPP Before).

    Total program cost is the sum of four components:

    1. Productivity Cost: the opportunity cost of employees spending time on training instead of working. Calculated as: Number of Employees × Hourly Rate × Training Hours per Year. The hourly rate is derived from the average annual salary divided by 2,080 standard work hours.
    2. SAT Platform Cost: the annual subscription cost for a security awareness training platform. This is auto-calculated using volume-based per-user-per-month pricing that decreases at higher employee counts, then annualised. If “No SAT” is selected, this is $0.
    3. Admin / Management Cost: the cost of staff time to set up and manage the SAT program (configuring campaigns, reviewing reports, following up on failures). This is modelled as a number of weeks of one person’s time at the average salary: Annual Salary × (Admin Weeks ÷ 52).
    4. Other Costs: any additional costs such as external consultants, custom content development, or compliance audit fees. Defaults to $0.

    All cost values are auto-calculated but can be manually overridden in the “Risk & Training Variables” section to match your actual costs.
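    As an added worked example (not the calculator's own code), the ALE/ROI model and the four cost components described above, carried through in Python for a constructed 500-employee, $52,000-average-salary organization. The logarithmic SLE curve and the per-user-per-month platform tiers are assumptions, since the page states the shape of each but not the formula:

```python
import math

# Baseline figures the page states (USD; IBM 2025 phishing-vector breach cost etc.).
BASE_SLE, BASE_EMPLOYEES = 4_800_000, 500   # SLE benchmark at ~500 employees
BASELINE_ARO, BASELINE_PPP = 0.06, 0.30     # 0.43 x 0.16 rounded down; untrained PPP
WORK_HOURS = 2080                           # standard work hours per year
# Program levels from the page's table: (PPP after, training hrs/yr, admin weeks/yr)
PROGRAMS = {"No SAT": (0.30, 0.0, 0), "Minimal": (0.25, 0.5, 1),
            "Moderate": (0.10, 1.0, 2), "Best Practice": (0.02, 2.0, 3)}

def scaled_sle(employees):
    """ASSUMED curve: the page says only 'logarithmic, benchmarked at 500, capped
    at 2x base'; ln(n)/ln(500) meets all three conditions."""
    factor = math.log(max(employees, 2)) / math.log(BASE_EMPLOYEES)
    return BASE_SLE * min(factor, 2.0)

def platform_cost(employees, level):
    """ASSUMED placeholder per-user-per-month tiers, not any vendor's real pricing."""
    if level == "No SAT":
        return 0.0
    rate = 3.00 if employees < 250 else 2.50 if employees < 1000 else 2.00
    return employees * rate * 12          # annualised

def sat_roi(employees, salary, level, other_costs=0.0, overrides=None):
    """Run the page's ALE model; `overrides` may replace 'sle', 'aro' or 'platform'."""
    o = overrides or {}
    ppp_after, hours, admin_weeks = PROGRAMS[level]
    sle = o.get("sle", scaled_sle(employees))
    aro_before = o.get("aro", BASELINE_ARO)
    aro_after = aro_before * (ppp_after / BASELINE_PPP)   # ARO (After) formula
    ale_before, ale_after = aro_before * sle, aro_after * sle
    cost = {                                              # four cost components
        "productivity": employees * (salary / WORK_HOURS) * hours,
        "platform": o.get("platform", platform_cost(employees, level)),
        "admin": salary * admin_weeks / 52,
        "other": other_costs,
    }
    total = sum(cost.values())
    reduction = ale_before - ale_after
    net = reduction - total
    roi = net / total * 100 if total else float("nan")   # No SAT has zero cost
    return {"sle": sle, "ale_before": ale_before, "ale_after": ale_after,
            "risk_reduction": reduction, "cost": cost, "total_cost": total,
            "net_benefit": net, "roi_pct": roi}

if __name__ == "__main__":
    r = sat_roi(500, 52_000, "Moderate")   # constructed sample input
    print(f"ALE ${r['ale_before']:,.0f} -> ${r['ale_after']:,.0f}, "
          f"cost ${r['total_cost']:,.0f}, ROI {r['roi_pct']:.0f}%")
```

    Passing `overrides={"sle": ..., "aro": ..., "platform": ...}` mirrors the manual overrides in the "Risk & Training Variables" section.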

    A negative ROI means the modelled cost of the training program exceeds the estimated risk reduction under your chosen assumptions. This is most common in the following scenarios:

    1. Very small organizations: the SLE scales logarithmically
    2. Minimal program selected: a minimal program only reduces PPP
    3. High salary / high admin overhead: if your average salary is high,

    To improve ROI, try selecting a more comprehensive program level (which delivers a larger risk reduction), or adjust the cost variables to reflect your actual spending. In many cases, moving from “Minimal” to “Moderate” or “Best Practice” dramatically improves ROI because the risk reduction grows faster than the incremental cost.

    Yes. Every auto-calculated field in the “Risk & Training Variables” section can be manually overridden. The defaults are based on industry benchmarks and are intended as reasonable starting points, but every organization is different.

    We recommend adjusting the following values if you have organization-specific data:

    1. SLE: if you have incident cost data
    2. ARO: if you track phishing incidents
    3. Platform Cost: if you already have a vendor quote,
    4. Admin Cost: if you know how much staff time
    5. Training Hours: if your training program uses a different time commitment

    Selecting a different training program level will reset the auto-calculated fields to their default values for that level.

    This calculator provides a simplified risk model focused on phishing. It does not account for:

    1. Other attack vectors: SAT also helps reduce risk
    2. Compliance benefits: many regulatory frameworks
    3. Insurance premium reductions: some cyber insurance providers
    4. Culture and reporting improvements: trained employees report
    5. Multi-year compounding: this is a single-year model.

    As a result, the actual ROI of a well-run SAT program is likely higher than what this calculator estimates.