One of the challenges we often discuss about security awareness programs is determining ROI, how do organizations determine how much money they are saving with their program or how much risk they are reducing.  While presenting recently at the ISSA CISO Forum, we had a very interesting discussion at the end that got me thinking about the following.
  1. First, ROI (Return On Investment) means different things to different organizations.  As such, how your organization determines ROI is unique to you. However, keep in mind security awareness is nothing more then another control, treat it as such.  How would your organization determine the ROI for buying an enterprise anti-virus solution, token authentication or full disk encryption?  Whatever that process is, use the same process for security awareness training.
  2. Second, if reducing costs are important, try determing ROI in terms of FTE (Full Time Employee).  One organization I know keeps detailed metrics of how much time their security team spends addressing infected systems.  After their awareness program the numbers of infected systems dropped signifigantly, freeing up half a FTE to focus on more important projects (or simply saving costs).
  3. Third, most controls are designed to target specific risks.  Anti-virus mitigates malware, two-factor authentication mitigates weak passwords, mail filtering mitigates scams and malicious links.  Awareness is different, it is a control designed to address and help mitigate these three risks and many more (social networking, mobile media, incident reporting, etc).  So for example, lets say investing in two factor authentication is $20,000 for your organization, designed to address risks associated with passwords.  Lets say an awareness program is also $20,000, which do you choose?  Two factor authentication will most likely reduce password risk greater than an awareness program.  However keep in mind that awareness will address far more risks, so its overall ROI at reducing risk may be far greater.
ROI is a challenge not just for security awareness but for security in general.  Different organizations measure ROI differently, and in fact have different definitions of exactly what ROI is.  However perhaps some of the steps documented here can help you in the right direction.
About the Author
Thumbnail

Lance Spitzner

Director, SANS Security Awareness
Lance Spitzner has over 20 years of security experience in cyber threat research, system defense and awareness and training. He helped pioneer the fields of deception and cyber intelligence with his creation honeynets and founding of the Honeynet Project. In addition, Lance has published three security books, consulted in over 25 countries and helped over 350 organizations build programs to manage their human risk. Lance is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. Before working in information security, Mr. Spitzner served as an armor officer in the Army's Rapid Deployment Force and