One of the challenges we often discuss about security awareness programs is determining ROI, how do organizations determine how much money they are saving with their program or how much risk they are reducing.  While presenting recently at the ISSA CISO Forum, we had a very interesting discussion at the end that got me thinking about the following.
  1. First, ROI (Return On Investment) means different things to different organizations.  As such, how your organization determines ROI is unique to you. However, keep in mind security awareness is nothing more then another control, treat it as such.  How would your organization determine the ROI for buying an enterprise anti-virus solution, token authentication or full disk encryption?  Whatever that process is, use the same process for security awareness training.
  2. Second, if reducing costs are important, try determing ROI in terms of FTE (Full Time Employee).  One organization I know keeps detailed metrics of how much time their security team spends addressing infected systems.  After their awareness program the numbers of infected systems dropped signifigantly, freeing up half a FTE to focus on more important projects (or simply saving costs).
  3. Third, most controls are designed to target specific risks.  Anti-virus mitigates malware, two-factor authentication mitigates weak passwords, mail filtering mitigates scams and malicious links.  Awareness is different, it is a control designed to address and help mitigate these three risks and many more (social networking, mobile media, incident reporting, etc).  So for example, lets say investing in two factor authentication is $20,000 for your organization, designed to address risks associated with passwords.  Lets say an awareness program is also $20,000, which do you choose?  Two factor authentication will most likely reduce password risk greater than an awareness program.  However keep in mind that awareness will address far more risks, so its overall ROI at reducing risk may be far greater.
ROI is a challenge not just for security awareness but for security in general.  Different organizations measure ROI differently, and in fact have different definitions of exactly what ROI is.  However perhaps some of the steps documented here can help you in the right direction.