Building a business case for your security awareness program is always a challenge.  Budgets are tight and it can be difficult to quantify human risk.  You need every weapon possible, and this is why we have a Security Awareness Business Justification section on our free resources page.  Check Point just published a social engineering survey that may also be able to help you.  They surveyed 850 IT administrators about social engineering attacks and defenses in their organization.  The survey results are simple to read and there may be some interesting statistics that can help support your program.  For example:
  • 48% of all participants cite an average per incident cost of over $25,000
  • 30% of large companies cite a per incident cost of over $100,000
  • 48% of large companies and 32% of companies of all sizes have experienced 25 or more social engineering attacks in the past two years
  • New employees (60%), contractors (44%), and executive assistants (38%) are cited as being at high risk for social engineering techniques
What really surprised me is that only 26% of the companies surveyed have an active awareness and education program.  That is like saying 75% of organizations have no anti-virus, no firewalls or no Intrusion Detection Systems.  Of course the human vector is going to be the most popular when 75% of organizations do nothing to protect them.