From qualitative to quantitative
Until now, budget requests for cybersecurity and privacy awareness have mostly rested on qualitative arguments. Consider, for example, the following points:
- Improved digital skills: awareness training improves employees' digital skills and is therefore a key part of an organization's digitalization.
- Reduced risk: awareness of cybersecurity and privacy, and of the associated best practices, reduces the likelihood of security incidents.
- Protecting confidential information: cybersecurity and privacy awareness helps protect confidential information against external threats as well as inadvertent sharing, mistakes, data breaches and other risks.
- Preventing reputational damage: as a government agency or organization, you quickly suffer reputational damage after a major data breach or hack, with all the consequences that entails.
- Complying with laws and regulations: such as the AVG (the GDPR, by its Dutch name), the BIO (Baseline Informatiebeveiliging Overheid) and NIS2. By raising awareness, an organization can meet these requirements and avoid potential fines* or other legal consequences.
- Increased productivity: when employees are aware of cybersecurity and privacy and can work securely online with confidence, they work more efficiently.
*Experience shows that to date the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has hardly imposed any serious fines. But better safe than sorry.
Quantitative arguments, by contrast, rarely got further than vague, undefined figures and statements. The main one was always:
- Cost savings: preventing a data breach or hack saves the very large sums that would otherwise be spent on restoring data and systems.
People had only a vague idea of what a data breach or hack costs, or of how likely an organization is to be affected. That made it hard to set aside a financial reserve just in case, let alone form a clear picture of the savings that an effective cybersecurity and privacy awareness strategy actually delivers.
The formula
By developing a formula, Brooklyn Partners has put numbers on the costs and benefits of cybersecurity and privacy awareness:
ROAI = (reduced risk – annual cost of the security awareness program) / (annual cost of the security awareness program) × 100%
Here "reduced risk" is expressed in euros: the expected annual loss from data breaches and hacks multiplied by the share of that risk the program removes. The result is a clear ratio between the cost of an investment in awareness and the expected return, the ROAI (return on awareness investment).
The formula takes several factors into account: the size of the organization, the type and level of awareness program deployed, and the average cost of a small, medium or large data breach or hack. We also look at the number of data breaches and hacks per year in the sector, the incidents with a high probability of misuse, and the actual probability that an organization is affected. From these factors, the ROAI of a cybersecurity and privacy awareness strategy can be determined.
For example, suppose a sector records 5 hacks per year and 90 incidents with a high probability of abuse, and your organization is one of 350 parties in that sector. The probability of your organization being hit by a hack is then 5 / 350 ≈ 1.4% (the 90 high-risk incidents are a separate input that this example does not carry through). Multiply that probability by the average cost of a successful hack or data breach in your sector to obtain your expected annual loss.
If an awareness program reduces that risk by 20% and the resulting saving is €22,400 (which implies an expected annual loss of €112,000 before the program), while the program costs €15,000, then ROAI = (22,400 – 15,000) / 15,000 × 100% = 49.33%.
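To make the arithmetic behind this example reproducible, here is an added Python example; it is not Brooklyn Partners' model and does not reproduce the weighting of sector incidents described above. It takes the page's figures (5 hacks in a sector of 350 parties, a 20% reduction, a €15,000 program and a €22,400 saving), backs out the expected annual loss those figures imply, computes the ROAI, and adds two checks a practitioner wants before presenting the business case: the break-even risk reduction, and how the ROAI moves when the assumed reduction changes. The `Scenario` type and the €1,000,000 breach cost in the `__main__` block are illustrative assumptions, not values from the page.

```python
"""ROAI worked example (added here; not Brooklyn Partners' own model).

Page figures: 5 hacks/year in a sector of 350 parties, a 20% risk reduction,
a programme costing EUR 15,000 and a saving of EUR 22,400 -> ROAI 49.33%.
The page does not state the average breach cost behind the EUR 22,400, so the
expected annual loss is backed out of the page's own numbers, not assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """Illustrative input record (assumption, not a structure from the page)."""
    hacks_per_year: float      # sector-wide successful hacks per year
    parties: int               # organisations in the sector
    avg_breach_cost: float     # average cost of one successful hack/breach (EUR)


def hit_probability(s: Scenario) -> float:
    """Annual chance that one organisation in the sector is hit (5/350 -> ~1.4%)."""
    if s.parties <= 0:
        raise ValueError("sector must contain at least one party")
    return s.hacks_per_year / s.parties


def expected_annual_loss(s: Scenario) -> float:
    """Probability x impact: the yearly loss to budget for without a programme."""
    return hit_probability(s) * s.avg_breach_cost


def implied_expected_loss(savings: float, risk_reduction: float) -> float:
    """Back out the pre-programme expected loss from a quoted saving and reduction."""
    if not 0 < risk_reduction <= 1:
        raise ValueError("risk reduction must be in (0, 1]")
    return savings / risk_reduction


def roai(expected_loss: float, risk_reduction: float, program_cost: float) -> float:
    """(reduced risk - programme cost) / programme cost, in percent.

    'reduced risk' is in euros: the expected annual loss multiplied by the
    fraction of that risk the programme removes.
    """
    if program_cost <= 0:
        raise ValueError("programme cost must be positive")
    if not 0 <= risk_reduction <= 1:
        raise ValueError("risk reduction must be in [0, 1]")
    savings = expected_loss * risk_reduction
    return (savings - program_cost) / program_cost * 100.0


def break_even_reduction(expected_loss: float, program_cost: float) -> float:
    """Smallest risk reduction at which ROAI is 0%; inf if there is no risk to reduce."""
    if expected_loss <= 0:
        return float("inf")
    return program_cost / expected_loss


def sensitivity(expected_loss: float, program_cost: float,
                reductions=(0.05, 0.10, 0.20, 0.30)) -> dict:
    """ROAI for a range of assumed reductions, since that estimate drives the result."""
    return {r: round(roai(expected_loss, r, program_cost), 2) for r in reductions}


if __name__ == "__main__":
    # Figures taken from the page
    eal = implied_expected_loss(savings=22_400, risk_reduction=0.20)       # 112,000
    print(f"expected annual loss implied by the page: EUR {eal:,.0f}")
    print(f"ROAI at 20% reduction: {roai(eal, 0.20, 15_000):.2f}%")          # 49.33%
    print(f"break-even reduction: {break_even_reduction(eal, 15_000):.1%}")  # 13.4%
    print("sensitivity:", sensitivity(eal, 15_000))
    # Same model with an explicit breach cost (EUR 1,000,000 is an assumed value)
    s = Scenario(hacks_per_year=5, parties=350, avg_breach_cost=1_000_000)
    print(f"hit probability: {hit_probability(s):.1%}; "
          f"expected annual loss: EUR {expected_annual_loss(s):,.0f}")
```

The sensitivity table is the point: with the page's figures the program only pays for itself once the assumed risk reduction exceeds about 13.4%, and a 10% reduction gives a negative ROAI. The structure of the calculation (expected annual loss × mitigation ratio, minus cost, over cost) is the same as the ROSI formula ENISA describes, so the same caveat applies: the result is only as good as the breach-cost and probability estimates that go into it.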
With this formula, CISOs, data protection officers (FGs) and privacy officers (POs) can finally present a clear business case for cybersecurity and privacy awareness, with concrete numbers and a clear rationale. It is also a useful orientation tool for choosing the right awareness program.
Curious about the numbers for your organization and the return an awareness program could deliver? We would be happy to work out a business case for you. Leave a message and we will get back to you as soon as possible.