Platform

Unify HRM Overview

Platform

Capabilities

Identify: HROC Dashboard
Human Risk Quantification (HRI)

Insights

Benchmarking

Protect: Action Plans
Nudges: Communications & Employee Scorecards

Training: Risk Based SAT and Phishing

Orchestration: Policy Playbooks

Report
Report
Measure progress and ROI of action plans

Board and Executive Reporting

Manager Reporting

Bundles

Unify Go
Start your journey to HRM here.

Monitor risk by:

Security Training Compliance

Phishing and Email

Unify Enterprise
Covers risk in Unify Go and adds:

Malware & Ransomware

Data Loss

Account Takeover

Featured Resources

Living Security Blog
What is Attack Surface Management?
link

Living Security Blog
Why Your Team Should Have A Business Continuity Plan
link
Solutions

Solutions Overview

Solutions

By Role

CISO
Provides CISO’s, executives, and boards a complete picture and prioritization of workforce risk by type, department, location, and more.
link

Security Awareness Team
Go beyond training completion and phishing click rates and proactively safeguard your organization from human-induced security incidents.
link

GRC
Identify, resolve and track commonly violated policies with granular accuracy to lower risk and improve workforce compliance.
link

SOC/IR
Unleash the true potential of your human firewall with data-driven insights and action plans that curb threats before they become incidents.
link

By Risk

Training Compliance
Monitor training compliance status for users and segments across the enterprise.
link

Phishing & Email
Identify the users most and least at risk to social engineering attacks and protect them.
link

Malware & Ransomware
Proactively protect users from malware including viruses, worms, Trojan viruses, spyware, adware, and ransomware.
link

Data Loss
Pinpoint when data is at risk of leaving your controlled environment through unauthorized access or malicious intent.
link

Identity Threats
Get visibility into the most susceptible users for account compromise and mitigate their risk.
link
Products

Products

Products Overview
Transform how your organization approaches Security Awareness and Training by shifting to a proactive HRM approach that creates a strong culture of security.

Living Security Blog
What is Attack Surface Management?
link

Unify Human Risk Management
Establish a proactive security loop.
Security Awareness Training
Interactive compliance training for modern threats.
CyberEscape Rooms
Put your team in the center of security scenarios
Cybersecurity Awareness Month
Create a cyber vigilant workforce in October
Cybersecurity Engagement Training Go beyond compliance training Phishing
Stop social engineering attacks in their tracks with realistic simulations and training
across phishing, vishing, smishing, and more.
HRM

HRM

Human Risk Management: Proactive Security
Human Risk Management (HRM) is the process of identifying, assessing, and mitigating risks associated with human behavior in relation to an employee's use of technology.
HRM Maturity Model
How far is your company along the path to true proactive security?

Living Security Blog
What is Attack Surface Management?
link
Resources

Resources

Resources
Level up on Human Risk Management with a comprehensive collection of webcasts, whitepapers, ebooks, and more.
Blog
Access hundreds of informative blogs with deep dives and best practices relating to the full array of cybersecurity risks we face.
Webinars
Watch dozens of webinars tackling some of cybersecurity’s biggest challenges featuring thought leaders from leading organizations.
Case Studies
See how a variety of organizations utilize Living Security’s HRM Platform, Training, and Phishing to reduce risk with proactive defense.

Partners
Human Risk Management Powered by Partners.
Technology Alliance Program
Extend the value of your offering with HRM.
Partner Support
Unlock your potential with our partner hub.

Living Security Community Share HRM best practices Newsroom Read the latest news on Living Security. Support
The more you know, the more you grow.
Why Living Security
Establish a proactive security loop.
Start Now

May 26, 2021

5 Tips for Proving the ROI of Your Security Awareness Training

“What’s the ROI?” they demand, every time you ask for more support for your cybersecurity awareness training program.

Let’s be honest… that’s frustrating. Constantly pleading for the help and funding you need is enough to irritate any Security Awareness Program Owner.

The top execs and your CISO want to see what they’ll get for throwing more funds into security education— but proving return on investment in cybersecurity training is no simple feat, as you’re all-too-aware of.

Here are five tips for showing the ROI of your security awareness training initiative:

1. Consider the cost of NOT requiring training.

Take a step back and consider what could happen if you didn’t have the support you needed… Let’s say your budget proposal totally flops and you only get a fraction of what you asked for. Where are the gaps? What are the risks?

Consider the cost of being taken to court for a breach. Assign a number to your data and private information and what a leak might cost you in terms of reputational and financial loss.

But before you take big, scary statistics to your CISO and the C-suite, remember that creating fear within your organization around security is often NOT the best approach for long-term perception change around cybersecurity. By leaning too heavily into scare tactics, you’re creating a negative mindset around security. In reality, showing all the ways your campaign could create a positive impact is the smarter strategy for shifting the culture around security.

Do this by pushing the real return of long-term behavioral change and how slow nurturing today can lead to incredible organizational unity around security in your company’s future. Learn more about this modern approach to security awareness training here.

Let’s be clear: we’re not saying to blindly ignore the negative impact of poor security education. Instead, we’re suggesting you root your pitch in the positive by focusing on forecasted growth vs. loss.

2. Clearly define your metrics for success/KPIs.

It’s not that you’re not making an impact. You know you are! But the big dogs want numbers. They want projections. They want tangible proof you’re moving the needle.

It’s time to give them more than just the standard phishing campaign click-through rate.

Before you can prove the broader ROI, it’s crucial you and the execs are on the same page about both what success looks like and what you’re responsible for tracking.

In our blog, 6 Metrics To Track In Your Cybersecurity Awareness Training Campaign, we outline a few core metrics, including:

Security Training Module Completion
Awareness Training Quiz/Test Results
The Performance Of High-Risk Individuals
Engagement Activities Outside Of Training
Phishing Campaign/Clicks
Overall Security Score or Risk Rating

3. Align your OKRs with the security team at large.

While it’s great to come to the table with your own plan, you have to remember that you’re not in this alone. IT has its hands in your security too, they should be working in cooperation with your awareness-focused team.

At the end of the year, set up a meeting with IT to chat about your individual OKRs. How can you align your goals with theirs and vice versa? The more overlap and teamwork, the less begging and borrowing you’ll need for your awareness training budget.

Below are a few core security concerns both teams should care about. How can you each support each other to improve your overall security posture? Schedule monthly meetings to stay on the same page all year long and build a case for next year’s budget:
phishing

4. Don’t underestimate improvements in perceived safety.

Be careful not to get so caught up in proving your awareness program’s ROI with measurable metrics that you forget to step back and look at the big picture. Sure, employees may be completing the training modules and attending lunch and learns, but how do they really feel about your company’s security?

Perception is everything— and if employees are just going through the motions of watching training videos, without seeing the true value, they won’t carry what they’ve learned into the workplace.

Get a pulse on how your teams are receiving your training by sending out anonymous surveys or polls before and after every monthly campaign. Maybe certain subjects like privacy appeal to employees more than others. Find out why. Perhaps privacy hits home and employees like applying what they learned to their personal lives, increasing the digital privacy of their children’s social media accounts. Discovering this motivation is huge; it gives you the insight you need to mold campaigns around their personal interests so that on-the-job security training becomes valuable on and off the clock.

In your polls after training, ask them if they feel better prepared to recognize the threats they just learned about. Also, ask about areas where they think they need more support.

Consider adding questions about how likely they are to report a suspicious email on a scale of 1-5, or an open-ended inquiry about how they feel about this month’s training, overall. The feedback you receive may surprise you and give you an incredible direction for improving your approach moving forward.

5. Develop your own internal “Overall Security Score.”

Lastly: the solution you’ve been waiting for. Someone’s finally developed software for calculating your ROI for you— almost like a credit score for cybersecurity awareness.

Here at Living Security, we call it a “Risk Rating,” and in our blog, 6 Metrics To Track In Your Cybersecurity Awareness Training Campaign, we drill into what it means. Give it a read and discover the power of categorizing departments/individuals with High, Medium or Low risk scores— siloed down by their understanding of various cybersecurity topics.

Now that’s the way you speak the C-suites’ language.

security score

Don’t Shoulder it Alone

With the right tools to calculate your impact and proper support, you can rest easy knowing you’re leaving an impression on your company’s culture around cybersecurity.

Here at Living Security, we’re the whole package. We have modern Netflix-style security training videos to keep your team engaged, the software that automatically generates reports for proving the ROI and resources specially written for Security Awareness Program Owners like you.

With our Campaign in a Box package, you’ll receive a bundle of instant messages, emails, and other pieces of content to get your team excited about your upcoming training— so you can stop stressing about writing and focus your energy on other critical parts of your campaign.

Request our security initiative resources today.