Tags: ROI, cybersecurity, budget, management

Cybersecurity Awareness ROI: How to Convince Your Management

Cybersecurity ROI calculation framework. Average incident cost, calculation formula, detailed examples by SMB size, and a ready-to-use business case template.

Thomas Ferreira, 20 min read

The average cost of a data breach reached $4.88 million in 2025 (IBM Cost of a Data Breach). The cost of a phishing awareness platform: between 2 and 5 euros per employee per month. The math should be simple. Yet in most French SMBs, the cybersecurity budget remains one of the hardest line items to get approved.

The problem is not technical -- it is a communication problem. Your CISO knows awareness training is necessary. But the CFO sees a cost center. The CEO wants numbers. The executive committee demands ROI. And without a clear calculation framework, cybersecurity falls behind the CRM, behind marketing, behind the new equipment purchase.

This guide gives you the tools to flip that dynamic: sourced data on the real cost of incidents, an ROI calculation formula tailored to your company size, three detailed worked examples, the five arguments that work on a CFO, and a business case template ready to present to your board.

The True Cost of a Phishing Attack for an SMB

Before talking about ROI, you need to establish the real cost of what you are protecting against. The global figures are striking, but what matters to convince your management is data scaled to your company size.

The Reference Numbers

According to the IBM Cost of a Data Breach 2025 report, the average global cost of a data breach stands at $4.88 million. But this average pools companies of all sizes, including large multinationals. For a French SMB, the amounts are different, but still significant.

The Hiscox Cyber Readiness Report 2025 provides data closer to SMB reality:

| Company size | Median incident cost | Maximum observed cost |
|---|---|---|
| 10-49 employees | 15,000 - 50,000 euros | 200,000 euros |
| 50-249 employees | 50,000 - 250,000 euros | 800,000 euros |
| 250-500 employees | 150,000 - 500,000 euros | 2,000,000 euros |

These figures are backed up by data from CESIN (French cybersecurity executives association): 60% of SMBs hit by a major cyberattack go out of business within 6 months (CESIN). For a detailed cost breakdown by category: How much does a cyberattack cost an SMB with 50 employees.

Breaking Down Incident Costs

According to IBM, data breach costs fall into four categories:

  • Detection and escalation (30%): Identifying the incident, forensic investigation, auditing, crisis management. For an SMB without an in-house SOC, this typically means calling in an external provider on an emergency basis -- at emergency rates.
  • Containment and remediation (25%): Isolating compromised systems, eradicating the threat, restoring data, patching the exploited vulnerabilities.
  • Notification (15%): Informing affected individuals (GDPR obligation), notifying CNIL (France's data protection authority), crisis communications, legal counsel. With NIS2, add notification to ANSSI (France's national cybersecurity agency) within 24 hours.
  • Lost business (30%): Business interruption, lost customers, reputational damage, contractual penalties. This is often the most underestimated category.

Hidden Costs Nobody Quantifies

Beyond direct costs, a phishing incident triggers financial consequences that extend well past technical remediation:

  • Cyber insurance premium increases: Insurers systematically reassess risk after a claim. Expect a 30 to 80% increase depending on severity, or even a refusal to renew coverage.
  • Lost contracts: A growing number of enterprise buyers require cybersecurity guarantees in their procurement processes. A documented incident disqualifies you.
  • Human cost: Stress, overtime, turnover within the IT team. The Ponemon Institute estimates that 25% of the total cost of an incident is tied to lost productivity.
  • Regulatory fines: GDPR (up to 4% of annual revenue) and now NIS2 (up to 10 million euros). These fines stack on top of remediation costs.

Real-World Examples

Manufacturing SMB, 200 employees: BEC (Business Email Compromise): An accountant receives an email impersonating the CEO, requesting an urgent wire transfer of 320,000 euros to a foreign supplier. The transfer is executed. The fraud is discovered 48 hours later. The bank cannot reverse the transfer. Net loss: 320,000 euros + 45,000 euros in legal and investigation fees. This is exactly the type of attack a phishing simulation program would have prevented.

Accounting firm, 80 employees: Ransomware via phishing: A staff member opens a malicious attachment. The ransomware spreads across the entire network within 4 hours. Ransom demanded: 150,000 euros. The firm refuses to pay. Result: 3 weeks of near-total shutdown, partial data restoration from incomplete backups, permanent loss of some client files. Total estimated cost: 280,000 euros (IT restoration + lost revenue + client compensation).

The ROI Calculation Framework

The ROI of cybersecurity awareness is calculated like any ROI: by comparing the benefit gained (risk avoided) to the cost of the investment.

The Formula

ROI = (Risk Avoided - Solution Cost) / Solution Cost x 100

Where risk avoided is calculated as:

Risk Avoided = Incident Probability x Average Cost x Risk Reduction

The variables:

  • Annual probability of a phishing incident: According to the Hiscox Cyber Readiness Report 2025, approximately 30% of SMBs experience at least one cyber incident per year. For SMBs without an awareness program, this rate climbs to 40-45% depending on size and sector.
  • Average incident cost: Adapted to your company size (see the table above). Use the midpoint of the range for a conservative calculation.
  • Risk reduction from awareness training: According to the Proofpoint State of the Phish 2025 report, companies that implement regular phishing simulations and continuous training reduce their click rate by 75% on average over 12 months. This click rate reduction translates directly into reduced incident risk.

Why These Numbers Are Conservative

The calculation above accounts for only one type of benefit: reduced incident risk. In practice, awareness training generates additional returns:

  • NIS2 compliance: Training and simulations directly address the requirements of articles 21.2.f and 21.2.g. Without them, you face fines of up to 10 million euros.
  • Insurance premium reduction: Several insurers offer 10 to 25% discounts to companies that demonstrate an active awareness program.
  • Commercial advantage: Documenting your awareness program strengthens your position during client audits and certifications (SOC2, ISO 27001).

Worked Examples by Company Size

Let's apply the formula to three real company profiles, using market-rate pricing for a simulation and training platform.

SMB with 50 Employees

| Variable | Value | Source |
|---|---|---|
| Annual incident probability | 25% | Hiscox 2025 (SMB < 100) |
| Average incident cost | 80,000 euros | Hiscox 2025 median |
| Untreated annual risk | 20,000 euros | 25% x 80,000 euros |
| Platform cost | 1,188 euros/year | 99 euros/month (Starter plan) |
| Risk reduction | 75% | Proofpoint 2025 |
| Residual risk | 5,000 euros | 20,000 euros x 25% |
| Risk avoided | 15,000 euros | 20,000 euros - 5,000 euros |
| ROI | 1,163% | (15,000 - 1,188) / 1,188 x 100 |

In plain terms: For 99 euros per month, you reduce an annual risk of 20,000 euros down to 5,000 euros. Every euro invested returns 11.6 euros in risk avoided. And this calculation does not factor in potential NIS2 fines.

SMB with 200 Employees

| Variable | Value | Source |
|---|---|---|
| Annual incident probability | 35% | Hiscox 2025 (SMB 100-250) |
| Average incident cost | 250,000 euros | Hiscox 2025 median |
| Untreated annual risk | 87,500 euros | 35% x 250,000 euros |
| Platform cost | 2,988 euros/year | 249 euros/month (Pro plan) |
| Risk reduction | 75% | Proofpoint 2025 |
| Residual risk | 21,875 euros | 87,500 euros x 25% |
| Risk avoided | 65,625 euros | 87,500 euros - 21,875 euros |
| ROI | 2,096% | (65,625 - 2,988) / 2,988 x 100 |

In plain terms: For 249 euros per month, you reduce an annual risk of 87,500 euros to under 22,000 euros. The cost-to-benefit ratio exceeds 1:20. This is one of the best ROI figures you can find in IT security investment.

Mid-Market Company with 500 Employees

| Variable | Value | Source |
|---|---|---|
| Annual incident probability | 45% | Hiscox 2025 (mid-market 250-500) |
| Average incident cost | 500,000 euros | Hiscox 2025 median |
| Untreated annual risk | 225,000 euros | 45% x 500,000 euros |
| Platform cost | 6,000 euros/year | ~500 euros/month (Enterprise plan) |
| Risk reduction | 75% | Proofpoint 2025 |
| Residual risk | 56,250 euros | 225,000 euros x 25% |
| Risk avoided | 168,750 euros | 225,000 euros - 56,250 euros |
| ROI | 2,712% | (168,750 - 6,000) / 6,000 x 100 |

In plain terms: For 500 euros per month, you reduce an annual risk of 225,000 euros to 56,000 euros. The ROI exceeds 2,700%. And at this size, the likelihood of being audited by ANSSI (France's national cybersecurity agency) under NIS2 is high -- the compliance benefit adds to the investment return.
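The calculation framework above, as an added Python calculator (not code from the original article or from nophi.sh): it implements the two formulas, reproduces the three worked profiles, and goes one step further than the article by computing the break-even incident probability, the lowest annual probability at which the program still pays for itself. The profile names and the `Profile` structure are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """One company profile, with the variables of the article's ROI formula."""
    name: str
    incident_probability: float   # annual probability of a phishing incident
    incident_cost: float          # average incident cost in euros (Hiscox median)
    annual_platform_cost: float   # solution cost in euros per year
    risk_reduction: float = 0.75  # click-rate reduction from regular simulations


def untreated_risk(p: Profile) -> float:
    """Annual loss expectancy with no awareness program: probability x cost."""
    return p.incident_probability * p.incident_cost


def risk_avoided(p: Profile) -> float:
    """Risk Avoided = Incident Probability x Average Cost x Risk Reduction."""
    return untreated_risk(p) * p.risk_reduction


def roi_percent(p: Profile) -> float:
    """ROI = (Risk Avoided - Solution Cost) / Solution Cost x 100."""
    return (risk_avoided(p) - p.annual_platform_cost) / p.annual_platform_cost * 100


def break_even_probability(p: Profile) -> float:
    """Annual incident probability at which ROI is exactly 0 (added here, not in
    the article): solves platform_cost = probability x cost x risk_reduction."""
    return p.annual_platform_cost / (p.incident_cost * p.risk_reduction)


def summary(p: Profile) -> dict:
    """All the rows of the article's worked-example tables, plus the break-even."""
    return {
        "untreated_risk": untreated_risk(p),
        "residual_risk": untreated_risk(p) - risk_avoided(p),
        "risk_avoided": risk_avoided(p),
        "roi_percent": roi_percent(p),
        "break_even_probability": break_even_probability(p),
    }


# The three profiles from the article's tables (values taken from the article).
PROFILES = [
    Profile("SMB, 50 employees", 0.25, 80_000, 1_188),
    Profile("SMB, 200 employees", 0.35, 250_000, 2_988),
    Profile("Mid-market, 500 employees", 0.45, 500_000, 6_000),
]

if __name__ == "__main__":
    for p in PROFILES:
        s = summary(p)
        print(f"{p.name}: risk avoided {s['risk_avoided']:,.0f} EUR, "
              f"ROI {s['roi_percent']:,.0f}%, break-even at "
              f"{s['break_even_probability']:.1%} annual incident probability")
```

The break-even figures (about 2% annual incident probability for all three profiles) show why the article can call its assumptions conservative: the program only stops paying for itself if incidents are more than ten times rarer than the Hiscox rates it uses.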

Calculate your actual ROI -- run a simulation and measure your team's click rate.

The 5 Arguments That Convince a CFO

Numbers are necessary but not enough. A CFO thinks in terms of risk, compliance, and competitive advantage. Here are the five arguments that tip the decision.

1. The Regulatory Argument

"The NIS2 directive requires us to train our employees and regularly test the effectiveness of our cybersecurity measures. This is not optional. The cost of non-compliance can reach 10 million euros or 2% of our global revenue. And executives are personally liable."

This is often the most effective argument with a CFO: NIS2 makes awareness training a legal obligation, not a discretionary budget item. See our full NIS2 guide for SMBs for details on the requirements.

2. The Insurance Argument

"Our cyber insurer now requires proof of awareness training to maintain our coverage. Without a documented program, our premium increases by 30 to 50%. Some insurers even refuse to cover companies that do not run regular phishing simulations."

According to AMRAE (French risk and insurance management association), cyber insurance underwriting criteria have tightened significantly since 2023. Training and simulation are now prerequisites for most policies. For more on this topic: Cyber insurance: training proof as a coverage enabler.

3. The Commercial Argument

"Our clients are asking for cybersecurity guarantees. Vendor security questionnaires systematically include questions about employee awareness. Without a documented program, we lose contracts -- or we don't even make it past the shortlist."

This argument is particularly powerful in B2B sectors where enterprise buyers include cybersecurity in their purchasing criteria. SOC2 and ISO 27001 compliance explicitly require an ongoing training program.

4. The Benchmark Argument

"The average phishing click rate in our industry is 18%. We have never measured ours. That means we don't know whether 1 in 5 employees would click on a malicious email -- or 1 in 3. The risk is unmeasured, and therefore unmanaged."

A CFO hates unquantified risk. The absence of measurement is itself an argument to run at least an initial simulation campaign -- if only to establish a baseline. For detailed industry data, see our article on phishing click rate benchmarks by industry.

5. The Opportunity Cost Argument

"An awareness platform costs 99 euros per month for 50 employees. That is 1.98 euros per employee per month -- less than a cup of coffee per person. The average cost of a single phishing incident for a company our size is 80,000 euros. The platform represents 0.1% of the cost of one incident."

Framing the cost as a trivial per-employee monthly amount and comparing it to the enormous cost of a single incident is one of the most effective angles in budget negotiations.

Business Case Template for Your Board

Here is the structure for a 6-slide presentation, ready to adapt to your context. Each slide is summarized with the key points to include.

Slides 1-2: Context and Threats

  • 91% of cyberattacks begin with a phishing email (Verizon DBIR 2025)
  • [X] incidents reported in our sector in 2025 (source: ANSSI)
  • The NIS2 directive mandates training and testing -- we fall within scope
  • Average incident cost for our size: [X] euros (source: Hiscox)

Slide 3: Current Situation

  • No phishing simulation in place
  • Annual training limited to a PowerPoint presentation
  • Unknown click rate = unmeasured risk
  • No awareness documentation that would hold up in a NIS2 audit

Slide 4: Solution and ROI

  • Simulation platform + training + AI detection
  • 1-hour deployment, first results within 1 month
  • Annual cost: [X] euros (based on the plan suited to your size)
  • Annual risk avoided: [X] euros (detailed formula)
  • ROI: [X]% over 12 months
  • Bonus: NIS2 compliance + insurance + commercial benefits

Slide 5: Deployment Timeline

  • Month 1: Platform deployment + baseline campaign (measure initial click rate)
  • Months 2-3: First simulation campaigns + automated post-failure training
  • Months 4-6: Regular program with quarterly reporting
  • Month 6: First board report with trends and measured ROI

Slide 6: Recommendation

"We recommend starting a free 14-day trial to measure our real click rate -- our baseline. This test costs nothing and will give us the data we need to make an informed decision."

This recommendation is strategic: it does not ask for an immediate budget commitment, just a test. That is much easier to approve at the board level. And once management sees the actual click rate of their teams, the decision to invest makes itself.


Metrics to Present to the Board Quarterly

Once the program is running, you need to demonstrate its value at every board meeting. Here are the key metrics to include in your quarterly report:

  • Click rate: The percentage of employees who click on a simulated phishing link. This is your primary indicator. Expected trend: from 15-25% (baseline) down to under 5% within 6 months.
  • Reporting rate: The percentage of employees who report the suspicious email instead of clicking. This is your maturity indicator. A reporting rate above 60% signals that a security-aware culture is in place.
  • Risk score by department: Identify the most vulnerable departments (often: accounting, HR, senior management). This lets you target training where it is most needed.
  • Training completion: Number of micro-learning modules completed, completion rate, average score. Documented proof for NIS2 article 21.2.g compliance.
  • Industry benchmark: Compare your results against your sector average. "We went from a 22% to a 4% click rate, while the industry average sits at 15%" is a powerful message.
  • Cumulative ROI: Cumulative risk avoided vs. cumulative platform cost. This number only improves over time.

For a complete, automated dashboard of these metrics, see the nophi.sh analytics features.

Frequently Asked Questions

How do I calculate the cost of a phishing incident for my SMB?

Use the following formula as a starting point: take your number of employees, multiply by 1,000 euros (the low-end estimate of cost per impacted employee according to the Ponemon Institute), and add fixed remediation costs (15,000 to 50,000 euros for forensic investigation and restoration). For an SMB with 100 employees, this gives an estimate of 115,000 to 150,000 euros. Compare this with Hiscox data for your size bracket and use whichever figure best fits your sector.

Do cyber insurers offer discounts for phishing simulation programs?

Yes, and increasingly so. According to AMRAE (French risk and insurance management association), most French cyber insurers now factor employee awareness into their pricing criteria. Some offer explicit premium reductions of 10 to 25% for companies that demonstrate an active simulation and training program. Others make it a subscription prerequisite: without a documented program, no coverage -- or coverage with significant exclusions on phishing-related incidents.

What is the minimum budget for an effective awareness program?

For an SMB with 50 employees, a budget of 1,200 to 3,000 euros per year covers a full program including monthly phishing simulations and automated training. That works out to 2 to 5 euros per employee per month. Below this threshold, you can run one-off simulations, but not a continuous program with measurable impact. The ideal SMB cybersecurity budget allocates roughly 5 to 10% of the total IT budget to awareness training -- this is ENISA's recommendation.

How long before you see a positive ROI?

The ROI is technically positive from month one, since the monthly platform cost is negligible compared to the risk avoided. But in terms of measurable results: you will have your baseline (initial click rate) from the first simulation campaign (week 1-2). The first improvements become visible by the second month. A 50% reduction in click rate is typically achieved within 3 to 4 months. The 75% reduction cited by Proofpoint corresponds to a 12-month program.

How do you measure effectiveness without a real incident to compare against?

That is precisely the advantage of phishing simulation: it gives you proxy metrics that correlate directly with real risk, without needing to wait for an actual incident. The click rate on simulations is the best predictor of the click rate on real phishing emails. By measuring its reduction over time, you are directly measuring the reduction in your risk. It follows the same logic as a fire evacuation drill: you don't measure ROI by counting the fires that were avoided, but by measuring evacuation time and its improvement.

Conclusion

The ROI of cybersecurity awareness is among the highest of any IT security investment: depending on company size, the documented cost-to-benefit ratio ranges from 1:10 to 1:27.

But beyond the numbers, the stakes are existential. According to the Hiscox Cyber Readiness Report 2025, 60% of SMBs hit by a major cyberattack go out of business within 6 months. Awareness training is a life insurance policy for your company.

The elements are all in place to convince your management. The ROI exceeds 1,000% even in the most conservative scenario, NIS2 makes training mandatory with personal penalties for executives, and both insurers and clients demand proof of awareness programs. A free 14-day trial is all it takes to measure your baseline and demonstrate the need. To help you pick the right platform, see our guide to choosing a phishing awareness solution. Every month without a simulation program is a month where your risk is neither measured nor managed.

Measure your real click rate -- first campaign in 15 minutes, results immediately usable for your business case.
