HumanRisk SEAT
Home / Free Tools / ROI Calculator
Free Tool · No account needed

Security awareness ROI, with the math shown

Most ROI calculators hide their assumptions so the number looks good. This one shows every input and the formula behind it, so the result is something you can defend to a CFO. Enter your own numbers. Proof, not promise.

Your numbers

Defaults are illustrative placeholders. Replace them with your own incident history and finance estimates.

The model

Avoided loss = incidents × cost × reduction. ROI = (avoided loss − program cost) / program cost.

Expected annual loss today
Avoided loss from maturity gain
Net benefit (avoided loss − cost)
Estimated ROI

Adjust the inputs to see the model respond. This is an illustrative estimate, not a guarantee, and it is only as good as the numbers you put in.

12%
of practitioners can actually demonstrate ROI on their program (SANS, 2,700+ respondents)
88%
cannot prove ROI, usually because they measure activity instead of outcomes
84%
of organizations still measure effectiveness by training completion, a vendor metric

Why proving ROI is hard, and how to do it honestly

The reason most security awareness teams cannot prove ROI is not that the value is not there. It is that they measure the wrong thing. Training completion and click rates are activity metrics. They tell you something happened, not whether risk went down. SANS research across more than 2,700 practitioners found only about 12 percent can demonstrate ROI. The other 88 percent are doing real work with no defensible number to show for it.

The model behind this calculator

Honest ROI starts from expected loss: how many human-driven incidents you see in a year, multiplied by what each one actually costs you. A more mature program reduces the likelihood of those incidents. The avoided loss is that expected annual loss multiplied by the reduction you can credibly attribute to the program. Subtract program cost, divide by program cost, and you have an ROI figure that survives scrutiny because every assumption is visible.

Be conservative on purpose

The fastest way to lose a CFO is an inflated reduction percentage. Use a number you can defend, ideally tied to your own incident trend before and after program changes. A defensible 20 to 30 percent beats an unprovable 70 percent every time. The point of showing the math is that the conversation moves from "trust me" to "here are the inputs, challenge any of them."

From a number to evidence

A calculator gives you a business case. Defending it over time requires showing the program is genuinely maturing, not just busier. That is what a SEAT maturity assessment provides: a structured, dated baseline across Strategy, Engage, Assess, and Train that ties spending to measurable improvement, so next year's ROI claim rests on evidence rather than a spreadsheet.

Frequently asked questions

How do you calculate ROI on security awareness training?

Multiply the expected annual cost of human-driven incidents by the reduction a more mature program produces, then compare that avoided loss to total program cost. Expected loss equals incident likelihood times average incident cost. This tool exposes every assumption so the result is defensible.

Why can't most teams prove security awareness ROI?

Most programs measure activity (completion rates, click rates) rather than outcomes. SANS found only about 12 percent of practitioners can demonstrate ROI. Completion is not effectiveness.

What numbers should I use for incident cost and likelihood?

Your own. The defaults are editable placeholders. Drop in your actual incident history, your finance team's loss estimates, and your real spend. The output is only as credible as the inputs.

Is a free tool enough to prove ROI to my board?

It gives you a directional business case. To defend it you need evidence the program is actually maturing, which is what a SEAT maturity assessment provides.

More free tools

All Free Tools
The full set of HumanRisk practitioner tools.
Staffing Calculator
How many FTEs a mature program actually needs.
Compliance Requirements
Awareness obligations across 22 frameworks.
Free SEAT Assessment
Measure your program's maturity baseline.

Turn the estimate into evidence

The free SEAT assessment gives you a defensible maturity baseline, so next year's ROI claim rests on measured improvement, not a spreadsheet. No account needed, 10-15 minutes.

Take the free SEAT assessment