
No encrypted systems. No compromised accounts. No transfers to incorrect bank details. No days-long outage because a single click on a convincingly designed link triggered a chain of problems.
That is exactly why security awareness is still primarily viewed as an expense in many companies: training takes time, campaigns require a budget, and employees have to deal with topics that aren’t always at the top of their priority list amid the hustle and bustle of their daily work.
The more important question is not: What does security awareness cost?
But rather: What does it cost us if we lack it?
Technical safeguards such as firewalls, endpoint protection, backups, or email filters are indispensable. But even the best technology cannot fully protect against every situation.
That is because many attacks don’t start with a highly complex technical vulnerability, but with a person.
For example, an employee receives an email that appears to be from Microsoft. It claims that their password is about to expire and must be confirmed immediately. The page looks professional, the sender seems credible at first glance, and the message creates a sense of urgency.
Or a supplier supposedly provides new bank details. The email is written in a friendly tone, includes the correct logo, and refers to an invoice that could actually exist.
In both cases, technology alone does not determine the outcome. What is also crucial is whether the person pauses to question the situation and knows how to respond correctly.
This is exactly where security awareness comes in: Employees should recognize risks, take the right action, and report suspicious incidents early on.
ROI stands for “Return on Investment”—that is, the financial benefit an investment yields relative to its costs.
In the case of security awareness, this is not about generating additional revenue. The benefit comes primarily from avoided costs.
The simplified formula is:
ROI = (costs avoided – investment) / investment × 100
A positive result means that the expected or actual damages avoided are greater than the investment in security awareness.
This is not to claim that training prevents every cyber attack. That would be unrealistic. The goal is to reduce the likelihood of successful attacks and to limit the impact if something does happen.
Let’s imagine a medium-sized company with 250 employees.
An employee clicks on a phishing link and enters his login credentials. The account is compromised. The IT department must respond by locking accounts, checking systems, and resetting passwords. For security reasons, certain systems are unavailable for several hours.
During this time, 40 employees can only work to a limited extent. At an internal hourly rate of 70 Swiss francs and four hours of reduced productivity, this already results in costs of around 11,200 Swiss francs.
Added to this are, for example:
A single compromised account can quickly turn into an incident costing tens of thousands of Swiss francs—even if no data is leaked and no major damage becomes visible to the public.
Security awareness is designed to intercept precisely such situations early on.
For example, an employee might notice that the login page does not belong to the genuine Microsoft domain. He reports the email through the designated channel. The IT team can investigate the attack, warn other recipients, and, in the best-case scenario, prevent an account from being compromised in the first place.
The direct costs of a security incident can often still be calculated. These include IT expenses, external service providers, downtime, and recovery measures.
However, there are also costs that are much more difficult to quantify:
This effect is often underestimated, especially among small and medium-sized businesses. A security incident doesn’t necessarily have to make the news to have tangible consequences.
If an important customer is dissatisfied due to a delay or a project comes to a standstill for several days, this results in financial repercussions that are often not fully reflected in a standard IT cost analysis.
TreeSolution’s ROI calculator makes this economic perspective more tangible.
Instead of simply stating that security awareness is “important,” companies can base their calculations on their own assumptions: How many employees are affected?What are the internal hourly rates? What would be a realistic loss of productivity in the event of an incident? What costs arise from IT efforts, downtime, or external support?
This results in a customized calculation that better reflects the reality of the specific company than general average figures.
A company with 80 employees faces different risks, processes, and cost structures than an international company with 2,000 employees. Therefore, the economic assessment of security awareness should not follow a rigid template.
Let’s assume a company estimates that a significant security incident could occur, on average, every two years. The expected total cost of such an incident is approximately 120,000 Swiss francs.
Calculated on an annual basis, this corresponds to an expected risk of approximately 60,000 Swiss francs.
The company invests 18,000 Swiss francs annually in a structured security awarenes sprogram—for example, through targeted training, phishing simulations, regular communication, and measures for roles at particularly high risk.
If this reduces the probability or the impact of a successful attack by 60 percent, the expected annual risk drops from 60,000 to 24,000 Swiss francs.
The avoided costs thus amount to 36,000 Swiss francs.
After deducting the investment of 18,000 Swiss francs, the economic benefit is 18,000 Swiss francs. In this example, the ROI is 100 percent.
This is neither a guarantee nor a universally applicable figure. However, it demonstrates how security awareness can be evaluated economically: not based on gut feeling, but on verifiable assumptions.
A good ROI calculation does not have to be spectacular. It has to be credible.
That is why it is advisable to work with multiple scenarios:
Conservative: What impact is realistic even if only a small portion of the risks is reduced?
Realistic: What improvement can be expected from regular, targeted awareness measures?
Ambitious: What impact can be achieved if security awareness is integrated into processes, leadership, and corporate culture over the long term?
This approach also helps in internal discussions. Instead of just talking about the costs of a platform or training program, it highlights the costs that a security incident can cause—and the potential benefits of better prevention.
Security awareness is no guarantee against cyber attacks. But it can play a crucial role in ensuring that a suspicious email does not turn into a security incident and that a mistake does not lead to a company-wide crisis.
The economic benefits come from fewer successful attacks, faster reporting, reduced downtime, and better-prepared employees.
Those who view security awareness solely as a training expense are only seeing part of the picture. Those who also factor in the costs that could be avoided recognize its true value.
With TreeSolution’s ROI calculator, companies can apply this perspective specifically to their own organization and make more informed decisions about how much prevention makes economic sense.