Technology upgrades alone can’t stop cyber threats. Discover why targeting human risk—through training and behaviour change—yields a stronger ROI and better protection.
In today’s digital age, organizations are constantly faced with the challenge of protecting their assets, reputation and services from cyber threats. While technology upgrades, such as firewall refreshes, are commonly seen as a go-to solution for managing risk, there is a growing body of evidence suggesting that investing in human risk management – through awareness, behaviour, and culture change – can provide a significantly higher return on investment (ROI) in terms of cybersecurity risk.
Quantifying the ROI for security investments has always been a complex endeavour as the standard model doesn’t truly survive contact with the cyber security domain .
ROI = (Total Benefits – Total Costs) / Total Costs * 100
The primary difficulty lies in measuring the benefits of security measures in preventing incidents that, by their nature, are designed to be unpredictable. For instance, how do you measure the value of a cyberattack that didn’t happen because of improved security? Would it not have happened anyway? And how do you quantify intangibles such as damaged reputation?
This uncertainty means that ROI remains undefined which often leads organizations to default to the drumbeat of regular technology upgrades, which provide a tangible, albeit limited, feeling of ever-increasing security, justifying the continual expenditure.
Technology upgrades, such as refreshing firewalls, or increasing the capacity of the SIEM tooling, certainly play a role in a comprehensive cybersecurity strategy. However, the incremental risk reduction they provide can be minimal compared to the cost. New data gateways, for example, may increase throughput and stability, but rarely add any notable controls over the previous generation. Similarly, increasing system capacity may aid analysis, but adds limited detective capability, or swapping out your EDR may improve your exploit prevention rate by a % or two, but can be a complex and long running programme of work.
These technology improvements are important, but they tend to offer only small increments in security posture.
Focusing on human risk management, however, can yield substantial risk improvements at a fraction of the cost. According to a report by Forrester Research[1], human error will be a major contributing factor in 90% of cybersecurity breaches in 2024. By investing in awareness programs, behaviour modification, and fostering a security-centric culture, organizations can address the root cause of many cyber incidents, preventing disruption and cost.

1. Significant Risk Reduction: Changing human behaviour and fostering a security-aware culture can lead to dramatic decreases in the number of security incidents. For instance, a study by Aberdeen Group concluded that security awareness training reduced susceptibility to phishing and social media attacks by up to 70%, and one healthcare organisation reported a 50% reduction in malware infections within six months after implementing a security awareness training.
2. Cost-Effective: Human risk management initiatives often require significantly less investment compared to technology upgrades. Training programs, regular communication, attack rehearsals and awareness campaigns are relatively inexpensive when compared to technology upgrades yet can have a profound impact on reducing risk. The equation makes even more sense when the costs of training are compared to the costs of single cyber incident which, according to IBM, can easily rate into the millions[2].
3. Comprehensive Coverage: While technology can address specific vulnerabilities, human risk management tackles the broader issue of user knowledge and behaviour, which can lead to numerous types of breaches. A well-informed and vigilant workforce can act as a flexible layer of defence that technology alone cannot provide.
4. Sustainable Security Posture: Investing in the human aspect of cybersecurity fosters a culture of continuous vigilance and improvement. Effectively you are creating a human sensor network – watching out for risks, errors or attacks. This sustainable approach reduces the need for your security team to be plugged in to every project, initiative and meeting, while also bringing long-term security benefits as employees become proactive in recognizing and addressing potential threats.
Calculating the benefits for security is a challenge many CISOs have wrestled with. Fortunately, there are examples of models that can help. Michael Coden, Head of the Cybersecurity Practice at BCG Platinion, a company of Boston Consulting Group, for example, has created a model using research from the Massachusetts Institute of Technology (MIT).
Using this framework[3], Coden has developed an equation for the ROI of cybersecurity projects (such as security awareness training campaigns) that defines:

Where:

As our own people play such a significant part in any successful attack path, reducing this likelihood makes immediate inroads into overall risk. Investing say €30k into education to reduce your phishing susceptibility from 30% to 10% drives a positive ROI even if it just stops a few small incidents, irrespective of the other financial and strategic benefits listed previously. And if it can prevent that one wipeout ransomware event, which so often start with an innocent looking email, the ROI goes stratospheric!
While technology upgrades are an essential component of any cybersecurity strategy, they should not overshadow the importance of human risk management and should be considered as a potentially expensive method of tricking yourself into thinking that you are making progress.
The opportunity for risk reduction in the awareness, behaviour and culture of your staff, is far greater than the like for like replacement of one tech solution for another, marginally improved one.
By focusing on human risk, organizations can achieve a more substantial and cost-effective reduction in cyber risk, not only providing a higher ROI but also fostering a resilient and proactive security posture that technology alone cannot achieve.
Andrew Rose is an award-winning Chief Security Officer at SoSafe with over 25 years of experience in cybersecurity. He has held senior roles at MasterCard and served as a Forrester analyst, providing strategic guidance on security risk management. In his current role, Rose focuses on equipping organizations with the tools and knowledge to enhance cyber resilience and build robust security strategies to combat evolving threats.
[1] https://www.forrester.com/blogs/the-future-is-now-introducing-human-risk-management/
[2] https://www.ibm.com/reports/data-breach
[3] https://www.forbes.com/sites/forbestechcouncil/2019/05/09/yes-virginia-you-can-calculate-roi-for-cybersecurity-budgets/#3ec2106f3ad4