How to increase the perceived value for what you do to manage human cyber risk

12 March 2025

Security professionals often struggle to quantify and communicate the business impact of human cyber risk management.

While it’s well known that the people aspect is an important part of any security and risk strategy, proving the ROI of managing human risk is more challenging.

Below is a comprehensive list of real-world examples demonstrating how human cyber risk initiatives align with core business priorities:

  1. Make us money (Revenue generation)
  2. Save us money (Cost reduction)
  3. Reduce our risk (Risk mitigation)
  4. Make us more productive (Efficiency gains)

Each example provides measurable metrics that security professionals can use to secure executive buy-in, justify budget, and align cybersecurity with business goals.

1. Make us money (Revenue generation)

1.1 Security as a competitive advantage in winning deals

  • X% of deals in our pipeline included security-related objections or requirements.
  • We successfully addressed Y%, progressing to contract negotiations.
  • Without strong human cyber risk controls, we would have lost $Z million in potential revenue.

Example
  • 35% of deals in our pipeline included security-related objections or requirements.
  • We successfully addressed 80%, progressing to contract negotiations.
  • Without strong human cyber risk controls, we would have lost $12.5M in potential revenue annually.

1.2 Increased eligibility for regulated industries and security-conscious customers

  • X% of contracts in regulated industries (finance, healthcare, government) required proof of human cyber risk controls.
  • By meeting these requirements, we secured $Y million in deals that would have been at risk.

1.3 Reduced sales cycle time by eliminating security objections

  • Previously, security concerns extended deal cycles by X weeks.
  • By proactively addressing human risk concerns, we cut security review time by Y%, accelerating contract signings by Z days.
  • This unlocked $A in additional revenue per quarter.

Example
  • Previously, security concerns extended deal cycles by 4 weeks on average.
  • By proactively addressing human risk concerns, we cut security review time by 30%, accelerating contract signings by 8 days.
  • This unlocked $3.2M in additional revenue per quarter.

1.4 Retaining existing customers by meeting evolving security requirements

  • X% of customers required us to meet updated security standards to renew contracts.
  • By demonstrating compliance, we retained Y% of customers at risk of churn, preserving $Z in annual recurring revenue (ARR).

1.5 Security as a revenue enabler for enterprise deals

  • X enterprise contracts worth $Y million would have been disqualified without strong human cyber risk controls.
  • Our improved security posture increased our eligibility for Z% more enterprise deals, driving revenue growth.

Example
  • 18 enterprise contracts worth $14.2M would have been disqualified without strong human cyber risk controls (as this represents 20% of the requirement).
  • Our improved security posture increased our eligibility for 25% more enterprise deals, driving revenue growth.

1.6 Preventing revenue loss by reducing security-related downtime

  • Each hour of downtime costs the business $X in lost productivity and sales.
  • 30% of the incidents resulting in downtime are related to user behavior.
  • By improving ABC user behavior, we reduced security-related downtime by Y%, preventing $Z in lost revenue over the past year.

Example
  • Each hour of downtime costs the business $250,000 in lost productivity and sales.
  • By improving specific user behaviors, we reduced security-related downtime by 40%, preventing $6.5M in lost revenue over the past year.

1.7 Passing vendor risk assessments through MFA and password manager adoption

  • X% of contracts now require vendors to demonstrate compliance with MFA enforcement and strong password policies.
  • By ensuring 100% adoption of password managers and MFA among employees, we passed Y% of vendor risk assessments, winning $Z in contracts.

Example
  • 72% of contracts now require vendors to demonstrate compliance with MFA enforcement and strong password policies.
  • By ensuring 100% adoption of password managers and MFA among employees, we passed 90% of vendor risk assessments, winning $5.4M in contracts.

2. Save us money (Cost reduction)

2.1 Lowering compliance-related fines and penalties

  • Regulatory fines for security failures can reach $X per violation (GDPR, HIPAA, PCI-DSS).
  • Our improved security behaviors reduced non-compliance incidents by Y%, avoiding $Z in potential penalties.

Example
  • Regulatory fines for security failures can reach $20M per GDPR violation and $43,792 per HIPAA violation.
  • Our improved security behaviors reduced non-compliance incidents by 35%, avoiding $5.6M in potential penalties.

2.2 Reducing security-related IT support costs

  • Each IT support ticket related to security (e.g., account lockouts, phishing reports) costs $X in labor time.
  • By reducing these tickets by Y%, we saved $Z in IT support costs annually.

Example
  • Each IT support ticket related to security (e.g., account lockouts, phishing reports) costs $45 in labor time.
  • By reducing these tickets by 28%, we saved $1.1M in IT support costs annually.

2.3 Lowering costs by reducing security-related downtime

  • Security-related disruptions previously caused X hours of downtime per month.
  • By reducing incidents by Y%, we saved an estimated $Z in lost productivity annually.

Example
  • Security-related disruptions previously caused 240 hours of downtime per month.
  • By improving employee security behaviors, we reduced incidents by 50%, saving an estimated $3.7M in lost productivity annually.

2.4 Optimizing security training to improve effectiveness while reducing spend

  • Traditional training programs cost $X per employee annually with a Y% engagement rate.
  • By switching to personalized, risk-based interventions, costs dropped by Z% per employee while improving engagement by A%.

Example
  • Traditional training programs cost $250 per employee annually with a 30% engagement rate.
  • By switching to personalized, risk-based interventions, costs dropped by 40% per employee while improving engagement by 65%.

2.5 Reducing costs of breach recovery and incident response

  • The average breach takes X days to recover from and costs $Y in investigation, containment, and mitigation efforts.
  • By reducing human-related incidents by Z% and improving post-incident engagement and behavior interventions, we’ve saved $A in breach response costs over the past year.

Example
  • The average breach takes 21 days to recover from and costs $4.45M in investigation, containment, and mitigation efforts.
  • By reducing human-related incidents by 45% and improving post-incident engagement and behavior interventions, we’ve saved $2.1M in breach response costs over the past year.

2.6 Reducing financial impact of security incidents

  • The average insider-related breach costs $15.38M per incident (Ponemon).
  • We implemented automated behavioral risk reporting, reducing unintentional insider-related security events by X%.
  • Data loss incidents due to improper document sharing were reduced by X% through automated security nudges.
  • Identified and mitigated Y high-risk employee behaviors, preventing $Z in potential financial losses.
  • Prevented Y accidental sensitive data leaks, avoiding $Z in compliance fines.

Example
  • Insider-related breaches cost $15.38M per incident.
  • We implemented automated behavioral risk monitoring, reducing unintentional insider-related security events by 32%.
  • Data loss incidents due to improper document sharing were reduced by 40% through automated security nudges.
  • Identified and mitigated 85 high-risk employee behaviors, preventing $4.7M in potential financial losses.

3. Reduce our risk (Risk mitigation)

3.1 Measuring the effectiveness of human risk management

  • Weak/reused passwords decreased by C%.
  • Unapproved data sharing incidents reduced by D%.
  • Overall user-related incidents dropped by E% over the past year.
  • Employees reporting security concerns increased by Z%.
  • Shadow IT use (unauthorized software) reduced by A%.

Example
  • Weak/reused passwords decreased by 50%.
  • Unapproved data sharing incidents reduced by 35%.
  • Overall user-related incidents dropped by 42% over the past year.
  • Employees reporting security concerns increased by 28%.
  • Shadow IT use (unauthorized software) reduced by 47%.

3.2 Reducing risks associated with password security and authentication

  • X% of breaches are caused by compromised credentials (Verizon DBIR).
  • Improvements in security behaviors associated with using password managers and MFA adoption led to a Y% decrease in credential theft incidents.
  • Reduced Z unauthorized access attempts, preventing potential account takeovers.

Example
  • 81% of breaches are caused by compromised credentials (Verizon DBIR).
  • Improvements in security behaviors associated with using password managers and MFA adoption led to a 48% decrease in credential theft incidents.
  • Reduced 2,500 unauthorized access attempts, preventing potential account takeovers.

3.3 Reducing security policy violations and regulatory compliance risks

  • Non-compliance fines can reach $X per violation.
  • By improving employee adherence to data protection policies from Y% to Z%, we reduced the likelihood of breaches and avoided $A in potential penalties.

Example
  • Non-compliance fines can reach $20M per GDPR violation.
  • By improving employee adherence to data protection policies from 60% to 95%, we reduced the likelihood of breaches and avoided $3.5M in potential penalties.

3.4 Reducing shadow IT risks

  • X% of employees previously installed unauthorized software, creating security vulnerabilities.
  • Automated detection, behavioral interventions, and policy reinforcement led to a Y% decrease in shadow IT use.
  • Reduced Z instances of unapproved cloud storage usage, minimizing risk exposure.

Example
  • 20% of employees previously installed unauthorized software.
  • Automated detection, behavioral interventions, and policy reinforcement led to a 55% decrease in shadow IT use.
  • Reduced 1,200 instances of unapproved cloud storage usage, minimizing risk exposure.

3.5 Reducing security policy violations and compliance risks

  • Failure to follow security policies (e.g., USB use, document handling) led to X incidents last year.
  • Through increasingly effective behavioral interventions, policy adherence improved by Y%, decreasing incidents requiring security intervention by Z.

3.6 Strengthening password security to reduce credential theft

  • X% of security incidents in the past year involved weak or reused passwords.
  • Y% of employees have now adopted password managers, reducing credential compromise incidents by Z%.
  • Enforced multi-factor authentication (MFA) adoption led to a A% decrease in unauthorized account access.

3.7 Reducing compliance violations and audit risks

  • Failure to meet compliance requirements (GDPR, HIPAA, PCI-DSS) can result in fines of up to 4% of annual revenue.
  • Improved data handling and access control behaviors have reduced compliance violations by X%.
  • Audit findings and non-compliance risks were reduced by Y%, saving Z hours of remediation work per year.

3.8 Decreasing security policy violations across the workforce

  • X% of employees previously engaged in risky behaviors, such as unauthorized cloud storage usage or sharing sensitive data.
  • Improved security behaviors and fewer policy breaches led to a Z% decrease in corrective actions and disciplinary measures.

3.9 Reducing data exfiltration risks

  • X% of security incidents involved unauthorized data transfers or accidental sharing.
  • Implementation of data loss prevention (DLP) controls, combined with improvements in DLP-related security behaviors, reduced incidents by Y%.
  • Decreased Z instances of sensitive data exposure, mitigating potential reputational and financial damage.

Example
  • Unauthorized data transfers or accidental sharing led to 320 security incidents last year.
  • Implementation of data loss prevention (DLP) controls, combined with improvements in DLP-related security behaviors, reduced incidents by 53%.
  • Decreased 190 instances of sensitive data exposure, mitigating potential reputational and financial damage.

3.10 Increasing threat detection response speed

  • The average time to detect and respond to human-driven security incidents was X hours.
  • Through automation, effective behavioral interventions, and real-time risk monitoring, we reduced response time by Y%, containing threats before escalation.

4. Make us more productive (Efficiency gains)

4.1 Automating human risk management to free up security team resources

  • Manual risk assessments and interventions previously took X hours per week.
  • By implementing automated behavioral interventions, we cut that by Y%, saving Z hours per week, allowing security teams to focus on high-priority threats.

Example
  • Manual risk assessments and interventions previously took 50 hours per week.
  • By implementing automated behavioral interventions, we cut that by 60%, saving 1,500 hours per year.
  • At an average IT/security analyst rate of $48 per hour, this equals $72,000 in direct cost savings annually.

4.2 Reducing security-related disruptions for employees

  • Security-related IT support requests previously accounted for X% of help desk tickets.
  • By reducing these incidents through automated and/or effective behavioral interventions by Y%, we saved employees an estimated Z hours of lost productivity per year.
  • Account lockouts and password resets were reduced by X%, saving Y IT support hours per month.
  • Security automation for access requests reduced delays, saving Z employee hours per year.

Example
  • Account lockouts and password resets were reduced by 35%, saving 1,200 IT support hours per year.
  • At $48 per hour, this equals $57,600 in direct IT cost savings annually.
  • Security automation for access requests reduced delays, saving 5,400 employee hours per year.
  • At $36 per hour, this equals $194,400 in regained productivity.

4.3 Reducing unnecessary security friction while maintaining strong protections

  • Adaptive security controls reduced:
    • Account lockouts by X%.
    • Unnecessary MFA prompts by Y%, saving Z minutes per employee per week.
    • False positive security alerts by A%, reducing analyst workload by B hours per month.
    • Shadow IT alerts by X%.
    • Unnecessary access approval requests by Y%, reducing employee frustration.

4.4 Reducing time spent on security awareness training without compromising security

  • Employees previously spent X minutes per week on redundant security training.
  • By optimizing training, we reduced time spent by Y%, saving Z minutes per employee per week, which scales to A hours regained across the company annually.
  • Personalized risk-based training reduced training time by Y%, saving Z hours across the organization annually.
  • Just-in-time security interventions replaced generic training, improving behavioral compliance by X% while reducing overall training time by Y%.

Example
  • Employees previously spent 40 minutes per week on security training.
  • Just-in-time interventions replaced generic training, improving compliance by 55% while reducing training time by 30%.
  • Personalized risk-based training reduced training time by 40%, saving 5,200 hours across the organization annually.
  • At an average employee cost of $36 per hour, this equates to $187,200 in regained productivity.
  • Just-in-time security interventions replaced generic training, improving behavioral compliance by 55% while reducing overall training time by 35%.
  • This saved an additional 3,900 employee hours annually, equating to $140,400 in regained productivity.
  • In total: 9,100 employee hours saved per year, or $327,600 in productivity regained annually.

4.5 Minimizing time wasted on phishing attack recovery

  • Each phishing attack requires X hours of investigation, containment, and mitigation.
  • By improving early detection and response, we reduced phishing recovery time by Y%, saving Z hours per month.

4.6 Streamlining security policies to improve workflow efficiency

  • Complex security policies previously slowed down employee workflows by X minutes per task.
  • By refining policies and introducing automated approvals, we improved efficiency by Y%, reducing employee frustration and increasing output.

4.7 Reducing time spent on repetitive security processes

  • Employees spent X minutes per week resetting passwords, managing access approvals, and reporting security issues.
  • Implementing self-service security tools reduced time spent by Y%, saving Z hours across the organization annually.

4.8 Creating capacity within security teams by reducing manual intervention

  • Before automation, security teams spent X hours per month manually handling user-related security risks.
  • By deploying risk-based security automation to target risky employee behavior, we reduced manual intervention by Y%, freeing Z hours per security analyst, and X hours per employee per year.

Example
  • Before automation, security teams spent 200 hours per month manually handling user-related security risks.
  • By deploying behavior risk-based security automation, we reduced manual intervention by 50%, freeing 200 hours per security analyst, and 3 hours per employee per year.
  • At $48 per hour, this equals $153,600 in direct cost savings annually.

4.9 Preventing productivity loss from ransomware and other disruptions

  • The average downtime from a ransomware attack is X days, costing $Y per day in lost productivity.
  • By implementing stronger human risk controls, incident reporting, and proactive interventions, we reduced ransomware infection rates by Z%, minimizing downtime risk.

Example
  • The average downtime from a ransomware attack is 15 days, costing $250,000 per day in lost productivity.
  • By implementing stronger human risk controls, incident reporting, and proactive interventions, we reduced ransomware infection rates by 35%, minimizing downtime risk by 5.3 days.
  • This prevented $1.3M in lost productivity.