The ROI of cybersecurity awareness can be calculated with a simple formula: (avoided risk minus cost of the solution) divided by cost of the solution, multiplied by 100. For a 75-employee SME, this calculation typically yields an ROI above 2,000% over 12 months. This guide provides the complete formula, three worked examples by company size, the 5 arguments that convince a CFO, and a business case template ready for your board.
The average cost of a data breach reached $4.88 million in 2025 (IBM Cost of a Data Breach). The cost of a phishing awareness platform: between €2 and €5 per employee per month. The equation should be simple. Yet in most French SMEs, the cybersecurity budget remains one of the hardest line items to get approved.
The problem isn't technical — it's a communication problem. Your CISO knows awareness is necessary. But the CFO sees a cost centre. The CEO wants numbers. The board wants an ROI. Without a clear calculation framework, cybersecurity gets pushed behind the CRM, behind marketing, behind the new machinery.
What is the real cost of a phishing attack for an SME?
Before talking about ROI, you need to establish the real cost of what you are protecting against. Global figures are impressive, but what matters for convincing your leadership is figures scaled to your company size.
Benchmark figures
According to the IBM Cost of a Data Breach Report 2025, the global average cost of a data breach stands at $4.88 million. But this average aggregates companies of all sizes, including large international groups. For a French SME, the amounts differ — but remain considerable.
The Hiscox Cyber Readiness Report 2025 provides data closer to SME reality:
| Company size | Median incident cost | Maximum observed cost |
|---|---|---|
| 10–49 employees | €15,000 to €50,000 | €200,000 |
| 50–249 employees | €50,000 to €250,000 | €800,000 |
| 250–500 employees | €150,000 to €500,000 | €2,000,000 |
These figures are confirmed by CESIN data: 60% of SMEs that suffer a major cyberattack cease operations within 6 months.
How are incident costs broken down?
According to IBM, data breach costs break down into four categories:
- Detection and escalation (30%): incident identification, forensic investigation, audit, crisis management. For an SME without an internal SOC, this typically means calling in an external provider at emergency rates.
- Containment and remediation (25%): isolating compromised systems, eradicating the threat, restoring data, patching exploited vulnerabilities.
- Notification (15%): informing affected parties (GDPR obligation), notifying the CNIL, crisis communications, legal counsel. With NIS2, add notification to ANSSI within 24 hours.
- Business loss (30%): operational downtime, lost clients, reputational damage, contractual penalties. This is often the most underestimated item.
The hidden costs nobody quantifies
Beyond direct costs, a phishing incident creates financial consequences that persist well after technical remediation:
- Increased cyber insurance premiums: insurers systematically reassess risk after a claim. Expect a 30 to 80% increase depending on severity — or outright non-renewal.
- Lost contracts: more and more customers require cybersecurity guarantees in their RFPs. A documented incident disqualifies you.
- Human cost: stress, overtime, IT team turnover. The Ponemon Institute estimates that 25% of the total cost of an incident relates to productivity loss.
- Regulatory fines: GDPR (up to 4% of turnover) and now NIS2 (up to €10 million). These fines stack on top of remediation costs.
Two concrete examples
Industrial SME, 200 employees. CEO fraud: an accountant receives an email impersonating the managing director requesting an urgent transfer of €320,000 to a foreign supplier. The transfer is made. The fraud is discovered 48 hours later. The bank cannot reverse the transfer. Net loss: €320,000 plus €45,000 in legal and investigation fees. This is exactly the type of attack that a phishing simulation would have prevented.
Accounting firm, 80 employees. Ransomware via phishing: an employee opens a malicious attachment. The ransomware spreads across the entire network in 4 hours. Ransom demanded: €150,000. The firm refuses to pay. Result: 3 weeks of near-total shutdown, partial data restoration from incomplete backups, permanent loss of certain client files. Estimated total cost: €280,000 (IT restoration, lost business, client compensation).
What is the ROI calculation formula?
The ROI of cybersecurity awareness is calculated like any ROI: by comparing the benefit obtained (avoided risk) with the cost of the investment.
The formula:
ROI = (Avoided risk − Cost of solution) / Cost of solution × 100
Where avoided risk is calculated as follows:
Avoided risk = Probability of incident × Average cost × Risk reduction
The variables:
- Probability of a phishing incident per year: according to the Hiscox Cyber Readiness Report 2025, approximately 30% of SMEs experience at least one cyber incident per year. For SMEs without an awareness programme, this rate rises to 40–45% depending on size and sector.
- Average cost of an incident: scaled to your company size (see table above). Use the mid-range figure for a conservative calculation.
- Risk reduction from awareness training: according to benchmarking data (KnowBe4, Phishing by Industry Benchmarking Report 2024), companies that implement regular phishing simulations and continuous training see their click rate drop from approximately 33% to under 5% in 12 months. This reduction in click rate translates directly into reduced incident risk.
Why these figures are conservative
The calculation above only accounts for one type of benefit: reduced incident risk. In reality, awareness training generates additional returns:
- NIS2 compliance: training and simulations directly address the obligations of articles 21.2.f and 21.2.g. Without them, you risk a fine of up to €10 million.
- Reduced insurance premiums: several insurers offer discounts of 10 to 25% to companies that demonstrate an active awareness programme.
- Commercial advantage: documentation of your awareness programme strengthens your position during client audits and certifications (SOC 2, ISO 27001).
Worked examples by company size
Let's apply the formula to three concrete company profiles, using the real NovaShield pricing: free up to 50 employees (Freemium), then from €59/month. Prices below are those in force at the time of writing — consult the NovaShield pricing page for the current grid before presenting these figures to your leadership.
SME of 75 employees
| Variable | Value | Source |
|---|---|---|
| Probability of incident/year | 25% | Hiscox 2025 (SME < 100) |
| Average incident cost | €80,000 | Hiscox 2025 median |
| Untreated annual risk | €20,000 | 25% × €80,000 |
| Platform cost | €708/year | NovaShield Pro, €59/month (51–150 employees tier) |
| Risk reduction | 75% | Proofpoint 2025 |
| Residual risk | €5,000 | €20,000 × 25% |
| Avoided risk | €15,000 | €20,000 − €5,000 |
| ROI | approx. 2,020% | (15,000 − 708) / 708 × 100 |
In plain terms: for €59 per month, you reduce an annual risk of €20,000 to €5,000. Every euro invested returns more than 21 in avoided risk. And this calculation doesn't include potential NIS2 fines. For SMEs of 50 employees or fewer, NovaShield's Freemium plan is free — the ROI calculation becomes moot, as there is no cost to offset.
SME of 200 employees
| Variable | Value | Source |
|---|---|---|
| Probability of incident/year | 35% | Hiscox 2025 (SME 100–250) |
| Average incident cost | €250,000 | Hiscox 2025 median |
| Untreated annual risk | €87,500 | 35% × €250,000 |
| Platform cost | €1,548/year | NovaShield Pro, €129/month (151–300 employees tier) |
| Risk reduction | 75% | Proofpoint 2025 |
| Residual risk | €21,875 | €87,500 × 25% |
| Avoided risk | €65,625 | €87,500 − €21,875 |
| ROI | approx. 4,140% | (65,625 − 1,548) / 1,548 × 100 |
In plain terms: for €129 per month, you reduce an annual risk of €87,500 to under €22,000. The cost-to-benefit ratio exceeds 1:40. This is one of the best possible ROIs in IT security investment.
Mid-market company of 500 employees
| Variable | Value | Source |
|---|---|---|
| Probability of incident/year | 45% | Hiscox 2025 (mid-market 250–500) |
| Average incident cost | €500,000 | Hiscox 2025 median |
| Untreated annual risk | €225,000 | 45% × €500,000 |
| Platform cost | €2,748/year | NovaShield Pro, €229/month (301–500 employees tier) |
| Risk reduction | 75% | Proofpoint 2025 |
| Residual risk | €56,250 | €225,000 × 25% |
| Avoided risk | €168,750 | €225,000 − €56,250 |
| ROI | approx. 6,040% | (168,750 − 2,748) / 2,748 × 100 |
In plain terms: for €229 per month, you reduce an annual risk of €225,000 to €56,000. The ROI exceeds 6,000%. At this size, the probability of being audited by ANSSI under NIS2 is high — the compliance investment adds further to the benefit.
Run a simulation and measure your team's real click rate.
The 5 arguments that convince a CFO
Figures are necessary, but not sufficient. A CFO thinks in terms of risk, compliance, and competitive advantage. Here are the five arguments that tip the decision.
1. The regulatory argument
"The NIS2 directive requires us to train employees and regularly test the effectiveness of our cybersecurity measures. This is not optional. The cost of non-compliance can reach €10 million or 2% of our global turnover. And executives are personally liable."
This is often the most effective argument with a CFO: NIS2 makes awareness training a legal obligation, not a discretionary budget line.
2. The insurance argument
"Our cyber insurer now requires proof of awareness training to maintain our coverage. Without a documented programme, our premium increases by 30 to 50%. Some insurers refuse to cover companies without regular phishing simulations."
According to the AMRAE, cyber insurance underwriting criteria have tightened considerably since 2023. Training and simulation are now prerequisites in the majority of contracts.
3. The commercial argument
"Our clients ask for cybersecurity guarantees. Supplier security questionnaires systematically include questions on employee awareness. Without a documented programme, we lose contracts or fail the pre-qualification stage."
This argument is particularly powerful in B2B sectors where buyers integrate cybersecurity into their procurement criteria. SOC 2 and ISO 27001 compliance explicitly requires a continuous training programme.
4. The benchmark argument
"The average click rate on a phishing email in our sector is 18%. We have never measured ours. That means we don't know whether 1 in 5 of our employees would click on a malicious email, or 1 in 3. Unquantified risk is unmanaged risk."
A CFO hates unquantified risk. The absence of measurement is itself an argument for running at least one initial simulation campaign — if only to establish a baseline.
5. The opportunity cost argument
"An awareness platform costs approximately €2 per employee per month. Less than a coffee per person. The average cost of a single phishing incident for our size of company is €80,000. The platform represents a tiny fraction of one incident's cost."
Reducing the cost to a trivial amount per employee per month, then comparing it to the enormous cost of a single incident, is one of the most effective framings in budget negotiations.
How to build a business case for your board
Here is the structure of a 6-slide presentation, ready to adapt to your context.
Slides 1–2: context and threats
- Over 80% of breaches involve a human factor (Verizon DBIR)
- incidents reported in your sector in 2025 (ANSSI source)
- The NIS2 directive requires training and testing: you are within scope
- Average cost of an incident for your size: [X] € (Hiscox source)
Slide 3: current situation
- No phishing simulation in place
- Annual training via PowerPoint only
- Unknown click rate = unmeasured risk
- No awareness documentation to present in a NIS2 audit
Slides 4–5: solution and ROI
- Simulation, training and AI-powered email verification platform
- Target deployment in 15 minutes, first results within 1 month
- Annual cost: [X] € (see NovaShield pricing for the current grid: from €708/year for 51–150 employees to €4,188/year for 501–1,000, free up to 50)
- Annual avoided risk: [X] € (formula detailed above)
- ROI: [X]% over 12 months
- NIS2, insurance and commercial compliance bonus
Slide 5: deployment timeline
- Month 1: platform deployment and baseline campaign (measuring initial click rate)
- Months 2–3: first simulation campaigns and automated post-failure training
- Months 4–6: regular programme with quarterly reporting
- Month 6: first board report with trends and measured ROI
Slide 6: recommendation
"We recommend launching a free trial to measure our real click rate — our baseline. This test costs nothing and will give us the data needed to make an informed decision."
This recommendation is strategic: it doesn't ask for an immediate budget commitment, but a test. That's much easier to approve at board level. And once leadership sees the actual click rate of their teams, the decision to invest follows naturally.
Which metrics to present to the board quarterly?
Once the programme is running, you need to demonstrate its value at every board meeting. Here are the key metrics to include in your quarterly report:
- Click rate: the percentage of employees who click on a simulated phishing link. This is your primary indicator. Expected trend: from 15–25% (baseline) to under 5% in 6 months.
- Reporting rate: the percentage of employees who report the suspicious email rather than clicking. This is the maturity indicator. A rate above 60% signals an embedded security culture.
- Risk score by department: identify the most vulnerable departments (often finance, HR, executive) to target training where it's most needed.
- Completed training: number of micro-learning modules completed, completion rate, average score. Documented proof for NIS2 article 21.2.g compliance.
- Sector benchmark: compare your results to your sector average. "We went from 22% to 4% click rate, against a sector average of 15%" is a powerful message.
- Cumulative ROI: cumulative avoided risk vs cumulative platform cost. This figure only improves over time.
Discover NovaShield analytics features for an automated dashboard of these metrics.
Frequently asked questions
How do I calculate the cost of a phishing incident for my SME?
Use the following formula as a starting point: take the number of employees, multiply by €1,000 (low-end estimate of cost per impacted employee according to the Ponemon Institute), and add fixed remediation costs (€15,000 to €50,000 for forensic investigation and restoration). For a 100-employee SME, this gives an estimate of €115,000 to €150,000. Compare with Hiscox data for your size tier and use the figure most appropriate to your sector.
Do cyber insurers offer discounts for phishing simulation?
Yes, increasingly. According to the AMRAE, the majority of French cyber insurers now integrate employee awareness into their pricing criteria. Some offer explicit discounts of 10 to 25% on premiums for companies demonstrating an active simulation and training programme. Others make it a prerequisite for underwriting: without a documented programme, no coverage — or coverage with significant exclusions for phishing-related incidents.
What minimum budget for an effective awareness programme?
For a 50-employee SME, a budget of €1,200 to €3,000 per year enables a complete programme including monthly phishing simulations and automated training. That's €2 to €5 per employee per month. Below this threshold, you can run ad hoc simulations, but not a continuous programme with measurable impact. The ideal SME cybersecurity budget devotes approximately 5 to 10% of the total IT budget to awareness, per ENISA recommendations.
How long before seeing a positive ROI?
ROI is technically positive from month one, since the monthly platform cost is negligible compared to avoided risk. But in terms of measurable results, you will have your baseline (initial click rate) from the very first simulation campaign. First improvements are visible from month two. A 50% reduction in click rate is typically achieved within 3 to 4 months.
How do you measure effectiveness without a real incident to compare against?
This is precisely the advantage of phishing simulation: it provides proxy metrics that correlate directly with real risk, without needing to wait for an incident. The click rate on simulations is the best predictor of the click rate on real phishing. It's the same logic as a fire evacuation drill: you don't measure ROI by counting fires avoided, but by measuring evacuation time and its improvement.
The ROI case is made — now measure it for yourself
The ROI of cybersecurity awareness is among the highest of all IT security investments. With ratios that often exceed 1:10 depending on company size, documented returns rank among the highest in information security.
But beyond the numbers, the stakes are existential. According to the Hiscox Cyber Readiness Report 2025, 60% of SMEs that suffer a major cyberattack cease operations within 6 months.
The case for convincing your leadership is complete: ROI often exceeds 1,000% even in a conservative scenario, NIS2 makes training mandatory with personal liability for executives, and both insurers and clients demand proof of awareness. Read our guide to choosing a phishing awareness solution and launch your first campaign in 15 minutes.
Sources
- IBM, Cost of a Data Breach Report 2025.
- Hiscox Cyber Readiness Report 2025.
- CESIN (Club des Experts de la Sécurité de l'Information et du Numérique).
- Ponemon Institute.
- AMRAE (Association pour le Management des Risques et des Assurances de l'Entreprise).
- Verizon Data Breach Investigations Report.
- ANSSI.
- ENISA.
- KnowBe4, Phishing by Industry Benchmarking Report 2024.

