How Much Does Security Awareness Training Cost? A Market Analysis

Sebastian Salla May 2, 2023

Are you looking to secure your business through regular security awareness training? With dozens and even hundreds of providers, finding a cost-efficient way to do so is a common and challenging task.

So, we've created this in-depth market analysis to show you every option available, what you can expect to pay, and what the strengths or weaknesses of each option are.

How much should you pay for security awareness training?

Let's get straight to it and answer the question. In 2023, how much does security awareness training cost? From $0.42 to $4 monthly per employee. Where exactly you land in this price range depends on the provider you choose, your business size, and the commitment you make (i.e., a monthly, annual, or multi-year purchase).

Let's dive into these factors to understand their impact on the overall cost of running security awareness training.

The types of security awareness training providers

We've identified four distinct types of security awareness training providers based on market analysis and our expertise in this field. It's important to flag this because each has an impact on the price you can expect to pay:

1. Self-service security awareness training platforms

Self-service platforms are the most cost-efficient way of conducting security awareness training. Typically, these platforms operate under a low-margin, high-volume business model and rely on providing customers with all the information, tools, and educational content needed to conduct security awareness training. You sign up for a free account, evaluate their platform, and if it suits your needs, you make a purchase, all without the need for human interaction.

This approach is typically a win-win for all parties. The provider can offer a low-cost alternative to semi-managed, fully managed, and niche-training providers while remaining profitable. The downside of this approach is that there may be a small amount of upskilling during the onboarding process.

The security awareness training platform that CanIPhish provides operates under this cost model. Depending on the size of your business and the commitment you make, you can expect to pay between $0.42 and $1.00 monthly per employee.

Cost of self-service security awareness training platforms

Reference: The image above depicts example pricing from a self-service provider of security awareness training.

2. Semi or fully-managed security awareness training platforms

Semi and fully-managed security awareness training platforms have been the only option for the past couple of decades. These platforms are typically more rigid in their onboarding process, which comes with benefits and downsides.

The typical onboarding process for these platforms is to:

  1. Register interest in an evaluation
  2. Receive a demonstration of the platform
  3. Speak with a sales representative for pricing (public pricing may not be available)
  4. Onboard the platform with assistance from technical support
  5. Have monthly or quarterly check-ins from customer success

These platforms do come at a premium cost, which is the main downside. You will need to make an annual or multi-year commitment and can expect to pay between $1.50 and $4.00 a month per employee.

Cost of managed security awareness training platforms

Reference: The image above depicts example pricing from a semi-managed provider of security awareness training.

3. Niche security awareness training providers

Niche training providers have been and always will be a solid option for conducting security awareness training. These training providers are typically expensive but have some of the most in-depth training capabilities available.

These providers are typically consultants in the country or region you operate in and have hands-on, relevant knowledge of your industry or business requirements. For example, they may thoroughly understand your compliance or privacy obligations or know the trending threats pertinent to your business.

These training providers typically offer a variety of training solutions depending on your business needs. For example, the training may be virtual or in-person and use self-service, semi or fully managed platforms to help power their security awareness training offering.

When using a niche training provider, expect to pay between $3.00 and $6.00 a month per employee.

4. Open-source security awareness training tools

Open-source tools are usually much more limited in capability and require significant investment from internal employees to get them off the ground.

These tools are entirely self-managed. You need to operate the infrastructure, onboard the training material, and potentially integrate multiple open-source solutions to offer an end-to-end training capability.

While open-source tools have no immediate cost, you need to factor in the time it takes to stand them up and maintain them, and whether your business has the necessary expertise to use them effectively for training your employees.

File download for an open-source phishing simulation platform

Reference: The image above depicts the files to download an open-source phishing simulation platform called GoPhish.

Now that we understand the types of tools, platforms, and providers available, let's understand how the size of your business may impact the cost of security awareness training.

How does the size of your business impact pricing?

Regardless of the type of provider you're using, there are sunk costs associated with acquiring and setting up the necessary infrastructure for each customer. As a result, you'll typically find that the cost per employee associated with running security awareness training becomes progressively lower as you scale through certain employee thresholds.

Each provider has different thresholds, but to give you an example, at CanIPhish, we provide the following discounting based on the size of a business:

  1. 10% discount for companies with 100 or more employees
  2. 20% discount for companies with 500 or more employees
  3. 30% discount for businesses with 1,500 or more employees

Discount shown for a business with 1,500 employees.

Next, let's understand how your commitment impacts the price per employee.

How does the commitment you make impact pricing?

As mentioned, providers have upfront acquisition and infrastructure costs to onboard customers. Because of this, almost every security awareness training provider will force customers to make an annual or multi-year subscription-based commitment. From market research, the team at CanIPhish found that you can expect the following discounts depending on the commitment you make:

  1. Monthly subscription: Typically, no additional discounting is applied, and very few providers offer subscriptions that only have a monthly commitment.
  2. Annual subscription: If a provider offers monthly subscriptions, you can typically expect a 20-40% discount for annual subscriptions. For example, CanIPhish provides a 40% discount on monthly pricing for annual commitments. If monthly subscriptions aren't on offer, then no additional discounts will apply.
  3. Multi-year subscription: Typically, multi-year subscriptions are stacked based on the years you commit for. The discounts can be 5-10% for every year of commitment. For example, with a 3-year commitment, you could expect an additional 15% discount from what the annual subscription purchase would be.

Example pricing scenarios

Now that we understand all the factors that determine how much security awareness training costs, let's look through a couple of real-world pricing scenarios.

Example annual subscription cost:

  • Self-service platform: $1.00 base price x 40% annual subscription discount x 30% volumetric discount = $0.42 a month per employee. Total annualized cost: $7,560
  • Semi or fully managed platform: $3.00 base price x 30% volumetric discount = $2.10 monthly per employee. Total annualized cost: $37,800
  • Niche training provider: $4.00 base price x 30% volumetric discount = $2.80 monthly per employee. Total annualized cost: $50,400

Example monthly subscription cost:

It's vital to note that not all providers offer monthly commitments. So for this example, we've based pricing on what we've seen in the market.

  • Self-service platform (Monthly commitment available): $1.00 base price x 10% volumetric discount = $0.90 monthly per employee. Total annualized cost: $225 (cancelling after 1 month).
  • Semi or fully-managed platform (Monthly commitment not available): $3.00 base price x 10% volumetric discount = $2.70 a month per employee. Total annualized cost: $8,100.
  • Niche training provider (Monthly commitment not available): $4.00 base price x 10% volumetric discount = $3.60 a month per employee. Total annualized cost: $10,800.

Note: These examples are for demonstration purposes only. Every provider offers different pricing, and pricing may differ based on industry, geographic location, or currency used for the transaction.

Conclusion

We hope you learned a lot about security awareness training and how various factors determine how much it costs. As some final tips to help choose your preferred security awareness training provider, we recommend considering the following:

  1. Do you have staff who speak various languages? Ensure the provider you choose can support multi-lingual training. The translation process should be seamless and auto-translate based on browser settings or allow for manual configuration.
  2. Ensure your provider meets your compliance and privacy needs. There are hundreds of providers and platforms out there. While it's tedious, read through their terms and conditions or privacy policy to understand how they handle your data, where it's located, and whether it will be shared with third parties such as insurance brokers.
  3. Evaluate before you purchase. It can be difficult to understand the benefits and capabilities a provider can offer you without evaluating their solution. Ensure that any providers you're considering offer a free evaluation, ideally without time pressures.
  4. Use simulated phishing to help direct training activities. Simulated phishing attacks are a fantastic tool to help lead training to those most in need of it. Many providers of security awareness training offer phishing as part of their package. Ensure that the phishing capabilities provided are realistic and in-depth. Every phishing attack should entice employees to perform a secondary action such as downloading an attachment, clicking a link, or simply responding to the message.
  5. Use automation to reduce operational overheads. The idea of manually setting up security awareness training campaigns every month is enough to deter people from the activity itself. Many platforms offer automation capabilities that can cycle through various training materials every week, month, or quarter to reduce the need for you to do it manually.

If you've looked around our website, you've likely already noticed that the team at CanIPhish provides a simulated phishing and security awareness training platform that ticks many of the boxes we've talked about in this article. If you want to evaluate our platform, create a free account and get started! If you have any questions, don't hesitate to contact the team.

Written by

Sebastian Salla

A Security Professional who loves all things related to Cloud and Email Security.
