Business Case for Security Awareness Training

Bringing Information Security to Your Organisation

Building a Business Case for Information Security Awareness Training: as new businesses find out every day, a hack, data breach, or information security incident, can spell disaster. From the cost of recovery, potential fines and litigation, to a damaged reputation, we all know that information security should be a priority. So why are staff still failing to get the training they need?

Despite all that you invest in latest in technological solutions, the confidentiality, integrity and availability of your and your client’s data, is ultimately in the hands of your staff. With human error facilitating so many attacks, a robust business case to convince your organisation to allocate the correct resources, is essential to mitigate risk. Read on to learn more about building a business base for information security awareness training, and the importance of getting this right before going to the SMT or board for approval.

Building a Business Case

At a time when scarcely a day goes by without a high-profile data breach, it can be shocking to think how many organisations are willing to gamble with their future by simply hoping they are never hit with an information security attack

Part of the reason it can be difficult to secure buy-in from senior management and other internal stakeholders is because information security awareness training doesn’t generate return on investment, rather it helps protect ROI.

The below provides a rough guide to help you build a business case for information security awareness training, beginning with researching your options, onto matters of budgeting, how to achieve stakeholder buy-in, and finally, how to present your case.

Choosing a Solution

Identify your Problem

First, outline your existing problems and their implications. By making this first assessment you gain a clearer and more complete view of your situation; thus, allowing you an informed pathway forward.

Specific requirements

Once you have a clear understanding of your problems, draw from these to help understand your requirements. Find out what features are essential to your solution, features that are good to have, and what features are out-of-scope.

Speaking to key stakeholders for their input, at this stage, will not only help you understand requirements you may not have considered, but also help you later in the process of building a business case.

Research Options

Researching your options is paramount. While looking for your solution, speak to a wide variety of vendors and find one that suits your needs and fits your requirements. Though there are many notable, or high-profile vendors out there, be sure to put in the extra effort to diversify your search and be sure that you’re finding the best option, and not just the most obvious.

Benefits Over Features

While exploring your options, try to bear in mind that regardless of the amount of features a product may have, if the benefits of that product don’t solve your problems, then it is not the product for you.


Though it may sound simple, it’s worth noting, if you think you have found the information security awareness training package for you, a demonstration and proof of concept is strongly advised before any final decision is made. Training may appear perfect on paper, but it’s only when you experience a product first-hand, do you really understand its worth.

Securing Budget

  • Firstly, budget for this at the right time. If you can, include this within your annual budget from the offset, as it’s much easier to secure funds when they are already allocated.
  • Next, to demonstrate a solutions value, calculate the cost of not implementing a cyber security awareness training programme. This counter-factual method will allow stakeholders to appreciate the long-term positive effects training can have from a perspective of value.
  • Finally, be prepared to justify your plan. Knowing the details, short and long term, can only help strengthen your case. This may include details such as billing cycles, capital and operational expenditure, as well as the all-important cost.

Stakeholder Buy-In

When making your case, consider how a training solution will impact stakeholder groups and tailor your message to them. Within a single organisation there may be a variety of competing needs, therefore, building a business case for information security awareness training is rarely a singular approach.

This is not to say your message shouldn’t be consistent, but know, the best solution available may not please everyone immediately, or for the same reasons. Consider individuals and how they and their respective teams will be affected, considering their needs and the types of language they are used to.

When considering your approach, it is invariably a good idea to equip yourself with strong research. As you prepare your written business case or proposal, work together with your vendor, as they can provide you case studies, metrics and supporting information to help strengthen your position and fill in with much appreciated expertise.

You can provide industry specific research to strengthen your case further and a ‘show not tell’ approach is typically advised. By organising a training demonstration to get stakeholders involved, you can help alleviate doubts and speculation, allowing key individuals to draw conclusions of their own volition.


Communicating a change in practice to employees, and more importantly the importance of it, can make the difference between the initiative’s success or failure. Draw up a communications plan that effectively demonstrates to key stakeholders how you and your department intend to ensure that the importance of this change to process is communicated to all employees throughout the organisation.

Begin by meeting with all department managers to walk them through the change and what it means for their departments. Communicate the importance of the change, and how it translates to ensuring that the organisation is kept secure.

What’s Next?

Building a business case for information security awareness training is far from just theory, as such, practically planning and organising your case in an effective and convenient way will aide in your mission.

Schedule a convenient time with the relevant stakeholders to present your case either in person or via video conferencing facilities, after they have had time to read your proposal.

Keep your case succinct. Don’t be too brief, but don’t feel as though your need to cover every feature, no matter how small. By showing and not telling, you allow your audience to understand your case in a practical way, getting a sense and understanding of the solution via engagement, rather than mere instruction.

Hut Six Training

A data breach is the last thing any business wants, with loss of reputation, fines and recovery costs, a serious incident can spell the end for even the most successful organisation. But all these risks are a possibility when businesses choose to accept human error.

Building a robust business case is an essential to any project, and information security awareness is no exception. With so much at stake, find your solution, build your case, and don’t let avoidable human error cost you.

Hut Six information security awareness training not only satisfies compliance but is specifically designed to help action measurable behavioural change in your team, providing a detailed look at these, and many more information security essentials.

Security Awareness for your Organisation

Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.


Zero Trust Security

How Zero Trust Works

How Zero Trust Works - Zero Trust Security blog by Information Security Awareness Training provider Hut Six Security.

Writing a Cyber Job Specification

How to Write a Cyber Job Specification

How to Write a Cyber Job Specification: Finding the Best Cybersecurity Talent. Cyber blog by Information Security Awareness solution provider Hut Six Security.

Building your Cyber Security Team

How to Build a Cyber Team

How to Build a Cyber Team - Top Points to Consider When Building Your Team. Blog by Information Security Awareness solution Hut Six Security.

UKGDPR Compliance

What is GDPR Compliance UK?

What is GDPR Compliance UK? Understanding the General Data Protection Regulation and UK Compliance. Blog by Hut Six Security.

DDoS Attack

What is a DDoS Attack?

What is a DDoS attack and what should you do if you think you are experiencing one? Blog by Information Security Training provider Hut Six Security.

How GDPR Relates to you Personally

Does GDPR Apply to Individuals?

Does GDPR Apply to Individuals? How GDPR Relates to you Personally. Blog by Information Security Awareness Training provider Hut Six Security

Paper Records and Data Protection Law

Does GDPR Cover Paper Records?

Does GDPR Cover Paper Records? Paper Records and Data Protection Law blog by Information Security Awareness Training provider Hut Six Security.

Security Check for your Organisation

How Secure is My Organisation?

How Secure is My Organisation? Knowing where you are, before knowing where to begin. Blog by Information Security Awareness solution Hut Six Security.

Ransomware Propagation

How Does Ransomware get on your Computer?

How Does Ransomware get on your Computer? Chances are that in the last few years you've heard the term "ransomware". Blog by Hut Six Security.

Auditing for GDPR Compliance - Guest Blog

Guest Blog: How to Audit Your Business for GDPR Compliance

How to Audit Your Business for GDPR Compliance with a GDPR Business audit. Hut Six Security guest blog by

Speak to us about your Cyber Awareness