Build the business case for phishing / security-awareness training. Enter your headcount, the baseline vs expected post-training phishing click rate, the chance a successful click turns into a breach, and the average cost of a phishing-driven breach. The tool computes your expected annual breach loss before and after training, the risk-reduction value, net benefit, ROI % and payback period — with a sensitivity note. Defaults come from the KnowBe4 2025 benchmark and IBM's 2025 breach-cost data; every input is an adjustable estimate. Saved in your browser. Exports to Word and CSV.
🔒 This is a defensive awareness-program business-case tool, not a guarantee of results. The model is a simple expected-value estimate: expected annual breach loss = employees × annual click rate × chance a click becomes a breach × average breach cost. The pre-filled figures are adjustable estimates drawn from published 2025 data — the KnowBe4 2025 Phishing by Industry Benchmarking Report (global untrained baseline phish-prone rate ≈ 33.1%, falling to ≈ 4.1% after 12 months of training) and IBM's Cost of a Data Breach Report 2025 (phishing was the top initial attack vector, averaging ≈ $4.8M per breach; global all-cause average ≈ $4.44M). Your own click rates, control effectiveness and breach exposure will differ — replace the defaults with your measured values. Everything runs in your browser and is stored only in this device's local storage; nothing is transmitted. Not financial, legal or audit advice.
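The expected-value model described above, worked through as an added example (this is not the tool's own code). The headcount, click-to-breach probability and program cost are constructed sample values; the payback definition (program cost divided by monthly risk reduction) and the break-even helper are assumptions made for illustration.

```javascript
// Added example: expected annual breach loss =
//   employees x annual click rate x chance a click becomes a breach x average breach cost
function expectedAnnualLoss(employees, clickRate, pBreachGivenClick, avgBreachCost) {
  return employees * clickRate * pBreachGivenClick * avgBreachCost;
}

function validate(i) {
  for (const k of ['baselineClickRate', 'trainedClickRate', 'pBreachGivenClick']) {
    if (!(i[k] >= 0 && i[k] <= 1)) throw new RangeError(`${k} must be a fraction in [0, 1]`);
  }
  if (!(i.employees > 0) || !(i.avgBreachCost >= 0) || !(i.programCost > 0)) {
    throw new RangeError('employees and programCost must be > 0, avgBreachCost >= 0');
  }
}

function businessCase(i) {
  validate(i);
  const before = expectedAnnualLoss(i.employees, i.baselineClickRate, i.pBreachGivenClick, i.avgBreachCost);
  const after = expectedAnnualLoss(i.employees, i.trainedClickRate, i.pBreachGivenClick, i.avgBreachCost);
  const riskReduction = before - after;
  const netBenefit = riskReduction - i.programCost;
  return {
    before, after, riskReduction, netBenefit,
    roiPct: (netBenefit / i.programCost) * 100,
    // Assumed definition: months of risk reduction needed to cover the program cost.
    paybackMonths: riskReduction > 0 ? i.programCost / (riskReduction / 12) : Infinity,
  };
}

// Sensitivity: the click-to-breach probability at which net benefit is exactly zero.
// Below this value the program costs more than the loss it is expected to avoid.
function breakEvenBreachProbability(i) {
  const avoidedClicksValue = i.employees * (i.baselineClickRate - i.trainedClickRate) * i.avgBreachCost;
  return avoidedClicksValue > 0 ? i.programCost / avoidedClicksValue : Infinity;
}

const sample = {
  employees: 1000,            // constructed
  baselineClickRate: 0.331,   // page default (KnowBe4 2025 untrained baseline)
  trainedClickRate: 0.041,    // page default (after 12 months of training)
  pBreachGivenClick: 0.0001,  // constructed
  avgBreachCost: 4.8e6,       // page default (IBM 2025, phishing vector)
  programCost: 30000,         // constructed annual program cost
};
console.log(businessCase(sample), breakEvenBreachProbability(sample));
```

The break-even probability is the input to challenge first: the click-to-breach chance is the least measurable term in the model, and the result scales linearly with it.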