Research ⋅ Business Case

The maths is simple. The industry ignores it.

Security training is treated like a cost to be minimised. The data on what breaches actually cost - and what better training actually saves - makes that calculus very hard to defend.

The Behaviour Cycle White Paper ⋅ Research Series


$4.44M

Average global cost of a data breach in 2025. In the US the figure reaches $10.22M. These are averages - some organisations are paying significantly more. And 60% of the incidents driving those numbers involve human behaviour, not technical failure. 

IBM Cost of a Data Breach Report (2025). Ponemon Institute. 600 organisations.

96%

of employees who took a risky security action knew it was risky when they did it. Not a knowledge gap. Not a training gap. A behaviour gap. Awareness is not the bottleneck. What people do under pressure, distraction, and deadline is. 

Proofpoint State of the Phish (2024). 7,500 adults across 15 countries.

38%

Lower average breach cost for organisations with strong security training and tested incident response, compared to those without. On a $4.4M average, that's over $1.5M per incident. The training doesn't just reduce risk. It reduces the bill when it materialises.

IBM Cost of a Data Breach Report (2025).

The Numbers

What a breach actually costs. And who it costs most.

IBM's 2025 Cost of a Data Breach Report is the most comprehensive annual study of its kind - 600 organisations, dozens of industries, every major region. The headline is $4.44M globally. But the breakdown is where it gets interesting.

Of all breach types, those with a human element at the root cost more to contain, take longer to identify, and generate higher regulatory exposure. Phishing alone accounts for 16% of initial attack vectors. Social engineering a further 15%. That is nearly a third of all breaches entering through a door that better-trained people could have kept shut.

The Verizon 2025 Data Breach Investigations Report analysed 22,052 incidents and found the human element present in 60% of confirmed breaches - errors, social engineering, misused credentials. Of those, a striking 8% of employees account for 80% of incidents. Annual training reaches everyone identically. It does not reach the 8% with any more force than it reaches everyone else.

Where the Money Goes

Four ways the current approach costs more than it saves

Cost 01

The Breach You Didn't Prevent

$4.44M global average. $10.22M in the US. Add regulatory fines, reputational damage, customer churn, and the cost of remediation - and the figure climbs even higher. The cheapest breach is the one that doesn't happen. Training that changes behaviour prevents breaches. Training that generates a completion certificate does not. 

Cost 02

The Training Budget Spent on Theatre

Georgenson's research - cited in the foundational Baldwin and Ford review in Personnel Psychology - estimated that only around 10% of training expenditure results in transfer to on-the-job behaviour. Modern data doesn't contradict this. Organisations are spending real money on modules that 61% of employees fail to learn from, and that rigorous research shows have no measurable impact on actual behaviour under pressure.

Cost 03

Knowing and Doing Are Not the Same Thing

96% of employees who took a risky action knew it was risky. That figure is from Proofpoint's 2024 State of the Phish - 7,500 adults, 15 countries. The problem was never awareness. It was the gap between knowing something and doing the right thing anyway, under pressure, when tired, when rushed. That gap is closed by rehearsal. Not by modules. 

Cost 04

The Saving You're Not Banking

IBM's data shows organisations with strong security training save approximately $1.5M per breach compared to those without. KnowBe4's 2025 Phishing Benchmarking Report - 14.5 million users, 67.7 million simulated tests - shows continuous immersive training cuts phishing susceptibility by 86% in twelve months. The ROI on training that works is not ambiguous. The question is whether the budget is going to training that works. 

The finding

96% of employees who took a risky action knew it was risky when they took it.

Proofpoint State of the Phish (2024) ⋅ 7,500 adults, 15 countries

The ROI

Training that works costs more. It also saves more.

Immersive training is more expensive to deliver than a click-through module. That is true. What is also true is that a $4.44M breach, a regulatory fine, or a reputational hit costs considerably more than the difference between the two approaches.

PwC's 2020 VR training study across 12 US locations found that learners in immersive formats trained four times faster than classroom equivalents, were 275% more confident to apply what they'd learned, and felt 3.75 times more emotionally connected to the content. Speed, confidence, and emotional encoding - the three things the brain needs to actually change behaviour.

86%

Reduction in phishing susceptibility over 12 months with continuous immersive training. Compared to no measurable impact from annual compliance modules.

KnowBe4's 2025 benchmarking data - 14.5 million users across 62,400 organisations - shows a 40% reduction in phishing susceptibility within 90 days of sustained simulation-based training. The baseline click rate starts at 33.1%. After twelve months of continuous engagement it drops to 4.1%. Annual training doesn't move that number. The research says so directly.

The organisations asking whether they can afford immersive training are asking the wrong question. The question is whether they can afford the alternative.

Research Sources
  • IBM Security (2025). Cost of a Data Breach Report. Ponemon Institute. 600 organisations across 17 industries and 16 countries.
  • Verizon (2025). Data Breach Investigations Report. 22,052 incidents analysed.
  • Proofpoint (2024). State of the Phish Report. 7,500 adults across 15 countries.
  • KnowBe4 (2025). Phishing by Industry Benchmarking Report. 14.5 million users, 62,400 organisations, 67.7 million simulated phishing tests.
  • PwC (2020). The Effectiveness of Virtual Reality Soft Skills Training in the Enterprise. 12 US locations.
  • Baldwin, T.T. & Ford, J.K. (1988). Transfer of training: a review and directions for future research. Personnel Psychology, 41(1). Citing Georgenson (1982) on training transfer rates.
  • Epignosis (2023). Cybersecurity training survey. n=1,200 US employees.
  • Ho, G. et al. (2025). Understanding the efficacy of phishing training in practice. Presented at IEEE S&P and Black Hat. UC San Diego / University of Chicago. n=19,500 employees.
