What security awareness training really costs
Direct answer
Published security awareness software pricing can sit at roughly €19 to €43 per employee per year, depending on the package and company size. But the software subscription is only one component of the total cost. Organizations also have to account for campaign setup, user administration, completion follow-up, content selection, effectiveness measurement, management reporting, and preparation of compliance evidence. For lean teams, this operating work can cost more than the software itself.
This page separates the four costs that a per-employee quote does not capture, gives you a way to estimate your own total, and explains when handing the work to a managed provider makes sense and when it does not.
The invoice tells you what the tool costs. It does not tell you what the program costs.
The invoice is not the total cost
A security awareness program carries four distinct costs, and only the first one appears on a vendor quote.
- Software cost. The per-employee subscription for the platform that hosts content and tracks completion.
- Operating cost. The recurring internal time to actually run the program: scheduling, reminders, follow-up, content choices, and measurement.
- Evidence and reporting cost. The work to turn activity into something an auditor or a board will accept: mapping outcomes to controls, assembling records, writing reports.
- Governance cost. The ownership that never leaves you: policy decisions, approvals, escalation, and accountability for the program’s results.
Per-seat comparisons make the first cost visible while often understating the other three. That is the gap this page is about.
What the software itself costs
Software is the easy part to price, so let’s start there.
KnowBe4 publishes list pricing, which makes it a useful transparent example rather than a market-wide benchmark. In its current published EUR pricing, the SAT Foundation tier runs at €2.28 per user per month for organizations with 25 to 50 users, falling to €1.55 for organizations with 501 to 1,000 users. That is approximately €27 down to €19 per user per year. The SAT Advanced tier runs higher, at roughly €43 down to €32 per user per year. These are recommended prices based on a three-year term, excluding VAT and other applicable charges. Actual quoted prices may differ. (KnowBe4 pricing, accessed June 2026)
Two things are worth noticing. First, per-seat pricing creates meaningful volume discounts: on KnowBe4’s published Foundation tier, an organization with 25 to 50 users pays approximately 47% more per user than one with 501 to 1,000 users (the SAT Advanced tier shows a smaller gap of around 34%). Smaller teams pay the most per person for the same software. Second, even at the small-team rate, the subscription is a contained, predictable number.
The software is straightforward to price. The work required to operate it is not. For a side-by-side look at platforms and operating models, see our guide to human risk management tools. The rest of this page is about the costs that guide cannot quote for you.
What it takes to operate the program
Buying the platform is the start of the work, not the end of it. A program designed to change behavior and produce defensible audit evidence requires someone, every cycle, to:
- maintain the employee population as people join, move, and leave
- select and review content so it stays relevant and credible
- schedule campaigns and manage timing across teams
- handle reminders, exceptions, and the people who do not complete on time
- evaluate effectiveness rather than just completion
- prepare reports leadership will read
- map outputs to the controls your framework expects
- produce evidence an auditor can test
- update the program as threats and regulations change
None of this is exotic. That is the point. It is steady, recurring, and it lands on someone who usually has another full-time job. A list like this is more honest than a tidy “hours per month” estimate, because the real number depends entirely on your size, your framework, and how seriously you take the measurement.
Why personnel capacity is often the real constraint
If this work were trivial, more organizations would simply do it. The data suggests that capacity is often a bigger blocker than willingness to spend.
In Fortinet’s 2025 Security Awareness and Training report (a survey of 1,850 leaders run by Sapio Research), personnel limitations were cited almost twice as often as budget constraints as the reason organizations had delayed security awareness training: 34% named limited personnel, 19% named budget, and 18% named other security priorities. In EMEA, 28% pointed to limited personnel. (Fortinet 2025 Security Awareness and Training report)
Fortinet’s own recommendation, for organizations facing those limits, is to partner with third-party experts to offload the burden and keep training quality and regularity consistent. That recommendation comes from a vendor, so weigh it as such, but the underlying finding is clear and useful on its own: for many teams, the scarce resource is people who can run the program, not money to buy the tool.
When administration becomes a function
The operating work grows with program scope, organizational complexity, and maturity. As a program matures, it stops being an occasional administrative task and becomes an ongoing function.
The SANS 2025 Security Awareness Report, drawing on more than 2,700 professionals across over 70 countries, associates programs that embed security into organizational culture with roughly 3.9 full-time equivalents of combined effort. The same research frames the timeline honestly: influencing behavior takes about three to five years, and shaping culture takes five to ten. (SANS 2025 Security Awareness Report)
That figure does not mean a small company should hire four people. It is combined effort across contributors in mature programs, and it shows how far a serious function extends beyond assigning an annual course. The lesson for a lean team is directional, not literal: the more you expect from the program (measurable behavior change, board-level reporting, defensible evidence), the more it behaves like a role rather than a task.
A practical way to estimate your total cost
There is no honest single number we can put here, because the recurring internal hours vary too much to quote. So instead of a fabricated total, use a model you can fill in for your own situation.
Total annual cost = software subscription + internal operating labor + evidence preparation + external support + integration and change costs.
To estimate the internal labor line, answer these for your organization:
- Who selects and approves content?
- Who manages joiners and leavers in the program?
- Who follows up on non-completers?
- Who reviews behavioral results, not just completion rates?
- Who prepares the audit evidence?
- Who reports to management or the board?
- How often is the program repeated through the year?
- What happens, and who does it, when a new regulatory topic has to be added?
Put a rough monthly hour estimate against those answers and price the time. As a neutral reference, Eurostat places average hourly labor cost across the EU at €34.9 (€38.2 in the euro area, ranging from €12.0 in Bulgaria to €56.8 in Luxembourg). (Eurostat, 2025) That is a whole-economy average, useful only to show that internal administration has a real economic cost before you even reach specialist security salaries. Your actual rate, especially for security or compliance staff, is likely to be higher.
The exercise often surprises people. The subscription is usually the easiest and most predictable line in the model. Once internal labor, evidence preparation, and external support are included, it may no longer be the largest.
Self-managed or managed: an operating-model choice
Once you see the four costs, the real decision is not which platform to license. It is who operates the function.
| Self-managed platform | Managed human risk program |
|---|---|
| Customer operates campaigns | Provider operates agreed campaigns |
| Customer selects and maintains content | Content is curated as part of delivery |
| Customer assembles evidence | Evidence generation is included |
| Greater configuration flexibility | Lower recurring internal burden |
| Best for teams with program capacity | Best for lean security and compliance teams |
This is not another vendor comparison. It is a choice about where the recurring operating work sits.
Where SafeHabits fits
SafeHabits is a managed human risk program. It combines the platform and the recurring operating layer in one service: campaign delivery, curated and human-authored content, effectiveness measurement, framework mapping, and audit-ready evidence generation are included, with structured evidence packages prepared for upload into GRC platforms such as Vanta and Drata. You keep what should stay yours: policy ownership, approvals, and management oversight.
In the language of the model above, SafeHabits is built to handle most of the operating, evidence, and reporting work, so the customer’s internal role shifts from administration toward governance and oversight. Once the scope, employee list, and customer approval are available, the first program can be running the same day. Plans start from €1,900 per year and scale with organizational size and scope.
A direct per-seat comparison would miss the operating, evidence, and reporting work included in the managed model.
When managed delivery is not the right choice
Managed delivery is not for everyone, and pretending otherwise would undercut the argument. It is likely the wrong fit when:
- a mature internal awareness team already exists and has capacity
- you want extensive custom campaign engineering and full configuration control
- training already runs effectively inside a broader enterprise platform you operate
- you only need a basic annual compliance course, with no real measurement or evidence objective
That last case matters. If the goal is the cheapest possible completion certificate, a managed program is not the economical choice, and that is fine. The case for managed delivery is strongest when you need the program to actually work and to produce defensible evidence, without staffing the function to do it.
See the managed model in practice
SafeHabits runs the recurring human risk program while your organization retains policy ownership, approval, and management oversight. See how the SafeHabits journey works.
FAQ
How much does security awareness training cost?
Per-employee software subscriptions commonly run in the low tens of euros per user per year, and decrease per seat as headcount grows. But the subscription is only one of four costs. Operating the program, preparing evidence, and governing it are often larger for lean teams, and they do not appear on a vendor quote.
Why can the software be the smallest part of the cost?
Because the platform price covers access to the software, while scheduling, follow-up, measurement, reporting, and audit evidence remain recurring human work. For lean teams with specialist staff performing that work, the operating cost can exceed the license cost.
How many people does it take to run a security awareness program?
SANS associates mature programs that embed security into culture with roughly 3.9 full-time equivalents of combined effort. That is not a staffing rule for a small company. It illustrates how far a serious, sustained program extends beyond assigning an annual course.
Do I need a dedicated security awareness manager?
Not necessarily at small scale, where the work is usually a fraction of someone’s time. But as scope and reporting expectations grow, the operating work increasingly resembles a role rather than a task.
What does a managed human risk program include?
Typically campaign delivery, curated content, effectiveness measurement, framework mapping, and audit-ready evidence, with the customer retaining policy ownership and governance. SafeHabits includes these and prepares structured evidence packages for upload into GRC platforms such as Vanta and Drata.
How quickly can a managed program start?
Because a managed provider handles setup, onboarding, and the first campaign, there is no lengthy internal rollout. Once the scope, employee list, and customer approval are available, a SafeHabits program can be running the same day.
How is this different from a security awareness platform?
A platform is software you operate. A managed human risk program is the software plus the recurring operating layer, run for you. The choice between them is an operating-model decision, not a feature comparison.
Sources
- KnowBe4, Security Awareness Training Pricing (EU list pricing, accessed June 2026)
- Fortinet, 2025 Security Awareness and Training Global Research Report (Sapio Research, n=1,850)
- SANS Institute, 2025 Security Awareness Report
- Eurostat, EU hourly labour costs ranged from €12 to €57 in 2025