December 15, 2017 By George Moraetes 3 min read

In a world where cyberattacks make headlines on a daily basis, security has become an urgent priority in every aspect of life, especially business. As a result, calculating the return on investment (ROI) of security solutions is a major challenge for enterprises around the world, across all industries.

Communicating Security’s Impact on the Bottom Line

Some of the most important questions chief information security officers (CISOs) must answer regarding the return on security investment (ROSI) include:

  • How does a business become secure?
  • How much security does the business need?
  • How can business leaders determine whether the investments are reasonable?
  • What is the appropriate amount of financing and time to invest in security?

Executive decision-makers are often indifferent as to whether firewalls or door barricades protect the organization’s servers and data. They just want to know how security impacts the business’ bottom line. The CISO must understand this mindset and communicate the importance of security in business terms. Common questions executives may ask include:

  • How much could a lack of security potentially cost the business?
  • What effect does security have on current organizational productivity?
  • What is the potential impact of a catastrophic security breach?
  • How would the recommended solutions impact productivity?
  • Are these recommendations the most cost-effective solutions?

The key is to calculate the ROSI not by comparing results from several solutions, but by considering the investment on a risk basis.

Breaking Down the Return on Security Investment Formula

Measuring the probability of a data breach and the associated security risk is a daunting task, and the risk of miscalculation is considerable. This computation is only as good as the analytical efforts that go into the ROSI formula, which must include the cost of the security solution as well as the annual loss expetency derived from risks:

ROSI (%) = (ALE-mALE) – Cost of Solution ÷ Cost of Solution

The components of the ROSI formula quantify the investment’s impact to the bottom line. This metric is critical to gain executive buy-in when presenting the return on investment.

The best way to understand the ROSI formula is to break down its components. Let’s start with the annual loss expectancy (ALE), which is the total financial loss expected from security incidents. This is the control number that demonstrates how much money could be lost without the security investment.

The ALE is calculated by multiplying the annual rate of occurrence (ARO) by the single loss expectancy (SLE). ARO is the probability of a security incident occurring within a year. This is a judgment call by the CISO based on historical incidents. SLE is the total financial loss from a single security incident. This component is based solely on data assets that have value within the organization. It also represents the direct costs of financial loss and the indirect costs associated with data breach fallout.

Finally, modified annual loss expectancy (mALE) is the ALE plus the savings the security solution delivers. This represents the percentage of threats halted by the security solution.

For example, let’s say a security solution has an annual investment of $75,000 to remediate 20 security incidents that resulted in $10,000 in data loss. According to the vendor, the solution will block 95 percent of cyberattacks. This scenario is computed as follows:

ROSI = ((20 x 10,000) x .95 – $75,000) ÷ $75,000

ROSI = 153.3 percent

The formula suggests that the security investment will generate of a return of 153.3 percent, or about $115,000 annually.

The Role of Security Metrics

Another common method used to determine the effectiveness of security investments is security metrics. These metrics track controls within the security infrastructure, such as antivirus, intrusion prevents system (IPS), firewalls, identity and access management (IAM), data loss prevention (DLP), security information and event management (SIEM), and more. The drawback is that security metrics are based on data collected over a long period of time. Therefore, the return on those security investments is influenced by past events and do not reflect advancements made to keep pace with emerging cyberthreats.

However, security metrics are crucial when it comes to calculating the ARO in the ROSI formula described above. When considering upgrading or implementing new solutions, these metrics allow security leaders to justify security investments in terms that executives can understand.

Listen to the podcast series: A CISO’s Guide to Obtaining Budget

More from CISO

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Boardroom cyber expertise comes under scrutiny

3 min read - Why are companies concerned about cybersecurity? Some of the main drivers are data protection, compliance, risk management and ensuring business continuity. None of these are minor issues. Then why do board members frequently keep their distance when it comes to cyber concerns?A report released last year showed that just 5% of CISOs reported directly to the CEO. This was actually down from 8% in 2022 and 11% in 2021. But even if board members don’t want to get too close…

The CISO’s guide to accelerating quantum-safe readiness

3 min read - Quantum computing presents both opportunities and challenges for the modern enterprise. While quantum computers are expected to help solve some of the world’s most complex problems, they also pose a risk to traditional cryptographic systems, particularly public-key encryption. To ensure their organization’s data remains secure now and in the future, chief information security officers (CISOs) should educate themselves about quantum computing, proactively address the coming quantum risks to cybersecurity and work to establish cryptographic agility in their enterprise.A future cryptographically…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today