Things to Consider When Calculating the Return on Security Investment

In a world where cyberattacks make headlines on a daily basis, security has become an urgent priority in every aspect of life, especially business. As a result, calculating the return on investment (ROI) of security solutions is a major challenge for enterprises around the world, across all industries.

Communicating Security’s Impact on the Bottom Line

Some of the most important questions chief information security officers (CISOs) must answer regarding the return on security investment (ROSI) include:

  • How does a business become secure?
  • How much security does the business need?
  • How can business leaders determine whether the investments are reasonable?
  • What is the appropriate amount of financing and time to invest in security?

Executive decision-makers are often indifferent as to whether firewalls or door barricades protect the organization’s servers and data. They just want to know how security impacts the business’ bottom line. The CISO must understand this mindset and communicate the importance of security in business terms. Common questions executives may ask include:

  • How much could a lack of security potentially cost the business?
  • What effect does security have on current organizational productivity?
  • What is the potential impact of a catastrophic security breach?
  • How would the recommended solutions impact productivity?
  • Are these recommendations the most cost-effective solutions?

The key is to calculate the ROSI not by comparing results from several solutions, but by considering the investment on a risk basis.

Breaking Down the Return on Security Investment Formula

Measuring the probability of a data breach and the associated security risk is a daunting task, and the risk of miscalculation is considerable. This computation is only as good as the analytical efforts that go into the ROSI formula, which must include the cost of the security solution as well as the annual loss expetency derived from risks:

ROSI (%) = (ALE-mALE) – Cost of Solution ÷ Cost of Solution

The components of the ROSI formula quantify the investment’s impact to the bottom line. This metric is critical to gain executive buy-in when presenting the return on investment.

The best way to understand the ROSI formula is to break down its components. Let’s start with the annual loss expectancy (ALE), which is the total financial loss expected from security incidents. This is the control number that demonstrates how much money could be lost without the security investment.

The ALE is calculated by multiplying the annual rate of occurrence (ARO) by the single loss expectancy (SLE). ARO is the probability of a security incident occurring within a year. This is a judgment call by the CISO based on historical incidents. SLE is the total financial loss from a single security incident. This component is based solely on data assets that have value within the organization. It also represents the direct costs of financial loss and the indirect costs associated with data breach fallout.

Finally, modified annual loss expectancy (mALE) is the ALE plus the savings the security solution delivers. This represents the percentage of threats halted by the security solution.

For example, let’s say a security solution has an annual investment of $75,000 to remediate 20 security incidents that resulted in $10,000 in data loss. According to the vendor, the solution will block 95 percent of cyberattacks. This scenario is computed as follows:

ROSI = ((20 x 10,000) x .95 – $75,000) ÷ $75,000

ROSI = 153.3 percent

The formula suggests that the security investment will generate of a return of 153.3 percent, or about $115,000 annually.

The Role of Security Metrics

Another common method used to determine the effectiveness of security investments is security metrics. These metrics track controls within the security infrastructure, such as antivirus, intrusion prevents system (IPS), firewalls, identity and access management (IAM), data loss prevention (DLP), security information and event management (SIEM), and more. The drawback is that security metrics are based on data collected over a long period of time. Therefore, the return on those security investments is influenced by past events and do not reflect advancements made to keep pace with emerging cyberthreats.

However, security metrics are crucial when it comes to calculating the ARO in the ROSI formula described above. When considering upgrading or implementing new solutions, these metrics allow security leaders to justify security investments in terms that executives can understand.

Listen to the podcast series: A CISO’s Guide to Obtaining Budget

Share this Article:
George Moraetes

VP, Chief Security Officer and Architect, Securityminders Corporation

George Moraetes is one of the leading information security practitioners with over 20 years of industry experience. He currently serves as the VP, Chief Security Officer and Architect of Securityminders Corporation. In this role, he provides consulting services for Fortune 500 clients, federal and state governments in multiple management role engagements. He is responsible for strategy development, designing and implementing security architectures and overseeing security infrastructure implementations.