You’ve likely made the security pitch several times to management or the executive suite, and each time they directed investment dollars elsewhere. The CFO may have been the most resistant and ask “what’s the ROI?” which is a simple question but often tough to answer even for standard investments like product development. When it comes to security this can be an extremely daunting question that causes some reasonable frustration.
There are ways, however, you can calculate the Security Return on Investment for review by finance and the executive team. It should be noted that while the method presented here is straightforward, there is a common behavior of miscalculation that happens in regards to cost of an incident.
Classic Return on Investment
In the world of finance, capital investment must be measured for its effectiveness in generating profitability for the organization. This is where the return on investment (ROI) calculation comes in, for the evaluation of an investment. For an investment to be justified it must express in quantitative terms why it needs to happen. The proposals with the most profitability potential usually win; which is why cybersecurity proposals often lose unless there was a major event. The typical return on investment calculation looks like this:
Gain from investment – Cost of investment
ROI = _____________________________________________
Cost of investment
Security context to ROI
This simple evaluation concept applies to every investment, including security. The strength of an investment is normally measured by the certainty and size of return it will provide. Does this same logic apply to cybersecurity, well yes and no. Return on security investment (ROSI) has some nuance to it.
Security is trickier in that an investment does not provide increased revenues, but it does provide savings during the inevitable cyber attack. Security experts call this loss prevention, while in business and economics, loss prevention will fall under the category of opportunity cost. Managers and executive talk about opportunity cost to evaluate the value of one investment option against another one. If one investment gives immediate payback but in the long term costs the company more than another opportunity, then they will not go with the short term option. Increased revenues should not be the expectation when investing in cybersecurity. Instead preservation of capital and assets is what should be expected. Before exploring the calculation, it is important to understand the variables of risk assessment.
Risk assessment concepts
In order to quantify the impact of cybersecurity on the bottom line, risk needs to be determined. The following risk concepts will be the basis of the ROSI calculation.
Single Loss Expectancy (SLE)
SLE is simply the expected amount of money, total cost, that is lost during a single security incident. This is one of the most complex parts of the calculation because it is dependent on if your data assets have been organized and valuated. If not then there is a lot of work that needs to be done with IT and the CIO. At minimum, this number should include direct costs of losses, and indirect costs associated with fallout of the data breach.
Annual Rate of Occurrence (ARO)
ARO measures the likelihood or probability of a security incident occurring in a year. It is that straightforward. It is up to you how you determine this, often in finance they measure historical records to understand this. An example would be you notice in your company there are about 10 incidents that happen per year, so you determine for the coming year that may be the estimated amount you can expect.
Annual Loss Expectancy (ALE)
ALE is the total annual financial loss to expect from security incidents. This is the control number that demonstrates how much money can be lost by maintaining business-as-usual. ALE is calculated as follows:
ALE = ARO * SLE
Modified Annual Loss Expectancy (mALE)
The modified ALE is the same as above but with the addition of losses saved from implementing a security solution. This can be acquired by determining the mitigation ratio, which will be the percentage of threats deterred by the cybersecurity solution.
Return of Security Investment (ROSI) Equation
The combination of the above elements forms the ROSI equation. The ROSI equation integrates the risks and costs associated with a security incident, and combines that with the impact of a security solution. In meetings, classic ROI opens conversations regarding the technicalities and how that number was determined. This figure will open up that discussion to be had among the executive team, and will make it hard to ignore the cost of continuing business-as-usual.
The formula is as follows:
ALE * mitigation ratio – Cost of solution
ROSI = _____________________________________________
Cost of Solution
ROSI example
To demonstrate how this would work in a real-life situation, here is an example scenario:
Echo Inc. has been suffering from increased security breaches for the last few years and is considering investing in a user behavior analytics (UBA) solution. However, the executive suite is not convinced the investment is worth it. The new CIO has decided to run some numbers. Echo’s CIO estimates that Echo has been suffering about 10 (ARO=10) security incidents per year for the last three years. These incidents seem to cost about $20,000 (SLE=20,000) in data loss, fine, and productivity. The UBA solution is projected to block about 90% (mitigation ratio = 90%) of the attacks. However, the costs are causing the solution is an estimated $50,000 per year. In this scenario the equation would be the following:
ROSI = ((10 * 20000) * 0.9 - 50,000) / 50,000 = 260%
The investment in this example of $50,000 per year would save Echo Inc. an estimated $130,000 per year. Put simply the saving produced from the investment would provide a 260% payback on the security investment.
With this framework for calculating return on security investment go forth and make your proposals. Fair warning though, this formula is only as good as the analysis you put in to produce accurate variables.