RoSI (Return on Security Investment): Measuring the value of your cyber security programme
Justifying your organisation’s cyber budget is far from an easy task. Wavestone’s study shows that cyber security still accounts for only 6.6% of an organisation’s total IT budget. What if measuring the RoSI of your cyber security programme were the way to defend your future cyber security budgets on rational grounds?
Return on investment is a financial ratio measuring the amount of money gained or lost in relation to the amount initially invested in a given investment. This concept is often referred to by the acronym ‘ROI’ (‘Return on Investment’).
The concept of RoSI (‘Return on Security Investment’) is inspired by this notion of ROI, while introducing the idea that security does not directly generate value, but helps to protect assets.
How should RoSI be defined? How can the quantification of cyber risk, also known as CRQ (Cyber Risk Quantification), help with this process? This article aims to shed some light on these two questions, so that you can make informed decisions about your cyber security strategy.
How to calculate your RoSI?
RoSI (Return on Security Investment) is a crucial metric for assessing the effectiveness of cybersecurity investments. Calculating the RoSI enables organisations to determine whether the expenditure made to protect their digital assets is generating a positive return on investment. The general formula for calculating RoSI is:
RoSI = (Reduction in potential losses – Cost of security measure) / Cost of security measure
This approach helps decision-makers justify IT security investments by quantifying the financial benefits in relation to the costs incurred.
To begin with, it is essential to estimate the reduction in potential losses resulting from the implementation of security measures. This estimate is based on risk analysis, which identifies potential threats, their probability of occurrence, and the financial impact of security incidents. For example, if a company estimates that without a certain security measure, it could suffer annual losses of €500,000, and that this measure reduces the risk by half, the reduction in potential losses would be €250,000. This stage requires close collaboration with the risk management and internal audit teams to obtain accurate and realistic estimates.
The cost of the security measure includes all the costs associated with implementing and maintaining it. This includes direct costs, such as expenditure on software and hardware, as well as indirect costs, such as employee time, training and operational costs. For example, if the company spends €100,000 to implement a new intrusion detection system, this amount should be used in the RoSI calculation. It is important to take into account all the costs over the lifetime of the security measure to get a complete picture of the investment.
Finally, by applying the RoSI formula, the organisation can assess the profitability of its cybersecurity investments. If the calculation gives a positive result, the security measure is cost-effective, because it reduces potential losses by more than the cost of implementing it. For example, if the reduction in potential losses is €250,000 and the cost of the security measure is €100,000, the RoSI would be (€250,000 – €100,000) / €100,000 = 1.5, indicating a 150% return on investment. This metric helps companies prioritise the most effective security initiatives and justify the budgets allocated to cyber security to stakeholders.
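The three steps above (estimate the loss reduction, total the measure's cost over its lifetime, apply the formula) as a worked example in Python. This is an added illustration, not code from the article or from Wavestone; it reproduces the article's €500,000 / €100,000 figures and then adds assumed running costs to show why the lifetime cost, not just the purchase price, belongs in the denominator.

```python
from dataclasses import dataclass


@dataclass
class SecurityMeasure:
    """One security measure with its costs over its whole lifetime.

    All figures are constructed for illustration (EUR, following the article's example)."""
    name: str
    initial_cost: float         # one-off: licences, hardware, deployment effort
    annual_running_cost: float  # staff time, training, maintenance, each year
    lifetime_years: int

    def total_cost(self) -> float:
        return self.initial_cost + self.annual_running_cost * self.lifetime_years

    def annualised_cost(self) -> float:
        """Lifetime cost spread evenly over the years the measure is in place."""
        return self.total_cost() / self.lifetime_years


def rosi(loss_reduction: float, cost: float) -> float:
    """RoSI = (reduction in potential losses - cost of the measure) / cost of the measure."""
    if cost <= 0:
        raise ValueError("cost of the measure must be positive")
    return (loss_reduction - cost) / cost


def annual_rosi(ale_before: float, risk_reduction: float, measure: SecurityMeasure) -> float:
    """RoSI on an annual basis: annual loss expectancy (ALE) before the measure,
    the fraction of that risk the measure removes, and the measure's annualised cost."""
    if not 0.0 <= risk_reduction <= 1.0:
        raise ValueError("risk_reduction is a fraction between 0 and 1")
    return rosi(ale_before * risk_reduction, measure.annualised_cost())


def break_even_reduction(ale_before: float, measure: SecurityMeasure) -> float:
    """Smallest risk-reduction fraction at which the measure stops losing money (RoSI = 0)."""
    return measure.annualised_cost() / ale_before


if __name__ == "__main__":
    # The article's figures: EUR 500,000 annual loss, halved by a measure costing EUR 100,000.
    print("article example:", rosi(500_000 * 0.5, 100_000))  # 1.5

    # Same purchase price, but counting three years of assumed running costs.
    ids = SecurityMeasure("intrusion detection system", 100_000, 120_000, 3)
    print("annualised cost:", round(ids.annualised_cost()))
    print("RoSI at 50% reduction:", round(annual_rosi(500_000, 0.50, ids), 2))
    print("RoSI at 30% reduction:", round(annual_rosi(500_000, 0.30, ids), 2))
    print("break-even reduction:", round(break_even_reduction(500_000, ids), 3))
```

With the assumed running costs the annualised cost is about €153,000. At a 30% risk reduction the measure looks profitable if only the €100,000 purchase price is counted (RoSI 0.5) but is slightly loss-making on its annualised lifetime cost; `break_even_reduction` gives the 30.7% reduction the measure must actually deliver before it pays for itself, a useful question to put to the vendor and to the risk team.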
A framework for implementing RoSI within the company
Lawrence A. Gordon and Martin P. Loeb, two professors specialising in accounting information systems and information systems respectively, have proposed an economic analysis model for information security investments. Their model, known as the ‘Gordon-Loeb Model’, has been published in several academic articles, notably in the Journal of Information Security.
The Gordon-Loeb model provides a framework for determining the optimal amount to invest in cyber security based on the vulnerability of information and the probability of security incidents occurring. This model suggests that companies should invest up to a certain percentage of the expected value of potential losses due to a cyber attack to maximise their return on security investment. It also highlights that security investment should not exceed around 37% of the expected loss, regardless of the vulnerability of the information.
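The optimisation behind the 37% figure, as an added worked example (not code from the article, from Wavestone, or from Gordon and Loeb's papers). It uses one of the two breach-probability functions Gordon and Loeb analyse, the "class I" form S(z, v) = v / (αz + 1)^β, where v is the probability of a breach with no investment, z the amount invested, and α and β assumed productivity parameters. The optimal investment is where the marginal reduction in expected loss equals the marginal euro spent, and it never exceeds expected loss divided by e, i.e. about 37% of v·L.

```python
import math


def breach_probability(z: float, v: float, alpha: float = 1e-5, beta: float = 1.0) -> float:
    """Gordon-Loeb 'class I' security breach probability function:
    S(z, v) = v / (alpha * z + 1) ** beta, where v is the vulnerability
    (breach probability with no investment) and z the amount invested.
    alpha and beta describe how productive the investment is (assumed values)."""
    return v / (alpha * z + 1) ** beta


def expected_net_benefit(z: float, v: float, loss: float,
                         alpha: float = 1e-5, beta: float = 1.0) -> float:
    """ENBIS(z) = (v - S(z, v)) * loss - z: expected loss avoided minus the investment."""
    return (v - breach_probability(z, v, alpha, beta)) * loss - z


def optimal_investment(v: float, loss: float, alpha: float = 1e-5, beta: float = 1.0) -> float:
    """Investment z* that maximises ENBIS for the class-I function.

    Setting dENBIS/dz = 0 gives (alpha*z + 1) ** (beta + 1) = v*alpha*beta*loss;
    if that equation has no positive root, the best choice is to invest nothing."""
    root = (v * alpha * beta * loss) ** (1.0 / (beta + 1.0))
    return max(0.0, (root - 1.0) / alpha)


def optimal_investment_grid(v: float, loss: float, alpha: float = 1e-5,
                            beta: float = 1.0, step: float = 100.0) -> float:
    """Independent check of the closed form: scan ENBIS on a grid up to the expected loss v*loss."""
    best_z, best = 0.0, expected_net_benefit(0.0, v, loss, alpha, beta)
    z = step
    while z <= v * loss:
        benefit = expected_net_benefit(z, v, loss, alpha, beta)
        if benefit > best:
            best_z, best = z, benefit
        z += step
    return best_z


def gordon_loeb_cap(v: float, loss: float) -> float:
    """Upper bound on the optimal investment: (1/e) * expected loss, about 37 % of v*loss."""
    return v * loss / math.e


if __name__ == "__main__":
    v, loss = 0.5, 1_000_000.0  # constructed: 50 % breach probability, EUR 1M loss if breached
    z_star = optimal_investment(v, loss)
    print(f"expected loss without investment: {v * loss:,.0f}")
    print(f"optimal investment (closed form):  {z_star:,.0f}")
    print(f"optimal investment (grid check):   {optimal_investment_grid(v, loss):,.0f}")
    print(f"Gordon-Loeb cap (expected loss/e): {gordon_loeb_cap(v, loss):,.0f}")
    print(f"breach probability at z*:          {breach_probability(z_star, v):.3f}")
    print(f"net benefit at z*:                 {expected_net_benefit(z_star, v, loss):,.0f}")
    # A low-vulnerability asset for which the model says: do not invest at all.
    print("optimal investment at v = 0.05:", optimal_investment(0.05, loss))
```

For the constructed inputs the optimum is roughly €124,000 against an expected loss of €500,000, well under the €184,000 cap, and the grid scan lands on the same value. The last line shows the less intuitive consequence of the model: for an asset with low vulnerability, the first euro of investment buys less loss reduction than it costs, so the optimal spend is zero. The α and β values decide how quickly investment pays off and are the part a practitioner would need to calibrate from their own risk data.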
The integration of Gordon and Loeb’s work with other frameworks and industry standards, such as the NIST Cybersecurity Framework, enables businesses to develop robust and economically viable cybersecurity strategies. This not only ensures the protection of their information assets, but also the optimisation of their financial resources in a context of increasing cyber threats.
Refining RoSI by quantifying cyber risk
Quantifying cyber risk plays an essential role in refining the calculation of RoSI, as it provides an accurate estimate of the potential losses associated with security incidents. By assessing cyber risks quantitatively, companies can identify the most likely and costly threats. This approach is based on hard data, such as historical incident frequencies, the most common types of attack, and the costs associated with data breaches. With this information at their fingertips, decision-makers can better assess the scale of the risks they face and adjust their cybersecurity investments accordingly.
One of the main methods of quantifying cyber risk is probabilistic analysis, which helps to estimate the likelihood and potential financial impact of different types of security incident. By applying techniques such as loss modelling and Monte Carlo simulations, companies can obtain a probability distribution of potential losses. This allows expected values and extreme scenarios to be determined, providing a more granular view of risk. This accurate data is essential for calculating RoSI, as it provides a solid basis for estimating the reduction in potential losses as a result of the security measures put in place.
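A Monte Carlo loss model of the kind described above, feeding the RoSI formula, as an added example that is not part of the article or of Wavestone's or Citalid's tooling. The scenario is constructed: incidents arrive at a Poisson rate, each incident's cost is lognormal (a common heavy-tailed choice for severity), and the control under evaluation is assumed to halve the incident frequency without changing severity. The benefit used in the RoSI is the simulated reduction in expected annual loss; the 95th and 99th percentiles are reported alongside it because they are the "extreme scenario" figures the text refers to.

```python
import math
import random
from statistics import mean


def poisson(rng: random.Random, lam: float) -> int:
    """Number of incidents in one year, Poisson(lam), via Knuth's multiplication method."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(lam: float, median_loss: float, sigma: float,
                           trials: int = 20_000, seed: int = 1) -> list:
    """One trial = one simulated year: draw the incident count, then a lognormal
    loss per incident, and sum them. Returns the distribution of annual loss."""
    rng = random.Random(seed)
    mu = math.log(median_loss)  # the lognormal median is exp(mu)
    yearly = []
    for _ in range(trials):
        incidents = poisson(rng, lam)
        yearly.append(sum(rng.lognormvariate(mu, sigma) for _ in range(incidents)))
    return yearly


def percentile(values: list, q: float) -> float:
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, round(q * (len(ordered) - 1)))]


def loss_profile(lam: float, median_loss: float, sigma: float, **kw) -> dict:
    """Expected annual loss plus the tail values decision-makers ask about."""
    losses = simulate_annual_losses(lam, median_loss, sigma, **kw)
    return {"expected": mean(losses),
            "p95": percentile(losses, 0.95),
            "p99": percentile(losses, 0.99)}


def rosi_from_simulation(before: dict, after: dict, annual_cost: float, **kw) -> dict:
    """RoSI using the simulated reduction in expected annual loss as the benefit."""
    b, a = loss_profile(**before, **kw), loss_profile(**after, **kw)
    reduction = b["expected"] - a["expected"]
    return {"before": b, "after": a, "reduction": reduction,
            "rosi": (reduction - annual_cost) / annual_cost}


# Constructed scenario (not data from the article): about 3 incidents a year,
# median loss per incident EUR 50,000 with a heavy tail (sigma = 1).
BASELINE = {"lam": 3.0, "median_loss": 50_000.0, "sigma": 1.0}
# Assumed effect of the control: halves incident frequency, leaves severity unchanged.
WITH_CONTROL = {"lam": 1.5, "median_loss": 50_000.0, "sigma": 1.0}
CONTROL_COST = 100_000.0  # assumed annual cost of the measure

if __name__ == "__main__":
    result = rosi_from_simulation(BASELINE, WITH_CONTROL, CONTROL_COST)
    for label in ("before", "after"):
        p = result[label]
        print(f"{label:6}: expected {p['expected']:>10,.0f}  "
              f"p95 {p['p95']:>10,.0f}  p99 {p['p99']:>10,.0f}")
    print(f"reduction in expected annual loss: {result['reduction']:,.0f}")
    print(f"RoSI: {result['rosi']:.2f}")
```

With these inputs the expected annual loss is roughly €247,000 before and €124,000 after the control, so the RoSI comes out modestly positive (around 0.24) rather than the 1.5 of the article's simpler example. Two points the simulation makes that a point estimate hides: the p99 loss is several times the expected loss, so a control that mainly trims the tail can be worth more than its effect on the mean suggests; and because the result is a distribution, the analysis can be re-run with the frequency and severity figures the organisation actually observes, which is what makes the RoSI "dynamic" in the sense the next paragraphs describe.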
By incorporating the quantification of cyber risk into the RoSI calculation, businesses can also prioritise their investments according to the most critical risks. For example, if the analysis reveals that ransomware attacks represent a major threat with high potential losses, resources can be prioritised to strengthen defences against this type of attack. This not only maximises the return on investment by targeting the most effective security measures, but also strengthens the organisation’s overall security posture.
Quantifying cyber risk also makes it possible to measure the effectiveness of existing security controls. By regularly assessing the risks and comparing the results before and after security measures have been implemented, businesses can determine the real impact of these controls on risk reduction. This information is essential for adjusting and optimising current security strategies, ensuring that resources are used efficiently. This contributes directly to a more accurate and dynamic calculation of RoSI, reflecting changes in threats and security measures.
In addition, quantifying cyber risks facilitates communication with internal and external stakeholders. Quantitative data and model-based analyses make it possible to present convincing, fact-based arguments to justify investment in cyber security. Financial managers and board members, who may not be familiar with the technical aspects of cyber security, are more likely to understand and support security initiatives when they are presented in terms of potential financial risks and returns.
Finally, by using cyber risk quantification to refine the RoSI calculation, businesses can take a proactive rather than reactive approach to cyber security. Rather than reacting to incidents after they have occurred, organisations can anticipate threats and take preventative measures to mitigate the most significant risks. This proactive approach not only improves overall security, it also optimises the use of financial resources, ensuring that every euro invested in cyber security makes an effective contribution to protecting information assets and ensuring business continuity.
Why not give CRQ a try? Find out what using Citalid can do for your business by joining the next live demo session. Sign up here!