With cybercrime expected to cost the global economy a massive $6 trillion in 2021, more and more companies are looking to increase their investments in cybersecurity. But increased investments require justification in the form of hard revenue. Here, cybersecurity usually hits a roadblock.
Cybersecurity investments go into hardware and software products designed to prevent cybercrime, which makes it hard for IT and security teams to quantify the return on those investments.
How do you quantify the value of something that does not occur?
The absence of tangible reasons to spend doesn’t merely cause frustration amongst IT professionals; it also leaves organizations exposed to glaring cybersecurity gaps and to malicious hackers waiting for the right moment to strike.
After all, no sane leadership will invest millions of dollars on a strategy that has no tangible returns.
But what if we were to tell you that there is a method to justify this expense? It’s called Return on Security Investment, or ROSI.
How to calculate Return on Cybersecurity Investment
Whenever a company is looking to invest money, the finance department evaluates the investment using conventional calculations. These traditional methods of quantifying returns usually work with revenue earned or expenses avoided, using measures such as return on investment (ROI), net present value (NPV) and internal rate of return (IRR). The catch is that these calculations only work for investments that deliver visible improvements in profit. Some IT investments are instead measured by Total Cost of Ownership (TCO): the sum of the purchase price of the IT product and the cost of its ongoing support. While TCO gives an overview of the total expense incurred by the investment, it does not account for the money saved by avoiding cybersecurity breaches.
This is where ROSI comes in.
ROSI is a modified version of the ROI calculation, with changes that accommodate what is unique about cybersecurity investments. It compares the net benefit (the cost of the security breaches avoided, less the prevention cost) to the prevention cost incurred, and gives a reasonably accurate picture of how profitable a cybersecurity investment will be.
How to calculate ROSI?
ROSI = (security expense avoided – prevention cost) / prevention cost
ROSI = (annual loss expectancy × mitigation rate – prevention cost) / prevention cost
ROSI = [(single loss expectancy × annual rate of occurrence) × mitigation rate – prevention cost] / prevention cost
The terms used in this equation are defined as follows:
Single loss expectancy
Refers to expenses incurred by the organization to solve a single cybersecurity problem. Simply put, it is the expected loss from a single breach. This amount includes the damage caused by the event, the scope of the damage, data loss, damage to physical assets, restoration costs, legal and consulting costs, fines to be paid and forced downtime for employees. Canadian companies usually lose $4.5 million per data breach on average.
The annual rate of occurrence
Represents the number of times that event can be expected to occur in a given year. Past data, industry benchmarks, standards or consultant estimates can help arrive at this number.
Mitigation rate
Quantification of how effective the cybersecurity measures purchased or implemented are, expressed as the fraction of the expected loss they remove.
Prevention cost
The amount invested yearly to shore up cybersecurity defences.
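A worked calculation of the formula above, as an added example that is not from the original post. The `Control` record, the function names and the ARO, mitigation-rate and cost values are assumptions; the $4.5 million single loss expectancy is the figure quoted in the text. It goes one step beyond the text by also computing the break-even mitigation rate and a sensitivity sweep over ARO, since the ARO estimate is the input the conclusion depends on most.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A candidate security investment with the inputs the ROSI formula needs."""
    name: str
    sle: float              # single loss expectancy, $ per incident
    aro: float              # annual rate of occurrence, incidents per year
    mitigation_rate: float  # fraction of the expected loss the control removes, 0..1
    prevention_cost: float  # annual cost of the control, $


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the loss expected per year without the control."""
    return sle * aro


def rosi(c: Control) -> float:
    """ROSI = (ALE x mitigation rate - prevention cost) / prevention cost."""
    if c.prevention_cost <= 0:
        raise ValueError("prevention cost must be positive")
    if not 0.0 <= c.mitigation_rate <= 1.0:
        raise ValueError("mitigation rate must be a fraction between 0 and 1")
    avoided = annual_loss_expectancy(c.sle, c.aro) * c.mitigation_rate
    return (avoided - c.prevention_cost) / c.prevention_cost


def break_even_mitigation_rate(c: Control) -> float:
    """Smallest mitigation rate at which the control pays for itself (ROSI = 0)."""
    return c.prevention_cost / annual_loss_expectancy(c.sle, c.aro)


def rosi_sensitivity(c: Control, aro_values) -> dict:
    """ROSI under each assumed ARO, showing how much the result leans on that estimate."""
    return {
        aro: rosi(Control(c.name, c.sle, aro, c.mitigation_rate, c.prevention_cost))
        for aro in aro_values
    }


if __name__ == "__main__":
    # Constructed inputs: SLE is the $4.5M per-breach figure from the text;
    # ARO, mitigation rate and prevention cost are illustrative assumptions.
    edr = Control("EDR rollout (hypothetical)", sle=4_500_000, aro=0.2,
                  mitigation_rate=0.7, prevention_cost=350_000)
    print(f"ALE: ${annual_loss_expectancy(edr.sle, edr.aro):,.0f}")
    print(f"ROSI: {rosi(edr):.2f}")
    print(f"Break-even mitigation rate: {break_even_mitigation_rate(edr):.1%}")
    for aro, r in rosi_sensitivity(edr, [0.05, 0.1, 0.2, 0.5]).items():
        print(f"ARO {aro}: ROSI {r:.2f}")
```

With these inputs the control returns ROSI of 0.8, but the sweep shows it turns negative if the true ARO is 0.1 or lower, which is exactly the data-quality concern raised below.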
While this formula is effective in justifying cybersecurity investments, problems can arise during data collection. Since the formula rests on several assumptions, the underlying data need to be rock solid. Moreover, because cyber threats keep evolving, past data may not be a reliable indicator of future losses.
But these are minor limitations that in no way diminish the value of the cybersecurity investment. Data collection is an ongoing effort that improves over time, and good data supports the provisioning of relevant cybersecurity budgets, which in turn helps build an effective long-term plan that keeps the organization safe.
Additionally, this formula leads to building synergies between the business, security and finance teams. Each department gets to understand the roles and responsibilities of the other. While the business team can see how cybersecurity investments are layered, the finance team gets to work with a quantifiable formula for the investments.
Lastly, armed with ROSI, IT and security professionals can use hard numbers to convince leadership to allocate the funds that effective cybersecurity measures require. For more information on penetration testing, or to get a free quote specific to your organization’s needs, contact us today!