Assuming security incidents cost the same as the damage they cause often leads to inaccurate calculations.
The CFO is typically the most resistant person to presenting the security pitch. In fact, they may even ask “what’s the ROI?” which is a simple question about the profitability of a certain project. This can be frustrating for security professionals, especially since answering this question can be very difficult. Typically, the management or the executive suite will direct investment dollars elsewhere if they’re asked this question.
You can easily calculate the Return on Security Investment for review by the finance and executive teams. Many people fail to properly quantify the cost of an incident because of a tendency to underestimate costs.
Classic Return on Investment
Investment returns are calculated to determine whether an investment is effective. This is why the ROI, or return on investment, is necessary for any financial calculation. To justify an investment, it must be measured in terms of how much it will help the organization grow and make money. Proposals with the most financial benefit usually come out on top. This is why many cybersecurity proposals fail— no surprise considering their low profitability. This also means that companies typically calculate returns on investment as this:
Gain from the investment – Cost of investment
Cost of investment
Security context to ROI
The strength of a cybersecurity investment is measured by how big the return will be. Confidence in a cybersecurity investment comes from the assurance that it’ll be profitable. This can be quantified with an evaluation system called Return on Security Investment or ROSI. There’s some nuance to this system because security investments can fall into categories such as data privacy or network defense.
Loss prevention is a difficult concept to grasp. It’s much easier to understand if you consider that it’s a measure of how hard it is to prevent losses after a cyber attack. Security professionals often call this measure “security,” while in the world of business and economics, loss prevention is known as opportunity cost.
When discussing different investments, finance professionals consider the value of one option against another. When choosing between two investments with similar payback times, the company should consider the long-term cost of each option. They shouldn’t just pick one option because it rewards them more quickly. Instead, they should choose the option that costs them more in order to avoid short-term financial loss. Calculating risk assessment should be explored before focus on the variables involved in capital preservation. Understanding this beforehand, people should expect to maintain their assets and capital.
4 Ways To Calculate Your Return On Security Investments
Risk assessment concepts: Quantifying the negative financial impact of cybersecurity on a business requires calculating risk. The Rosi calculation uses the following risk concepts as its foundation.
1 – (SLE) Single Loss Expectancy
In addition to the long-term effects of the data breach, there needs to be significant consideration given to the costs associated with IT and the CIO. This includes losses due to not implementing proper security measures and indirect costs as a result of public backlash against the breach. Incorrectly claiming expenses would necessitate extensive data recovery and information technology support efforts. Additionally, this failure must account for the costs of each employee’s loss of confidence in the company.
2 – (ARO) Annual Rate of Occurrence
ARO predicts the likelihood of a security incident occurring in a year. It’s that easy to understand. You can determine this by examining historical records, with one example being a business tracking the number of yearly events through their records. By determining the next year’s estimated number of events, you can predict how much revenue you can expect to make.
3 – (ALE) Annual Loss Expectancy
The loss of annual finances calculated through ALE is referred to as the control number. It serves as a benchmark for how much money can be lost by continuing day-to-day operations. This number is calculated as follows:
ALE = ARO * SLE
4 – (mALE) Modified Annual Loss Expectancy
A security solution can significantly reduce threats; the modified ALE takes losses from implementing this into account. Calculating the mitigation ratio determines the ratio of threats prevented by a cybersecurity solution. This same ratio can then be applied to any cybersecurity solution.
(ROSI) Equation Return of Security Investment
The ROSI equation combines the risk and cost of a security incident with the impact of a security solution to create a final result. It combines the elements listed above to create the equation. Classic ROI opens up a discussion about the technical aspects by discussing the number that was chosen. Doing this makes it hard to ignore the expense of continued business as usual in meetings. This is because classic ROI makes executives discuss why business-as-usual continues to be expensive.
The formula is as follows:
ALE * mitigation ratio – Cost of solution
Cost of Solution
This is an example of how this system would work in real life to demonstrate its functionality.
Echo Inc. has been experiencing increased security breaches for the last few years. The executive suite believes that purchasing a UBA solution isn’t worth the investment. Echo’s CIO recently decided to run some numbers to assist with his responsibilities. Echo’s CIO estimates that the company has suffered about 10 annual reports of security incidents, which cost $20,000 in lost data, productivity and fine. The UBA plan is expected to reduce attacks by 90%— or 90% of the damage— for a mitigated cost of $50,000 per year.
ROSI = ((10 * 20000) * 0.9 – 50,000) / 50,000 = 260%
Echo Inc. investing $50,000 per year would save them an estimated $130,000 a year. This investment would provide a 260% return on the security investment and produce a payback of $130,000.
Use this analytical framework to calculate the value of your proposals. However, be aware that this formula is only as effective as your data collection efforts.