How Can You Determine the ROI for Cybersecurity Investments?


For organizations that are looking forward to their cybersecurity needs for 2020 and beyond, there are plenty of challenges. Organizations of all sizes need to find the appropriate tools and practices for robust cybersecurity, but it also needs to fit within their budgetary restrictions.

Despite the growing threats for businesses of all sizes in terms of cybersecurity, many organizations are still reluctant to invest in this area adequately.

Often, spending on cybersecurity is reactive as opposed to proactive, even knowing what we know.

One reason is that decision-makers can’t see cybersecurity as a business decision or calculate its return on investment. Businesses need to be able to, for example, look at the benefits of DDI, which is one aspect of cybersecurity and management, and then compare those benefits to the costs.

Executives are starting to take on more of a responsibility for the decisions regarding cybersecurity, and they may want to see a clear plan of action paired with ROI.

It’s essential to be able to calculate a concrete return on investment for cybersecurity initiatives, and the following are some tips organizations can follow.

Calculating Expected Loss (EL)

One measure that you can use as part of determining ROI for cybersecurity investments is what’s called Expected Loss or EL. To calculate EL, you first define the probability of a compromise, and then the impact of said compromise.

One option to measure the probability of a compromise is multiplying threats by vulnerabilities. Then, to calculate the impact of a compromise, you can multiply assets times loss in the event of a compromise.

This is a means of calculating ROI cited by Forbes contributor Michael Coden, who serves on the Forbes Technology Council.

According to Coden, assets used in the second part of the equation can include data assets like M&A data, intellectual property, or physical assets.

The second part of the equation looks at five impacts on assets, both virtual and physical. These are disclosure, direct theft, modification, disruption, and destruction.

Calculate the Return on Security Investment (ROSI)

The Return on Security Investment (ROSI) approach is another method for determining the ROI of cybersecurity solutions.

This involves several components. The first is the Annualized Loss Expectancy (ALE): the amount of money estimated to be lost in a single incident, multiplied by the estimated number of times that threat is likely to occur in a year.

After that, there’s the mitigation ratio, which is the proportion of those expected losses the solution is predicted to prevent. The final component is the cost of the solution. This includes not only the purchase price but the cost to implement and maintain the solution.
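The two calculations above, Expected Loss (probability × impact, with probability = threats × vulnerabilities and impact = assets × loss) and ROSI (ALE, mitigation ratio, solution cost), carried through on constructed figures. This is an added example, not code from the article or from Michael Coden; every asset value, probability and cost below is a made-up sample input. The way the five impact categories combine (one loss fraction each, summed and capped at the asset's value) and the ROSI formula used, `(ALE × mitigation_ratio − cost) / cost`, are assumptions of this example, the latter being the commonly cited form of ROSI.

```python
"""Worked Expected Loss (EL) and ROSI calculation on constructed inputs.

Added example, not from the original article. All figures are sample
values chosen for illustration. The decomposition follows the article:
EL = (threats x vulnerabilities) x (assets x loss); ROSI is built from
ALE, a mitigation ratio and the full cost of the solution. The ROSI
formula (ALE * mitigation_ratio - cost) / cost is an assumption here.
"""
from dataclasses import dataclass

# The five impact categories the article lists. How they combine is an
# assumption of this example: each gets its own fraction of the asset's
# value and the fractions are summed, capped at 1.0 (you cannot lose more
# than the asset is worth).
IMPACT_CATEGORIES = ("disclosure", "direct_theft", "modification",
                     "disruption", "destruction")


@dataclass(frozen=True)
class ExpectedLoss:
    threat: float           # probability per year the threat is attempted (0..1)
    vulnerability: float    # probability an attempt succeeds (0..1)
    asset_value: float      # value of the asset at risk, in currency units
    loss_fractions: dict    # impact category -> fraction of asset value lost

    def __post_init__(self):
        for p in (self.threat, self.vulnerability):
            if not 0.0 <= p <= 1.0:
                raise ValueError("probabilities must lie in [0, 1]")
        unknown = set(self.loss_fractions) - set(IMPACT_CATEGORIES)
        if unknown:
            raise ValueError(f"unknown impact categories: {sorted(unknown)}")

    def probability(self) -> float:
        """Probability of compromise = threats x vulnerabilities."""
        return self.threat * self.vulnerability

    def impact(self) -> float:
        """Impact of compromise = assets x loss, summed over categories."""
        total_fraction = min(1.0, sum(self.loss_fractions.values()))
        return self.asset_value * total_fraction

    def expected_loss(self) -> float:
        """EL = probability of compromise x impact of compromise."""
        return self.probability() * self.impact()


def annualized_loss_expectancy(single_loss: float, annual_rate: float) -> float:
    """ALE = loss from one incident x expected incidents per year."""
    return single_loss * annual_rate


def solution_cost(purchase: float, implementation: float,
                  annual_maintenance: float) -> float:
    """One-year cost of a control: purchase price is only part of it."""
    return purchase + implementation + annual_maintenance


def rosi(ale: float, mitigation_ratio: float, cost: float) -> float:
    """ROSI = (ALE x mitigation_ratio - cost) / cost (assumed formula).

    1.5 means each unit spent is expected to avoid 2.5 units of loss;
    a negative value means the control costs more than it saves.
    """
    if cost <= 0:
        raise ValueError("solution cost must be positive")
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must lie in [0, 1]")
    return (ale * mitigation_ratio - cost) / cost


def rank_solutions(ale: float, candidates: dict) -> list:
    """Order candidate controls by ROSI, best first.

    candidates maps a control name to (mitigation_ratio, yearly cost).
    """
    scored = [(name, rosi(ale, ratio, cost))
              for name, (ratio, cost) in candidates.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed scenario: a customer database valued at 2,000,000, where a
# compromise is assumed to cost 15% of that value in disclosure and 10% in
# disruption. Threat and vulnerability probabilities are made up.
CUSTOMER_DB = ExpectedLoss(
    threat=0.4, vulnerability=0.5, asset_value=2_000_000.0,
    loss_fractions={"disclosure": 0.15, "disruption": 0.10},
)

# Constructed candidate controls: name -> (mitigation ratio, yearly cost).
CANDIDATES = {
    "mfa_rollout": (0.8, solution_cost(15_000, 5_000, 10_000)),
    "siem_platform": (0.6, solution_cost(60_000, 40_000, 50_000)),
    "awareness_training": (0.3, solution_cost(0, 8_000, 4_000)),
}

if __name__ == "__main__":
    print(f"Expected loss per year: {CUSTOMER_DB.expected_loss():,.0f}")
    # Reuse the single-incident impact and the yearly probability as ALE.
    ale = annualized_loss_expectancy(CUSTOMER_DB.impact(),
                                     CUSTOMER_DB.probability())
    for name, score in rank_solutions(ale, CANDIDATES):
        print(f"{name:20s} ROSI = {score:+.2f}")
```

On these sample numbers the expected loss is 100,000 per year, and the ranking puts the cheap, high-mitigation control first and shows a negative ROSI for the expensive platform, which is the kind of comparison the article's "look at the ROI of individual components" advice calls for. Changing a single input (the mitigation ratio you believe a control delivers) can flip the ranking, so treat the ratios as the estimates most worth challenging.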

Look at Tools That Have a Proven ROI Track Record

If you’re just getting started with a more comprehensive cybersecurity plan, and you’re trying to decide where you should spend, look at the tools that can demonstrate an existing and proven ROI.

There’s not one particular cybersecurity tool or approach that’s going to meet all the needs of an organization, so look at the ROI of these individual components as you build a layered approach.

For example, it’s often the case that automation-based tools provide some of the best cost savings and improvements in overall efficiency while reducing security incidents.

Look at What Competitors Are Doing

A very general way to get a grasp of what your cybersecurity investments should be is to look at what competitors in your industry are doing.

What are they spending and what is their strategy? This will show you how well certain elements of their strategy are working, which can streamline your investment decisions. It also gives you more of an idea of what the common threats are within your industry, so you’re not wasting money on unnecessary layers of protection or prioritizing in the wrong areas.

Sometimes a company will use an independent, third-party analyst to gain a better understanding of these considerations within their industry.

Finally, don’t count out the role of compliance-related costs as you’re calculating ROI. This is an area often overlooked, but you need to think about how a lack of necessary security protocols and tools could lead to compliance-related spending.

If you’re currently investing in cybersecurity and yet you’re not seeing a return in terms of compliance, then you should reevaluate your approach.

It’s not as straightforward to address cybersecurity ROI as other areas of a business, but it’s necessary, and it’s likely to become a growing priority with the evolving landscape of cybersecurity and its related business effects.

