If you’ve conducted a cybersecurity risk assessment, you have a list of recommendations to mitigate risk. Yet it can be challenging to express the value of cybersecurity in quantified terms—particularly if the C-suite is looking for traditional return on investment.
If you’re going to spend a certain amount on managed cybersecurity services, what kind of “return” should you expect?
Does that question even make sense for an investment that’s intended to avoid loss?
In this post, we’ll give you the rundown on cybersecurity ROI (or more properly, ROSI—return on security investment). We’ll also give you a simple calculator to help you estimate your ROSI from cybersecurity.
Last of all, we’ll give you tools for communicating cybersecurity ROSI to the C-suite.
Let’s dive in!
1. What are we measuring?
In a typical ROI calculation, the investment is intended to produce more revenue than its cost, as expressed in this formula:
ROI = net income / cost of investment x 100.
But cybersecurity investments are different. For example, a managed SIEM (security information and event management) solution is the bedrock of any cybersecurity program—but it doesn’t produce revenue. It can’t provide a figure for the “net income” portion of the standard ROI formula. Rather, a SIEM solution protects revenue and essential systems, providing a single dashboard in which your team (or your provider) can see security incidents and respond to them in real time.
This is why cybersecurity professionals prefer the term ROSI (return on security investment), rather than ROI. It helps highlight the fact that this is a different type of calculation.
So what exactly are we measuring?
We’re measuring loss avoided. And we’re expressing it as a percentage of the cost of the solution.
Let’s unpack that.
2. The concept of loss avoidance
The world of retail offers a great analogy here.
Physical security measures, like magnetic tags and detectors at exits, are essential to preventing shoplifting. It’s not enough to say, “We have a small store, and shoplifting probably won’t happen.” In fact, it will happen, and any good retail budget will quantify (and plan for) an acceptable percentage of shrinkage.
Once that expected shrinkage has been quantified in terms of dollars, you know how much loss you’re preventing if you invest in physical security measures. (Of course, no physical security measures are perfect, but these are rough calculations. More on that below when we get to “mitigation ratio” in cybersecurity.)
Once you have the quantified loss that you’re preventing, you can express it as a percentage of the cost of the security measures. This is the concept behind ROSI.
3. Cybersecurity ROSI as a measure of loss avoided
As defined by the SANS Institute, the basic formula for cybersecurity ROSI is:
ROSI = ([ALE x mitigation ratio] – cost of solution) / cost of solution
So what are ALE and mitigation ratio? Let’s explore these.
ALE (annualized loss expectancy)
This is the total, annualized monetary loss that you can expect from the type of security incident(s) mitigated by the cybersecurity solution. It’s calculated as follows.
ALE = ARO x SLE
ARO is the annualized rate of occurrence. If the incident in question typically occurs once per year, ARO = 1. If it typically occurs 5 times per year, ARO = 5.
SLE is the single loss expectancy, i.e. the monetary value of the loss from one occurrence. (See below for average losses incurred by single occurrences of various types of cybersecurity incidents.)
Mitigation ratio
This is the ratio at which the solution in question mitigates the security risks that it addresses. For example, if an email security solution catches 96% of phishing emails, its mitigation ratio is 0.96.
4. Average SLE, ARO, and ALE for various types of cybersecurity incidents
The cybersecurity threat landscape is evolving rapidly, and every organization will experience a unique amount of security incidents. The best guide for estimating these things in your scenario is your company’s own historical data on incidents experienced.
That said, here are a few stats for illustration purposes.
DDoS
- SLE: $218,000
- ARO: ~170 (70% of organizations experience DDoS 20-50x per month)
- ALE: $37,060,000
Phishing
- SLE: $1,000,000+
- ARO: 1.5 (500M attacks per year total, estimated 334M companies in the world)
- ALE: $1,500,000
Ransomware
- SLE: $4,450,000
- ARO: 0.66 (66% of organizations were hit with a ransomware incident last year)
- ALE: $2,937,000
5. Sample cybersecurity ROSI calculation
Using our example data above, let’s imagine a managed cybersecurity services agreement that addresses DDoS, phishing, and ransomware. To get our rollup number for total ALE, we’ll add up the ALEs of all three attack types. (This is not an exhaustive calculation—merely an example of how to run the calculation.)
Total ALE = $37,060,000 + $1,500,000 + $2,937,000 = $41,497,000
We also need a figure for the mitigation ratio—how effective the solution is at stopping the types of attacks it targets.
In the real world, you may need to treat the mitigation ratio separately for each control that you’re rolling up in your total ALE calculation. For the purposes of illustration, we’ll assume an 80% mitigation ratio for the solution as a whole, which is pretty conservative. This rough simplification will allow us to proceed with the example calculation.
Now let’s assume an annual cost of $120,000 for working with an MSSP. Again, this is merely an example, as costs will vary based on the services you need, the number of devices and users in your organization, and the scope and complexity of your systems.
That said, here’s the sample calculation using the above figures.
ROSI = ([ALE x mitigation ratio] – cost of solution) / cost of solution
ROSI = ([41.5M x 0.8] – 120,000) / 120,000
ROSI = 27,567%
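The calculation in sections 3 through 5, as an added Python calculator (example code written for this post, not the calculator the post links to or a SANS tool). It applies the formulas exactly as stated, ALE = ARO × SLE and ROSI = (ALE × mitigation ratio − cost) / cost, but carries a mitigation ratio per incident type so the per-control treatment mentioned above is possible, reports the break-even cost (the annual price at which ROSI falls to zero), and runs a quick sensitivity sweep over alternative mitigation ratios. The threat figures and the $120,000 cost are the post's own illustrative numbers; because the code uses the unrounded total ALE of $41,497,000 rather than the post's rounded $41.5M, it prints 27,565% rather than 27,567%.

```python
"""ROSI calculator following the SANS-style formula quoted in the post:
    ALE  = ARO x SLE
    ROSI = (ALE x mitigation_ratio - cost_of_solution) / cost_of_solution
Added example; PAGE_THREATS and PAGE_COST are the post's illustrative figures."""
from dataclasses import dataclass
from typing import Dict, Iterable, Sequence


@dataclass(frozen=True)
class Threat:
    """One incident type covered by the solution being costed."""
    name: str
    sle: float               # single loss expectancy: dollars lost per occurrence
    aro: float               # annualized rate of occurrence: occurrences per year
    mitigation_ratio: float  # share of occurrences the control stops, 0.0..1.0

    def __post_init__(self) -> None:
        if self.sle < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: SLE and ARO must be non-negative")
        if not 0.0 <= self.mitigation_ratio <= 1.0:
            raise ValueError(f"{self.name}: mitigation ratio must lie between 0 and 1")

    def ale(self) -> float:
        """Annualized loss expectancy: ARO x SLE."""
        return self.aro * self.sle

    def loss_avoided(self) -> float:
        """Portion of the ALE the control is expected to prevent each year."""
        return self.ale() * self.mitigation_ratio


def total_ale(threats: Iterable[Threat]) -> float:
    """Roll-up ALE across every incident type the solution addresses."""
    return sum(t.ale() for t in threats)


def total_loss_avoided(threats: Iterable[Threat]) -> float:
    """Roll-up of loss avoided. This is also the break-even annual cost:
    a solution priced exactly here has ROSI = 0."""
    return sum(t.loss_avoided() for t in threats)


def rosi(threats: Iterable[Threat], cost_of_solution: float) -> float:
    """ROSI as a ratio (2.0 means 200%). Each threat's own mitigation ratio is
    applied before the roll-up, which is the per-control treatment the post
    says you may need in practice."""
    if cost_of_solution <= 0:
        raise ValueError("cost of solution must be positive")
    threats = list(threats)
    return (total_loss_avoided(threats) - cost_of_solution) / cost_of_solution


def rosi_percent(threats: Iterable[Threat], cost_of_solution: float) -> float:
    """ROSI expressed as a percentage, the way the post reports it."""
    return rosi(threats, cost_of_solution) * 100.0


def mitigation_sensitivity(threats: Sequence[Threat], cost_of_solution: float,
                           ratios: Iterable[float]) -> Dict[float, float]:
    """ROSI under alternative blanket mitigation ratios (one ratio for every
    threat), so the reader can see how much the answer hinges on that estimate."""
    result: Dict[float, float] = {}
    for ratio in ratios:
        adjusted = [Threat(t.name, t.sle, t.aro, ratio) for t in threats]
        result[ratio] = rosi(adjusted, cost_of_solution)
    return result


# The post's illustrative figures, with its blanket 80% mitigation ratio.
PAGE_THREATS = (
    Threat("DDoS", sle=218_000, aro=170, mitigation_ratio=0.80),
    Threat("Phishing", sle=1_000_000, aro=1.5, mitigation_ratio=0.80),
    Threat("Ransomware", sle=4_450_000, aro=0.66, mitigation_ratio=0.80),
)
PAGE_COST = 120_000  # the post's example annual MSSP cost


if __name__ == "__main__":
    for t in PAGE_THREATS:
        print(f"{t.name:<11} ALE ${t.ale():>14,.0f}   avoided ${t.loss_avoided():>14,.0f}")
    print(f"Total ALE       ${total_ale(PAGE_THREATS):,.0f}")
    print(f"Break-even cost ${total_loss_avoided(PAGE_THREATS):,.0f}")
    print(f"ROSI at ${PAGE_COST:,}: {rosi_percent(PAGE_THREATS, PAGE_COST):,.0f}%")
    for ratio, value in mitigation_sensitivity(PAGE_THREATS, PAGE_COST, (0.5, 0.8, 0.95)).items():
        print(f"  mitigation {ratio:.0%}: ROSI {value * 100:,.0f}%")
```

Two things worth noticing when you run it: the break-even cost is the whole loss avoided (about $33.2M on the post's numbers), which is why the ROSI is so large for a $120,000 retainer, and the sensitivity sweep shows that even halving the mitigation ratio leaves ROSI above 17,000% here. The result is dominated by the DDoS ALE, so the quality of your ARO and SLE estimates for that one incident type matters far more than the exact mitigation ratio.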
As you can see, this particular cybersecurity investment is well worth it.
Also note that in this example, the solution as a whole costs less than the fully loaded salary of one cybersecurity expert. These professionals make an average of $128,870 per year (2023)—yet a managed cybersecurity provider gives you access to numerous experts for less than the cost of hiring one on staff. Again, MSSP costs vary, but it’s not uncommon to get the value of an entire cybersecurity team from your MSSP relationship—for far less than the cost of hiring in house.
6. Cybersecurity ROI/ROSI calculator
Use our FREE calculator to determine ROI/ROSI for a variety of cybersecurity investments.
7. How to build consensus about cybersecurity ROSI among the C-suite
It’s challenging to make the case for an investment that protects revenue rather than increasing it. Without that simple, traditional ROI calculation, the C-suite may hesitate to pull the trigger on managed cybersecurity services.
The key here is to reframe the discussion. Use the loss prevention analogy from retail (discussed above), coupled with a quantified cybersecurity ROSI calculation. With this analogy and these numbers in hand, you’ll want to craft individual messages that appeal to the concerns of each member of the leadership team.
Here’s what this might look like.
The CEO or sales leader
Ultimately, the CEO (or VP of sales) is responsible for revenue.
If you can express your cybersecurity investment in terms of revenue protected, you’ll make a great case.
You can do this by supplementing the basic ROSI calculation with a view of potential revenue loss from various outages. Consider these downtime stats and multiply them by your organization’s average revenue per minute, hour, or day.
- DDoS: Average 2.75 days of downtime
- Phishing: See average downtime due to ransomware (below)
- Ransomware: Average 22 days of downtime
The CFO
The finance leader cares deeply about the final analysis on the profit and loss sheet. Lost revenue is a component of that, but it isn’t enough to give the CFO the full picture.
Instead, provide the detailed financial analysis that went into your cybersecurity ROSI calculation. The outcome of that calculation is the perfect number to convince your CFO, but they’ll want to see everything that went into your calculation. (Hint: You may want to provide far more granularity and precision than we did in our example calculation.)
The operations leader
The operations leader cares deeply about productivity. They want to control cost while producing as much output as possible. They should be quite familiar with both your organization’s cost of operations per day and the value of your production output every day.
Given that, the best case you can make involves the average outage times that you shared with the CEO or sales leader. Here, however, you’ll want to generate two stats: 1) average outage lengths multiplied by the daily cost of operations, and 2) average outage lengths multiplied by the daily value of production.
These numbers will bring home the value of cybersecurity ROSI for your operations leader.
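The downtime figures from the CEO section and the two operations statistics described just above, as an added Python briefing script (example code written for this post, not the post's own calculator). The outage lengths are the post's figures, and the post's pointer from phishing to the ransomware downtime number is handled as an explicit alias; the per-day revenue, operating cost and production value in ORG are constructed placeholder numbers for a hypothetical organization. The annualized view multiplies each per-incident figure by the ARO from section 4, the same ARO × SLE structure the ALE uses; that is an assumption added here, not something the post does.

```python
"""Downtime exposure briefing for the revenue, finance and operations
conversations. Added example, not from the post. Outage lengths are the
post's figures; the ORG numbers are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Average downtime per incident, in days, from the post. Phishing has no
# figure of its own: the post points to the ransomware number, so it is aliased.
OUTAGE_DAYS = {"DDoS": 2.75, "Ransomware": 22.0}
OUTAGE_ALIAS = {"Phishing": "Ransomware"}


def outage_days(incident: str) -> float:
    """Resolve an incident type to its average outage length, following aliases.
    Raises KeyError for an incident type with no figure rather than guessing."""
    name = OUTAGE_ALIAS.get(incident, incident)
    if name not in OUTAGE_DAYS:
        raise KeyError(f"no downtime figure for {incident!r}")
    return OUTAGE_DAYS[name]


@dataclass(frozen=True)
class OrgProfile:
    """Per-day figures the post asks you to multiply outage lengths by."""
    revenue_per_day: float           # CEO / sales leader: revenue protected
    operating_cost_per_day: float    # operations leader, stat 1: cost of idle operations
    production_value_per_day: float  # operations leader, stat 2: output not produced


def exposure_per_incident(incident: str, org: OrgProfile) -> Dict[str, float]:
    """The three stakeholder numbers for a single occurrence of one incident type."""
    days = outage_days(incident)
    return {
        "outage_days": days,
        "revenue_at_risk": days * org.revenue_per_day,
        "operating_cost_during_outage": days * org.operating_cost_per_day,
        "production_value_lost": days * org.production_value_per_day,
    }


def annualized_exposure(incident: str, org: OrgProfile, aro: float) -> Dict[str, float]:
    """Scale the per-incident figures by the annualized rate of occurrence.
    Assumption added here: outages do not overlap, so they simply add up."""
    return {key: value * aro for key, value in exposure_per_incident(incident, org).items()}


def briefing(org: OrgProfile, aros: Dict[str, float]) -> Tuple[List[Tuple[str, Dict[str, float]]], Dict[str, float]]:
    """Annualized rows per incident type plus a totals row for the whole program."""
    rows = [(name, annualized_exposure(name, org, aro)) for name, aro in aros.items()]
    keys = ("outage_days", "revenue_at_risk", "operating_cost_during_outage", "production_value_lost")
    totals = {key: sum(row[key] for _, row in rows) for key in keys}
    return rows, totals


# Constructed placeholder organization (not from the post).
ORG = OrgProfile(revenue_per_day=250_000, operating_cost_per_day=120_000,
                 production_value_per_day=300_000)
# ARO values from section 4 of the post.
PAGE_AROS = {"DDoS": 170, "Phishing": 1.5, "Ransomware": 0.66}


if __name__ == "__main__":
    rows, totals = briefing(ORG, PAGE_AROS)
    for name, row in rows:
        print(f"{name:<11} {row['outage_days']:7.2f} days/yr  revenue ${row['revenue_at_risk']:>14,.0f}  "
              f"ops cost ${row['operating_cost_during_outage']:>14,.0f}  "
              f"output ${row['production_value_lost']:>14,.0f}")
    print(f"{'Total':<11} {totals['outage_days']:7.2f} days/yr  revenue ${totals['revenue_at_risk']:>14,.0f}  "
          f"ops cost ${totals['operating_cost_during_outage']:>14,.0f}  "
          f"output ${totals['production_value_lost']:>14,.0f}")
```

The totals row is where the sanity check lives: with the post's ARO of ~170 for DDoS and 2.75 days per outage, the annualized downtime comes to 467.5 days, more than a year. That is a sign that the per-incident downtime average and the occurrence rate were drawn from different populations, and it is exactly why the post tells you to prefer your own incident history over industry averages before you put these numbers in front of the CFO or COO.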
The marketing leader
For the marketing leader, you’ll want to frame cybersecurity investments in terms of protecting brand equity and reputation. Consider these high-profile breaches that have hit well-known companies in the last few years.
If these stories feel too disconnected from your company, try googling cyberattacks in your industry. If there are recognizable brands in that list, especially competitors, this can really bring home the risk for your marketing leader.
The IT leader
Chances are, the IT leader is already in your corner. (Or maybe you are the IT leader!) But if you need to do some convincing, or you want data to make a stronger case, consider how a cybersecurity investment takes the guesswork out of IT operations (and budget) related to a potential security incident. You get a single IT budget line item, the retainer for your MSSP (managed security services provider). Your MSSP will step in to mitigate any threats that occur under the terms of the agreement, relieving the burden on your internal IT team.
Now, how much of your IT budget should go to security? Consider that companies under $100M in annual revenue typically spend 18% of their IT budget on security (IANS 2023 Security Budget Benchmark Report).
8. The takeaway
Cybersecurity ROSI is a nuanced calculation, but it offers excellent rewards when you put the effort in. The ability to quantify risk avoided from cybersecurity breaches makes it easier to advocate for essential people, processes, and technology. With a strong ROSI calculation in hand, you’re ready to make the case and get the investment your organization needs.