It is a challenge to calculate the return on investment for IT and security. ROSI, or return on security investment, is a modified ROI calculation, where the net benefit is the annual cost of security breaches avoided as compared to the prevention cost incurred. Here is how to calculate your return on security investments.
What is the value of something that does not happen?
For those of us who value investments and opportunities each day, this is a major challenge when calculating the return on investment for IT and security. Not surprisingly, it is a major source of frustration for our colleagues in IT and security who are trying to justify the cost of purchasing hardware and software to protect our systems, tools, and digital ecosystems.
The problem is that standard calculations to evaluate investments are based on expected cash flow, in the form revenue earned or expenses avoided: ROI, NPV and IRR. Total cost of ownership (TCO) is commonly used for IT investments but is exclusively based on expenses by totaling initial purchase price plus ongoing support. Investments in cybersecurity are difficult to value using these common methodologies, leaving frustration on all sides of the discussion:
Business: We grow the business with new products and processes and rely on IT to make everything secure. Let’s give them money to keep us safe, and the we can all go back to work.
Chief Information Security Officer (CISO): How secure do you want to be? I can design a protocol for different security levels, but it comes with limitations on the customer experience and different costs. By the way, we will never get to 100 percent security.
Finance Person: We have limited capital, but it is possible to spend an unlimited amount of money on security. Which investments should we choose? What is the value something that does not happen?
Here is one tool to help: ROSI, or return on security investment. Essentially it is a modified ROI calculation, where the net benefit is the cost of security breaches avoided as compared to the prevention cost incurred. Here it is in more detail:
- ROI = (Security cost avoided - Cost) / Cost
- ROI= (Annual Loss Expected * Mitigation Rate – Cost) / Cost
- ROI = [($Single Loss Expectancy *Annual Rate of Occurrence) * Mitigation – Cost] / Cost
- Single Loss Expectancy = cost to remediate a single occasion of the loss event. In risk terms, this is the expected loss of a single event. Some of the direct costs associated may include the following: the scale and scope of the incident; data or physical assets damaged or purchased during restoration; legal and consulting costs; fines and damages to customers or contracted parties. Indirect costs may include time spent by employees remediating and down-time for the business team.
- Annual Rate of Occurrence = the number of times this event is likely to happen in a year. This may be based on prior experience, benchmarks, industry standard or an estimation. In risk terms, this is the likelihood of loss.
- Mitigation Rate = The effectiveness of controls that you are investing in, as measured by the improvement gained in either of the above terms (less severity or less likelihood).
- Cost = one year cost, to match the one year of anticipated benefit. If you stretch the benefits over multiple years, you must assume corresponding costs.
While the formula is simple, gathering good data about theoretical loss is a challenge. This calculation contains many assumptions (as do all business cases), except that the past may be of limited value in assessing emerging threats. This does not degrade the value of the effort, but leads to two implications. First, in the initial efforts to calculation ROSI, the absolute value may be variable as teams fumble through the data collection and gain comfort. This should improve over time.
Second, the greatest value is found in having the conversation. Efforts to quantify security investments provide a format that elevates the conversation beyond, “We need this” and “This is table stakes for being in the business.”
There are both tangible gains and obligations for each party at the discussion: The business sees that security is not a service to be bought and paid for like a subscription, but a series of layered investments that depend on the both external threats as well as the interactions created to engage the markets. The CISO gains a seat at the investment table alongside other decision-makers but needs to explain what level of security is realistic and has to try to quantify risk and opportunities. And finance gets a way to quantify its practices and compare options but needs to dig deep to come up with realistic assumptions. Everyone gets to evaluate their risk appetite by examining the tradeoffs demanded by the business.
For more insights, subscribe to FP&A in Focus, the newsletter that 28,000+ finance professionals turn to.