People often talk about security in terms of defenses and caution – an emergency system to prevent worst-case scenarios. However, thinking in terms of defense and prevention can distract us from a fundamental truth: security is powerful. It has an incredible amount of value to organizations across all sectors and markets. Establishing the ROI of security – the return on security investment (ROSI) – in a systematic way is worthwhile so that you know exactly how much you are getting back for what you spend on security environments, tools, and services (such as hosting in an SSAE-16-compliant data center).
What are return on investment (ROI) and return on security investment (ROSI)?
Entrepreneur defines ROI as “[a] profitability measure that evaluates the performance of a business by dividing net profit by net worth.” If your total assets are $1 million and your net profits are $250,000, your ROI is .25 or 25 percent. While that framework introduces how to calculate ROI, perhaps a simpler way to consider ROI is comparing the amount you get back to the amount you put in. A 100% ROI is the break-even point when the business or aspect of your business has at least made back the amount that you spent.
Establishing a strong ROI helps to make a good business case for further investment in something we all know is important given the current digital landscape: information security.
Metrics-driven ROSI approach
By using metrics to determine how effective various security tools are, organizations can consistently assess how well their overall defense system is functioning, understand the most pronounced threats they face, and reveal areas that might need replacement or additional safeguards.
Metrics help you better understand your systems, but they are also important because they help you sharpen the analysis behind your ROSI calculations so your investment proposals are stronger. Even though determining ROSI is valuable to organizations, fewer than 1 in 5 (17%) use this approach, per the NSS Labs 2017 Security Architecture Study.
Determining the ROSI and backing it with applicable metrics is becoming increasingly important, noted Vikram Phatak on security news site Dark Reading. Phatak said that not having the ROSI figures to back up their assessments could lead to situations in which security leaders have to report “that the cause of a data center breach was a result of ‘having had [italics his] a technology solution for the problem in the budget, but it got cut.'”
The basis for the ROSI formula
Here are risk assessment concepts that you can use to leverage your metrics and make your ROSI calculations. These concepts together make up the ROSI formula:
Annual loss expectancy (ALE) – The total amount you should expect to lose to security problems every year, ALE is a control figure that is used to show the amount of money that can be lost assuming no changes are made.
ALE = Annual Rate of Occurrence (ARO) * Single Loss Expectancy (SLE)
Annual rate of occurrence (ARO) – ARO gauges how likely it is for a security incident to happen during a year. You can look at your history to determine how many incidents occur in the average year.
Single loss expectancy (SLE) – This figure is the total amount of money that you expect to lose during one security event. Determining the SLE can become easier and more systematic if you have organized and valuated your data. This number should at least include your direct and indirect costs for a breach.
Modified annual loss expectancy (mALE) – The mALE is identical to the annual loss expectancy except that you factor in the losses saved when you install a security measure. Your improvement should be expressed as the mitigation ratio, which is the percentage of threats that the security tool blocks.
Return on security investment (ROSI) formula – Using the above concepts, you create the ROSI formula. This formula takes into account the costs and risks of security events, along with how much it costs to put a security protection into place. When you talk about ROSI, you can discuss the technical manner in which the number was calculated. Here is the formula:
ROSI = (ALE * mitigation ratio – cost of solution) / cost of solution
ROSI example #1: warehouse robots
Risk represents costs. There are potential costs associated with a risk that are mitigated with security defenses. Information security to lower risk can be very expensive. Since that’s the case, risk analysis (indicated in the above concepts) will guide organizations in determining ROSI because it will reveal just what level of investment is needed in safeguards.
An example suggested by Norman Marks in information management publication CMSWire is the defenses for robots implemented in a warehouse. The information executives at the company collaborated with business decision-makers to determine the level of risk – chance of a risk and its potential impact. The business managers, as a round figure, estimated that the total cost of a breach would be about $10 million. The chief of information security (CISO) reported that he thought the current chance that a breach of that scope would occur was 5%.
The CISO wanted to spend $250,000 annually in order to get the risk of that $10 million event down to 2%. To measure ROSI, you are adjusting the ROI formula so that you are gauging the level of risk reduction (through the mitigation ratio) rather than the level of investment gain. Reducing the risk from 5% to 2% would mean a 3% improvement in risk. Turn that risk chance into a real number: a 3% reduction in the chance of a $10 million loss should be calculated as 3% of that figure per year, which in this case would be $300,000. Since the idea is that you are putting in $250,000 per year of protections but are getting back $300,000 in reduced risk, your ROSI is 20%.
Additional analysis should occur to determine if the investment is sound, but that initial assessment looks positive.
ROSI example #2: UBA platform
Another example ROSI situation is described by Isaac Cohen in IDG’s CSO. In that example, a company is looking into a company-wide solution, a user behavior analytics (UBA) platform, to prevent breaches. The CIO of the company calculates that there have been 30 security incidents over the last 3 years – so 10 annually on average. In total costs related to fines, lost productivity, and lost data, each incident represents a cost of $20,000. The UBA is expected to be able to defend against 9 out of 10 current attacks. The cost of the UBA platform is $50,000 per year. The way you would calculate ROSI in this case would be as follows:
- 10 incidents times $20,000 per incident = $200,000.
- $200,000 times mitigation ratio of .9 = $180,000.
- Subtract the $50,000 from that for the solution, and you get $130,000.
- Now take $130,000 (your return) and divide it by what you spent, $50,000.
- You get 2.6, equivalent to a 260% ROSI.
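The two calculations above, reproduced as an added example (not code from the original article), with the 5%-to-2% likelihood drop from example #1 expressed as a mitigation ratio so that both cases go through the same ROSI formula. It goes beyond the text by also reporting the break-even ARO and how ROSI moves when the ARO estimate changes; the function names and the what-if ARO values are assumptions of this example.

```python
def rosi(aro, sle, mitigation, cost):
    """ROSI = (ALE * mitigation ratio - cost of solution) / cost of solution."""
    if not 0.0 <= mitigation <= 1.0:
        raise ValueError("mitigation ratio must be between 0 and 1")
    if cost <= 0 or aro < 0 or sle < 0:
        raise ValueError("cost must be positive; ARO and SLE must be non-negative")
    ale = aro * sle  # annual loss expectancy: ARO * SLE
    return (ale * mitigation - cost) / cost


def mitigation_from_likelihoods(before, after):
    """Turn a drop in yearly breach likelihood (example #1) into a mitigation ratio."""
    if not (0.0 < before <= 1.0 and 0.0 <= after <= before):
        raise ValueError("need 0 <= after <= before <= 1 and before > 0")
    return (before - after) / before


def break_even_aro(sle, mitigation, cost):
    """ARO at which ROSI is 0; below it the control costs more than it saves."""
    if sle <= 0 or mitigation <= 0:
        raise ValueError("SLE and mitigation ratio must be positive")
    return cost / (sle * mitigation)


def sensitivity(aro_estimates, sle, mitigation, cost):
    """ROSI for each candidate ARO, to show how much rides on that one estimate."""
    return {aro: round(rosi(aro, sle, mitigation, cost), 3) for aro in aro_estimates}


# Figures taken from the two examples in the article.
ROBOTS = dict(sle=10_000_000, mitigation=mitigation_from_likelihoods(0.05, 0.02),
              cost=250_000)
UBA = dict(sle=20_000, mitigation=0.9, cost=50_000)

if __name__ == "__main__":
    for name, aro, case in (("warehouse robots", 0.05, ROBOTS), ("UBA platform", 10, UBA)):
        print(f"{name}: ROSI {rosi(aro, **case):.0%}, "
              f"break-even ARO {break_even_aro(**case):.3f}")
    # Constructed what-if ARO values (not from the article) around each estimate.
    print(sensitivity([0.04, 0.05, 0.06], **ROBOTS))
    print(sensitivity([5, 10, 15], **UBA))
```

For the warehouse case the break-even likelihood is about 4.2% per year, so estimating the current risk at 4% instead of 5% turns the 20% ROSI negative.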
Strong security for your critical data
Implementing strong security is in part about finding the right partners. At Total Server Solutions, our SSAE-16 Type II audit is your assurance that we follow the best practices for keeping the data center up and running strong. See our security commitment.