Published in Magda On Cyber
Can we Calculate Cybersecurity ROI?

ROI stands for “return on investment”. It’s a measure of how efficient a company is in turning its investments into profits. In other words, it’s a way to gauge whether or not a company is doing a good job of using its money to make more money.

There are two ways to calculate ROI: the first is by dividing the company’s profits by its total investment; the second is by dividing the company’s revenue by its total investment. Both calculations will give you the same result. However, most people prefer to use revenue rather than profits because it takes into account all of the company’s expenses, including things like salaries and rent.

On the other hand, Return on Security Investment (ROSI) is a metric that quantifies the financial benefit of an organization’s information security investments relative to the amount of risk reduced as a result.

Photo by Jason Leung on Unsplash

Simply put, ROSI is a way to measure how much bang an organization is getting for its buck with respect to its cybersecurity spending. It takes into account both the monetary value of assets protected and the likelihood that those assets will be compromised in the event of a successful attack.

So, how do you quantify a ROSI?

To calculate a ROSI in cybersecurity, one would need to consider the cost of implementing a cybersecurity solution and the benefits that are expected to be realized as a result. There are a few different ways to calculate ROSI. One way is to use the following formula:

ROSI = (Gain from investment - Cost of investment) / Cost of investment

For example, let’s say you invested $100 in a security and it went up by $10. Your ROSI would be (10–100)/100 = -0.9. This means you lost 90% on your investment.

Alternatively, if the security went down by $10, your ROSI would be (10+100)/100 = 1.1. This means you gained 110% on your investment.

The first step is to calculate the cybersecurity impact likelihood. To do this, you need to understand the organization’s business risk and how that risk might be impacted by a cyberattack.

For example, let’s say an organization’s business risk is $10 million. If there is a 10% chance that an attack could cause a loss of $1 million, then the cybersecurity impact likelihood would be calculated as 10% ($1 million/$10 million).

Once you have calculated the cybersecurity impact likelihood, you can then use that number to determine the ROSI. The higher the number, the more it will cost to implement mitigating measures and therefore the higher the ROSI will be.

There are a number of factors to consider when calculating a ROSI in cybersecurity. The first is the likelihood of a cyberattack. This can be difficult to estimate, as there is no guarantee that an attack will happen, even if all the required conditions are met. However, there are several resources that can help you understand the likelihood of an attack happening. Once you have estimated the likelihood of a cyberattack, you need to consider the consequences if one were to occur. What would be the impact on your business and its activities? In practice this is a calculation of the financial impact of a cybersecurity incident: the cost of forensic investigations, data recovery, regulatory fines, loss of business and reputation damage, amongst others.

So, to calculate a ROSI in cybersecurity, you need to take into account the following factors:

The cost of the cybersecurity solution: this can be difficult to track if the organization does not have a holistic view of costs.

The effectiveness of the solution: captured by weighing three primary factors: prevention (reducing attacks and their success), detection (speed of identifying an attack), and response (mitigation capabilities and speed).

The likelihood of the threat being exploited in your environment.

The potential associated costs when a cyber attack happens and is successful.

For example, if a company spends $1,000 on cybersecurity solutions and can expect to save $5,000 as a result of those solutions (a net savings of $4,000), then the ROSI for cybersecurity would be 400%.
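The formula and the four factors above, worked through in code. This is an added example and not code from the article or its author: the simple form is the article's own ROSI = (gain - cost) / cost, reproducing the $1,000 / $5,000 example, while the factor-based form combines cost, effectiveness, likelihood and impact in a way this example assumes (expected annual loss = likelihood x impact; the gain credited to a control = expected loss x effectiveness). The candidate controls and their figures are constructed for illustration.

```python
"""Return on Security Investment (ROSI) worked through in code.

Added example, not the article's code. The factor-based combination
(expected loss = likelihood * impact, gain = expected loss * effectiveness)
is an assumption of this example, consistent with the factors the article lists.
"""
from dataclasses import dataclass


def rosi(gain: float, cost: float) -> float:
    """The article's formula, as a ratio: 4.0 means 400%.
    A zero or negative cost cannot be expressed by the formula, so reject it."""
    if cost <= 0:
        raise ValueError("cost of the control must be positive")
    return (gain - cost) / cost


@dataclass(frozen=True)
class Scenario:
    """One threat scenario and one candidate control (constructed inputs)."""
    name: str
    likelihood: float     # probability the threat materialises in a year (0..1)
    impact: float         # cost if it does: forensics, recovery, fines, lost business
    effectiveness: float  # share of the expected loss the control removes (0..1)
    cost: float           # annual cost of the control


def expected_loss(s: Scenario) -> float:
    """Annualised expected loss before the control: likelihood x impact."""
    return s.likelihood * s.impact


def risk_reduced(s: Scenario) -> float:
    """Monetary gain credited to the control: the share of expected loss it prevents."""
    return expected_loss(s) * s.effectiveness


def scenario_rosi(s: Scenario) -> float:
    """ROSI of one control against one scenario."""
    return rosi(risk_reduced(s), s.cost)


def rank_controls(scenarios):
    """Order candidate controls by ROSI so a limited budget goes where it removes
    the most risk per dollar. A negative ROSI means the control costs more than
    the risk it removes."""
    return sorted(scenarios, key=scenario_rosi, reverse=True)


# Constructed sample inputs (not from the article).
CANDIDATES = [
    Scenario("Phishing-resistant MFA", likelihood=0.30, impact=400_000,
             effectiveness=0.80, cost=25_000),
    Scenario("Backup and recovery tooling", likelihood=0.10, impact=1_000_000,
             effectiveness=0.50, cost=10_000),
    Scenario("DDoS scrubbing for a low-traffic site", likelihood=0.02, impact=150_000,
             effectiveness=0.90, cost=40_000),
]

if __name__ == "__main__":
    print(f"Article example: {rosi(5_000, 1_000):.0%}")  # 400%
    for s in rank_controls(CANDIDATES):
        print(f"{s.name:40s} expected loss {expected_loss(s):>12,.0f} "
              f"risk reduced {risk_reduced(s):>12,.0f} ROSI {scenario_rosi(s):>7.0%}")
```

Ranking by ROSI is what makes the metric actionable: in the constructed inputs the backup tooling comes out ahead of MFA despite a lower absolute risk reduction, and the DDoS control shows a negative ROSI because its annual cost exceeds the small expected loss it addresses.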

Can I quantify reputational loss?

There’s no easy answer when it comes to quantifying reputational loss. It can depend on various factors, and of course, the severity of the data breach or cyber attack. Depending on the severity of the attack, and the company’s ability to mitigate data loss and regain customer trust, losses could range anywhere from a few percentage points to over half of their total market share. In some cases, a complete loss of customer confidence could mean that a company is forced out of business entirely.

Quantifying the reputational damage caused by a breach can be difficult, but it is often more expensive in the long run than any direct financial losses. When trying to estimate market share loss following a cyber attack, it’s important to consider not just the immediate fallout but also any ongoing effects that could continue across many years.

In general, however, there are a few ways to measure reputational damage.

One way is to look at share price performance. If a company’s stock plummets after a data breach or cyber attack, that’s a clear sign that investors are losing faith in the company’s ability to protect itself (and its customers’ data). That loss of investor confidence can quickly translate into real financial losses for the company.

Another way to measure reputational damage is through customer market share, that is, the loss of customers following a cyber attack.

Finally, think about any previous incidents where the company or similar companies have been criticized or had serious problems with their reputation.

In some cases, a reputation may be ruined forever if there are major ethical lapses or if criminal behavior is exposed. In other cases, a reputation may be able to recover if there are sincere apologies and corrective actions are taken. And in still other cases, the reputational damage may not be as bad as initially thought if the public learns more about the situation and changes their opinion.
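Two of the measures described above, share price performance and customer loss, turned into a rough estimate. This is an added example, not the article's code: the share price signal is taken as the stock's return over an event window around disclosure minus the return of a sector index over the same window (so general market movement is not blamed on the breach), and the customer signal is churned revenue that only partly recovers year by year, which is one way to capture the ongoing multi-year effects the article warns about. All prices, share counts, churn and recovery rates are constructed, and the helper names are this example's own.

```python
"""Rough reputational-loss estimate after a breach: market reaction plus
multi-year customer loss. Added example; every input below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PricePoint:
    day: int       # trading days relative to disclosure (0 = disclosure day)
    stock: float   # company's closing share price
    index: float   # sector index closing level


def abnormal_return(prices, start_day, end_day):
    """Stock return minus index return between two days of the event window."""
    by_day = {p.day: p for p in prices}
    start, end = by_day[start_day], by_day[end_day]
    stock_ret = end.stock / start.stock - 1.0
    index_ret = end.index / start.index - 1.0
    return stock_ret - index_ret


def market_value_loss(prices, shares_outstanding, start_day=-1, end_day=5):
    """Market capitalisation lost beyond what the sector lost. Zero if the stock
    did no worse than its index, i.e. the price carries no breach signal."""
    ar = abnormal_return(prices, start_day, end_day)
    start_price = next(p.stock for p in prices if p.day == start_day)
    return max(0.0, -ar) * start_price * shares_outstanding


def churn_revenue_loss(annual_revenue, initial_churn, recovery_per_year,
                       years, discount_rate=0.0):
    """Present value of revenue lost to customers who leave after the breach,
    with a share of them won back each year. Without the multi-year view only
    the first year's loss would be counted."""
    lost = 0.0
    churn = initial_churn
    for year in range(1, years + 1):
        lost += annual_revenue * churn / (1.0 + discount_rate) ** year
        churn *= 1.0 - recovery_per_year
    return lost


# Constructed event window: the stock falls 15% while the sector index rises 1%.
PRICES = [
    PricePoint(-1, 100.0, 1000.0),
    PricePoint(0, 92.0, 1002.0),
    PricePoint(5, 85.0, 1010.0),
]
SHARES_OUTSTANDING = 10_000_000  # constructed


def estimate_total(prices=PRICES, shares=SHARES_OUTSTANDING,
                   annual_revenue=50_000_000.0):
    """Both signals side by side. They measure different things (investor
    reaction vs. lost customers), so the sum is an order-of-magnitude figure,
    not an accounting loss."""
    market = market_value_loss(prices, shares)
    churn = churn_revenue_loss(annual_revenue, initial_churn=0.10,
                               recovery_per_year=0.5, years=3)
    return market, churn, market + churn


if __name__ == "__main__":
    market, churn, total = estimate_total()
    print(f"abnormal return over window: {abnormal_return(PRICES, -1, 5):.1%}")
    print(f"market value loss: {market:,.0f}  churn loss (3 years): {churn:,.0f}  "
          f"total: {total:,.0f}")
```

The recovery rate is the parameter to scrutinise: it encodes the article's point that a reputation may recover after sincere apologies and corrective action, or may not, and changing it from 0.5 to 0.0 turns a tapering loss into a permanent one.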

Last year, the Ponemon Institute released a study that found the average cost of a data breach had risen to $3.8 million. And yet, despite these increasing costs, many companies still aren’t doing enough to protect themselves from cyber attacks. For larger organizations, the cost can be much higher. The study also found that the average time it takes to detect a data breach is 197 days, and the average time required to contain a data breach is 69 days.

The damage caused by cyber attacks can be extensive, and can include lost revenue, stolen or corrupted data, damaged reputation, and fines from regulators. In addition, companies may experience increased customer churn and difficulty attracting new customers.

In fact, a recent study found that nearly two-thirds of businesses experienced a cyber attack in the past year, and that 60 percent of those businesses had suffered a data breach as a result of those attacks. The damage done by these breaches can be significant. In addition to the financial costs, there is also the cost of lost business and damage to your company’s reputation.

So, it is important to calculate the ROSI and understand the implications of not implementing cybersecurity. It is also relevant to note that there are many different ways to calculate a ROSI, and the calculation will be specific to the organization’s industry, size, and risk profile.

Cybersecurity insurance can help organizations protect themselves from some of the financial damages associated with a data breach, but it’s important to note that no insurance policy can completely protect against cyber attacks. It all comes down to cyber risk management, with risk treatment coming first.

So, it is best to consult with an expert in this area who can help you develop an accurate estimate.

By Magda Chelly

Chief Security Officer | TEDx Talk | Author & Keynote Speaker | IFSEC Global Top 20 Cybersecurity Influencer | Entrepreneur | PhD, S-CISO, CISSP, Cert SCI (General Insurance)
