Calculating ROI for Your Cybersecurity Project

Published in

TechMagic

16 min readJul 4, 2024

In light of the growth of cyber risks and threats, the issue of security is the cornerstone of initiatives to protect organizations. According to an IBM report, the average cost of a data breach in 2023 was $4.45 million.

Gartner’s research shows that spending on security services (consulting, IT outsourcing, hardware implementation, and support) is expected to reach $90 billion in 2024. Cybersecurity services are expected to represent 42% of total security and risk management spending in 2024.

At the same time, 88% of boards of directors view cybersecurity as a business risk, not just a technology issue. This is why measuring return on investments has strategic value and indicates the need to demonstrate real numbers to justify the costs.

In this guide, we will dive deeper into calculating cybersecurity ROI, its specifics and nuances. We will also consider best practices, tools, and resources to make this process easier and faster.

Why you should measure this metric

Ponemon Institute study found that organizations that have metrics to measure cybersecurity performance allocate resources more efficiently and improve threat detection. Measuring ROI in cybersecurity also helps organizations comply with regulatory requirements, which is essential for meeting government requirements and avoiding fines .

According to a study by PwC, 87% of consumers said they would take their business elsewhere if they don’t trust a company is handling their sensitive data more responsibly. Measuring cybersecurity ROI helps build and maintain this customer trust by showcasing their commitment to data protection.

PwC’s Global Investor Survey highlighted that 79% of investors consider cybersecurity and privacy to be crucial factors in their investment decisions. Demonstrating a positive ROSI can enhance investor confidence and attract more funding.

Security ROI: The Essence

Generally speaking, the term return on investment or ROI is the value received from the investment. High ROI accordingly provides more value to your business. Everything is simple and plain here.

The same is relevant for the return on security investment, or ROSI — indicator that measures the return on investment in security initiatives. Indeed, they are paramount to any organization from an ethical and operational point of view.

Here are some other benefits:

Investing in cybersecurity allows you to comply with contractual obligations and industry or government regulations, saving you money on penalties for violating these rules.
You can reduce the ongoing costs of dealing with cyberattacks by clarifying the best security practices based on ROSI.
Cybersecurity investments often eliminate business risks by reducing the probability of security incidents and their consequences.

This approach allows you to get more resources and time for business development, and determining security ROI will help you have a clear picture of your investment.

Components of Cybersecurity ROI

Measuring cybersecurity ROI is a very delicate matter, and you’ll understand why after reading this article. You need to consider different metrics depending on your security strategy, industry, scale, and historical data.

In general, such metrics include security return on investment, cost avoidance, risk reduction, and effectiveness of security protection measures. Some can be measured by numbers, and some cannot. Let’s consider all this in detail.

Measuring Security Costs and Benefits

It is impossible to measure security directly, but we can assess costs associated with implementing robust cybersecurity measures and the value of your system as a target for an attacker. The best approach in such a scenario is to consider the investment in security against the probability of an attack, taking into account the time and the cost of the target.

Cybersecurity ROI and investments

To begin with, you have to understand how much money will be spent on cybersecurity efforts. If you know the exact planned amount, everything is simple. However, sometimes, determining accurate cybersecurity spending is a more difficult task.

There are many models for assessing the adequacy of investments in cybersecurity. One of the most famous is the Gordon-Loeb model. It is great to explain the connection between investments and results. No model and this one is no exception, can set an accurate security budget by itself, but it will help you determine the main evaluation points.

The Gordon-Loeb model relates the level of investment in security and an inherent vulnerability parameter to the probability of experiencing a loss. The function is chosen so that as costs increase, the marginal benefit in terms of improved security decreases. Diminishing marginal returns is logical, as the most cost-effective controls are often implemented first.

The model determines the point at which security investments are optimized. Here, the marginal cost of additional security investment equals the marginal benefit of reduced expected losses.

Unlimited budgets for cyber security are actually undesirable, because there comes a point when large investments in security do not provide more benefit than smaller capital investments. According to the Gordon-Loeb rule, businesses should never spend more than 37% of their expected losses on security.

You can also use a simple model for evaluating the effectiveness of the cybersecurity budget and key metrics to consider by The National Cyber Security Centre.

The costs associated with implementing cybersecurity measures

Now, when we are familiar with the subtleties and nuances of measuring investments in digital transformation, we can move to the more practical things. Let’s talk about categories of costs associated with cybersecurity today and with implementing cybersecurity strategy.

Direct costs:

Hardware and software — for acquiring firewalls, intrusion detection systems, antivirus software, encryption tools, etc.
Implementation expenses — related to installing and configuring cybersecurity solutions, including consulting fees and labor costs.
Training investments — training employees and IT staff on cybersecurity best practices, new tools, and compliance requirements.
Maintenance expenses — ongoing costs for maintaining, updating, and upgrading cybersecurity systems to address new threats and vulnerabilities.

Indirect costs:

Operational disruptions — this may be temporary downtime or reduced productivity during the implementation and testing phases.
Compliance expenses — related to meeting regulatory and industry standards (e.g., GDPR, HIPAA), including audits and certifications.
HR costs — salaries and benefits for cybersecurity professionals (security analysts, IT security managers, incident response teams, and so on.).
Potential revenue loss or delays in other projects due to the allocation of resources to cybersecurity initiatives.

You should also consider such a category as hidden costs. They are related to the impact on user interaction and supplier management. In the first case, additional security tools such as multi-factor authentication (MFA) or strict access control can change the digital experience of your users and require more money to improve it. In the second case, you should consider the costs associated with managing third-party vendors and ensuring they meet cybersecurity standards.

Benefits: risk reduction and avoided costs

Risk reduction as a benefit may include threat mitigation. This is the reduction in the likelihood or impact of cyber threats such as malware, phishing attacks, and data losses. You can also add the cyber security incident response as a benefit, as it enhances the capability to detect, respond to, and recover from cybersecurity incidents. In this case, you have to measure the minimized or eliminated damage and downtime.

Do not forget about the ability to identify, prioritize, and remediate security vulnerabilities, reducing the risk of exploitation. Here, we can move to avoided costs, as risk management prevents expenses related to dealing with incidents. You can determine this number.

You can also quantify savings from preventing customer data theft, disruptions caused by cyber incidents, paying ransoms and regulatory compliance fees, etc. Reputational damage also affects ROSI. Although you can’t accurately measure it in numbers, you can at least roughly estimate the losses from losing clients and expenses to restore your credibility. You can save all this money with a proper security system and by preventing cyber threats.

ROI in Cybersecurity: Measuring Threats

The ROI in cybersecurity is also about measuring threats and the results of incidents.

Measuring the financial impact of cybersecurity incidents

Measuring the cost of cybersecurity incidents is directly related to studying the damage caused by insecurity. In this case, you should pay special attention to documenting the prevalence of attacks, the impact of such attacks, and evaluating the effectiveness of countermeasures.

The easiest way to determine damages is to estimate the financial costs in the event of a security breach. For example, it could be a loss of income due to a service interruption. Or the loss of a certain number of customers and payments for services due to reputational damage.

Framework by The National Cyber Security Centre

Many industries estimate the cost of cybercrime to be trillions of dollars. However, in each individual case, it is worth paying attention to a more detailed and accurate assessment. You need to define:

indirect losses from the crime — reputational losses, for instance;
direct losses — losses and opportunity costs incurred due to certain cybercrimes (news about a data breach leads to fewer customers, purchases, and lost profits, respectively).

Defense costs are money spent on prevention and control. Another indicator is the supporting infrastructure. This is all related to hacked websites and internet infrastructure directly controlled by attackers to carry out attacks. It is good practice to place it in a separate category to avoid duplication of the included costs. Indirect damages concern both the cybercrime directly and the supporting infrastructure.

Calculating ROSI Metrics

Determining ROI for cybersecurity can be difficult because defense, unlike many other fields, typically does not generate direct revenue. However, this is the most effective, and probably the only one, way to protect your income and assets. So, in order to determine the ROSI, you need to clarify the cost savings from potential threats that were prevented due to the preventative measures taken by security teams.

The basic approach consists of 4 steps:

Determination of possible losses.
Prediction of the probability of a cyber attack.
Calculation of potential savings from specific cyber security measures.
Subtracting the cost of these activities.

One-size-fits-all ROSI formula

Accordingly, you can calculate the basic return on security investment using this formula:

Where the Annual Cost of Security Incidents Avoided is the benefit you get because of security investments.

Example:

Let’s say a company invests in a new firewall system. Here’s how we could calculate the ROSI:

Annual Cost of Security Incidents Avoided (ACSIA): The company estimates that the firewall would prevent $200,000 in losses from potential breaches each year.

Annual Security Investment (ASI): The cost of the firewall, including installation, maintenance, and training, is $50,000 per year.

Using the ROSI Formula:

ROSI = ($200,000 — $50,000) / $50,000

ROSI = 3

Interpretation: The ROSI of 3 indicates that for every dollar invested in the firewall, the company can expect a return of $3 due to prevented security incidents.

Annualized Loss Expectancy formula

Another metric to consider is the Annualized Loss Expectancy or ALE. It is an important part of risk management as it helps to estimate the expected monetary loss that an organization could incur over a year due to a particular cyber risk or threat. ALE helps to quantify the financial impact of potential security incidents on an annual basis.

Annual Rate of Occurrence, or ARO represents the estimated frequency with which a specific risk or threat is expected to occur within a year. In other words, it is the number of times the event is expected to occur in a year. You can determine this number based on your historical data, expert judgment, or industry data and benchmarks.

Single Loss Expectancy or SLE is the estimated monetary loss that would occur from a single incident of the specified risk or threat. It includes costs such as direct financial losses, recovery costs, and any other related expenses.

For example, you want to assess your company’s risk of data breaches. Suppose the data breach could occur twice a year, then ARO = 2. Next, you need to determine the cost of a single data breach incident, including legal fees, fines, and recovery costs. For instance, it is $100,000, so SLE = $100,000.

Using the formula we have ALE = 2 × 100,000 = 200,000

After you calculate this metric of a specific security incident, you can estimate the real benefit of a security solution based on the anticipated reduction in the ALE.

Payback Period formula

This is the time it takes for the cybersecurity investment to pay for itself and generate enough benefits to recover its initial cost. In the context of cybersecurity projects, the Payback Period helps understand how long it will take for the cost savings and benefits derived from security to equal the initial expenditure.

Initial Investment is the total cost required to implement the cybersecurity project. It includes purchasing hardware and software, consulting fees, training, and deployment.

Annual Benefits are the financial gains or cost savings generated by the cybersecurity project each year. These may be cost savings from avoided security breaches, reduced downtime and productivity losses, compliance-related savings, etc.

For instance, you invested $500,000 in new cybersecurity infrastructure, training, and implementation. This is your initial investment. You can get annual benefits of $150,000 savings from avoided breaches, reduced downtime, etc.

According to formula, your Payback Period= 500,000/ 150,000 = 3.33 years

After comparing the ROI metrics, you can make an informed decision about your cybersecurity initiative. It is important to understand that you will have to consider both quantitative and qualitative benefits, so the process can be quite complex. In this case, it is worth turning to security companies and specialists, who would have enough expertise and could notice those characteristics of your business that you might have overlooked.

Best Practices in Measuring ROSI

Apart from all that was mentioned above, it is worth paying attention to a few more best practices.

Be clear in defining your goals. It is necessary to define clear and tangible desired results in order to understand how to calculate the return on investment and what indicators to pay attention to. Are you focusing on preventing data breaches, reducing downtime, or improving regulatory compliance? Setting specific, measurable goals will help you choose the right metrics and track your progress effectively.

Example: A goal could be to reduce the number of successful phishing attacks by 50% within a year.

Align cybersecurity objectives with broader business goals. Focus on real evidence of the effectiveness of security measures. This may be the number of detected threats, time of response to incidents, system uptime, frequency of phishing simulation clicks, etc.
Evaluate the benefits. This is a quantifiable indicator because you can determine how much the costs of avoiding violations and downtime will decrease.
Carry out regular reviews. New threats and technologies are constantly emerging in cybersecurity, so ROSI can change. It is worth checking it for relevance and accuracy. If new vulnerabilities emerge in a particular technology, reassess the potential impact on your ALE and adjust your security investments accordingly.
Compare your ROSI with industry benchmarks. This will help you more accurately assess the effectiveness of your cybersecurity investment. If your industry average for ROSI is 5, and your calculation is 3, it may indicate that you need to optimize your security investments or explore more cost-effective solutions.
Industry standards also provide context for your ROI calculations and help identify areas for improvement.

Finally, it is important to track adherence to internal cybersecurity policies to assess the organization’s compliance with established security protocols and the effectiveness of employee training programs.

Factors Influencing ROSI

When it comes to the ROI of a cybersecurity project, several key factors can significantly influence it.

Scale and scope of the project. Larger projects with comprehensive security measures may have higher initial costs while offering more substantial long-term savings. Also, if your project covers multiple aspects of cybersecurity (network security, endpoint protection, data encryption, and so on), it tends to provide more extensive protection benefits.
Current threat landscape and existing security posture. The dynamic nature of cybersecurity threats affects the effectiveness of security measures. Projects that address the latest threats tend to offer higher ROI by preventing new types of attacks. Businesses with a low baseline security level may see a higher ROI from new investments, as there is more room for improvement.
Regulatory requirements. Meeting regulatory requirements can be costly, but when you achieve compliance, you can avoid significant fines and legal costs, thereby improving ROI.
Cost of potential breaches. The potential financial impact of security incidents (e.g., data breaches, ransomware attacks) greatly affects ROI. The likelihood and frequency of security incidents also play a crucial role.
Implemented security solutions. The ROI can depend on how well the chosen technologies detect, prevent, and respond to threats. High-performing solutions typically provide better returns on investments. Also, technologies that seamlessly integrate with existing IT infrastructure can reduce implementation costs.
Incident response and recovery capabilities. The speed and efficiency of incident response influence the damage caused by security breaches. Investments may improve these capabilities and, accordingly, provide substantial ROI by reducing downtime and recovery costs.

You need to be aware of your company’s and industry’s unique specs to make an informed decision and maximize the financial benefits of your investments.

Find out more on ourManaged Cyber Security Services

Tools and Resources for Calculating ROSI

It is not easy to calculate cybersecurity ROI because of a number of factors. To simplify this process, you can use special tools that vary from simple calculators to complex structures and software solutions. Here are some of the most commonly used options.

Cybersecurity ROI calculator

You can use simple generic ROI calculators that help estimate ROI for various types of investments in security, regardless of the specific vendor. Typically, they require input on costs, potential savings, and other relevant metrics. For instance, you can use one of the OMNI ROI calculators.

These may also be vendor-specific calculators tailored to particular products. They help users estimate the financial benefits of implementing specific security solutions. For example, these may be Cisco Wireless Solution Calculator.

Risk Assessment Frameworks

One of such frameworks is The National Institute of Standards and Technology (NIST) Framework which helps organizations identify and prioritize their defense measures and assess their effectiveness. It includes security tools and guidelines for performing risk assessments, which are essential for calculating ROI.

Another valid option is ISO/IEC 27001 — the international standard that provides a systematic approach to managing sensitive company information. It includes a risk management process that can help quantify the benefits of cybersecurity investments.

Financial Analysis Tools

For example, Gartner offers a TCO (Total Cost of Ownership) analysis tool that helps organizations understand the full cost of their IT investments, including cybersecurity projects. You can also use Forrester’s TEI (Total Economic Impact) methodology to evaluate the potential financial impact of technology investments. It considers costs, benefits, flexibility, and risks.

Consulting Services and Industry Reports

In most cases, especially when it comes to complex systems, it is better to seek advice from certified security professionals. They can help calculate and analyze ROI based on your specific cyber security and threats. Reports often include data on cost savings, risk reduction, and best practices.

Find out more on TechMagic’s Security Testing Services

Wrapping Up

Determining the return on investment in cybersecurity is a complex but necessary task. This indicator helps to have a clear financial picture and focus on reducing potential risks, avoiding costs, and actually improving the effectiveness of the defense. It is also the way to make investments that are both strategic and financially reliable.

Accurately measuring the ROI of cybersecurity initiatives requires a detailed assessment of quantified indicators and consideration of parameters that cannot be measured in numbers but are no less important. It is a fine art to identify both tangible costs and immeasurable benefits.

A good practice is to align cybersecurity investments with broader business goals, use models such as the Gordon-Loeb model to optimize investments, and regularly review and update results to adapt to emerging threats. This is how you can get a more or less clear idea of the value derived from these investments. Of course, it also helps you make informed decisions about where to allocate resources, how to prioritize cybersecurity measures, and ultimately how to effectively protect digital assets.

At TechMagic, we have enough expertise in this regard, and we will be happy to advise you on this matter. Our certified security experts will help you determine the optimal metrics specifically for your business and choose the best measurement frameworks.

FAQ

Why calculating cybersecurity ROI is important for cybersecurity projects?

Calculating ROI in cybersecurity investment helps justify the investment by comparing the value and benefits to the costs. It is critical to allocate resources properly, aligning the cybersecurity strategy and initiatives with business objectives, and providing a clear rationale for stakeholders to support funding and implementation are critical.

What are the key components of cybersecurity ROI calculation?

In most cases, key components of ROI security calculation include initial costs, operational costs, obtained benefits, and savings (cost avoidance from prevented breaches, reduced downtime, and avoidance of legal fines and reputational damage).

How do you identify the costs and benefits of a cybersecurity project?

You can do this by considering initial investment costs (hardware, software, and implementation), ongoing operational costs (maintenance, updates, and training), and indirect costs (productivity losses during implementation). As for benefits, you should evaluate potential cost savings from prevented incidents, improved productivity, compliance with regulatory requirements, and enhanced brand reputation and customer trust.

What factors should be considered when quantifying cybersecurity risks and threats?

Everything depends on your projects and the industry’s specifics. In general, you should consider the likelihood of different types of attacks, the potential impact of each attack (data and financial loss, operational disruption), historical data on past incidents, industry benchmarks, and the specific vulnerabilities of your organization’s infrastructure and data.

What are some common metrics used to calculate ROI for cybersecurity initiatives?

These are the basic ROSI, SLE, and playback period. You have to consider the cost of the data loss, downtime costs, incident response costs, compliance costs, and risk reduction.

What factors can influence the ROI of a cybersecurity project?

These may be the scale of the project, the current threat landscape, the effectiveness of the implemented solutions, the existing security posture, regulatory requirements, the cost of potential breaches, operational efficiency, and the ability to respond to and recover from incidents.

Are there any tools or resources available to help with calculating cybersecurity ROI?

You can use ROI calculators provided by cybersecurity vendors, risk assessment frameworks like NIST and ISO 27001, and financial analysis tools that incorporate cybersecurity metrics. Additionally, our security team can provide insights and benchmarks to assist in the calculation process.