As for any organization, the security department needs to measure cost-effectiveness, justify budget usage, and support its next budget claim.
But organizations often have difficulty accurately measuring the effectiveness and cost of their information security activities. This is because security is not usually an investment that provides profit – it provides loss prevention.
What is the amount an organization should invest in protecting information and how can we quantify the return on this investment?
There are many good articles about the term "ROSI" – Return On Security Investment. The ROSI calculation uses a simple formula that relies on the following parameters:
Annual Loss Expectancy (ALE) – the total annual financial loss from security incidents.
Mitigation Ratio and mALE – the modified ALE (mALE) is the ALE adjusted for the losses prevented by implementing a security solution. The value of prevented losses is derived from the mitigation ratio, which is the percentage of threats deterred by the cybersecurity solution.
Cost of Solution – the cost of the mitigating solution.
(These three parameters are more nuanced in practice but are simplified here for ease of explanation.)
ROSI = (ALE * Mitigation Ratio – Cost of Solution) / Cost of Solution
Below is an example of how ROSI would be calculated:
Based on his risk management process, a large healthcare organization's CIO believes that adding another layer of mail security will help reduce the risk of a breach and its consequences. However, management is not convinced that this large investment is worth it.
The CIO has decided to run some numbers:
Based on past years, the organization's annual cost of cyber incidents is $200K (ALE).
The cost of the email security solution is $80K per year (cost of solution).
The CIO made a calculated guess that the additional email security layer would reduce the threat penetration ratio by 90%.
In this scenario, the formula would be:
ROSI = (200 * 0.9 – 80) / 80 = 1.25
The return on this security investment is 125%, which means that for the $80K investment in email security, the CIO will save $100K (80K * 125%).
The main gap in this example is that the CIO only guessed the mitigation ratio of this solution.
When it comes to information security and risk estimation, many executives are still relying on guessing.
To choose the best security control and present a validated mitigation ratio, it is crucial to test the solution's effectiveness and measure its mitigation ratio rather than estimate it.
By leveraging Cymulate's extended security posture management, you can do an end-to-end validation and assess the exact mitigation ratio of every security solution and control.
Returning to the example above, now assume that the CIO has tested his current email security posture with 15K email threats. Assuming his current risk score is 20, the CIO can now deploy a new email security control in a POC process and measure the risk score.
By reducing the score from 20 to 10, the CIO can see that the mitigation ratio of that solution is 50%.
In another example, a CISO considers investing in a WAF solution. The current risk score for the WAF vector is 100. After implementing a WAF solution and testing it with 7K different OWASP Top 10 payloads, the organization reduced its risk to a score of 15, which is an 85% mitigation ratio.
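The ROSI formula and the risk-score-based mitigation ratio from the two examples above, carried through in code. This is an added illustration, not code from the original post or from Cymulate; it goes one step beyond the text by feeding the validated 50% email ratio back into the ROSI formula, and the input validation (zero cost, baseline score of zero) is an added assumption about how a practitioner would guard the calculation.

```python
def mitigation_ratio(score_before: float, score_after: float) -> float:
    """Fraction of risk removed by a control, from validated risk scores
    measured without (before) and with (after) the control in place."""
    if score_before <= 0:
        raise ValueError("baseline risk score must be positive to compute a ratio")
    if not 0 <= score_after <= score_before:
        raise ValueError("post-control score must lie between 0 and the baseline")
    return (score_before - score_after) / score_before


def rosi(ale: float, ratio: float, cost: float) -> float:
    """ROSI = (ALE * mitigation ratio - cost of solution) / cost of solution.
    Returned as a fraction: 1.25 means a 125% return. ALE and cost must use
    the same currency unit (the post uses $K)."""
    if cost <= 0:
        raise ValueError("cost of solution must be positive")
    if not 0 <= ratio <= 1:
        raise ValueError("mitigation ratio must be a fraction between 0 and 1")
    return (ale * ratio - cost) / cost


def email_case() -> dict:
    """The healthcare CIO's numbers from the post: ALE $200K, solution $80K/year.
    Compares the guessed 90% ratio with the validated one (risk score 20 -> 10)."""
    ale, cost = 200, 80
    validated = mitigation_ratio(20, 10)
    return {
        "guessed_rosi": rosi(ale, 0.9, cost),        # 1.25, as in the post
        "validated_ratio": validated,                # 0.50
        "validated_rosi": rosi(ale, validated, cost),  # 0.25, the honest figure
    }


def waf_case() -> float:
    """CISO's WAF example: risk score 100 -> 15 after the WAF is deployed."""
    return mitigation_ratio(100, 15)  # 0.85


if __name__ == "__main__":
    email = email_case()
    print(f"email, guessed 90% ratio:  ROSI {email['guessed_rosi']:.0%}")
    print(f"email, validated {email['validated_ratio']:.0%} ratio: "
          f"ROSI {email['validated_rosi']:.0%}")
    print(f"WAF validated mitigation ratio: {waf_case():.0%}")
```

The gap between the guessed and validated ROSI for the same control is the point of the post: the budget case changes from a 125% return to a 25% return once the mitigation ratio is measured instead of assumed.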
When you need to justify the budget and show the ROI of your security activities, it is much better to rely on validated numbers and avoid guesswork.