The calculation of the Return on Security Investment (ROSI) entails the combination of the quantitative assessment of risk and the cost of implementing security to counter the measures of the risk. Security is often more complex to measure in that an investment does not offer increased revenues but does provide savings during the inevitable cyber-attack risks (Choi et al., 2019). Experts specializing in security refer to this as loss prevention, while in business and economics, loss prevention will be included in the category of opportunity costs (Kohen, 2017). Both executives and managers consider the need for taking opportunity costs into account for evaluating the value of one option of investment against another one. Thus, the equation for ROSI involves both risks linked to security incidents and the impact of the implemented security solutions.
In every company, each investment budget must have justification, with its effectiveness being evaluated afterward. The ROSI will help estimate the return on security investment based on how much organizations can save by lowered losses divided by the investment (Attivo News, 2019). This will allow to evaluate cyber security technologies to determine if the solution is cost-effective. For organizations, the costs of cyber security solutions should never exceed the benefits of their implementation. CEOs and CFOs need to determine specific and detailed ROSI, especially if they can be ‘boiled down’ to dollar figures. This will allow for streamlining the assignment of budgets and relevant approvals because of the possibility of calculating a quantifiable budget. Overall, security is concerned with a risk calculation, with understanding how much risk an organization is taking and what the implications are.
Making estimates regarding the amount of money saved from losses that may never occur is a complicated task, which, in reality, entails much more than the application of simple formulas. The limitation of the ROSI calculation is that the results are often approximate and cannot give a 100% accurate prediction of how much would the cost of the risks to organizations be. The expensed that may go toward incidents related to cyber security and the yearly rate of their occurrence are complex to estimate, with the resulting numbers possibly varying wildly depending on environmental factors (European Network and Information Security Agency, 2021). Moreover, the approximations can be affected by analysts’ bias of their perception of the occurring risks, which means that the ROSI calculation can be manipulated easily to serve the interests of its users. This may be done for justifying a certain decision instead of informing it. Therefore, the statistical data introduced within the ROSI calculation must be essential. Nevertheless, actuarial data on security incidents are complex to find because companies are not always open to providing data on such issues.
To evaluate the technologies selected for the study with the help of the ROSI, which fall under the category of information systems, it is important to consider the ubiquitous nature of data, possible service disruptions, confidentiality issues, and data integrity challenges. Besides, after the calculation, it is necessary to answer the questions regarding the items covered by the cost, the timeframe before benefits occur, the period of payback, as well as the amortization periods. To conclude, evaluating information systems with the help of the ROSI can entail omissions or optimistic assumptions, which must be avoided.
References
Attivo News. (2019). Using ROSI to evaluate cybersecurity technologies. Web.
Choi, J., Kaplan, J., Krishnamurthy, C., & Lung, H. (2019). Perspectives on transforming cybersecurity.
European Network and Information Security Agency. (2012). Introduction to return on security investment: Helping CERTs assessing the cost of (lack of) security. Web.
Kohen, I. (2017). How to calculate your return on security investments.