Return on Security Investment (Definition)

A method of determining whether a set of proposed security measures is cost-effective.

For each threat that will be affected by the new security measures, the likelihood (annualized rate of occurrence) and severity (single loss expectancy) figures are calculated. The latter includes not only direct costs, but also any indirect costs such as loss of custom, loss of goodwill, political embarrassment, etc.

For each threat, we can then calculate:

annualized loss expectancy = annualized rate of occurrence * single loss expectancy

The estimates are then repeated assuming the proposed security measures are implemented.

The costs of the proposed security measures are then added to this latter figure, including setup costs (hardware, software, training, consulting fees, etc.) as well as on-going annual costs. This set of costs can be viewed as additional losses incurred if the security measures are implemented.

The difference in cost between the two scenarios can then be compared using the preferred accounting method (e.g. Internal Rate of Return) to determine if the investment in security measures is worthwhile.

Because of the uncertainty in the estimates used, a Monte Carlo method may be used to test the sensitivity of the assumptions. Minimum, expected, and maximum losses and likelihoods are used instead of a single estimate, and the result is then a graph of probable outcomes rather than a single figure.
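As an added example (not from the page or the spreadsheet it refers to), the procedure above in Python: ALE before and after the measures from the expected figures, then a Monte Carlo pass that samples each minimum/expected/maximum estimate from a triangular distribution (an assumption; the page does not prescribe a distribution). The threat, its figures, the costs and the three-year horizon are constructed for illustration.

```python
import random
from dataclasses import dataclass


@dataclass
class Threat:
    """One threat with (min, expected, max) estimates before and after the measures."""
    name: str
    aro_before: tuple  # annualized rate of occurrence, events per year
    sle_before: tuple  # single loss expectancy, direct plus indirect cost per event
    aro_after: tuple
    sle_after: tuple


def ale(aro: float, sle: float) -> float:
    """annualized loss expectancy = annualized rate of occurrence * single loss expectancy"""
    return aro * sle


def point_estimate_benefit(threats, setup_cost, annual_cost, years):
    """Compare the two scenarios using only the 'expected' figures.
    Returns the net benefit over the horizon: losses avoided minus total cost of the measures."""
    avoided = sum(ale(t.aro_before[1], t.sle_before[1]) - ale(t.aro_after[1], t.sle_after[1])
                  for t in threats)
    return avoided * years - (setup_cost + annual_cost * years)


def monte_carlo_benefit(threats, setup_cost, annual_cost, years, trials=10_000, seed=1):
    """Sensitivity test: sample every estimate from a triangular(min, max, mode=expected)
    distribution and return one net benefit per trial (plot as a histogram of outcomes)."""
    rng = random.Random(seed)
    tri = lambda est: rng.triangular(est[0], est[2], est[1])  # (low, high, mode)
    results = []
    for _ in range(trials):
        avoided = sum(ale(tri(t.aro_before), tri(t.sle_before)) - ale(tri(t.aro_after), tri(t.sle_after))
                      for t in threats)
        results.append(avoided * years - (setup_cost + annual_cost * years))
    return results


def probability_positive(results):
    """Share of trials in which the measures pay for themselves."""
    return sum(1 for r in results if r > 0) / len(results)


# Constructed sample figures (not from the page): one phishing threat, 3-year horizon
THREATS = [Threat("phishing", aro_before=(2, 4, 8), sle_before=(10_000, 25_000, 60_000),
                  aro_after=(0.5, 1, 2), sle_after=(5_000, 15_000, 40_000))]

if __name__ == "__main__":
    print("net benefit (expected figures):", point_estimate_benefit(THREATS, 30_000, 12_000, 3))
    res = monte_carlo_benefit(THREATS, 30_000, 12_000, 3)
    print(f"P(net benefit > 0) = {probability_positive(res):.2f}")
```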

More information on Return on Security Investment (ROSI), including a spreadsheet with a worked example, can be found on the Government of New South Wales website.

Note that on the government website ALE refers to an Avoidable Loss Expectancy rather than Annualized Loss Expectancy.
