by Scott Berinato

Calculating Return on Security Investment

Feb 15, 2002
IT Strategy

R is the cost per year to recover from any number of intrusions.

E is the dollar savings gained by stopping any number of intrusions through the introduction of an intrusion detection tool.

T is the cost of the intrusion detection tool.

(R - E) + T = ALE

Doing this equation yields the Annual Loss Expectancy.

R - (ALE) = ROSI

To determine our return on security investment (ROSI) we simply subtract what we expect to lose in a year (ALE) from the annual cost of intrusion.
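The two sidebar equations, carried through in code as an added illustration (this is not part of the original article). It uses the article's symbols R, E, T, ALE and ROSI; the dollar figures and tool names are constructed for the example. It also makes explicit one consequence of the formulas that a buyer will want to see: R - ((R - E) + T) simplifies to E - T, so the recovery cost R cancels and the investment breaks even exactly when the tool costs as much as it saves.

```python
"""Worked example of the ROSI sidebar formulas (added illustration, not the article's code).

Symbols follow the article:
  R    cost per year to recover from intrusions
  E    dollar savings from intrusions stopped by the tool
  T    cost of the intrusion detection tool
  ALE  (R - E) + T   annual loss expectancy with the tool in place
  ROSI R - ALE       return on security investment
All dollar amounts below are constructed for illustration.
"""


def annual_loss_expectancy(r: float, e: float, t: float) -> float:
    """ALE = (R - E) + T: recovery cost left after the tool, plus the tool itself."""
    return (r - e) + t


def rosi(r: float, e: float, t: float) -> float:
    """ROSI = R - ALE: what recovery would have cost minus what is still spent."""
    return r - annual_loss_expectancy(r, e, t)


def break_even_tool_cost(e: float) -> float:
    """Tool cost at which ROSI is zero.

    Algebraically R - ((R - E) + T) = E - T, so R cancels out and the
    investment breaks even when T equals the savings E it produces.
    """
    return e


def compare_tools(r: float, options):
    """Rank candidate tools (label, E, T) against the same recovery cost R.

    Returns rows sorted by ROSI, highest first; a negative ROSI means the
    tool costs more per year than the intrusions it would prevent.
    """
    rows = [
        {
            "tool": label,
            "ALE": annual_loss_expectancy(r, e, t),
            "ROSI": rosi(r, e, t),
            "pays_off": rosi(r, e, t) > 0,
        }
        for label, e, t in options
    ]
    return sorted(rows, key=lambda row: row["ROSI"], reverse=True)


if __name__ == "__main__":
    # Constructed figures: $500k/year in recovery costs today, three hypothetical tools.
    recovery_cost = 500_000.0
    candidates = [
        ("Tool A (hypothetical)", 300_000.0, 100_000.0),   # saves more than it costs
        ("Tool B (hypothetical)", 150_000.0, 150_000.0),   # exactly breaks even
        ("Tool C (hypothetical)", 80_000.0, 200_000.0),    # costs more than it saves
    ]
    for row in compare_tools(recovery_cost, candidates):
        print(f"{row['tool']:<22} ALE=${row['ALE']:>10,.0f}  "
              f"ROSI=${row['ROSI']:>10,.0f}  pays off: {row['pays_off']}")
```

Running the block prints one line per tool; only the tool whose savings E exceed its cost T shows a positive ROSI, and changing R moves ALE but leaves ROSI untouched.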

The Earlier You Invest in Security, the Greater the Return

Researchers found that you get a 21% return on your security investment at the software design phase, a 15% return at the implementation stage and a 12% return at the testing stage.

[Chart: Return on security investment by development phase. Source: MIT/Stanford/@stake]

For More Information on the Economics Behind Security

A good primer on economic terms and techniques, including concepts such as indifference curves.

Stanford economist Kevin Soo Hoo’s thesis on quantifying infosecurity. It’s a little math-heavy, but it contains excellent data on the history of the problem and a proposed model for fixing it.

The CERT website has an entire page devoted to emerging research on survivability and the quantification of it. It includes the research highlighted here.