{"id":4719,"date":"2011-06-13T16:42:47","date_gmt":"2011-06-13T16:42:47","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/011\/06\/13\/is-it-possible-to-calculate-the-return-on-security-investment-rosi\/"},"modified":"2024-12-21T16:19:46","modified_gmt":"2024-12-21T16:19:46","slug":"is-it-possible-to-calculate-the-return-on-security-investment-rosi","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2011\/06\/13\/is-it-possible-to-calculate-the-return-on-security-investment-rosi\/","title":{"rendered":"Is it possible to calculate the Return on Security Investment (ROSI)?"},"content":{"rendered":"<p>If you are an information security or business continuity professional, then you\u2019re probably aware of the most difficult part of your job: to convince your management that investment in information security\/business continuity makes sense.<\/p>\n<p>Traditionally, \u201cmaking sense\u201d for management means that the revenues that will result from the investment will be larger than the total cost of investment. (Of course, there are some other aspects the management will also consider \u2013 read <a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2011\/05\/16\/managements-view-of-information-security\/\">Management\u2019s view of information security<\/a>).<\/p>\n<p>So what\u2019s the problem? The problem is, even if you can calculate the total cost, there are no revenues to be made; OK, instead of revenues you might have cost savings, but the general opinion is that these are impossible to calculate.<\/p>\n<p>However, I think there is a way to estimate the financial benefits (i.e. cost savings) of information security. 
Let\u2019s take a closer look at what that really means.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Is it really impossible?<\/h2>\n<p>First of all, you need to estimate the potential damage a single incident could cause \u2013 this is called the Single Loss Expectancy (SLE). To calculate the SLE you need to take several factors into account:<\/p>\n<ul>\n<li>The scope of the potential incident \u2013 which departments, locations, business units and processes would be affected.<\/li>\n<li>The cost of repairing or replacing equipment, goods and materials damaged by the incident.<\/li>\n<li>Employees \u2013 the cost of the staff time spent resolving the incident.<\/li>\n<li>Legal and\/or contractual penalties \u2013 if the incident puts you in breach of legislation or contractual obligations.<\/li>\n<li>Lost revenues \u2013 both from your existing clients and from potential clients.<\/li>\n<\/ul>\n<p>The next step is to estimate the likelihood. Normally you would consider threats and vulnerabilities, as well as the security measures already in place, and the most practical way to express the result is how often you think such an incident would occur: e.g. once every three months, once every three years or once every 30 years. Expressed as a number of occurrences per year (4, 0.33 or 0.033 in those examples), this is the Annualized Rate of Occurrence (ARO).<\/p>\n<p>When you multiply the Single Loss Expectancy by the ARO, you get the Annualized Loss Expectancy (ALE), which you can also think of as the annual cost of carrying that risk. 
For instance, if the SLE for an earthquake is US$ 3 million and the likelihood is once in 100 years (ARO = 0.01), the ALE is US$ 30,000 per year.<\/p>\n<p>After that you would need to assess the ALE of the potential incident after you implement security measures. In the earthquake example the frequency stays the same, since no control makes earthquakes rarer; a measure such as an alternative site can only reduce the damage (the SLE). On the other hand, if you implement more effective anti-virus software, the likelihood (ARO) of a successful malicious code attack will decrease, while the damage of an incident that does get through is largely unchanged. Either way, the quantity you compare is the ALE before the measure against the ALE after it.<\/p>\n<p>Finally, you need to estimate how much your security measures will cost. To be accurate, you will again need to take various factors into account:<\/p>\n<ul>\n<li>Purchase value \u2013 cost of hardware, software, implementation services etc.<\/li>\n<li>Residual value of the security measure \u2013 its value once it is no longer in use.<\/li>\n<li>External costs of maintenance \u2013 servicing, repairs etc.<\/li>\n<li>Internal costs of maintenance \u2013 mainly employees.<\/li>\n<\/ul>\n<p>When you have all these inputs together, you will know whether your Return on Security Investment is positive or not: the decrease in your risk needs to be bigger than the total cost of the security measures. It is best to calculate both on an annualized level, i.e. spread the purchase value minus the residual value over the years the measure will be in use and add the yearly maintenance costs; the reduction in Annualized Loss Expectancy (ALE before the measure minus ALE after it) then has to be greater than that annual cost of the security measures. Note that it is the reduction that counts, not the ALE itself: a measure that changes neither the likelihood nor the damage removes no risk, however large the ALE.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">\u201cDelusion or idiocy?\u201d<\/h2>\n<p>When we published our <a href=\"https:\/\/staging.advisera.com\/27001academy\/free-tools\/free-return-security-investment-calculator\/\" target=\"_blank\" rel=\"noopener noreferrer\">ROSI Calculator<\/a> based on the logic described above, one of the leading information security experts (whom I really do respect) commented on our tool on his Twitter account as follows: \u201cdelusion or idiocy? 
take your pick: &#8211; just enter \u2018probability of incident occurrence\u2019:-( #ROSI #ROI&#8221;.<\/p>\n<p>Why did he react this way? Let\u2019s be realistic: it is quite difficult to calculate all the costs related to the potential damage of an incident, and it is even more difficult to estimate precisely the likelihood of such an incident occurring, especially if there are no statistics to support the estimate.<\/p>\n<p>But the question is: is it better to have nothing at all, or to have at least some idea of the financial consequences of the work you are doing? If you are a perfectionist, you will probably wait another 10 or 20 years for a better methodology and better statistics to evolve (by the way, the banking sector is now developing those for operational risk under the Basel II Advanced Measurement Approach); if you are a realist, you can use this logic to help you, keeping in mind that it is not perfect.<\/p>\n<p>If you take the latter approach, you won\u2019t be the only one in your company \u2013 just take a look at what your marketing department is doing. They usually spend a lot of money on TV and radio commercials, but they cannot calculate exactly whether that is profitable either, can they? What they are certainly good at is presenting why the investment is needed, estimating quite a lot of factors along the way. Instead of making fun of them, you should learn from them.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Something is better than nothing<\/h2>\n<p>So is it possible to calculate exactly what the Return on Security Investment will be? Unfortunately, the sceptics are right: it is impossible to calculate it precisely, mainly because it is difficult to estimate the likelihood of incident occurrence. But chances are your estimate of the probability won\u2019t be that far off \u2013 you wouldn\u2019t assess the likelihood as once in 100 years if an incident is actually likely to happen every five years. It also helps to check how far off the estimate would have to be to change the decision: if a measure still pays for itself when the likelihood is halved, the exact figure matters little. 
That, together with taking into account all other relevant factors, will give you a much better picture of the risk your organization is exposed to.<\/p>\n<p>And having that information in hand is much better than having nothing at all. More importantly, you will start speaking your management\u2019s language (Profit &amp; Loss language), which increases your chances of being heard.<\/p>\n<p><em><span class=\"notion-enable-hover\" data-token-index=\"0\">To automate your compliance with ISO 27001 security controls,<\/span>\u00a0<\/em><a class=\"notion-link-token notion-focusable-token notion-enable-hover\" tabindex=\"0\" href=\"https:\/\/staging.advisera.com\/conformio\/\" target=\"_blank\" rel=\"noopener\" data-token-index=\"2\"><span class=\"link-annotation-unknown-block-id-1092142182\">sign up for a free trial<\/span><\/a>\u00a0<em><span class=\"notion-enable-hover\" data-token-index=\"4\">of Conformio, the leading ISO 27001 compliance software.<\/span><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you are an information security or business continuity professional, then you\u2019re probably aware of the most difficult part of your job: to convince your management that investment in information security\/business continuity makes sense. 
Traditionally, \u201cmaking sense\u201d for management means that the revenues that will result from the investment will be larger than the total &#8230;<\/p>\n","protected":false},"author":26,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[277,378,379,525],"class_list":["post-4719","post","type-post","status-publish","format-standard","hentry","category-blog","tag-risk-assessment","tag-business-continuity","tag-information-security","tag-risk-treatment"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4719","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=4719"}],"version-history":[{"count":1,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4719\/revisions"}],"predecessor-version":[{"id":103336,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4719\/revisions\/103336"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=4719"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=4719"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=4719"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
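The ALE and ROSI arithmetic laid out in the post above (Single Loss Expectancy, likelihood as an annual rate, ALE before and after a measure, annualized cost of the measure), carried through as an added worked example. This is not part of the original post and is not the author's ROSI Calculator. The `Scenario` and `Control` classes, the function names, and every figure other than the post's earthquake numbers (SLE US$ 3 million, once in 100 years, ALE US$ 30,000) are constructed for illustration. It also goes one step beyond the post by computing the break-even likelihood, i.e. how often the incident would have to occur for the measure to pay for itself, which is a direct answer to the objection that the probability input is a guess.

```python
"""Worked ROSI calculation following the post's logic.

Added example, not the post's ROSI Calculator. Figures marked
"constructed" are illustrative, not data from the post.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One incident type, with and without the security measure."""
    name: str
    sle_before: float   # Single Loss Expectancy without the measure (cost of one incident)
    aro_before: float   # Annualized Rate of Occurrence without the measure (incidents/year)
    sle_after: float    # SLE with the measure: a control may shrink the damage ...
    aro_after: float    # ARO with the measure: ... or make the incident rarer (or both)


@dataclass(frozen=True)
class Control:
    """Cost components of a security measure, as listed in the post."""
    name: str
    purchase: float          # hardware, software, implementation services
    residual_value: float    # what the measure is still worth when retired
    lifetime_years: float    # years the measure stays in use
    external_maint: float    # per year: servicing, repairs, support contracts
    internal_maint: float    # per year: staff time to run it

    def annual_cost(self) -> float:
        """(purchase - residual) spread evenly over the lifetime, plus yearly maintenance."""
        if self.lifetime_years <= 0:
            raise ValueError("lifetime_years must be positive")
        amortized = (self.purchase - self.residual_value) / self.lifetime_years
        return amortized + self.external_maint + self.internal_maint


def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x ARO, the yearly cost of carrying the risk."""
    return sle * aro


def risk_reduction(s: Scenario) -> float:
    """Risk removed per year by the measure: ALE before minus ALE after."""
    return ale(s.sle_before, s.aro_before) - ale(s.sle_after, s.aro_after)


def rosi(s: Scenario, c: Control) -> float:
    """ROSI as a ratio: (risk reduction - annual cost) / annual cost.

    > 0: the measure pays for itself; 0: break-even; -1: it removes no risk at all.
    The comparison is against the *reduction* in ALE, never the ALE itself.
    """
    cost = c.annual_cost()
    return (risk_reduction(s) - cost) / cost


def breakeven_aro_before(s: Scenario, c: Control) -> float:
    """Incidents per year (before the measure) at which the measure just breaks even.

    The likelihood is the shakiest input, so instead of defending one number,
    ask how wrong it would have to be to flip the decision. Assumes the measure
    keeps the same relative effect (aro_after/aro_before and both SLEs fixed),
    so the reduction scales linearly with aro_before.
    """
    reduction = risk_reduction(s)
    if reduction <= 0:
        return float("inf")   # removes no risk: never pays off at any likelihood
    return s.aro_before * c.annual_cost() / reduction


# The post's earthquake figures: SLE US$ 3 million, once in 100 years -> ALE US$ 30,000.
# Earthquakes do not get rarer, so aro_after == aro_before; the (constructed) measure is
# an alternative site that cuts the damage of one event to US$ 500,000.
EARTHQUAKE = Scenario("earthquake", sle_before=3_000_000, aro_before=1 / 100,
                      sle_after=500_000, aro_after=1 / 100)
ALT_SITE = Control("alternative site", purchase=100_000, residual_value=0, lifetime_years=5,
                   external_maint=10_000, internal_maint=15_000)      # constructed figures

# The post's anti-virus case: incidents become rarer, damage per incident unchanged.
MALWARE = Scenario("malware outbreak", sle_before=50_000, aro_before=2.0,
                   sle_after=50_000, aro_after=0.5)                  # constructed figures
ENDPOINT_AV = Control("endpoint anti-malware", purchase=30_000, residual_value=0,
                      lifetime_years=3, external_maint=5_000, internal_maint=20_000)


if __name__ == "__main__":
    for s, c in ((EARTHQUAKE, ALT_SITE), (MALWARE, ENDPOINT_AV)):
        print(f"{s.name:16s} ALE before {ale(s.sle_before, s.aro_before):>9,.0f}"
              f"  reduction {risk_reduction(s):>8,.0f}  annual cost {c.annual_cost():>8,.0f}"
              f"  ROSI {rosi(s, c):+.2f}  break-even ARO {breakeven_aro_before(s, c):.3f}/yr")
```

Run as is to print both scenarios. With the constructed figures the alternative site does not pay off at once in 100 years (ROSI about -0.44) and would only break even if a damaging earthquake were expected roughly every 55 years, whereas the anti-malware measure returns about 1.14 times its annual cost and remains worthwhile down to about 0.93 outbreaks per year. The break-even figure is the number to bring to management when the likelihood estimate is challenged: the discussion shifts from "is 2 per year right?" to "do we believe it happens more than once a year?".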