Return on Security Investment (ROSI) expresses the expected loss a control avoids relative to what the control costs, so that security spending can be justified in the same terms as any other investment.
Calculation
ROSI = (Risk Mitigated - Security Cost) / Security Cost
The result is a ratio (usually stated as a percentage); a value below 0 means the control costs more than the loss it is expected to avoid.
Components
- Risk before: Annual Loss Expectancy (ALE) = Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO), i.e. expected loss per incident × expected incidents per year.
- Risk after: ALE with the control in place, reduced by lowering the impact per incident, the frequency of incidents, or both.
- Risk mitigated: ALE before minus ALE after.
- Security cost: total annual cost of the control, including licensing, implementation, and operation (staff time, tuning, maintenance), not just the purchase price.
Example
- Annual breach risk (ALE before): $5M.
- Control cost: $500K per year.
- Risk reduction: 60%, so $3M mitigated.
- ROSI = ($3M - $500K) / $500K = 5.0, i.e. 500%.
Challenges
- Intangible benefits (reputation, customer trust, regulatory standing) are hard to quantify and are usually left out of the ALE.
- Probability (ARO) estimates are uncertain, and ROSI is highly sensitive to them; a range of values is more honest than a single point estimate.
- Compliance requirements may mandate a control regardless of its ROSI.
- Prevention and detection/response reduce risk differently: prevention lowers the frequency term, while detection and response lower the impact term (shorter dwell time, smaller blast radius), so the two must be modelled separately rather than given one blanket reduction percentage.
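The calculation and the example above, and the sensitivity concern raised under Challenges, as an added Python calculator that is not part of the original page. The $5M, $500K and 60% figures are the page's own example; the decomposition of the $5M ALE into an SLE of $10M at an ARO of 0.5, and the assumption that the ARO estimate may be off by a factor of two in either direction, are illustrative assumptions chosen here.

```python
"""Return on Security Investment (ROSI) calculator.

Added example for the formulas on this page. The $5M / $500K / 60%
figures are the page's worked example; the SLE/ARO split and the
factor-of-two uncertainty on the ARO are assumptions made here.
"""


def annual_loss_expectancy(single_loss: float, annual_rate: float) -> float:
    """ALE = SLE x ARO: expected loss per year before any control."""
    if single_loss < 0 or annual_rate < 0:
        raise ValueError("single_loss and annual_rate must be non-negative")
    return single_loss * annual_rate


def rosi(ale_before: float, mitigation_ratio: float, security_cost: float) -> float:
    """ROSI = (risk mitigated - security cost) / security cost.

    mitigation_ratio is the fraction of ALE the control removes (0..1).
    The result is a ratio: 5.0 means 500%; negative means the control
    costs more than the loss it avoids.
    """
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation_ratio must be between 0 and 1")
    if security_cost <= 0:
        raise ValueError("security_cost must be positive")
    risk_mitigated = ale_before * mitigation_ratio
    return (risk_mitigated - security_cost) / security_cost


def breakeven_mitigation(ale_before: float, security_cost: float) -> float:
    """Smallest mitigation ratio at which the control pays for itself (ROSI = 0)."""
    if ale_before <= 0:
        raise ValueError("ale_before must be positive")
    return security_cost / ale_before


def rosi_sensitivity(single_loss: float, annual_rate: float, mitigation_ratio: float,
                     security_cost: float, rate_error: float = 2.0) -> dict:
    """ROSI if the ARO estimate is wrong by a factor of rate_error either way.

    Returns {"low": ..., "estimate": ..., "high": ...} so the result can be
    reported as a range instead of a single point value.
    """
    if rate_error < 1.0:
        raise ValueError("rate_error must be >= 1")
    result = {}
    for label, rate in (("low", annual_rate / rate_error),
                        ("estimate", annual_rate),
                        ("high", annual_rate * rate_error)):
        ale = annual_loss_expectancy(single_loss, rate)
        result[label] = rosi(ale, mitigation_ratio, security_cost)
    return result


if __name__ == "__main__":
    # Page's example: $5M ALE, $500K control, 60% reduction.
    # Assumed split of the $5M: a $10M breach expected once every two years.
    sle, aro, cost, reduction = 10_000_000, 0.5, 500_000, 0.60
    ale = annual_loss_expectancy(sle, aro)
    print(f"ALE before control: ${ale:,.0f}")
    print(f"ROSI at {reduction:.0%} reduction: {rosi(ale, reduction, cost):.0%}")
    print(f"Break-even reduction: {breakeven_mitigation(ale, cost):.0%}")
    for label, value in rosi_sensitivity(sle, aro, reduction, cost).items():
        print(f"ROSI with ARO {label}: {value:.0%}")
```

Running it reproduces the page's 500% and shows that the same control only needs to remove 10% of the loss to break even, but that halving or doubling the assumed incident rate moves the ROSI between 200% and 1100%; the spread, not the point estimate, is what belongs in the business case.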