Measuring Security Value Through ROI

By ivision February 27, 2023

In one of our recent Pulse videos, I mentioned three things Chief Information Security Officers (CISOs) can and should articulate in terms of value of security to the leadership and their board of directors:

  1. Determine the quantification of the business value vs. loss of it (in other words, risk of mitigation vs risk without mitigation)
  2. Quantify the cost to implement the security initiative (in other words, cost of mitigation)
  3. Calculate the ROI of the prevention of loss to determine effectiveness ​​​​​​​of the investment

This “prescription” is not new, and it’s purely economics. This “recipe” can be used in context of understanding risk aversion of a cyberattack. In the words of ChatGPT, “The ROI (Return on Investment) formula can be adapted to measure the return on investment for risk averted by using the following formula:

“ROI = (Risk without mitigation – Risk with mitigation) / Cost of mitigation”

Furthermore, the OpenAI service explains that “the result of this formula will show the amount of money saved by investing in [information security] risk mitigation, for every dollar spent on mitigating the risk. A positive ROI indicates that the investment in risk mitigation is justified, while a negative ROI suggests that the cost of mitigation is greater than the value of the risk averted.”

To use this formula, quantify the risk without mitigation and the risk with mitigation. This can be done by estimating the potential impact of the risk event and the likelihood of it occurring with and without mitigation measures in place. The cost of mitigation can be calculated by adding up the expenses of implementing the risk mitigation measures.

Calculating the ROI – Without Mitigation

The risk without mitigation is easy to determine – it’s the current state.

For example, imagine you realize that your administrative access to Azure AD, AWS and GCP are respective to their built-in privileged access controls, but the compute and storage services in AWS and GCP do not have those same conditional access policies or multi-factor authentication (MFA).

What would it take for you to react to a breach of access that a privileged access tool would have prevented? This would include costs like:

  • The reactive effort, time and resources to stop the breach (i.e., recover)
  • Analysis of breach, including value of data loss (i.e., root cause analysis)
  • Improvements in UEBA, ZeroTrust, training, etc. (i.e., prevention)
  • Potential legal and regulatory consequences and loss of trust / downward C-SAT (i.e., fallout)

“It’s important to also consider other factors, such as the impact of the risk event on the organization’s reputation, customer satisfaction and employee morale, as well as the potential legal and regulatory consequences of the risk event.” – ChatGPT

All of this would give you the cost of risk without mitigation. Let’s use an easy figure of $100k per incident. Depending on your business or service, the probability of cyberthreats may include ransomware attacks, data theft and disruption of services to perform or abilities to earn revenue. Let’s say that one of each per year – so a total of $300k per year.

Calculating the ROI – With Mitigation

Now, to determine risk with mitigation, you first need to understand cost of mitigation. Let’s use risk to privileged access to assets, whether domain controller, Cloud services, network devices or even documents or file-sharing services that contain intellectual property information. So, you inquire of a vendor, such as CyberArk, regarding their capabilities. They quote you $100k for full suite per year, and a partner, such as ivision, quotes $100k to implement CyberArk to get you started. The total cost may include:

  • License cost (annual)
  • Implementation (one-time)
  • Training (one-time)
  • Operational (annual)

Let’s say the total includes another $50k for training and $50k operations, so $300k total of the cost for year one, but $100k annual from year 2 and onwards.

How would CyberArk Privileged Access services mitigate risk? Let’s assume that the tooling, in this scenario, would prevent data theft and ransomware attack by 99%, but perhaps only 20% of disruption of services. Let’s tally that as:

  • Ransomware attacks – $1k
  • Data theft – $1k
  • Disruption of services: $80k

Putting It All Together

In summary, we have:

  • Risk without mitigation: $300k
  • Risk with mitigation: $82k
  • Cost of mitigation: $300k

Let’s plug our figures into the ROI formula, which now shows:

ROI Year 1 = ($300k – 82k) / $300k

ROI = 73%

If you could foresee this type of return, would you hesitate to invest in stock or endeavor? The percentage of this example ROI shows the effectiveness of moving forward with the risk mitigation strategy just for year 1. The following ROI for years 2 and onwards shows:

ROI Years 2+ = ($300k – $82k) / $150k

ROI Years 2+ = 140%

So, year one risk mitigation demonstrates 73% effectiveness, while years 2 and onward shows the migration of risk (i.e., risk aversion) of the investment to the tune of nearly double the benefit! Again, a no brainer to proceed.

Showing this type of quantification of cyber risk aversion to the overall business or service articulates the request in terms your chief financial officer (CFO) will clearly see as a necessary investment worth funding year to year. And while this scenario showcased financial potentials in simplicity, ivision can help you to realize your true value potentials in information security investments.