Saturday, May 28, 2022


Quantifying ROI of Cyber security

An investment in cyber security will pay back a business

This is an exclusive interview conducted by the Editor Team of CIO News with Sanket Sarkar, Founder of ZERON, on quantifying the return on investment (ROI) of cyber security.

Suppose management asks the CISO: “Hey, we invested $5000 last month on cyber security measures. What’s the return on that?”

A generic reply is, “We saved 30 attacks out of 40 attacks; we saved five data breaches.”

Well, if you ask me, the answer is pretty good, but it can be cooler. Think if you could answer, “Well, we invested $5000; in return, we saved $30,000 worth of losses.”

That’s where quantification of cyber security to a micro-economics level comes into the picture.

Return on Investment (ROI) is probably the single most important metric when it comes to business. It answers the question, “For every dollar invested, what do I get back?” In profit-generating areas like sales, it’s fairly easy to calculate ROI because it’s just Revenue – Cost = Profit. However, cyber security is a cost center, meaning it doesn’t generate profit for the business, so it’s a bit harder to calculate the ROI, but it’s not impossible.

There are many methodologies, but here I will focus on SLE.

Single Loss Expectancy [SLE] methodology

SLE is the estimate of the amount of damage that an asset will suffer due to a single incident.

Asset categories include people, facilities, equipment, materials, information, activities, and operations.

The following formula is used to calculate the single loss expectancy:

Single Loss Expectancy = Asset Value × Exposure Factor

The exposure factor (EF) is expressed as a percentage of the asset value. If the loss can be limited to one type, the impact on the asset can be determined as the percentage of the asset value lost.

This means that an investment in cyber security will pay back a business. Any time the company suffers some type of security breach, there is a cost associated with it. So, by reducing the rate of occurrence for a specific type of incident, you save the company money. For example, say company “X” suffers seven data breaches a year because of phishing emails, and each costs $13,000 to fix (7 × 13,000 = $91,000 per year). To fix this, you implement a security control that costs you $25,000 but reduces the rate of occurrence by half, saving you $60,000 per year.

Your payback in the first year alone will be $60,000 − $25,000 = $35,000. This is one way a cyber security initiative can have a measurable ROI: look at the annual rate of occurrence, calculate the expected decrease in the rate of occurrence, and subtract the cost of the control. Controls can be technical things like a firewall, but they can also mean hiring additional staff to do training or to respond to and contain situations as they occur.

Some statistics show how cyber security is getting more time in boardrooms. And the thing that matters most to the board members is the “MONEY”.

Image 1

It’s pretty much clear that CISOs should have systems in place that can give them an understanding of the ROI of their investments.
