Return on Security Investment (ROSI)

Return on Security Investment (ROSI) is a metric that quantifies the expected net value of an IT security investment. ROSI is a popular IT management metric in budgeting IT security investments and corporate IT budgets. In the case of cybersecurity, Return on Security Investment is focused on risk avoidance and mitigating the negative impact of security-related breaches. Hence, Return on Security Investment focuses on measuring the value of the risk avoided.

With a ROSI approach, security breach costs are both tangible and intangible. Tangible costs include lost revenue, mitigation costs, and legal expenses. Intangible costs include brand reputation, customer satisfaction, and, indirectly, company valuations. Since cybersecurity solutions are never guaranteed, Return on Security Investment also measures the reduction in likelihood that a security incident will occur if the investment is made. While the ROSI basic formula is relatively constant, there are many permutations of ROSI formulas. An IT organization should include factors that are important to key internal stakeholders and factors that drive corporate business objectives. An excellent place to start learning more about Return on Security Investment is this SANS white paper on quantifying risk measurement.

Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels, across many industries and from around the world.