The traditional method for calculating standard Return on Investment (RoI) is that it equals the gain minus the cost, divided by the cost. The higher the resulting value, the greater the RoI. The difficulty in calculating a return on security investment (RoSI), however, is that security tends not to increase profits (gain), but to decrease loss – meaning that the amount of loss avoided rather than the amount of gain achieved is the important element.
Following the standard RoI approach, RoSI can be calculated by the sum of the loss reduction minus the cost of the solution, divided by the cost of the solution. In short, a high result is better for RoI, and a low result is better for RoSI.
This is where it gets difficult: how do you measure the ‘loss reduction’? To a large extent it is based on guesswork and surveys. Bruce Schneier in The Data Imperative concluded, “Depending on how you answer those two questions, and any answer is really just a guess — you can justify spending anywhere from $10 to $100,000 annually to mitigate that risk.”
What we find as a practical outcome of delivering our SIEM-as-a-service offering (SIEM Simplified) is that many customers value the anecdotes and statistics that are provided in the daily reports and monthly reviews to demonstrate RoSI to management. Things such as how many attacks were repulsed by the firewalls, how many incidents were addressed by criticality, anecdotal evidence of an attack disrupted or misconfiguration detected. We publish some of these anonymously as Catch of the Day.
It’s a practical way to demonstrate RoSI which is easier to understand and does not involve any guesses.