ROSI, or Return On Security Investment, is simply a way to calculate whether a security control is worth implementing or not. For a control to be financially viable, the reduction in risk has to be greater than the cost of implementing the security control.
In its simplest form, to calculate ROSI you estimate the monetary risk of a specific incident, work out how much of that risk the control removes, and subtract the cost of implementing the control. A positive value shows a return and justifies the control. A negative value indicates that the control is not worth implementing from a cost-benefit perspective.
ROSI = Reduction in Risk – Cost of Security Control
- ROSI Calculators – There are a number of online resources and calculators for measuring ROSI, and you can select one that you like. Searching for “ROSI Calculator” on the Internet will give you a number of links.
- Simplicity – Find a calculator that is simple, as ROSI calculations can become very complicated depending on how granular you want to go. I prefer simplicity, at least in the initial phases.
- ISACA published ROSI calculation guidelines – These guidelines are available online and can be a good reference to start with. They are published under guideline number G41 on the ISACA web site.
- ROSI and Risk Calculations – ROSI is tied to quantitative risk assessment. If your organization is not mature enough to perform quantitative risk calculations, calculating ROSI may be tricky, but not impossible.
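A worked example of the formula above, added here and not part of the original article: it expresses the risk of one incident as Annualized Loss Expectancy (ALE = single loss expectancy × annual rate of occurrence, the usual quantitative risk-assessment convention, assumed here rather than taken from the page), applies ROSI = Reduction in Risk – Cost of Security Control to several candidate controls, and keeps only those with a positive return. All scenario and control figures are constructed sample values.

```python
# Added example: quantitative ROSI using ROSI = Reduction in Risk - Cost of Control.
# Assumption: risk = ALE = SLE x ARO (annualized loss expectancy); all numbers below
# are constructed for illustration, not real loss data.
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    sle: float            # single loss expectancy: loss per incident, currency units
    aro: float            # annual rate of occurrence before any new control


@dataclass
class Control:
    name: str
    annual_cost: float    # licence, staff time and maintenance per year
    aro_reduction: float  # fraction of incidents the control prevents (0.0 - 1.0)
    sle_reduction: float = 0.0  # fraction of per-incident loss it avoids (0.0 - 1.0)


def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy for one incident type."""
    return sle * aro


def rosi(scenario: Scenario, control: Control) -> float:
    """Reduction in risk (ALE before - ALE after) minus the control's annual cost."""
    before = ale(scenario.sle, scenario.aro)
    after = ale(scenario.sle * (1 - control.sle_reduction),
                scenario.aro * (1 - control.aro_reduction))
    return (before - after) - control.annual_cost


def viable_controls(scenario: Scenario, controls: list) -> list:
    """Names and ROSI of controls with a positive return, best first."""
    scored = [(c.name, rosi(scenario, c)) for c in controls]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: -s[1])


# Constructed sample: one ransomware incident on file servers costs 200k,
# expected once every two years (ARO 0.5), so ALE before controls is 100k.
RANSOMWARE = Scenario("ransomware on file servers", sle=200_000, aro=0.5)
CANDIDATES = [
    Control("offline backups", annual_cost=30_000, aro_reduction=0.0, sle_reduction=0.6),
    Control("EDR on all endpoints", annual_cost=80_000, aro_reduction=0.7),
    Control("enterprise DLP suite", annual_cost=150_000, aro_reduction=0.3),
]

if __name__ == "__main__":
    for name, value in viable_controls(RANSOMWARE, CANDIDATES):
        print(f"{name}: ROSI = {value:,.0f}")
```

In this constructed case only the backups pay for themselves; EDR cuts the most risk (70k) but its 80k annual cost leaves a negative ROSI, which is exactly the comparison the formula is meant to surface.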
Measuring ROSI is a time-consuming task and should not be used all the time. Here are a few things to consider:
- Selective Use – ROSI should be used only for major investments in information security. Avoid excessive use of ROSI calculators to save time.
- Business Justification Tool – ROSI provides business justification for information security projects. Use it in project plans; it lends credibility to investments in information security.
- Rationalize the calculations and share data with your executive team.