What is Return on Security Investment (ROSI) Anyway?


ROSI, or Return On Security Investment, is simply a way to calculate whether a security control is worth implementing. For a control to be financially viable, the reduction in risk has to be greater than the cost of implementing the security control.

In a very simplistic way, to calculate ROSI you estimate the monetary risk of a specific incident and subtract the cost of implementing a security control that mitigates that risk. A positive value shows a return on the investment and the value of the security control. A negative value indicates that the control is not worth implementing from a cost-benefit perspective.

ROSI = Reduction in Risk – Cost of Security Control

  • ROSI Calculators – There are a number of online resources and calculators for measuring ROSI, and you can select one that you like. Searching for “ROSI Calculator” on the Internet will give you a number of links.
  • Simplicity – Find a calculator that is simple, as ROSI calculations can become very complicated depending on how granular you want to go. I prefer simplicity, at least in the initial phases.
  • ISACA published ROSI calculation guidelines – These guidelines are available online and are a good reference to start with. They are published as guideline number G41 on the ISACA web site.
  • ROSI and Risk Calculations – ROSI is tied to quantitative risk assessment. If your organization is not mature enough to perform quantitative risk calculations, calculating ROSI may be tricky, but not impossible.
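The formula above, worked through as a small calculator. This is an added example, not code from the post; it assumes the usual quantitative risk inputs (single loss expectancy multiplied by annualised rate of occurrence gives annual loss expectancy) and uses constructed sample figures for one incident and three candidate controls.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    """One incident scenario, quantified as SLE x ARO = ALE (assumed method)."""
    name: str
    sle: float  # single loss expectancy: cost of one occurrence
    aro: float  # annualised rate of occurrence: expected incidents per year

    def ale(self) -> float:
        """Annualised loss expectancy before any control is applied."""
        return self.sle * self.aro


@dataclass
class Control:
    """A candidate security control and its assumed effect on the scenario."""
    name: str
    annual_cost: float  # licence plus operating cost, per year
    mitigation: float   # fraction of the ALE the control removes, 0.0 to 1.0


def risk_reduction(scenario: Scenario, control: Control) -> float:
    """Monetary risk removed per year by applying the control."""
    if not 0.0 <= control.mitigation <= 1.0:
        raise ValueError("mitigation must be a fraction between 0 and 1")
    return scenario.ale() * control.mitigation


def rosi(scenario: Scenario, control: Control) -> float:
    """ROSI as the post defines it: reduction in risk minus cost of the control."""
    return risk_reduction(scenario, control) - control.annual_cost


def rank_controls(scenario: Scenario, controls: list) -> list:
    """Sort candidates by ROSI, best first; a negative value fails the cost-benefit test."""
    scored = [(c.name, rosi(scenario, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample figures (assumptions for illustration, not from the post).
PHISHING = Scenario("credential phishing leading to account takeover", sle=40_000.0, aro=2.0)
CANDIDATES = [
    Control("phishing-resistant MFA", annual_cost=30_000.0, mitigation=0.90),
    Control("awareness training only", annual_cost=12_000.0, mitigation=0.25),
    Control("outsourced 24x7 SOC", annual_cost=90_000.0, mitigation=0.60),
]

if __name__ == "__main__":
    for name, value in rank_controls(PHISHING, CANDIDATES):
        verdict = "worth it" if value > 0 else "not worth it"
        print(f"{name:26s} ROSI = {value:>10,.0f}  ({verdict})")
```

With these figures the ALE is 80,000 per year, so MFA returns 42,000, training 8,000 and the SOC comes out at -42,000; the ranking changes as soon as the assumed mitigation fractions or costs do, which is why the inputs should be rationalized before sharing them.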

Measuring ROSI is a time-consuming task and should not be done for everything. Here are a few things to consider:

  • Selective Use – ROSI should be used only for major investments in information security. Avoid excessive use of ROSI calculators to save time.
  • Business Justification Tool – ROSI provides business justification for information security projects. Use it in project plans; it lends credibility to investments in information security.
  • Rationalize the calculations and share data with your executive team.

Your feedback is very important to me. Please share your thoughts on my Twitter handle at @rafeeq_rehman


About Rafeeq Rehman

Consultant, Author, Researcher.
