Free Return on Security Investment Calculator

Did you ever face a situation where you have been told that your security measures are too expensive? Or you find it very difficult to explain to your management what the consequences could be if an incident occurs? Proving that it is worth investing in security is tough, but our Return on Security Investment (ROSI) calculator can help you. It's completely free.

The definition of Return on Security Investment is the following: ROSI = monetary risk mitigation − cost of control. Therefore, a security investment is judged to be profitable, if the risk mitigation effect is greater than the expected costs. (Source: Christian Locher, Methodologies for evaluating information security investments, 2005).

Following that definition, here is how our ROSI calculator performs the Return on Security Investment analysis:

  • Step #1 - it calculates the cost of an incident by taking into account all the relevant costs if an incident occurs and the probability of incident occurrence.
  • Step #2 - it calculates the cost of security measure(s)/control(s), and the level to which the risk of this incident would decrease because of such mitigation.
  • The final result (after Step #2) is the calculation whether the gain (the risk decrease) is higher than the needed investment (security measures/controls).

To learn more about the methodology used in this calculator, read this article: Is it possible to calculate the Return on Security Investment (ROSI)?



Step #1: Calculating the cost of an incident




The security measures you have already implemented that should decrease the likelihood and/or impact of such incidents - e.g. backup, antivirus protection, fire suppression systems, and other measures relevant to this incident.




E.g. databases, software, documents in electronic format, paper documents etc.

E.g. hardware, office space, facilities, furniture, other infrastructure etc.

Select the currency you will be using in this calculation.

The cost of services of suppliers and partners that would occur as a consequence of this incident - technicians, cleaning, PR & marketing, legal, financial etc. These costs might be related to the business unit that is directly influenced by the incident, or related to other business units that are indirectly affected by the incident. If there would be none, just write 0

What equipment or goods or materials would you have to buy because of the damage caused by this incident? If there would be none, just write 0.

E.g. travel expenses, bonuses, paid overtime etc. These costs might be directly related to resolving the incident, or indirectly related - for instance catching up on the backlog of regular work. If there would be none, just write 0.

In case you have legal or contractual requirements for providing products/services at the predefined level, but you wouldn't be able to comply with these because of the incident. If this is irrelevant for you, just write 0.


If there would be none, just write 0 or leave this field blank.

%
The margin equals to net sales minus the cost of goods and services sold.

If your company is not able to provide products/services at the expected level, you may lose part of your revenues. Take into account the lost revenues during the incident (taking into account the length of negative impacts), together with the lifetime revenues you would lose from clients that would leave you as a consequence of this incident. If this is not relevant for you, just write 0.

Because of the direct negative impacts of the incident and because your management and employees would be focused on resolving the incident, you probably wouldn't acquire new clients like as usual. Calculate the lifetime revenues you would have earned from such clients. If this is irrelevant for you, just write 0.

Amount you would have received from insurance company because you have insured your assets that were impacted by the incident. If there would be none, just write 0.

(To be calculated automatically - in your currency). SLE = Cost of external services + Cost of purchasing + Employee costs + Penalties + Other costs - Insurance claims + (Lost revenues from existing clients + Lost revenues from potential clients) * Average margin

Take into account the threats and vulnerabilities, as well as existing security measures.

(To be calculated automatically - in your currency.) ALE = SLE * likelihood (how often could such an incident occur).
   
   
Step #2: Calculating the costs and benefits of protection
If the annual costs of security measures (costs of protection) are less than Annualized Loss Expectancy (ALE), then these security measures will be profitable. And vice versa.

Describe only one security measure (control), or a set of security measures that would be used to mitigate the negative effects of an incident from Step #1.

After applying this/these security measure(s), how often could such an incident occur?

%
How much would this/these security measure(s) decrease the Total cost of single incident (i.e. SLE)? The security measure(s) might be able to shorten the reaction time for resolving the incident, shorten the duration of an incident, decrease the number of locations or business units or processes that would be affected, decrease the amount of data that would be compromised, decrease the number of physical assets that would be affected, or decrease the extent of damage to those assets. If there would be none, just write 0.

E.g. the value of hardware and other equipment, software, consulting services, support services during implementation, etc. Make sure you also take into account the traveling costs, training costs and other costs of your employees working on implementation of such security measures.

How many years would such measures be in effective operation before becoming obsolete or for any other reason unusable?

What would be the sales value of security measure(s) after their period of usage? E.g. if there is equipment that could be sold after it was used, what would be the realistic market value for such equipment?

All the costs (on an annual basis) of suppliers and partners needed for normal operation of security measure(s) - e.g. maintenance, audits, analysis, consulting, periodic training, testing, lease, infrastructure costs, etc.

On an annual basis, number of man-days of employees needed for the operation of the security measure(s). The employees that will be needed to operate, maintain, analyze, test, improve and supervise such security measure(s); also take into account the time needed for regular trainings of such employees.

Total costs for one average employee - gross salary, benefits, other costs. On per year basis.

Total number of available working days (for any kind of business activity) for one average employee during one year. You need to take into account weekends, holidays, leaves of absence etc., and deduct these from 365.


If there would be none, just write 0 or leave the field blank.

(To be calculated automatically - in your currency.)
 
 
Conclusion
The investment in this/these security measure(s) is profitable if the last field below (ROSI) is positive.

If it is negative, then the security measure(s) are not profitable.

(To be calculated automatically - in your currency.) The value of Single Loss Expectancy (SLE) when the effects of security measure(s) are taken into account. SLE (with security measures applied) = SLE (initial, with no security measures) * (100 - % of reduction of SLE)

(To be calculated automatically - in your currency.) The value of Annual Loss Expectancy (ALE) with the effects of security measure(s) taken into account. ALE = SLE (with security measures applied) * Incident frequency (with security measures applied)

(To be calculated automatically - in your currency.) The amount of reduction of one year risk exposure (ALE) as a consequence of applying the security measure(s). Risk reduction = ALE (initial, with no security measures) - ALE (with security measures applied)

(To be calculated automatically - in your currency.) This is the value of annual profit created when investing in security measures. ROSI = monetary risk reduction − annual cost of protection

%
(To be calculated automatically - in your currency.) This is the profit displayed as percentage of security measure(s) cost. ROSI (percentage) = ROSI (absolute amount) / annual cost of protection * 100%

The data from this form will be sent to this email address when you click the "Send" button.