Return on Security Investment (ROSI)
Executives and decision makers in big organisations bring cyber risks as an essential topic on their agendas to know how well cyber risk is being managed in their organizations and what exactly is needed, in terms of cyber investments. However, convincing a board to invest in cybersecurity is challenging as such investments are costs and cannot be directly mapped to profit. Unfortunately, cyber investments are often the target of financial cuts because they do not result in direct revenue impact. Usually, the costs of cyber investments are compared to the expected benefits. Whenever a security investment decision needs to be made, decision makers do that based on the potential financial loss against digital assets, according to risks and remediation actions prioritisation.
Generally speaking, a cyber risk is a type of operational risk, which means the potential for business losses including; financial, reputational, operational, regulator, etc. In big organisations; it is an established business practice to prioritise investment decisions based on Return on Investment (ROI) calculations and prioritisation of cyber investments requires extending the concept of ROI to Return on Security Investment (ROSI).
Do you prioritise your cyber risks based on accurate estimates of ROSI and the cost of security breaches or do you rely on the experience of cyber experts?