Commentary: Calculating ROI for cybersecurity spending has always been a challenge for security officers, their management and the board.

According to PwC’s Global State of Information Security® Survey 2016, organizations have increased their data security budgets by 24 percent for 2016. Nevertheless, many security officers still have to justify to their management every extra amount spent on data security.

With the Internet of Things and mobile threats, the number of new cyber risks is constantly growing, and companies have to spend on data security in areas where they previously never considered cybersecurity at all.

Many companies fail to understand how a particular security solution or service can reduce their risks, and most importantly, how it can prevent direct and clearly understandable financial losses. The FUD (Fear, Uncertainty and Doubt) tactic, selected by some vendors, only aggravates the current situation, as management prefers not to think about cybersecurity challenges.

Organizations need to make money in order to pay bills and salaries (including the salaries of the cybersecurity team), so they reasonably think about money first. Every dollar spent must either bring profit or reduce costs. Therefore, if you prepare a well-explained financial justification for your cybersecurity budget, using terminology and language understandable by management, your chances of getting your data security budget approved without modifications and deductions will increase.

As an example for this article, let's take the budget required to protect the front end of a midsize e-commerce website. To keep things simple, we will not calculate the risks of chained attacks, such as Advanced Persistent Threats (APTs).

We will base our ROI calculations on direct financial loss prevention: if by spending $10 you can prevent a highly probable annual loss of $100, your management will happily allocate the $10. Often, the problem is to prove that you really need $10 (and not just $7 or $8) and that the risk(s) mitigated with the $10 will really cause a highly probable $100 direct loss to the organization.

First, we need to calculate the annual loss expectancy (ALE): the approximate financial loss to expect each year from particular risks and threats that are not properly mitigated. We will use the simplified ALE formula from the official guide to CISSP-ISSMP, where the number of incidents per year is the annualized rate of occurrence and the potential loss per incident is the single loss expectancy.

ALE = (Number of Incidents per Year) X (Potential Loss per Incident)

In this hypothetical case, the number of incidents per year can reasonably be set to 12, expecting one serious intrusion via the web front end per month. Note that the formula counts incidents that actually cause a loss, not attempts that are blocked, so each of the 12 is assumed to succeed. We could obviously make the number bigger, but don't forget that we are preparing the budget for management, who will be skeptical if they are presented with numbers that look overstated.

Potential financial loss per incident is trickier, because it consists of numerous factors and sub-factors. Cyber threats now affect Moody's ratings, including those of healthcare organizations; however, that impact is very subjective, because it is almost impossible to predict whether a particular data breach will affect the rating. The same difficulty applies to reputational losses and all other high-profile losses related to a data breach.

Therefore, we shall try to take an average cost per breach from a reputable source. Losses from big breaches in healthcare can run into millions of dollars, and in some cases management may question such a "big" amount. As a result, CISOs need to take the tangible and unavoidable incident costs and present them one by one to management to validate the amount.

In this example of a small to medium-sized e-commerce business with a web front end, it's fairly simple to identify at least some of the costs, leading to an estimate of $38,000 per incident:

* Cost of customer database and other sensitive information theft and exposure

* Cost of e-commerce portal unavailability during forensics and recovery

* Cost of third-party experts allocated to investigate and remediate the breach

* Cost of legal and compliance fines.

In this example, the obvious and easily calculable costs are those related to PCI DSS compliance. If, for example, you are a PCI merchant Level 2, a data breach can get you reclassified as Level 1, with all the related validation costs. Costs for third-party consultants are also simple to calculate: estimate that they will need at least one week to investigate the incident, for which an organization would pay at least $10,000. But let's come back to our modest $38,000 and use it in our equation:

ALE = (Number of Incidents per Year) X (Potential Loss per Incident)
ALE = 12 X $38,000
ALE = $456,000

This is the amount a company should expect to lose per year if nothing is done to protect its web front-end. Of course, each new incident will aggravate the losses.

The next step is to justify the money you are asking for. The easiest way is to present management with the most efficient and effective solutions and products, carefully selected by price/quality ratio. In this example, to protect the web front end (omitting SDLC and all other costs related to secure development, maintenance and compliance), we typically need:

* Web Application Firewall. A WAF will not stop a skilled, targeted attacker, but it is a valuable protection layer against bots and other malicious "noise," automated attacks and script kiddies.

* Continuous vulnerability scanning and security monitoring. What is secure today may become vulnerable tonight (a newly published flaw in a component, a configuration change), and an annual penetration test will not catch it in time. Continuous security monitoring is therefore essential.

* Regular manual or hybrid assessments involving third-party experts. A good example is the critical RCE in Zen Cart recently found by High-Tech Bridge in the latest version of this popular e-commerce platform; the vulnerability affects only the latest version and no automated scanner had detected it before it was discovered.

Estimating that these three items together will cost $40,000 per year, we can come back to our equation and calculate ROI. We will take the ROI formula from the official guide to CISSP-ISSMP:

ROI = (ALE / Cost of Countermeasures) X 100%
ROI = ($456,000 / $40,000) X 100%
ROI = 1140%
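As an added example (not code from the original column), here is the arithmetic above carried a step further in Python: the article's ALE and ROI formulas, plus a return-on-security-investment (ROSI) variant that credits each layer only with the share of loss it prevents, and a break-even incident rate, which is the figure to bring when management asks why $40,000 rather than $30,000. The split of the $40,000 across the three controls and the mitigation ratios are assumptions for illustration, not measured values.

```python
"""Security-budget arithmetic for the e-commerce front-end example.

Added example, not code from the original column. ale() and roi_article()
implement the two formulas the article quotes from the CISSP-ISSMP guide;
combined_mitigation(), rosi() and break_even_incidents() are the standard
return-on-security-investment extension, and every mitigation ratio and
per-control cost below is an assumed figure for illustration.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    # Assumed share (0..1) of the loss this control would prevent on its own.
    mitigation_ratio: float


def ale(incidents_per_year: float, loss_per_incident: float) -> float:
    """Annual loss expectancy: incidents per year x loss per incident."""
    return incidents_per_year * loss_per_incident


def roi_article(ale_value: float, countermeasure_cost: float) -> float:
    """The article's ROI in percent: ALE / cost x 100.

    Note what it assumes: the spend removes the entire ALE, and the spend
    itself is not subtracted from the benefit.
    """
    return ale_value / countermeasure_cost * 100.0


def combined_mitigation(controls: Iterable[Countermeasure]) -> float:
    """Share of loss prevented by the layers together.

    Each layer only removes its share of what the earlier layers let
    through, so the ratios multiply as residual risk rather than adding.
    """
    residual = 1.0
    for control in controls:
        residual *= 1.0 - control.mitigation_ratio
    return 1.0 - residual


def rosi(ale_value: float, controls: Iterable[Countermeasure]) -> float:
    """Return on security investment in percent:
    (ALE x mitigation ratio - cost) / cost x 100."""
    controls = list(controls)
    cost = sum(c.annual_cost for c in controls)
    avoided_loss = ale_value * combined_mitigation(controls)
    return (avoided_loss - cost) / cost * 100.0


def break_even_incidents(loss_per_incident: float,
                         controls: Iterable[Countermeasure]) -> float:
    """Incidents per year at which the control set exactly pays for itself.

    Answers the 'why $10 and not $7' question from the other side: below
    this rate the budget is a net cost, above it every incident avoided
    is net saving.
    """
    controls = list(controls)
    cost = sum(c.annual_cost for c in controls)
    return cost / (loss_per_incident * combined_mitigation(controls))


# The article's inputs; the split of the $40,000 and the ratios are assumed.
INCIDENTS_PER_YEAR = 12
LOSS_PER_INCIDENT = 38_000
CONTROLS = (
    Countermeasure("Web application firewall", 15_000, 0.50),
    Countermeasure("Continuous scanning and monitoring", 15_000, 0.30),
    Countermeasure("Regular manual / hybrid assessments", 10_000, 0.40),
)


if __name__ == "__main__":
    total_cost = sum(c.annual_cost for c in CONTROLS)
    expected_loss = ale(INCIDENTS_PER_YEAR, LOSS_PER_INCIDENT)
    print(f"ALE:                 ${expected_loss:,.0f}")
    print(f"Article ROI:         {roi_article(expected_loss, total_cost):,.0f}%")
    print(f"Combined mitigation: {combined_mitigation(CONTROLS):.0%}")
    print(f"ROSI:                {rosi(expected_loss, CONTROLS):,.1f}%")
    print(f"Break-even rate:     "
          f"{break_even_incidents(LOSS_PER_INCIDENT, CONTROLS):.2f} incidents/year")
```

With these assumed ratios the three layers together prevent 79 percent of the loss, the ROSI is roughly 800 percent, and the spend pays for itself once more than about 1.3 loss-causing incidents per year are expected. That last number is usually the most persuasive one in the room, because it is far below the 12 the budget assumes, and it survives even if management argues the incident rate down.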

Such a huge ROI is of course a rough figure: the formula assumes the countermeasures eliminate the entire ALE, and it does not net out the spend itself. If management wants a more conservative number, the return on security investment (ROSI) variant, (ALE x mitigation ratio - cost of countermeasures) / cost of countermeasures, credits the controls only with the share of loss they actually prevent; even at a 50 percent mitigation ratio the example still returns 470 percent. Either way, a figure like this will convince your management better than a long story about the dangers of a data breach.

Robert Metcalf, a cybersecurity expert at PwC Switzerland, says, "Cybersecurity is about risk management and loss prevention, not just earnings, and so any investment in security needs to demonstrate to the business that it is focused on defending what is of most value to the organization, its ‘crown jewels.’ How these key assets are being targeted by threat actors can strongly indicate where you must invest the most and where your business reputation is also at stake."

If you speak with management about money, speak their language, and you will definitely get what you need.

Ilia Kolochenko is CEO of High-Tech Bridge, which offers security services and solutions. A version of this column previously appeared in Information Management, a sister publication to Health Data Management.
