ROI of Your Cybersecurity Investment
Cybersecurity done right is the absence of events. Measuring the return of the investment in cybersecurity is an inverse of the negative impact of an event versus the resources to prevent it. What is the return on investment for something that doesn’t happen? To do this, you must forecast uncertainty and make some assumptions.
ROI = (Savings from Investment – Cost of Investment) / Cost of Investment * 100%
To calculate a ROI, you must first determine the amount invested. This can vary based on many factors. Managed Detection & Response (MDR) offerings are less expense and more standardized than Managed Security Servics (MSS) solutions. Both offer 24×7 protection from cyber threats using a set of tools and expertise. The cost can range from several thousand dollars on the entry level end to six figures for extremely large or complex IT environments.
Example: Company XYZ makes widgets for the USA and UK military. They invest $4,500 per month work with a company to provide 24/7 cybersecurity services. The time period of the investment is three years. This ROI analysis will disregard the present value of money for simplicity. Thus, the investment if $4,500 * 36 = $162,000.
Breaches affect the people whose personally identifiable information (PII) is lost. That information can be used in identify theft, as part of hacking or for other nefarious purposes. As a result of this, regulators want to shift the impact to the companies.
PCI fines are based on a number of variables, including the amount of cards breached or compromised, business size and length of being out of compliance. Fines can range from $5,000 to $100,000 a month. GDPR fines are also based on data breached. The fines can be up to 4% of the annual revenue or €20 million. Companies that suffer the loss could be responsible for providing credit monitoring for those impacted as well.
Worst-Case Scenario Example: The provider notices an in-properly cloud configuration that would have exposed 10,000 customer records. The fine depends on many factors, but let’s assume $50,000 if the provider did not discover.
The benefits of the perception of security for customers vary based on the industry. Customers might be interested. Knowing their partner is secure can be a competitive advantage. Evidence of this is seen on many site shopping carts. Vendors proudly display that they passed a security standard. The security indicator in the browser also indicates this. Lost business due to the lack of future earnings is difficult to calculate due to uncertainty.
Suffering a breach or hack can tarnish the reputation of a company. This can have an impact on the willingness of other companies to work together.
Worst-Case Scenario Example: After the breach was made known, they lose a deal worth $75,000.
Lost productivity can come into place if the situation involves a company making physical items. Downtime as a result of a hack can be calculated by looking at the inventory that was not made as a result and the cost of starting back up.
Worst-Case Scenario Example: Company XYZ enjoys protection from IoT hacking with their cybersecurity provider. Without it, they might have suffered downtime for 2 hours due to hacking. One study puts the average cost of downtime at $260,000, meaning this outage costs $520,000.
What is the risk if you lose the sold benefit of your trade secrets? Secret formulas, methods of production and other intellectual property are important. Losing intellectual property to competitors or nation-state actors. The value of an asset can be looked at as the result of the investment made.
Worst-Case Scenario Example: Company XYZ has top minds working on their widget design. Without protection from cyber threats, a competitor from a foreign nation steals the secrets. The value of the intellectual property lost can be calculated in a number of ways. One way is to look at the value on annual financial reports. In this example, the value of the IP lost is $200,000.
The amount paid to hackers is a tangible figure in calculating ROI. Having a top-notch cybersecurity program can mitigate this risk. If a company does not pay, the expense of replacing hardware and processes is then the amount in question.
Worst-Case Scenario Example: This company cannot catch a break! Without dedicated cyber protection again phishing, they would get infected with malware. The average ransom paid to decrypt the computers in 2019 is $36,295. The company paid this amount.
Putting it Together
The ROI for this fictitious company from cybersecurity preventing these worst-case scenario attacks is:
($50,000 Data Fines + $75,000 Lost Business + $520,000 Downtime + $200,000 IP Theft + $36,295 Ransomware) – ($162,000 Investment) / ($162,000) * 100%
$881,295 Hyptothetical Loss from Cybersecurity Attacks – $162,000 Investment to Prevent = $719,295 / $162,000 = 4.44 * 100% = 444% ROI of Cybersecurity Investment
A company is unlikely to face each of these losses, but the possibility exists. Change the assumptions in this simple example to get a sense for the value of preventing cybersecurity incidents. Pick a framework, pick a model and start collecting data. Orient your activities to protect this data. Make sure all the stakeholders are aware. To dig deeper into this analysis, there are a number of models to employ.
Factor Analysis Information Risk (FAIR): This model is used to understand the probability for incidents to take place based on inputs.
CMM Model: This model looks at the maturity of controls in order to look at investing time and money to improve.