Calculating Return on Security Investment (ROSI) - Essay Sample

Paper Type:  Essay
Pages:  2
Wordcount:  542 Words
Date:  2023-02-13

Introduction

All organizations, whether private or public, have to justify their budget investments by assessing and evaluating their effectiveness. In finance, this evaluation is referred to as return on security investment (ROSI). ROSI is calculated as:


ROSI = (Gain from investment - Cost of investment) / Cost of investment

All investments must apply the ROSI concept, including investments in security. In security, the ROSI calculation gives quantitative answers to essential financial questions. It combines the cost of implementing security with a quantitative risk assessment. The results are used to compare the annual loss expectancy with the expected loss savings. The ROSI calculation is based on three variables: the solution cost, the risk mitigation estimate, and the estimated potential loss.

ROSI is also used to evaluate cybersecurity technologies. Decision-makers use ROSI to evaluate the impact of security on the bottom line. ROSI also helps determine how much should be spent on security, how much a lack of security costs the business, and which security solutions are cost-effective (European Network and Information Security Agency, 2012). The cost of the protection should not exceed the benefit gained. To evaluate cybersecurity technologies, the ROSI calculation combines the implementation of security countermeasures with a quantitative risk assessment.

ROSI has several limitations, because estimating the money saved from avoided losses is a difficult task. In reality, applying more than straightforward formulas can help solve the issue. The first limitation is estimation itself. The rate of occurrence and the cost of cybersecurity incidents cannot be readily estimated, so the numbers vary from one environment to another. Because of these approximations and estimations, the view of the risk becomes biased, and the ROSI calculation is therefore easy to manipulate (European Network and Information Security Agency, 2012). It is essential to use accurate data in the ROSI calculation. However, actual data on security incidents cannot be obtained, since most companies fail to give actual data concerning security incidents.
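An added worked example, not part of the original essay: it computes ROSI from the three variables named above, taking the gain as annual loss expectancy times the mitigation ratio (the form used in the cited ENISA report), and shows how low and high bounds on the estimates move the result. All figures and function names are constructed for illustration.

```python
from itertools import product


def rosi(sle, aro, mitigation_ratio, solution_cost):
    """ROSI = (gain - cost) / cost, with gain = ALE * mitigation_ratio.

    ALE (annual loss expectancy) = SLE (loss per incident) * ARO (incidents/year).
    Assumption: gain is modelled as the share of ALE the solution removes.
    """
    if solution_cost <= 0:
        raise ValueError("solution_cost must be positive")
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation_ratio must be within [0, 1]")
    if sle < 0 or aro < 0:
        raise ValueError("sle and aro must be non-negative")
    gain = sle * aro * mitigation_ratio
    return (gain - solution_cost) / solution_cost


def rosi_range(sle_bounds, aro_bounds, mitigation_bounds, solution_cost):
    """Return (lowest, highest) ROSI over the low/high bounds of each estimate.

    ROSI rises with each input, so checking the corners is sufficient.
    """
    corners = product(sle_bounds, aro_bounds, mitigation_bounds)
    values = [rosi(s, a, m, solution_cost) for s, a, m in corners]
    return min(values), max(values)


def break_even_mitigation(sle, aro, solution_cost):
    """Mitigation ratio at which the gain equals the cost (ROSI = 0)."""
    return solution_cost / (sle * aro)


if __name__ == "__main__":
    cost = 30_000  # constructed annual solution cost
    # Constructed point estimates: 20,000 per incident, 4 incidents a year, 75% mitigated.
    print(f"point estimate ROSI: {rosi(20_000, 4, 0.75, cost):.0%}")
    # Constructed low/high bounds for the same three estimates.
    low, high = rosi_range((10_000, 30_000), (2, 6), (0.5, 0.9), cost)
    print(f"ROSI range: {low:.0%} to {high:.0%}")
    print(f"break-even mitigation ratio: {break_even_mitigation(20_000, 4, cost):.3f}")
```

With these constructed inputs the point estimate is 100%, while the bounds give a range from about -67% to 440%, so the same investment can look like a loss or a large gain depending on which estimates are chosen.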

Lastly, according to a model by Loeb and Gordon, assets that have high value are not supposed to benefit from high investments to protect them. The model shows that the ROSI calculation is just an approximation, and its results should be handled carefully. Therefore, organizations and companies should use the results as guidelines instead of as strict rules to be followed (European Network and Information Security Agency, 2012). The ROSI calculation is, therefore, inaccurate.

The ROSI calculation is a critical evaluation of the cost-effectiveness of the solutions used to manage cybersecurity. Both private and public organizations have integrated ROSI into their security decisions and have used it to evaluate security costs. It is, however, not effective because of its limitations. These limitations arise because ROSI relies on approximations and estimations, and hence on inaccurate data, which in turn gives incorrect results.

Reference

European Network and Information Security Agency. (2012). Introduction to Return on Security Investment: Helping CERTs assessing the cost of (lack of) security. Heraklion, Crete, Greece: Author. Retrieved from https://www.enisa.europa.eu/activities/cert/other-work/introduction-to-return-on-security-investment/at_download/fullReport

Cite this page

Calculating Return on Security Investment (ROSI) - Essay Sample. (2023, Feb 13). Retrieved from https://proessays.net/essays/calculating-return-on-security-investment-rosi-essay-sample
