Calculating ROI for cybersecurity spending has always been a challenge for security officers, their management and the Board. Seven years ago, Bruce Schneier wrote a very good article about the difficulties and challenges of ROI calculation for data security spending within companies. Nothing has really changed since then; however, both annual spending on cybersecurity and the cost of global cybercrime have significantly increased.

According to PwC’s Global State of Information Security® Survey 2016, organizations increased their data security budgets by 24 percent for 2016. Nevertheless, many security officers still have to justify to their management every extra thousand pounds spent on corporate data security. With the Internet of Things and mobile threats, the number of new cyber risks is constantly growing, and companies have to spend on data security in areas where they have never even thought about cybersecurity before. Traditionally, Europe is more conservative than the US, and many more European security officers are asked to reduce initially proposed cybersecurity budgets by removing some items or replacing them with less expensive substitutes.

Many companies fail to understand how a particular security solution or service can reduce their risks and, most importantly, how it can prevent direct and clearly understandable financial losses. The FUD (Fear, Uncertainty and Doubt) tactic, selected by some vendors, only aggravates the current situation, as management prefers not to think about cybersecurity challenges. Businesses need to make money in order to pay bills and salaries (including the salaries of the cybersecurity team), so they reasonably think about money first. Every pound spent must either bring profit or reduce costs.
Therefore, if you prepare a well-explained financial justification for your cybersecurity budget, using terminology and language that management understands, your chances of getting your data security budget approved without modifications and deductions will at least double.

As an example for this article, let’s take the budget required to protect the front-end of a midsize e-commerce website. To keep things simple, we will not calculate the risks of chained attacks, such as Advanced Persistent Threats (APTs) that nowadays start at vulnerable websites.

We will base our ROI calculations on direct financial loss prevention: if by spending $10 you can prevent a highly probable annual loss of $100, your management will happily allocate the $10. Often, the problem is to prove that you really need $10 (and not just $7 or $8) and that the risk(s) mitigated with the $10 really cause a highly probable $100 direct loss to the organization.

First, we need to calculate an ALE (Annual Loss Expectancy): an expected [approximate] financial loss caused by particular risks and threats (if not properly mitigated). We will use a simplified ALE formula from the official guide to CISSP®-ISSMP®:

ALE = (Number of Incidents per Year) X (Potential Loss per Incident)

In our case, the number of incidents per year can be reasonably set to 12, expecting one serious intrusion attempt via the web front-end per month. We can obviously make it bigger, but don’t forget that we are preparing the budget for management, who will be skeptical if you present them with numbers that look overstated.

Potential financial loss per incident is a bit trickier, as it consists of numerous factors and sub-factors. Cyber threats will now affect Moody’s ratings; however, the impact is very subjective, as it’s almost impossible to predict whether a particular data breach will affect the rating.
The same difficulty applies to reputational losses, stock options drop, and all other high-profile losses related to a data breach.

Therefore, we shall try to take an average cost per breach in our industry from a reputable source. For example, according to a recent study by Kaspersky Lab, the amount of financial loss suffered by SMEs averaged $38,000. In some cases, management may question such a “big” amount; therefore, we will need to take tangible and unavoidable incident costs and present them one by one to management in order to validate the amount. In the case of an e-commerce web front-end, it’s pretty easy to identify at least some of them:

Obvious and easily calculable costs are related to PCI DSS compliance. If, for example, you have PCI merchant level 2, you will be “promoted” to level 1 in case of a data breach, with all the related costs. Costs related to third-party consultants are also simple to calculate: estimating that they will have to spend at least one week investigating the incident, you already have at least $10,000.

For example, TalkTalk [due to the size of the business and the scale of the hack] has lost about £35 million in total following its data security cyber attack in 2015 and, in comparison to that, $38,000 looks very reasonable. An even higher cost per incident comes from the 2015 Information Security Breaches Survey published by the UK government and PwC, where the average cost of a data breach for SMEs is between £75,000 and £310,800 ($112,000 and $466,200 respectively). But let’s come back to our modest $38,000 for our example and use it in our equation:

ALE = (Number of Incidents per Year) X (Potential Loss per Incident)
ALE = 12 X $38,000
ALE = $456,000

This is the amount a company should expect to lose per year if nothing is done to protect its web front-end. Of course, each new incident will aggravate the losses, but here we can omit this point.

The next step is to justify the money you are asking for. The easiest way to do so is to provide your management with the most efficient and effective solutions and products, carefully selected by the price/quality ratio. In order to protect the web front-end (I omit SDLC and all other costs related to secure development, maintenance and compliance) we typically need:

Web Application Firewall – although a WAF cannot protect from sophisticated attacks, it’s a great protection layer against bots and other malicious “noise”, automated attacks and script-kiddies.
