Calculator panels (interactive content not reproduced): Risk Scenarios (Annual Loss Expectancy (ALE) = likelihood x impact); Security Controls (select to model); Risk Reduction by Control; Residual vs Reduced Annual Loss by Scenario.
Data Sources & Methodology
Breach Costs
- IBM Cost of a Data Breach Report 2025 — Global avg $4.44M; US avg $10.22M; ransomware $5.08M; phishing $4.80M
- Sophos State of Ransomware 2025 — Recovery cost $1.53M excl. ransom; median ransom $1.0M
- Ponemon/DTEX Insider Risk 2025 — Malicious insider $715K per incident
- MazeBolt DDoS Report 2025 — Avg damaging DDoS ~$500K
Probabilities
- Hiscox Cyber Readiness 2025 — 59% of orgs hit by cyber attack in past 12 months
- Verizon DBIR 2025 — 44% of breaches involve ransomware; 30% involve third parties
- Cloudflare 2025 — 20.5M DDoS attacks blocked in Q1 2025
Control Effectiveness
- Microsoft Research — MFA blocks 99.22% of account compromise
- IBM 2025 — Zero Trust saves $1.5M per breach; IR plans save $1.49M; AI/SIEM cuts lifecycle by 80 days
- Ponemon/KnowBe4 — Training reduces phishing clicks 54% in 6 months, up to 86% in 1 year
- Gartner — CSPM addresses 99% of cloud security failures
Industry Modifiers
- IBM 2025 — Healthcare 1.67x ($7.42M); Financial 1.25x ($5.56M); Tech 1.08x ($4.79M); Retail ~1.10x
Methodology
- Risk model uses Annualised Loss Expectancy: ALE = probability x single-loss expectancy
- Multiple controls use diminishing returns: residual = product of (1 - effectiveness) per control
- Costs and impacts scale with annual turnover using non-linear multipliers
- All figures are estimates for decision support — not actuarial precision
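The model described in the Methodology bullets, carried through as an added Python example (this is not the calculator's own code). It applies ALE = probability x single-loss expectancy, stacks controls multiplicatively so that residual = product of (1 - effectiveness) per control, and applies the IBM 2025 industry multipliers listed above. The scenario probabilities, control effectiveness values and control costs are constructed sample inputs; the $5.08M and $4.80M single-loss figures are the page's IBM ransomware and phishing breach costs. The turnover-based non-linear multipliers are not specified on the page and are left out. An additive stacking function is included only to show why the multiplicative form is preferred.

```python
"""Worked example of the calculator's risk model (added illustration, not
the calculator's own code). ALE = probability x single-loss expectancy;
residual after controls = ALE x product of (1 - effectiveness)."""
from dataclasses import dataclass

# Industry multipliers taken from the page's IBM 2025 figures (global avg = 1.0x).
INDUSTRY_MULTIPLIER = {
    "global": 1.00, "healthcare": 1.67, "financial": 1.25, "tech": 1.08, "retail": 1.10,
}


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float   # annual probability the event occurs (0..1)
    single_loss: float   # single-loss expectancy in USD


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # annualised total cost of ownership in USD
    effectiveness: dict  # scenario name -> fraction of that loss prevented (0..1)


# Constructed sample inputs. Single-loss figures are the page's IBM 2025 costs;
# the probabilities are assumed for illustration only.
SCENARIOS = [
    Scenario("ransomware", probability=0.10, single_loss=5_080_000),
    Scenario("phishing", probability=0.20, single_loss=4_800_000),
]
# Constructed controls; effectiveness and cost values are assumptions.
CONTROLS = [
    Control("offline backups", 60_000, {"ransomware": 0.6}),
    Control("EDR", 120_000, {"ransomware": 0.5}),
    Control("MFA", 40_000, {"phishing": 0.8}),
    Control("awareness training", 25_000, {"phishing": 0.5}),
]


def ale(scenario, industry="global"):
    """Annualised Loss Expectancy with the industry modifier applied to impact."""
    return scenario.probability * scenario.single_loss * INDUSTRY_MULTIPLIER[industry]


def residual_factor(controls, scenario_name):
    """Multiplicative stacking: each control removes its share of the loss that
    reaches it, so two 50% controls leave 25% of the loss, never 0%."""
    factor = 1.0
    for c in controls:
        factor *= 1.0 - c.effectiveness.get(scenario_name, 0.0)
    return factor


def additive_factor(controls, scenario_name):
    """Naive additive stacking, for comparison only: it double-counts overlapping
    controls and can claim more than 100% reduction, which is clamped to zero."""
    total = sum(c.effectiveness.get(scenario_name, 0.0) for c in controls)
    return max(0.0, 1.0 - total)


def model(scenarios, controls, industry="global"):
    """Per scenario: baseline ALE, residual ALE after controls, and the reduction."""
    rows = {}
    for s in scenarios:
        base = ale(s, industry)
        resid = base * residual_factor(controls, s.name)
        rows[s.name] = {"baseline": base, "residual": resid, "reduced": base - resid}
    return rows


def portfolio_summary(scenarios, controls, industry="global"):
    """Total annual loss avoided versus total annualised control cost."""
    rows = model(scenarios, controls, industry)
    reduction = sum(r["reduced"] for r in rows.values())
    cost = sum(c.annual_cost for c in controls)
    return {"total_reduction": reduction, "total_cost": cost, "net_benefit": reduction - cost}


if __name__ == "__main__":
    for industry in ("global", "healthcare"):
        print(f"--- {industry} ---")
        for name, r in model(SCENARIOS, CONTROLS, industry).items():
            print(f"{name:<12} baseline ${r['baseline']:>12,.0f}  "
                  f"residual ${r['residual']:>12,.0f}  reduced ${r['reduced']:>12,.0f}")
        print(portfolio_summary(SCENARIOS, CONTROLS, industry))
```

Note that for the phishing scenario the additive form claims 130% reduction (0.8 + 0.5) and clamps to zero residual, while the multiplicative form leaves 10% of the baseline loss; that gap is the "diminishing returns" the methodology refers to.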
Caveats & Assumptions
- Simplified model: This calculator provides directional estimates for decision support — it is not actuarial-grade risk quantification.
- Independent scenarios: Risk scenarios are modelled independently. In practice, events can be correlated (e.g., a phishing attack leading to ransomware). Compound events are not considered.
- Diminishing returns: Multiple controls targeting the same scenario use a multiplicative model (residual = product of (1 − effectiveness)), which is more realistic than additive but still an approximation.
- Annualised costs: Control costs represent annualised total cost of ownership, blending setup and ongoing costs. In practice, some controls (e.g., Zero Trust, SIEM) have significant year-1 implementation costs that reduce in subsequent years. Use the "Customise $" feature to input actual vendor quotes.
- Static probabilities: Threat probabilities are based on industry surveys and remain fixed regardless of organisation size. In reality, larger organisations face higher targeting rates for ransomware and supply chain attacks, and your threat landscape depends on geography, maturity, and attacker interest.
- No implementation timeline: The model assumes all controls are fully deployed. Real-world deployments take months and deliver partial value during rollout.
- Risk transfer not included: This model covers risk reduction through security controls. Cyber insurance (risk transfer) is a separate budget consideration that can offset residual financial exposure but is not modelled here.