CyberROI

Cybersecurity Investment Calculator

How to Calculate Cybersecurity ROI

Cybersecurity has traditionally been viewed as a cost centre, but forward-thinking CISOs are reframing it as a risk-reduction investment with measurable returns. The key is adopting a financial model that translates security controls into monetary outcomes.

The Core Formula

Cybersecurity ROI compares the cost of security controls against the expected losses they prevent. The fundamental equation is:

ROI = (Annual Loss Reduced − Annual Control Cost) / Annual Control Cost

An ROI of 3.0x means that for every dollar spent, you avoid three dollars in expected losses. This gives boards and CFOs a number they can compare against other business investments.

Step-by-Step Approach

  1. Identify risk scenarios — list the threats most relevant to your organisation (ransomware, phishing, insider threats, etc.)
  2. Estimate Annual Loss Expectancy (ALE) — for each scenario, multiply the probability of occurrence by the expected financial impact
  3. Select security controls — identify which controls mitigate which scenarios and by how much
  4. Calculate residual risk — after applying controls, determine the remaining exposure
  5. Compare cost vs reduction — the difference between baseline ALE and residual ALE is your loss reduced; subtract control costs for net benefit

Common Pitfalls

Avoid overstating effectiveness — no control eliminates risk entirely. Use diminishing returns models when stacking multiple controls against the same threat. Also account for implementation costs in year one, which may differ significantly from ongoing operational costs.
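A small model that works the five steps above end to end, including the two pitfalls just named (diminishing returns when stacking controls, and year-one versus ongoing cost). This is an added example, not the CyberROI calculator's own code: the scenario probabilities, impact figures, control costs and mitigation percentages are constructed, and the multiplicative diminishing-returns rule (each control removes its share of whatever risk the earlier controls left) is one reasonable choice of model, not the one the page prescribes.

```python
"""Worked cybersecurity ROI model (added example; all figures constructed)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Scenario:
    name: str
    probability: float  # annual probability of occurrence, 0..1
    impact: float       # expected financial impact per occurrence, in dollars

    def ale(self) -> float:
        """Step 2: Annual Loss Expectancy = probability x impact."""
        return self.probability * self.impact


@dataclass
class Control:
    name: str
    year_one_cost: float          # implementation plus first-year operation
    ongoing_cost: float           # annual operational cost in later years
    mitigation: Dict[str, float]  # scenario name -> fraction of loss removed on its own


def residual_factor(effects: List[float]) -> float:
    """Diminishing-returns stacking: each control only removes its fraction of
    the risk the previous controls left behind, so stacking never reaches 100%."""
    remaining = 1.0
    for e in effects:
        remaining *= 1.0 - e
    return remaining


def naive_residual_factor(effects: List[float]) -> float:
    """The overstated version: adding percentages, which can claim 0% residual."""
    return max(0.0, 1.0 - sum(effects))


def residual_ale(scenarios: List[Scenario], controls: List[Control]) -> Dict[str, float]:
    """Step 4: remaining exposure per scenario after the selected controls."""
    out = {}
    for s in scenarios:
        effects = [c.mitigation[s.name] for c in controls if s.name in c.mitigation]
        out[s.name] = s.ale() * residual_factor(effects)
    return out


def cybersecurity_roi(scenarios: List[Scenario], controls: List[Control], year: int = 1) -> Dict[str, float]:
    """Step 5: loss reduced = baseline ALE - residual ALE; ROI = (reduced - cost) / cost.
    year=1 uses implementation-year cost, any later year uses ongoing cost."""
    baseline = sum(s.ale() for s in scenarios)
    residual = sum(residual_ale(scenarios, controls).values())
    loss_reduced = baseline - residual
    cost = sum(c.year_one_cost if year == 1 else c.ongoing_cost for c in controls)
    net = loss_reduced - cost
    return {
        "baseline_ale": baseline,
        "residual_ale": residual,
        "loss_reduced": loss_reduced,
        "control_cost": cost,
        "net_benefit": net,
        "roi": net / cost,
    }


# Step 1: constructed risk scenarios (hypothetical organisation, illustrative numbers).
SCENARIOS = [
    Scenario("ransomware", probability=0.10, impact=2_000_000),  # ALE 200,000
    Scenario("phishing", probability=0.50, impact=100_000),      # ALE  50,000
    Scenario("insider", probability=0.05, impact=400_000),       # ALE  20,000
]

# Step 3: constructed controls and the share of each scenario's loss they mitigate alone.
CONTROLS = [
    Control("EDR", 60_000, 40_000, {"ransomware": 0.6, "insider": 0.2}),
    Control("Offline backups", 30_000, 10_000, {"ransomware": 0.5}),
    Control("Awareness training", 15_000, 15_000, {"phishing": 0.4, "insider": 0.1}),
]


if __name__ == "__main__":
    for year in (1, 2):
        r = cybersecurity_roi(SCENARIOS, CONTROLS, year=year)
        print(f"year {year}: loss reduced ${r['loss_reduced']:,.0f}, "
              f"cost ${r['control_cost']:,.0f}, ROI {r['roi']:.2f}x")
    # The two ransomware controls claim 60% and 50%: stacked with diminishing
    # returns they leave 20% of the risk, while naive addition claims 0%.
    print("ransomware residual (diminishing):", residual_factor([0.6, 0.5]))
    print("ransomware residual (naive):", naive_residual_factor([0.6, 0.5]))
```

With these constructed figures the baseline ALE is $270,000 and the residual ALE $84,400, so the controls reduce expected loss by $185,600. In year one the $105,000 implementation cost gives an ROI of about 0.77x; from year two the $65,000 ongoing cost raises it to about 1.86x, which is why the two cost figures should never be merged into a single number.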