Measuring most types of return on investment (ROI) is relatively straightforward: You compare the cost of what you spent to the value of what you gained in return.
However, calculating cybersecurity ROI presents a big challenge: It’s not always clear how much value cybersecurity investments create because when the investments are effective, nothing happens — meaning no security breaches occur. And you can’t easily quantify the monetary value of nothing.
But that doesn’t mean it’s impossible to measure cybersecurity ROI in a meaningful way. The numbers may always be a bit hazier than more concrete forms of ROI, but nonetheless businesses can — and should — attempt to determine how much monetary value their cybersecurity investments yield.
Why Cybersecurity ROI Is Hard to Calculate
Quantifying the total cost of cybersecurity investments — which have long been at the top of most companies’ IT spending priorities — is easy enough. It entails adding up the cost of the hardware resources, software tools, and personnel (including both internal employees as well as any outsourced cybersecurity services) that an organization deploys to mitigate security risks.
But determining how much value those investments yield is where things get tricky. This is primarily because, again, the goal of cybersecurity investments is to prevent breaches from occurring — and when no breach occurs, there is no quantifiable cost to measure.
Instead, the best businesses can do to calculate ROI in the context of cybersecurity is estimate how many breaches they would have experienced if they had not invested in cybersecurity and the total cost of those breaches. These are highly intangible figures because it’s impossible to know which breaches might have occurred, and it’s equally impossible to ascertain the exact cost of a breach that never happened.
These factors make cybersecurity ROI inherently more challenging to quantify than most other forms of ROI. For other types of ROI, the most prominent difficulty organizations typically run into is determining which outcomes to attribute to which investments; for instance, when calculating marketing ROI, it’s not always clear which purchases were motivated by which marketing campaigns. But at least marketers still have real, tangible outcomes they can track. Cybersecurity teams don’t.
Approaches to Measuring Cybersecurity ROI
The fact that calculating cybersecurity ROI in a straightforward fashion is difficult doesn’t mean it’s not worth attempting this type of measurement or that there are no meaningful ways to capture the value created by cybersecurity spending. Several methods are available.
1. Calculating the hypothetical cost of breaches based on historical data
First, businesses that have experienced breaches in the past can determine how much those incidents cost and then use that figure as a basis for calculating the value created by avoiding similar breaches thanks to cybersecurity investments.
For instance, imagine a company that experiences an average of one breach per year over a five-year period, with a total cost per breach of $10 million. If, over the following five years, the company experiences an average of only 0.5 breaches per year thanks to enhanced cybersecurity, it can conclude that cybersecurity ROI was $5 million per year.
The downside of this approach is that historical data does not always accurately reflect the current risk or cost of a breach, so a decrease in breaches can’t always be definitively attributed to cybersecurity investments.
2. Calculating the hypothetical cost of breaches based on those experienced by other companies
Rather than estimating breach frequency and cost based on historical data specific to your business, you could look at data about current cybersecurity trends for other companies similar to yours, considering factors like their region, the type of industry they operate in, and their size. This data provides insight into how likely your type of business is to experience a breach and what that breach will likely cost.
For instance, if similar companies experience an average of two breaches in the current year at a total cost of $20 million (or $10 million per breach) but your company only experiences one breach, you can draw the conclusion that you saved $10 million.
The challenge here, of course, is that cybersecurity trends that impact other companies may not affect yours. Experiencing fewer breaches in a given year could just mean you were lucky, not that your cybersecurity investments yielded a high return.
3. Measuring cybersecurity ROI by the cost of breaches you didn’t prevent
A third approach is to measure cybersecurity ROI in terms of the value you don’t create due to breaches that do occur. This is effectively an inverse form of cybersecurity ROI.
For example, if your company currently spends $1 million per year on cybersecurity and experiences breaches that cost a total of $10 million per year, your inverse cybersecurity ROI is $10 million — which is the amount of money that you’re losing per year when you spend $1 million on cybersecurity.
Using this data, you can predict how much money you’d save through additional cybersecurity spending. For instance, if $1 million of investment currently results in $10 million of costs, you could estimate that doubling your spending to $2 million would decrease breach costs to $5 million.
The limitation of this method is that it doesn’t actually measure value created; it measures the value lost. In addition, there is no guarantee that cybersecurity spending rates and the frequency or cost of breaches will increase and decrease at fixed rates; you could double the value of your investments only to find that they reduce your costs by a mere 20%, for instance, instead of cutting them in half.
Still, this technique at least gives you tangible figures to work with on both ends of the equation because your total cybersecurity spending and your total breach costs are both definitive data points that you can measure in a straightforward way.
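The three estimation methods above share the same inputs (breach counts, cost per breach, and annual spend), so they are easiest to compare side by side in a small calculator. The following Python is an added example, not code from the article; the functions, their names, and the elasticity parameter in the projection are assumptions, and the figures fed into them are the article's own illustrations. The projection function generalizes the article's "doubling spend halves breach cost" assumption into a per-doubling reduction factor so the 20%-reduction caveat can be modeled alongside the optimistic case.

```python
import math

# Method 1: value created by avoiding breaches, judged against the
# company's own history. Inputs are per-year breach counts before and
# after the investment, and an average cost per breach.
def historical_avoided_loss(before_counts, after_counts, cost_per_breach):
    before_rate = sum(before_counts) / len(before_counts)
    after_rate = sum(after_counts) / len(after_counts)
    # Breaches avoided per year, valued at the historical cost per breach.
    return (before_rate - after_rate) * cost_per_breach


# Method 2: savings relative to similar companies (same region, industry,
# size) in the current year. The peer cost per breach is derived from the
# peer group's total breach cost.
def peer_benchmark_savings(peer_breaches, peer_total_cost, own_breaches):
    cost_per_breach = peer_total_cost / peer_breaches
    return (peer_breaches - own_breaches) * cost_per_breach


# Method 3: "inverse ROI" is simply the breach cost still incurred at the
# current spend level; the projection estimates breach cost at a new spend
# level. reduction_per_doubling=0.5 reproduces the article's assumption
# that doubling spend halves breach cost; 0.2 models the caveat that the
# reduction might be only 20%. (The exponential form is an assumption.)
def projected_breach_cost(current_spend, current_breach_cost, new_spend,
                          reduction_per_doubling=0.5):
    doublings = math.log2(new_spend / current_spend)
    return current_breach_cost * (1 - reduction_per_doubling) ** doublings


def inverse_roi(current_breach_cost):
    # Money lost per year at the current spend level (the article's figure).
    return current_breach_cost


if __name__ == "__main__":
    # Constructed figures mirroring the article's examples (USD).
    m1 = historical_avoided_loss([1, 1, 1, 1, 1], [1, 0, 1, 0], 10_000_000)
    m2 = peer_benchmark_savings(2, 20_000_000, 1)
    loss_now = inverse_roi(10_000_000)
    optimistic = projected_breach_cost(1_000_000, 10_000_000, 2_000_000, 0.5)
    cautious = projected_breach_cost(1_000_000, 10_000_000, 2_000_000, 0.2)
    print(f"Method 1 (historical): ${m1:,.0f}/year avoided")
    print(f"Method 2 (peer benchmark): ${m2:,.0f} saved this year")
    print(f"Method 3 (inverse ROI): ${loss_now:,.0f}/year lost at current spend")
    print(f"  doubling spend, 50% per doubling: ${optimistic:,.0f}")
    print(f"  doubling spend, 20% per doubling: ${cautious:,.0f}")
```

Running the two projection cases next to each other makes the article's limitation concrete: the same $1 million of extra spend is worth $5 million under the halving assumption but only $2 million if breach costs fall by 20% per doubling, so the elasticity assumption dominates the estimate and should be stated explicitly whenever method 3 is used.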
Conclusion: The Messy Business of Cybersecurity ROI
No matter which approach you adopt (and for many businesses, it makes sense to use multiple methods simultaneously), the cybersecurity ROI measurements you arrive at will be imperfect at best. But they’re nonetheless valuable to your business because cybersecurity can be quite expensive, and it’s critical to know which investments in this realm are and aren’t working — especially in an era when a sizeable portion of IT budgets are shrinking, making it more important than ever to maximize the value of every dollar invested in security.