How to make cybersecurity investments count - Part II

By Ajay Singh, Author of CyberStrong! A Primer on Cyber Risk Management for Business Managers

Part I of this article looked at how large and small companies struggle to determine whether their cybersecurity investments are adequate or well directed, and at the methods and strategies organizations adopt to decide the size and direction of that spending. It pointed out that the average cost of a data breach, counting economic and reputational losses, can add up to US$ 4.24 million. Part II examines the ways in which organizations can evaluate whether their cybersecurity investments are effective, proportionate to the threats they perceive, and aligned with their business objectives.

Business leaders and owners are trained to think in terms of return on investment. The methods they use to weigh competing investment opportunities are built around productivity enhancement, business expansion and other initiatives that grow revenue and profit, seldom around defensive spending to protect assets. A change of mindset is therefore required before business leaders can assess the true value of their cybersecurity investments.

Standard measures such as Return on Investment (ROI) and Net Present Value (NPV) provide no insight into the effectiveness of cybersecurity investments, which take the form of hardware, software and training. The positive outcome of such an investment is a threat blocked, an attack prevented or a crime that never happened. The Total Cost of Ownership (TCO) model, widely used for IT investments, captures every cost associated with a cybersecurity investment but says nothing about its outcome, that is, the money saved by avoiding breaches. New approaches to evaluating cybersecurity investments are therefore necessary.

Ascribing values to intangible outcomes is difficult, so justifying cybersecurity investments poses a formidable challenge, especially in a commercial world where an investment is expected to earn a rate of return and to end at some point. Cybersecurity investment, by contrast, has to be ongoing to keep pace with changing risk perceptions. More frustrating still, no amount of investment can guarantee immunity from cyber-attacks or protection from every kind of loss. The European Union Agency for Cybersecurity, ENISA, suggests that any fair evaluation of cybersecurity investments must begin by accepting that cybersecurity is not usually an investment that generates profit but one made for loss prevention.

Gordon & Loeb Model

For the mathematically inclined, Lawrence Gordon and Martin Loeb, in their 2002 paper "The Economics of Information Security Investment", observed that investing to protect company data involves a cost that, unlike other investments, usually generates no profit; what it can do is prevent additional costs. They suggest comparing how expensive it is to protect a specific set of data with the potential loss should that data be stolen, lost, damaged or corrupted.

To use the model, a company needs estimates of three parameters:

  • The value of the data, i.e. the loss it would suffer if the data were stolen, lost, damaged or corrupted
  • The probability that the data will be attacked (the threat)
  • The probability that such an attack will succeed (the vulnerability)

From these the model derives the optimal amount a company should spend on protecting the information, which in most cases is only a fraction of the expected loss: Gordon and Loeb show that, for the classes of breach-probability functions they analyse, the optimal spend never exceeds 1/e (roughly 37%) of the expected loss, and is often much less.
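Written out in the notation of the Gordon–Loeb paper, as an added illustration that is not part of the original article (the symbols and the breach-probability function are the paper's; the numeric values are constructed assumptions):

Let $\lambda$ be the loss if the information set is breached, $t$ the probability of an attack, and $v$ the probability that an attack succeeds with no security spending (the vulnerability). Writing $L = t\lambda$, the expected loss with no investment is $vL$. Spending $z$ lowers the breach probability to $S(z, v)$, with $S(0, v) = v$ and $S$ decreasing and convex in $z$. The expected net benefit of the investment is

$$\mathrm{ENBIS}(z) = \bigl[v - S(z, v)\bigr]\,L - z,$$

and the optimal spend $z^*$ satisfies the first-order condition $-\dfrac{\partial S(z^*, v)}{\partial z}\,L = 1$: spend until the last unit of money removes exactly one unit of expected loss. For the first class of functions the paper analyses, $S(z, v) = v/(\alpha z + 1)^{\beta}$ with $\alpha > 0$ and $\beta \ge 1$, this gives

$$\frac{\alpha\beta\, vL}{(\alpha z^* + 1)^{\beta + 1}} = 1 \quad\Longrightarrow\quad z^* = \frac{(\alpha\beta\, vL)^{1/(\beta + 1)} - 1}{\alpha}$$

(with $z^* = 0$ when that expression is negative). Gordon and Loeb show that for both classes of functions they consider, $z^* \le vL/e \approx 0.37\, vL$.

Constructed example: $\lambda = 4{,}000{,}000$, $t = 0.5$, $v = 0.5$ (so $L = 2{,}000{,}000$ and the expected loss is $vL = 1{,}000{,}000$), with $\alpha = 1.6 \times 10^{-5}$ and $\beta = 1$:

$$z^* = \frac{\sqrt{1.6 \times 10^{-5} \cdot 1{,}000{,}000} - 1}{1.6 \times 10^{-5}} = \frac{4 - 1}{1.6 \times 10^{-5}} = 187{,}500,$$

$$S(z^*, v) = \frac{0.5}{1.6 \times 10^{-5} \cdot 187{,}500 + 1} = \frac{0.5}{4} = 0.125, \qquad \mathrm{ENBIS}(z^*) = (0.5 - 0.125)\cdot 2{,}000{,}000 - 187{,}500 = 562{,}500.$$

The optimal spend is under 19% of the $1{,}000{,}000$ expected loss, well inside the $1/e$ bound of about $367{,}879$. Spending the full expected loss instead would give $S = 0.5/17 \approx 0.029$ and $\mathrm{ENBIS} \approx -58{,}824$: past $z^*$ every additional unit of spending buys less than a unit of avoided loss.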

The ROSI Model

A simpler method is the Return on Security Investment (ROSI) model, a modified version of the familiar Return on Investment (ROI) calculation. ROSI sets the losses a control is expected to avoid against what the control costs: in the form published by ENISA, ROSI = (ALE × mitigation ratio − cost of the control) / cost of the control, where ALE is the annual loss expectancy (cost per incident × expected incidents per year) and the mitigation ratio is the fraction of that loss the control removes. The limitation of ROSI is that it gives only a broad idea of the effectiveness of a cybersecurity investment, because the incident rate and the mitigation ratio are assumptions rather than measurements.
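As an added example (not code from the article or from ENISA), the following Python computes ROSI with ENISA's formula and sweeps the two inputs that are usually estimates rather than measurements, the annualised rate of occurrence (ARO) and the mitigation ratio, to show how far the result moves with the assumptions. All figures are constructed for illustration.

```python
"""Return on Security Investment (ROSI) with a sensitivity sweep.

Added example, not code from the article. Formula as published by ENISA:

    ALE  = SLE * ARO
    ROSI = (ALE * mitigation_ratio - solution_cost) / solution_cost

SLE: single-loss expectancy (cost of one incident); ARO: annualised rate of
occurrence (incidents per year); mitigation ratio: fraction of the ALE the
control is expected to remove. All numbers used below are constructed.
"""
from dataclasses import dataclass
from itertools import product
from typing import Iterable, List


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: expected annual loss from one incident type."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def rosi(ale: float, mitigation_ratio: float, solution_cost: float) -> float:
    """ROSI as a fraction of the control's cost (1.0 means 100 %)."""
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must lie between 0 and 1")
    if solution_cost <= 0:
        raise ValueError("solution cost must be positive")
    loss_avoided = ale * mitigation_ratio
    return (loss_avoided - solution_cost) / solution_cost


def break_even_aro(sle: float, mitigation_ratio: float, solution_cost: float) -> float:
    """ARO at which the control exactly pays for itself (ROSI == 0).

    A useful sanity check: if the break-even ARO is higher than any incident
    rate the organization has actually seen, the case rests on the estimate.
    """
    if sle <= 0 or mitigation_ratio <= 0:
        raise ValueError("SLE and mitigation ratio must be positive")
    return solution_cost / (sle * mitigation_ratio)


@dataclass(frozen=True)
class Scenario:
    aro: float
    mitigation_ratio: float
    rosi: float


def sensitivity(sle: float, solution_cost: float,
                aros: Iterable[float], ratios: Iterable[float]) -> List[Scenario]:
    """ROSI for every combination of the two uncertain inputs."""
    return [
        Scenario(aro, ratio, rosi(annual_loss_expectancy(sle, aro), ratio, solution_cost))
        for aro, ratio in product(aros, ratios)
    ]


if __name__ == "__main__":
    # Constructed figures: a control costing 50,000 a year against an
    # incident type that costs 500,000 per occurrence.
    SLE, COST = 500_000.0, 50_000.0
    print(f"break-even ARO at 75 % mitigation: {break_even_aro(SLE, 0.75, COST):.3f}/year")
    for s in sensitivity(SLE, COST, aros=(0.125, 0.25, 0.5), ratios=(0.5, 0.75)):
        print(f"ARO={s.aro:<6} mitigation={s.mitigation_ratio:<5} ROSI={s.rosi:+.1%}")
```

The sweep is the point: with the same control and the same per-incident cost, ROSI ranges from −37.5% to +275% depending only on the two estimated inputs, which is why a single ROSI figure should always be reported together with the assumptions behind it and the break-even incident rate.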

Cybersecurity Maturity Model

Another way to evaluate cybersecurity investments is to measure the progress an organization makes towards a strong security posture, expressed as a level of cybersecurity maturity. The Cybersecurity Maturity Model Certification (CMMC), the US Department of Defense scheme for its supply chain, is a widely cited example: accredited third-party assessors certify an organization at one of the following levels (the table shows the original five-level CMMC 1.0 scheme; the CMMC 2.0 revision announced in November 2021 reduces this to three levels):

Level           Security processes   Security practices
CMMC Level 1    Performed            Basic cyber hygiene
CMMC Level 2    Documented           Intermediate cyber hygiene
CMMC Level 3    Managed              Good cyber hygiene, high compliance
CMMC Level 4    Reviewed             Proactive
CMMC Level 5    Optimizing           Advanced/Progressive

Cybersecurity Level of Preparedness Model

Because the outcomes of cybersecurity investments are hard to measure directly, a more practical approach is to evaluate the level of preparedness and the controls in place to avoid or mitigate losses when an adverse incident occurs.

Certifications and maturity assessments can only be carried out after a series of investments, processes and procedures has been put in place. In the meantime there are some regular high-level metrics that are handy for evaluating the direction and effectiveness of investments as they are made.

Level of Preparedness

  • Percentage of unpatched IT assets (devices, servers and applications)
  • Percentage of inappropriate usage activities among all usage activities
  • IT assets at risk, by value and impact

Effectiveness of Controls

  • Intrusion attempts denied
  • Unidentified devices on internal networks
  • Significant security incidents (e.g. phishing), with response times and times to remediation
  • Access management


  • Compliance with standards and regulations
  • Security gaps that could lead to compliance failures
  • Compliance metrics on basic cyber hygiene: passwords, privileged access, patching, phishing, and penetration testing


  • Independent security ratings of the company, benchmarked against peers
  • Third-party and fourth-party risk indicators
  • Independent security assessments (e.g., external consultants and auditors)

To add a financial dimension, measures that combine cost and value can be considered, such as control cost per IT application, the financial value of the risk reduction compared with the cybersecurity spend, cost per security incident, and cost of non-compliance.

Finally, investment and effort to improve cybersecurity are continuous, and there is no specific return to be expected beyond knowing that the organization is well prepared to handle cyber risks at a given point in time. The question business leaders should ask before and after making a cybersecurity investment is therefore: 'how will this investment reduce our cyber risk exposure, and by how much?'