IT Security Guru
How to calculate ROI and justify your cybersecurity budget

by The Gurus
December 16, 2015
in Editor's News

By Ilia Kolochenko, CEO of High-Tech Bridge
If you speak with management about money – speak their language and you will definitely get what you need. 
Almost eight years ago, Bruce Schneier wrote a great article about the problems of ROI calculation for cybersecurity spending within organizations. Since then, both annual spending on cybersecurity and the cost of global cybercrime have significantly increased.
Although organizations increased their information security budgets by 24 percent in 2016, many security officers still have to justify to their management every extra thousand spent on cybersecurity. Traditionally, Europe is more conservative than the US, and many more European security officers are asked to reduce their initial cybersecurity budgets by removing some items or replacing them with less expensive alternatives.
Businesses need to make money in order to pay salaries (including salaries of the cybersecurity team), so their point of view, based mainly on financial numbers, is pretty clear and reasonable. Nevertheless, if you prepare a well-explained justification for your cybersecurity budget using terminology and language understandable by management, your chances of getting the budget approved without modifications will at minimum double.
For example, let’s take the budget required to protect the front end of a midsize e-commerce website. To keep it simple, we will not calculate the risks of chained attacks, such as Advanced Persistent Threats, which these days often start at a vulnerable website.
We will base our ROI calculations on direct financial loss prevention: if by spending $10 you can prevent a highly probable annual loss of $100, your management will happily allocate the $10. Often, the problem is to prove that you really need $10 (and not just $7 or $8) and that the risk(s) mitigated with the $10 really do cause a highly probable $100 direct loss to the organization.
First, we need to calculate an ALE (Annual Loss Expectancy): an expected [approximate] financial loss caused by particular risks and threats (if not properly mitigated). We will use a simplified ALE formula from the official guide to CISSP®-ISSMP®: 
ALE = (Number of Incidents per Year) X (Potential Loss per Incident)
In our case, the number of incidents per year can be reasonably set to 12, expecting one serious intrusion attempt via web front-end per month. We can obviously make it bigger, but don’t forget that we are preparing the budget for management who will be skeptical if you present them with numbers that look overstated.
Potential financial loss per incident is a bit trickier, as it consists of numerous factors and sub-factors. Cyber threats will now affect Moody’s ratings; however, that impact is very subjective, as it’s almost impossible to predict whether a particular data breach will affect the rating. The same difficulty applies to reputational losses, stock price drops, and all other high-profile losses related to a data breach.
Therefore, we shall try to take an average cost per breach in our industry from a reputable source. For example, according to a recent study by Kaspersky Lab, the financial loss suffered by SMEs averaged $38,000. In some cases, management may question such a “big” amount; therefore, we will need to take tangible and unavoidable incident costs and present them one by one to management in order to validate the amount. In the case of an e-commerce web front end, it’s pretty easy to identify at least some of them:

  • Cost of customer database and other sensitive information theft and exposure
  • Cost of e-commerce portal unavailability during forensics and recovery
  • Cost of third-party experts allocated to investigate and remediate the breach
  • Cost of legal and compliance fines.

Obvious and easily calculable costs are related to PCI DSS compliance. If, for example, you have PCI merchant level 2, you will be “promoted” to level 1 in the event of a data breach, with all the related costs. Costs related to third-party consultants are also simple to calculate: estimating that they will have to spend at least one week investigating the incident, you already have at least $10,000.
For example, TalkTalk [due to the size of the business and the scale of the hack] has lost about £35 million in total, and in comparison to that, $38,000 looks very reasonable. An even higher cost per incident comes from the 2015 Information Security Breaches Survey published by the UK government and PwC, where the average cost of a data breach for SMEs is between £75,000 and £310,800 ($112,000 and $466,200 respectively). But let’s come back to our modest $38,000 for our example and use it in our equation:
ALE = (Number of Incidents per Year) X (Potential Loss per Incident)
ALE = 12 X $38,000
ALE = $456,000
This is the amount a company should expect to lose per year if nothing is done to protect its web front-end. Of course, each new incident will aggravate the losses, but here we can omit this point.
The next step is to justify the money you are asking for. The easiest way to do so is to provide your management with the most efficient and effective solutions and products, carefully selected by the price/quality ratio. In order to protect the web front-end (I omit SDLC and all other costs related to secure development, maintenance and compliance) we typically need:

  • a) Web Application Firewall – although a WAF cannot protect from sophisticated attacks, it’s a great protection layer against bots and other malicious “noise”, automated attacks and script-kiddies.
  • b) Continuous vulnerability scanning and security monitoring solution – what is secure today may become vulnerable tonight, and an annual penetration test will not detect it in time. Therefore, continuous security monitoring is extremely important.
  • c) Regular manual or hybrid assessments involving third-party experts – a good example is a critical RCE in Zen Cart, recently detected by High-Tech Bridge in the latest version of this popular e-commerce platform. The vulnerability is present only in the latest version, and was not detected by any of the automated scanners prior to our discovery.

Estimating that a) + b) + c) will cost $40,000 per year, we can come back to our equation and calculate ROI. We will take the ROI formula from the official guide to CISSP®-ISSMP®:
ROI = (ALE / Cost of Countermeasures) X 100%
ROI = ($456,000 / $40,000) X 100%
ROI = 1140%
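The ALE and ROI arithmetic above, as an added Python example that is not from the article or from High-Tech Bridge: it itemises the per-incident loss into the four cost categories listed earlier (the breakdown is constructed so that it sums to the article’s $38,000), reproduces the article’s ALE and ROI figures, and, going beyond the article’s formula, also computes a net ROSI that subtracts the cost of the controls and only credits the share of ALE they actually prevent, plus the break-even incident rate at which ALE equals the spend.

```python
from dataclasses import dataclass

@dataclass
class IncidentCost:
    """Tangible per-incident cost components, in the four categories the article lists."""
    data_theft: float           # customer database / sensitive data exposure
    downtime: float             # portal unavailability during forensics and recovery
    third_party_experts: float  # consultants investigating and remediating
    fines: float                # legal and compliance fines (e.g. PCI DSS consequences)

    def total(self) -> float:
        return self.data_theft + self.downtime + self.third_party_experts + self.fines

def annual_loss_expectancy(incidents_per_year: float, loss_per_incident: float) -> float:
    """ALE = (Number of Incidents per Year) x (Potential Loss per Incident)."""
    return incidents_per_year * loss_per_incident

def roi_percent(ale: float, countermeasure_cost: float) -> float:
    """ROI exactly as the article states it: (ALE / Cost of Countermeasures) x 100%."""
    if countermeasure_cost <= 0:
        raise ValueError("countermeasure cost must be positive")
    return ale * 100 / countermeasure_cost

def rosi_percent(ale: float, countermeasure_cost: float, mitigation_ratio: float) -> float:
    """Net return on security investment (an addition, not the article's formula):
    only the share of ALE the controls actually prevent counts as benefit, and the
    cost of the controls is subtracted before dividing by it."""
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must be between 0 and 1")
    prevented = ale * mitigation_ratio
    return (prevented - countermeasure_cost) * 100 / countermeasure_cost

def break_even_incidents(countermeasure_cost: float, loss_per_incident: float) -> float:
    """Incidents per year at which ALE equals the countermeasure cost (ROI of 100%)."""
    return countermeasure_cost / loss_per_incident

def article_example() -> dict:
    """The article's worked numbers; the cost breakdown is constructed (assumed) so
    that it sums to the $38,000 average the article takes from the Kaspersky Lab study."""
    per_incident = IncidentCost(data_theft=15_000, downtime=8_000,
                                third_party_experts=10_000, fines=5_000)
    ale = annual_loss_expectancy(12, per_incident.total())
    controls = 40_000  # WAF + continuous scanning + expert assessments, per year
    return {
        "loss_per_incident": per_incident.total(),
        "ale": ale,
        "roi_percent": roi_percent(ale, controls),
        "rosi_percent_80pct_mitigation": rosi_percent(ale, controls, 0.8),
        "break_even_incidents": break_even_incidents(controls, per_incident.total()),
    }
```

Calling `article_example()` returns ALE $456,000 and ROI 1140% as in the article, a net ROSI of 812% if the controls stop 80% of the expected loss, and a break-even rate of just over one incident per year, which is often the more persuasive number for a sceptical board.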
Even if such a huge ROI may be subjective from a purely technical point of view, it will definitely convince your management better than a long saga about the dangers of blind XSS attacks.
Robert Metcalf, a cybersecurity expert at PwC Switzerland, says: “Cybersecurity is about risk management and loss prevention, not just earnings and so any investment in security needs to demonstrate to the business that it is focused on defending what is of most value to the organization, its “crown jewels”. How these key assets are then being targeted by threat actors can strongly indicate where you must invest the most and where your business reputation is also at stake.”
If you speak with management about money – speak their language and you will definitely get what you need.
