What is a security investment and why should we make it?

Investments in cybersecurity constitute any investments made into programs, softwares, solutions or other security controls to which you direct resources, including both money and human resources. As security threats have become more common and hackers have found new ways of getting private data, cybersecurity softwares have also become more refined and complex. They can protect our passwords, our search history and location, help us not install malware and other viruses, as well as help companies secure their data and communication within the company network. With remote work becoming a new normal, it’s even more important to ensure your employees have a safety net around their online work and communications. 

But a lot of people are now more cautious and aware of cyberthreats, and there are simple security features on your laptop which you can use without spending a lot of money and resources on cybersecurity programs. So how do we evaluate if we actually need a certain security software, or if we need to hire additional IT staff for this purpose? Since investing in security software is not an investment that brings profit, but rather one that prevents losses, it can be a bit hard to evaluate.

Calculating the return on a security investment

When it comes to usual investments, we are all familiar with simple ROI (Return on Investment) calculations, where we divide the return or profit that we gain with the cost of the original investment. Clear, simple, and very easy to decide if an investment is worth it. With security, however, the calculation can be a bit more complex, mostly because it is based on variables which need to be approximated. Some values we need can be defined completely, like the cost of legal penalties, IT specialists and similar, but other values can never be exact. This includes the time a company is down and loses profit during a cyber attack, the loss of potentially affected customers, the stained company image after the incident, and many others.

We need to be aware that these values can’t be exact and perfect, but that it is still possible to calculate the ROSI (Return on Security Investment) and predict if our investments will be beneficial for the company. It’s important to try and estimate everything as closely as possible, but not get stuck on variables that you can’t possibly know exactly.

ROSI is calculated as (Annualized loss expectancy * Mitigation ratio – Cost of solution) / Cost of Solution. It might sound complex, but it is not so hard to calculate even on your own at home. The Annualized loss expectancy is a multiplication of the approximate cost of a certain security incident, and how many times per year that incident could happen. The Mitigation ratio is how effective the solution is, for example that it solves or prevents the problem in 93% of cases. And the Cost of solution is just how much we would pay for that certain software or program. 

Calculating ROSI for each potential security investment can help you decide which issues need more or less funding, if your spending is justified, or if you should allocate resources to a different problem instead. It can help you see these abstract security investments in a more clear light and quantify them into numbers. 
But seeing a number and calculating the specific ROSI isn’t the only important factor concerning cybersecurity. Having a good cybersecurity software can help you protect from threats that you maybe wouldn’t have even anticipated, it can save you a lot of time by preventing issues instead of having to deal with them after they occur, it can help you stay more relaxed and feel more secure, as well as prevent any damage to the brand name and company image which can result from security problems, especially ones involving sensitive client data.

Is it worth it?

Now that you are aware of both specific tangible ways to calculate your return on security investments, as well as things to consider which may be intangible and more abstract, it is your decision to see which security investments are worth it or not. Security investments are hard to quantify since they prevent loss instead of bringing profit, but having a good software to prevent disasters as well as bring a certain peace of mind seems worth it.

All of this can be applied in personal life as well. Companies are not the only ones who need to protect data and stay away from malware and hacker attacks. Your private data deserves to be protected and safe online. Personal information, healthcare data, bank statements, passwords – these are all things which cybersecurity softwares can help you protect, and the benefit is usually way higher than the cost.

Some extra sources:

https://blog.netwrix.com/2018/08/07/how-to-calculate-return-on-security-investment/
https://www.csoonline.com/article/3229887/how-to-calculate-your-return-on-security-investments.html