General thoughts

How can you assess the return on security investment and enhance it

Oct 4, 2021

Paul-Arthur Jonville

The ability to measure performance is at the heart of effective management: measurement drives how resources are allocated, which operations are selected, and how personnel are rewarded. To assess performance, executives rely on large amounts of data and metrics. Return on investment tells them which products increase their company's value; by analogy, return on security investment should tell them which products and practices strengthen the company's security posture.

However, measuring cybersecurity performance is challenging. Traditional performance metrics such as revenue or cost do not apply, and there is no cybersecurity analog to market- and credit-risk metrics such as value at risk. Counting incidents is also misleading: a low incident count may mean the security team is protecting the organization, or simply that it is not detecting the attacks in progress.

Analysts try to identify possible risks, the damage they would cause, and the probability of a cyberattack, so that necessary security investments are not missed. However, these risks and probabilities are hard to pin down, and some companies only make drastic changes to their strategy once the first attack has occurred.

Metrics exist, but whether executives use return on investment (ROI) or return on security investment (ROSI) to judge the quality of their investment, we think the main challenge is understanding that a cybersecurity investment links an actual, present expense to an unforeseeable threat.


Why is assessing the quality of a cybersecurity investment hard according to traditional metrics?

Quantifying the returns of cybersecurity is challenging because it is a preventive measure. Cybersecurity neither affects revenue directly nor provides an immediate payback, so traditional metrics do not capture the value of the investment.


Cyberattacks have specifics that are hard to put a price on.

Growing awareness has led to significant increases in the budgets allocated to information security departments.

However, it is often hard for a Chief information security officer (CISO) to demonstrate the benefit of security spending, since cost avoidance remains the prevailing paradigm: CISOs have to put a value on something that has not happened yet.

In addition, the cybersecurity environment is dynamic. Threats escalate fast, and new technologies and operational practices appear every day. This makes it hard for CISOs, who already struggle to keep their tool stack under control, to keep up and to judge whether their security architecture is sound, whether they need to add tools, or whether they should reduce their stack.

Moreover, estimating the cost of a cyberattack can be very complex, since it varies with the type of breach, its duration, and the sensitivity of the data stolen. Along with this direct financial impact, possible regulatory penalties must be considered. For example, a company suffering a data breach can be fined under the GDPR, up to 4% of its worldwide annual turnover (or EUR 20 million, whichever is higher), if it is found to have been negligent in protecting that data.

Further, the assessed cost of an incident can fluctuate considerably. For instance, what is the cost of one hour of unavailability for an e-commerce site during the sales period, following a DDoS attack? Cyberattacks are peculiar in that they can affect availability, reputation, and customer confidence, which are intangible and hard to price.


The return on investment is the traditional primary metric for assessing the quality of an investment.

Traditionally, return on investment (ROI) is calculated from the return on cost: the return produced by a particular investment (IC) is measured relative to the initial investment's price (IP), that is, the return net of the initial price, divided by the initial price.

ROI therefore works for investments that yield positive results, such as cost savings or revenue enhancements. It is used to evaluate the efficiency or profitability of an asset, or to compare the efficiency of several investments. It is not designed to determine how much loss the organization avoided thanks to its initial investment.


How can companies properly evaluate their investment in cybersecurity?

Executives must account for real expenditures whose benefits are not readily apparent, set against an unforeseeable threat. They then need to shift from a paradigm focused on cost minimization to one that encourages investment. Both quantitative and qualitative methods can evaluate such an investment; organizations should use both.


Companies should measure return on security investment.

Cybersecurity is a preemptive investment. Its goal is not to increase the value of the initial investment but to prevent its depreciation through hostile action. As such, the classical measure of return is the wrong yardstick. Any assessment of a cybersecurity investment should be based on how much loss the organization avoids thanks to the acquisition, not on value added on top of the initial cost.

Given this specificity, the European Union Agency for Cybersecurity (ENISA) published a methodology better suited to calculating a company's returns on cybersecurity solutions. The estimated return on security investment (ROSI) is obtained by identifying the expected losses that have been prevented and the rate of risk mitigation: the loss avoided, net of the cost of the solution, divided by the cost of the solution. The terms of the equation are as follows:

Here, the Annualized Loss Expectancy (ALE) is the estimated amount of money the company loses in a single security incident (single loss expectancy, SLE) multiplied by the estimated number of times that threat occurs within a year (annualized rate of occurrence, ARO; this can be a fraction, for example 0.5 for one incident every two years). CISOs usually estimate ALE from the successful breaches of the year before adopting the new solution.

The Mitigation Ratio (MR) is an estimate of the share of the expected loss that the solution prevents. For instance, if a company invests in a solution expected to reduce its current data-security risk by 90%, then MR equals 90%. Although no solution is a 100% guarantee, CISOs can form reasonable expectations when looking at a given solution; an inflated MR is the easiest way to make a poor investment look good, so the estimate should be recorded together with its justification.

Finally, the cost of Solution (CS) is the only independent term in this equation, and it covers purchase, implementation, and maintenance. CISOs must consider all costs, on the same annual basis as ALE, not just the one-time price of hardware or software: maintenance, a threat-management service subscription, the time and cost of training staff, and the time needed to configure and implement the solution.
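The classical ROI described above and the ENISA ROSI terms just listed, worked through in code. This is an added example, not code from the article or from ENISA; it applies the published ENISA formula ROSI = (ALE × MR − CS) / CS with ALE = SLE × ARO. The function names, the `Solution` cost model, the spreading of one-time costs over an assumed five-year lifetime, and every figure in the scenario are this example's own assumptions.

```python
from dataclasses import dataclass


def roi(gain: float, cost: float) -> float:
    """Classical return on investment: net gain divided by the initial price.
    `gain` is the total value the investment returned, `cost` its price."""
    if cost <= 0:
        raise ValueError("cost must be positive")
    return (gain - cost) / cost


def aro_from_history(incidents: int, years: float) -> float:
    """Annualized rate of occurrence estimated from incident history.
    Fractional values are normal: 2 breaches in 4 years gives 0.5 per year."""
    if years <= 0:
        raise ValueError("years must be positive")
    return incidents / years


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy = single loss expectancy x annual rate."""
    return sle * aro


def rosi(ale_value: float, mitigation_ratio: float, solution_cost: float) -> float:
    """ENISA ROSI: (ALE x MR - CS) / CS, with CS on the same annual basis as ALE."""
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must be between 0 and 1")
    if solution_cost <= 0:
        raise ValueError("solution cost must be positive")
    avoided_loss = ale_value * mitigation_ratio
    return (avoided_loss - solution_cost) / solution_cost


def break_even_mitigation_ratio(ale_value: float, solution_cost: float) -> float:
    """Smallest MR at which ROSI reaches zero. A value above 1.0 means the
    solution cannot pay for itself against this ALE however well it works."""
    if ale_value <= 0:
        raise ValueError("ALE must be positive")
    return solution_cost / ale_value


@dataclass(frozen=True)
class Solution:
    """Cost model for one candidate control (field names are this example's own)."""
    name: str
    licence_per_year: float
    maintenance_per_year: float
    implementation_once: float  # configuration and roll-out effort
    training_once: float
    lifetime_years: float       # assumed period over which one-time costs are spread
    mitigation_ratio: float     # expected share of ALE the control prevents

    def annual_cost(self) -> float:
        """Cost of Solution (CS) per year: recurring costs plus one-time costs
        spread over the expected lifetime, so that CS is comparable with ALE."""
        one_time = self.implementation_once + self.training_once
        return self.licence_per_year + self.maintenance_per_year + one_time / self.lifetime_years


def compare_solutions(solutions, sle: float, aro: float) -> dict:
    """Return {name: (annual CS, ROSI, break-even MR)} for each candidate."""
    annual_loss = ale(sle, aro)
    results = {}
    for s in solutions:
        cs = s.annual_cost()
        results[s.name] = (
            cs,
            rosi(annual_loss, s.mitigation_ratio, cs),
            break_even_mitigation_ratio(annual_loss, cs),
        )
    return results


# Constructed scenario (not figures from the article): two breaches in the last
# four years, each costing about 200 000 in downtime, response and notification.
SLE = 200_000.0
ARO = aro_from_history(incidents=2, years=4)  # 0.5 per year
ALE = ale(SLE, ARO)                           # 100 000 per year

CANDIDATES = [
    Solution("A", licence_per_year=30_000, maintenance_per_year=5_000,
             implementation_once=20_000, training_once=5_000,
             lifetime_years=5, mitigation_ratio=0.70),
    Solution("B", licence_per_year=80_000, maintenance_per_year=10_000,
             implementation_once=40_000, training_once=10_000,
             lifetime_years=5, mitigation_ratio=0.90),
]

if __name__ == "__main__":
    print(f"Classical ROI on 10 000 that returns 12 000: {roi(12_000, 10_000):.2f}")
    print(f"ALE = {SLE:,.0f} x {ARO} = {ALE:,.0f} per year")
    for name, (cs, r, be) in compare_solutions(CANDIDATES, SLE, ARO).items():
        print(f"{name}: CS={cs:,.0f}/yr  ROSI={r:+.2f}  break-even MR={be:.2f}")
```

In this scenario solution B has the higher mitigation ratio but a negative ROSI, because its annual cost equals the entire ALE; the break-even ratio makes that visible before any vendor claim is accepted. Comparing the break-even MR with what the solution can credibly deliver is the sanity check to apply whenever the MR estimate is soft.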


You can add other qualitative and quantitative metrics to enrich and enhance your ROSI

After dissecting that equation, it is easy to see that some of its terms are hard to estimate. CISOs should therefore enrich their ROSI metrics with other methods to refine the calculation: comparing with peers, or planning red team exercises. Finally, one way to enhance ROSI itself is to adopt automation and orchestration with the help of Security orchestration, automation, and response (SOAR) tooling.


Compare your organization with your peers and with public resources.

Finding accurate estimates for SLE and ARO is complicated. For single loss expectancy, CISOs can look at internal sources such as the cost of production-line downtime, lost office productivity, or actual losses after a previous attack. Still, an exact figure would require pricing the reputational and confidence damage, and CISOs should keep in mind that such intangible damage always accompanies a cyberattack.

Besides internal sources, there are also external ones a CISO can use. IBM and the Ponemon Institute (Cost of a Data Breach Report) and Verizon (Data Breach Investigations Report) publish annual reports with loss figures for various industries internationally. The same goes for ARO: any internal incident history is useful, and a variety of industry reports on attack frequency can also help.

More generally, comparing the security budget with those of other organizations in the same industry is a useful way to check whether the level of investment is reasonable, although budget alone says nothing about how effectively it is spent. To that end, a company can get help from a consultancy firm.

Evaluate your organization's readiness to address incidents: One great way to assess the quality of a security investment is to carry out security simulations, in which separate teams are responsible for attacking and defending a specific infrastructure. This is an excellent way to stay current with attack scenarios and identify weak links. It also tests a tool's effectiveness and potential, checks the level of security awareness in the organization, and measures the performance of each IT team member.

Performed regularly, such simulations are an excellent practical metric for evaluating the cybersecurity investments affecting the organization.

Implement automation and orchestration to increase your ROSI: Today, Security orchestration, automation, and response (SOAR) solutions offer some of the largest cost-saving opportunities through AI and automation. They relieve some of the burdens on security professionals: the sheer volume and sophistication of attacks, the dwell time of breaches, high false-positive rates, the time and resources required to respond, and the cyber skills shortage.

Further, automating and streamlining incident management reduces the time to detect and respond, increases the detection rate, and lowers the number of false positives analysts have to handle.

Finally, orchestration between tools, improving their connectivity and visibility, lets CISOs continuously reassess the composition of their security stack, keep all tools up to date, and limit the share of unused tools while still allowing staff to use the tools they prefer.


Conclusion

An investment in cybersecurity cannot be assessed with the traditional return on investment. Security investments are made to avoid costs, not to deliver direct profitability.

However, ROSI must be complemented by other measures, such as peer comparisons and tests. We are also convinced that SOAR solutions must be implemented, because they drastically reduce costs and enhance processes at the same time.


Automate processes with AI,
amplify Human strategic impact.
