In this fourth in our six-part series of articles on investing in security systems, we turn the tables on traditional views of security as an overhead and explore Return on Security Investment (ROSI) and security as a value-add.
In our previous posts we've explored how TCO provides the most holistic account possible of the potential whole-of-life costs of a security system solution. That’s helpful in terms of accounting for the costs of security, but it falls short of accounting for the potential value derived from a security solution.
“The traditional view that purchasers of security have is that security is a cost centre, an overhead,” says Optic Security Group Managing Director Mark Lloyd. “But there are two reasons why this view is flawed.
“Firstly, it is the primary role of security to prevent loss, harm and disruption, and to the extent that it does this over and above what it costs to implement, it’s actually an astute investment. Secondly, IP-based security systems comprise sensors and analytics that deliver not just security but also fantastic data for business intelligence. Whether it’s tracking retail customer journeys for store optimisation purposes or monitoring room usage for more sustainable air and lighting operation, security can be a value-add.”
Return on Security Investment (ROSI)
According to Investopedia, “Return on investment (ROI) is a performance measure used to evaluate the efficiency or profitability of an investment or compare the efficiency of a number of different investments. ROI tries to directly measure the amount of return on a particular investment, relative to the investment’s cost.”
In other words, ROI is calculated by dividing the Net Return on Investment (the final value of the investment minus the cost of the investment) by the cost of the investment and multiplying it by 100.
According to the Association for Financial Professionals (AFP), “ROSI, or return on security investment, is a modified ROI calculation, where the net benefit is the annual cost of security breaches avoided as compared to the prevention cost incurred.”
According to this definition, ROSI is calculated by dividing the Net Loss Reduction (the monetary value of losses prevented minus the cost of the security solution) by the cost of the security solution and multiplying it by 100.
Calculating the dollar value of ROI
The above formula looks easy enough, but there is a general tendency among organisations to misevaluate the actual costs of a security incident – and physical security incidents in particular. Apart from calculations of ‘shrinkage’ and ‘profit loss’ in the retail sector, very scant effort is made to measure the costs of a physical security incident. It’s left in the ‘too hard basket’.
This is understandable to some extent, but it’s also unfortunate.
Calculating the monetary value of losses can be tricky, particularly if the calculation is based on a projection of losses, with the biggest stumbling blocks tending to be around (i) the accuracy of data, and (ii) understanding the range of costs.
Accuracy of data
“The first thing to recognize when you are trying to predict the future of ‘badness’ involving intelligent adversaries is that there is no way to perform these measurements with precision, so you should opt for accuracy,” writes Peter Lindstrom in SearchSecurity.
The monetary value of losses is often referred to as the ALE, or Annual Loss Expectancy, which is calculated by multiplying the Single Loss Expectancy, or SLE (the total financial loss from a single security incident), by the Annual Rate of Occurrence, or ARO (the annual frequency of a security incident).
For example, let’s say a security solution has an annual investment of $70,000 to remediate 20 security incidents that each resulted in $9,000 in data loss. According to the vendor, the solution will block 90 percent of breaches. This scenario is computed as follows:
ROSI = ((20 × $9,000) × 0.90 – $70,000) ÷ $70,000
ROSI = 131.4 percent
The formula suggests that the security investment will generate a return of 131.4 percent, or about $91,980 annually.
The ROSI calculation is the result of many approximations. The cost of security incidents and Annual Rate of Occurrence are hard to estimate, and approximations can vary greatly due to divergent risk perceptions/outlooks. For this reason, it’s best to get your hands on historical statistical data if you can.
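To make the arithmetic above concrete, here is an added Python example (not code from the article or from Optic Security Group) that encodes the ROI, ALE and ROSI formulas given in this post, reproduces the $70,000 / 20 incidents / $9,000 / 90 percent scenario, and then sweeps the ARO estimate to show how much the result moves with that one approximation. The function names, the break-even calculation and the ARO range are my own additions.

```python
"""ROI, ALE and ROSI helpers, with a sensitivity sweep over the ARO estimate.

Added example; the formulas follow the article, the helper names are assumptions.
"""


def roi(final_value, cost):
    """ROI percent = (final value - cost) / cost x 100."""
    return (final_value - cost) / cost * 100.0


def ale(sle, aro):
    """Annual Loss Expectancy = Single Loss Expectancy x Annual Rate of Occurrence."""
    return sle * aro


def net_loss_reduction(sle, aro, mitigation_ratio, solution_cost):
    """Monetary losses prevented minus the cost of the security solution."""
    return ale(sle, aro) * mitigation_ratio - solution_cost


def rosi(sle, aro, mitigation_ratio, solution_cost):
    """ROSI percent = (losses prevented - solution cost) / solution cost x 100."""
    return net_loss_reduction(sle, aro, mitigation_ratio, solution_cost) / solution_cost * 100.0


def article_example():
    """The article's scenario: 20 incidents/year at $9,000 each, 90% blocked, $70,000/year."""
    return rosi(sle=9_000, aro=20, mitigation_ratio=0.90, solution_cost=70_000)


def breakeven_aro(sle, mitigation_ratio, solution_cost):
    """ARO at which ROSI is exactly zero: sle * aro * m = cost, so aro = cost / (sle * m)."""
    return solution_cost / (sle * mitigation_ratio)


def rosi_sensitivity(sle, aro_range, mitigation_ratio, solution_cost):
    """Return (ARO, ROSI percent) pairs for a range of ARO estimates.

    The ARO is usually the least certain input, so this shows how wide the
    plausible ROSI band is before anyone commits to a single headline figure.
    """
    return [(aro, rosi(sle, aro, mitigation_ratio, solution_cost)) for aro in aro_range]


if __name__ == "__main__":
    print(f"ROI on $1,200 back from $1,000 invested: {roi(1_200, 1_000):.1f}%")
    print(f"Article scenario ROSI: {article_example():.1f}%")
    print(f"Net loss reduction: ${net_loss_reduction(9_000, 20, 0.90, 70_000):,.0f}")
    print(f"Break-even ARO: {breakeven_aro(9_000, 0.90, 70_000):.2f} incidents/year")
    for aro, pct in rosi_sensitivity(9_000, range(5, 26, 5), 0.90, 70_000):
        print(f"  ARO {aro:>2}: ROSI {pct:7.1f}%")
```

Two things the sweep makes visible: the unrounded net loss reduction in the article's scenario is $92,000 (the $91,980 quoted above comes from multiplying $70,000 by the rounded 131.4 percent), and the investment only breaks even at roughly 8.6 incidents per year, so an ARO estimate of 5 rather than 20 turns the same solution into a 42 percent loss. That is why the historical data the paragraph above recommends matters more than the precision of the formula.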
Understanding the range of costs
Research suggests that organisations tend to underestimate or understate the costs of a security breach. According to the Ponemon Institute’s State of Cyber Security Readiness, over 50% of small-to-medium businesses “are more worried about the time and productivity loss than they are about more tangible outcomes such as loss of customers and business partners, damage to reputation or an increased cost when it comes to winning over new prospects.”
The IT and cyber security field has long grappled with the challenge of accounting for the costs of cyberattacks and data breaches, so it makes sense to leverage their experience. The Ponemon Institute annual cost of cybercrime studies, for example, utilise activity-based costing frameworks and benchmark methods to calculate the cost of cyberattacks.
These studies tend to identify security breach cost categories that describe the different ways in which a breach can cost an organisation. And while the costs may vary somewhat between cyber and physical security breaches, the costs of a physical security breach are potentially no less significant, particularly when one considers consequences such as physical injuries and fatalities.
For the purposes of costs relevant to a physical security breach, categories can include the following (we used the same categories in our previous article on 'soft' cost factors):
Loss and damage costs: personal harm (emotional or physical injury, fatality); loss and breakage (theft of assets and/or information, damage, vandalism, and the associated repair and restoration costs); regulatory penalties; insurance premium increases; litigation costs; and the costs of security review and new security controls.
Disruption costs: staff morale degradation; productivity loss; additional personnel costs; business continuity and disaster recovery costs.
Opportunity costs: brand/reputational damage; market fallout and potential customer loss; in short, loss of income that might otherwise have been achieved in the absence of a security breach.
In order to know how much they should spend on security, decision makers need to know how much a lack of security can cost the business – and what the most cost-effective solutions are. With a measure of research, the above costs can be estimated and modelled so that the best security investment decisions may be made.
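As an added example (not from the article), the following Python models the cost of a single physical security incident as a sum over the three categories above, using constructed per-incident figures, and then ranks candidate controls two ways: by ROSI percentage and by absolute net loss reduction. It goes a step beyond the text by showing that those two rankings can disagree. The control names, annual costs and mitigation ratios are made up for illustration, and the cost figures are not data from the article or from Ponemon.

```python
"""Build an SLE from the article's breach cost categories and compare candidate controls.

Added example. All monetary figures and controls below are constructed illustrations.
"""
from dataclasses import dataclass

# Constructed per-incident cost estimates, grouped in the article's three categories.
INCIDENT_COSTS = {
    "loss_and_damage": {
        "theft_and_breakage": 6_000,
        "repairs_and_restoration": 1_500,
        "insurance_premium_increase": 500,
        "security_review_and_new_controls": 1_000,
    },
    "disruption": {
        "productivity_loss": 2_500,
        "additional_personnel": 800,
        "business_continuity_and_recovery": 700,
    },
    "opportunity": {
        "potential_customer_loss": 3_000,
        "reputational_damage": 2_000,
    },
}


def category_totals(costs):
    """Per-category subtotal of a single incident's cost."""
    return {category: sum(items.values()) for category, items in costs.items()}


def single_loss_expectancy(costs):
    """SLE = the total financial loss from one incident across every category."""
    return sum(category_totals(costs).values())


@dataclass
class Control:
    """A candidate security solution (hypothetical; names and figures are constructed)."""
    name: str
    annual_cost: float
    mitigation_ratio: float  # fraction of incidents the control is expected to prevent


CANDIDATE_CONTROLS = [
    Control("Basic CCTV upgrade", annual_cost=30_000, mitigation_ratio=0.50),
    Control("Integrated access control and analytics", annual_cost=70_000, mitigation_ratio=0.90),
]


def evaluate(control, sle, aro):
    """Apply the article's ROSI formula to one control for a given SLE and ARO."""
    annual_loss_expectancy = sle * aro
    net = annual_loss_expectancy * control.mitigation_ratio - control.annual_cost
    return {
        "name": control.name,
        "ale": annual_loss_expectancy,
        "net_loss_reduction": net,
        "rosi_percent": net / control.annual_cost * 100.0,
    }


def rank_controls(controls, sle, aro, key="net_loss_reduction"):
    """Rank controls by absolute net loss reduction (default) or by ROSI percent."""
    return sorted((evaluate(c, sle, aro) for c in controls), key=lambda r: r[key], reverse=True)


if __name__ == "__main__":
    aro = 20  # constructed: incidents per year
    totals = category_totals(INCIDENT_COSTS)
    sle = single_loss_expectancy(INCIDENT_COSTS)
    print("Per-incident cost by category:", totals)
    print(f"Loss-and-damage only SLE: ${totals['loss_and_damage']:,}  full SLE: ${sle:,}")
    for key in ("rosi_percent", "net_loss_reduction"):
        print(f"\nRanked by {key}:")
        for r in rank_controls(CANDIDATE_CONTROLS, sle, aro, key=key):
            print(f"  {r['name']:<42} ROSI {r['rosi_percent']:6.1f}%  net ${r['net_loss_reduction']:,.0f}")
```

With only the loss-and-damage category counted, the constructed SLE comes to $9,000, the figure used in the worked example earlier in this article; adding the disruption and opportunity categories doubles it to $18,000, which is the point of this section. The second lesson is that ROSI as a percentage favours the cheaper control (500 percent versus about 363 percent), while absolute net loss reduction favours the more effective one ($254,000 versus $150,000), so decision makers should look at both before choosing the "most cost-effective" solution.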
As a side note, within the broader context of ‘security convergence’, it makes good sense for an organisation to account for the costs of security breaches across its cyber, physical, and cyber-physical systems. Identify and treat the security risks to the organisation across the traditional digital-physical silos, and account for the collective sum of your ‘Return on (cyber and physical) Security Investments’.
But ROSI isn’t just about minimising loss and protecting profit; it’s also about understanding the potential for security systems to deliver value-add for organisations. In our fifth article in this series we’ll explore the ways in which security can be a strategic enabler for your business.
In the meantime, if you’d like to find out more about how Optic Security Group can manage your security risks through solutions that tick the TCO box, please get in touch with us.