Transforming IT Blog
Join us in the Transforming IT HP Blog where we will discuss reinventing IT to overcome obstacles and take advantage of Instant on Enterprise opportunities.

Measuring the Return on Security Investment

When building a business case for information security, the focus is always on risk. To put the business case on the same footing as other corporate investments, it is necessary to quantify how the security investment will produce a return through the reduction of risk and potential losses. Traditionally, security has been classified more as an expense that would hopefully pay for itself than as a true investment in information technology. A business case needs to specify how investments in security may prevent potential losses for an organization.


Potential losses to an organization include the following:

  • Loss of revenue
  • Loss of productivity
  • Repair costs
  • Loss of data (temporary, permanent, or compromised)
  • Loss in reputation
  • Regulatory fines
  • Regulatory sanctions
  • Contractual service-level agreement (SLA) fines
  • Shareholder or class action lawsuits

The goal for an organization is to be optimally insured for the amount of money spent (commensurate with the value of the assets at risk). This is not an easy task, since an increase in security investment does not always directly result in a reduction of risk. The key is to find the largest return on security investment, where there is a level of optimum loss prevention at a reasonable cost. Formulas such as the Annual Loss Expectancy (ALE) are used to calculate the return on security investment through the reduction of potential loss.


Factors of ALE include:

  • Exposure Factor (EF), which is the percentage of the loss caused by identified threats
  • Single Loss Expectancy (SLE), which is the value of the loss multiplied by the EF
  • Annualized Rate of Occurrence (ARO), which is the estimated frequency with which the loss could occur within a year
  • ALE = SLE x ARO
  • Reduction of potential loss = ALE before implementation of the security measure – ALE after implementation of the security measure

Using the ALE formula provides a quantifiable range to evaluate the return on security investment. While it may be challenging to quantify the potential loss, the biggest challenge usually comes from obtaining buy-in from the organization on the results. The organization has to support the belief that there is a tangible, quantifiable security risk and that the risk can be mitigated by the proposed investment in security. Active communication with the organization's stakeholders is essential for getting buy-in and support. It is through the successful implementation of this method that the money spent on security can be represented as an investment instead of an expense, and a return on investment can be incorporated into a business case for information security.
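A worked version of the ALE comparison above, added here as an example and not part of the original post. It evaluates low and high estimates for two hypothetical measures; all figures are constructed, and the return ratio (reduction minus annual cost, divided by annual cost) is a common convention assumed here rather than a formula from the article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    loss_value: float  # value of the loss if the threat materializes
    ef: float          # Exposure Factor, as a fraction 0..1
    aro: float         # Annualized Rate of Occurrence, events per year

    def ale(self):
        if not 0 <= self.ef <= 1 or self.aro < 0 or self.loss_value < 0:
            raise ValueError("need 0 <= EF <= 1, ARO >= 0, loss value >= 0")
        sle = self.loss_value * self.ef  # Single Loss Expectancy
        return sle * self.aro            # ALE = SLE x ARO

def evaluate(before, after, annual_cost):
    """before/after map 'low' and 'high' estimates to a Scenario."""
    if annual_cost <= 0:
        raise ValueError("annual cost of the measure must be positive")
    result = {}
    for case in ("low", "high"):
        reduction = before[case].ale() - after[case].ale()
        result[case] = {
            "reduction": reduction,
            "net_benefit": reduction - annual_cost,
            "return": (reduction - annual_cost) / annual_cost,  # assumed ratio
        }
    return result

def rank(before, measures):
    """Names of measures ordered by worst-case net benefit, best first."""
    def worst(name):
        after, cost = measures[name]
        return min(c["net_benefit"] for c in evaluate(before, after, cost).values())
    return sorted(measures, key=worst, reverse=True)

# Constructed figures for one threat; the measures are hypothetical.
BEFORE = {"low": Scenario(400_000, 0.25, 0.5), "high": Scenario(400_000, 0.5, 1.0)}
MEASURES = {
    # Lowers how often the loss occurs.
    "measure_a": ({"low": Scenario(400_000, 0.25, 0.125),
                   "high": Scenario(400_000, 0.5, 0.25)}, 30_000),
    # Caps the size of each loss, at twice the cost.
    "measure_b": ({"low": Scenario(400_000, 0.125, 0.5),
                   "high": Scenario(400_000, 0.125, 1.0)}, 60_000),
}

if __name__ == "__main__":
    for name in rank(BEFORE, MEASURES):
        print(name, evaluate(BEFORE, *MEASURES[name]))
```

With these figures, measure_b removes as much potential loss as measure_a in the high estimate but costs more than it saves in the low estimate, which is why ranking on the worst case puts it second.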


Learn how HP Technology Services can help you optimize business results.



TSchreider | ‎09-28-2012 09:27 PM

Great article on the investment aspect of InfoSec programs. I wonder if self-insurance accruals or cyber insurance policy premiums or deductibles could be used as well?

LCunningham | ‎10-09-2012 09:52 PM

Agreed Tari, insurance policies can be evaluated based on the same criteria. A business case can specify not only how investments in security may prevent potential losses for an organization but also how money spent on cyber insurance policies can hedge against potential losses.  The goal when purchasing insurance is to secure the optimum loss protection for a reasonable cost. 

GaryWhite | ‎10-10-2012 09:51 AM

This is an excellent and practical example of quantifying the value of security for the business case. To help with the buy-in process you can also interlink the business case to other mission critical initiatives. This provides justification and reinforces the basis of the business case.

About the Author
Laura Cunningham is a CPA and business consultant with HP Technology Services Consulting. She helps CIOs and their teams bridge the gap betw...

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.