Sorting out the cybersecurity mess today can be a costly business. Cybersecurity Ventures have predicted we are looking at a global spend on cybersecurity clean-ups of around $6 trillion (£4.7 trillion) by 2021. Even small companies end up spending a lot of their hard-earned revenue on the mess left behind by the cybercriminal. Hiscox estimates the cost of a “cybersecurity clear-up” hits a small company to the tune of around £25,700.
Even so, spending money on something that might not have happened yet to prevent it occurring, is a hard pill to swallow. Enter the “Return on Investment” (ROI) calculator. I am going to take a hard look at the idea of an ROI calculator and give you my unbiased (I promise) view of the validity of such a calculator.
What is Return on Investment and Why Is it So Loved?
The ROI Equation
Generally, mathematical equations are based on a set of variables and some have constants too.
Variables are things that ‘vary’ in what they stand for. They represent any quantity that affects the result and that can take different values.
Constants are constant (mathematics is great, isn’t it)? Constants also affect the outcome but have fixed values. For example, Pi is a constant and it never changes (hopefully, or the universe will explode – I have no scientific proof this is true).
An ROI equation gives you a definitive quantifiable outcome. This is a really useful thing to have to convince a board or management to give you money to fight cybercrime and internal cybersecurity issues.
An ROI equation is a very simple thing. It is usually expressed as:
ROI = R/I
R = Return (Benefit)
I = Investment (Cost
This sort of simple equation can be really powerful when you have clear costs and benefits. You can plug the numbers in, turn the handle, and ‘hey presto’ out pops an ROI. You can then use that figure to justify doing something – it might cost X, but it’ll return Y.
Unfortunately, cybersecurity isn’t so clear cut.
The ROI Equation for Cybersecurity
Many organizations have updated the simple ROI equation to add in an element of probabilityto calculate percentage risk. This is a more realistic way of calculating ROI in a fuzzy system like security which has many variables – some of which are not quantifiable with any degree of certainty.
An attempt at generating a cybersecurity ROI equation can be seen in this post by Michael Coden in Forbes. Coden uses research from MIT into the different aspects of a ‘cyber-threat’ chain, aka all the steps that can happen to create an incident. If you are interested, the framework for assessing and managing cybersecurity risk goes by the acronym STACHT.
Coden uses this key research to establish the impact of a cyber-incident. Then maps this to a project that applies preventative controls (as in cybersecurity measures).
Using this, the ROI equation for cybersecurity is generated:
ROI = [(PCxIC before project) – (PCxIC after project) – cost of project] / Cost of project
Probability of a Compromise (PC) = threats x vulnerabilities
Impact of a Compromise (IC) = asset x losses given a compromise
- Source: Michale Code, Forbes
Probability is calculated as a measure of the total number of threats multiplied by the vulnerabilities in the project; in this way, it acts as a type of weighting system factor.
The impact covers the losses that occur if a cybersecurity incident happens.
Plug them into the equation and you get your ROI to show your board. But is it realistic?
The ROI Equation for Security Awareness Training
The issue I have with the ROI equation for cybersecurity is that it makes you do a lot of work for a result that is open to interpretation.
The equation also suggests it can be used as a basis for working out the value of cybersecurity awareness training; setting that as a specific project to run the equation against. But, it appears unlikely the equation takes all of the variables impacted by security awareness training into account.
I am talking about variables that are intangible, difficult to quantify, often difficult to reflect even with weightings applied. Three examples of impactful but intangible items that can come out of not doing security awareness training at all are:
- Excuse of ‘we weren’t trained” in court costs: As exemplified by the recent court case where a Peebles Media employee was sued when she inadvertently lost over 100K due to a Business Email Compromise attack (BEC). The woman is counter-suing as she hadn’t been through security awareness training.
- Insurance premium could increase: Cybersecurity insurance can have lower premiums if you reduce your risk by training employees in security awareness and carry out phishing simulations. Or impacted adversely if you don’t use training.
- Compliance not covered – fines? A number of regulations around data protection, such as PCI-DSS and GDPR, either mandate or strongly suggest that you use security awareness training. If you suffer a breach and have implemented awareness training, you will have a better defence in any court case that ensues.
Adding intangibles like the above and others like post-breach reputation damage is important. These sorts of items are hard to quantify but have a large impact – their weighting in terms of any ROI equation would be high.
Tangible and Observable Facts
Security awareness training can show real measurable success – this is why metrics are part of any good program of training. Observable facts show the true ROI of security awareness training; and this is something that everyone can intrinsically understand.
When you choose to use security awareness in your company you need to apply practical ways to measure it. Ways that transcend an equation, that show real results. Practical and observable thing such as:
- Increased staff awareness – your employees acting like a layer of protection against cyber-threats
- A tangible decrease in incidents and good security – metrics showing fewer clicks on phishing emails, fewer malware infections, better password hygiene, etc.
- An increase in reports of phishing – and related items which are a tangible and positive sign your business is making progress against cyber-threats
As you can see, it’s not an easy thing to calculate the ROI of cybersecurity, let alone specific projects like security awareness training, and many assumptions are made to get there. Sometimes, a ‘thing’ is not suited for a mathematical equation of this nature. Sometimes things are too ‘fuzzy’ to capture in this way. Sometimes, the human brain just needs to look at the various touchpoints of a ‘thing’ like cybersecurity, to work out why it’s a no-brainer to invest in cybersecurity 101 – security awareness training. Fortunately, security awareness training has built-in metrics which output real measures of security. This includes both graph-based metrics as well as actual observable changes in the levels of security your business experiences.
Perhaps, instead of using an equation that only fits the ROI decision by manipulation, you can instead write up a simple list of pros and cons of cybersecurity projects with typical costs. You can then back this up with the positive outcomes from a good security awareness training program. You can then have an at-a-glance view of what makes sense to do in a cybersecurity landscape that changes very quickly.