Bang for the buck – calculating the ROI of cybersecurity


The cybercrime business – just like any other business – looks at its return on investment. If an attack does not yield results, more than 60 percent of hackers will move on within 40 hours, since hackers have become corporate in their behavior, balancing costs, risks and effort.

You are in competition with cyber criminals for the security of your data. But while the average cyber attacker stands to make a few thousand dollars per attack, the average cost of a data breach to a U.S. business has risen to $7 million, and a standard ransomware campaign could earn an attacker a 1,425 percent ROI. You have a lot more to lose than they have to gain.

For any business, the cost of cybercrime includes damage to and destruction of data, stolen money and fraud, theft of personal and financial data, lost productivity, and the costs of post-attack disruption, investigation and restoration. Much of this is difficult to measure in monetary terms.

And on top of that, there is the damage to the company’s intangible assets: potential customers losing trust in the brand, or damaged customer relationships. This is of more concern than ever before, since intangible assets have become the business’s main value drivers.

The evolution of value drivers reveals how intangibles now comprise 80 percent of corporate valuations. More companies than ever are creating high value with fewer fixed assets. A report from McKinsey shows that these asset-light, idea-intensive sectors generate 31 percent of the Western economy.

With that said, business leaders may need to adapt their business models or develop new ones. Quality decision-making and value-creating data insights are essential to achieve this, and they are also rapidly becoming determinants of organizational success.

With new measures to manage performance, organizations need to develop their intangible assets and achieve their strategic goals.


Framework for calculating the cost of cyberattacks on your company

Customers are at the beginning and the end of the balanced value chain. Without their trust and liking, there will be no company. To make sure that your security measures are proportionate, it is important to (try to) calculate their potential effect.

Step 1: Identify your organization’s most important value-drivers

To understand the economic impact an attack might have, it is important to identify the organization’s most important value-drivers – intangible assets – and how they could be affected. 

The most important determinants of value in businesses today, ranked from high to low:

  1. Customer satisfaction
  2. Quality of business process
  3. Customer relationship
  4. Quality of people (human capital)
  5. Reputation of brand

Step 2: KPIs that can measure the organization’s value-drivers

The problem is that intangible assets are also difficult to measure, especially in financial terms. In order to manage the intangible assets, it is important that they are being measured (or at least described in non-financial terms).

Based on the identified value-drivers, suitable KPIs can be chosen, since the two need to be related to each other.

There is, however, a good chance they are not. As a matter of fact, finance executives point out that there is a need to identify new KPIs, since they should measure the value-drivers and nothing else.

It is important that the KPIs chosen are:

  • Connected to the value-drivers
  • Measurable
  • Relevant to the business
  • Built on accurate data

Value drivers and the KPIs that can measure them:

  Value driver                        KPIs
  Customer satisfaction               Customer experience & satisfaction; customer pipeline and retention
  Quality of business process         Data quality
  Customer relationship               Customer experience & satisfaction; customer pipeline and retention
  Quality of people (human capital)   Employee productivity; employee engagement & retention; talent sourcing and pipeline
  Reputation of brand                 Brand awareness and equity

Step 3: Phrase well-defined KPIs based on the relationships

To measure intangibles, businesses must make connections between financial outcomes and pre-financial measures that they can use as leading indicators, usually based on a causal relationship or correlation.

Step 4: Calculate the potential negative effect on the intangible assets

Identify which cost centers are affected by data breaches, and to what extent. (For a proper ROI calculation, do not forget the cost of lost tangible assets.)

Step 5: Calculate the cost of prevention

The cost of prevention depends on what you protect and to what degree. Some of the commonly known areas for protection are:

  • Security Awareness Training
    Training employees to recognize and defend against cyber attacks is one of the most important things you can do. Training employees on how to recognize and react to phishing emails and cyber threats may be the best security ROI. Take extra care if you are a healthcare provider: for the past two years, healthcare has been the bullseye for hackers and is the most hacked vertical we’re seeing right now. What makes this industry different is that it affects everyone, not just financially but personally.
  • Standards and processes
    Today, there are a number of tools that can be applied to achieve better information security, e.g. ISO 27001. But often they tend to be just static tools, used as a “tick-in-the-box” and nothing more. A symptom of this is having a security and information policy without training your staff properly in how to apply it. You can have the best perimeter protection while, inside it, there is no separation between information domains of different classifications.
  • SIRP
    When an incident has occurred or a breach is discovered, you need a plan that tells you how to handle the situation and helps you avoid the mistakes you are likely to make in crisis mode. A Security Incident Response Policy (SIRP) ensures that your organization has both the controls to detect security incidents and the processes to resolve them. No one likes to read it any more than you like to write it.
  • HIPS
    An effective Host Intrusion Prevention System (HIPS) blocks the attacker entirely on all ports if they trigger any of the detectors. As a result, the attacker is unable to communicate with your server at all, which automatically protects every other service you might have running on it. This is similar to an intruder trying to unlock your door, triggering the alarm, and finding that the building has “magically” disappeared. In conclusion: built-in intrusion prevention is good; a HIPS is better.
  • NIST-framework
    The National Institute of Standards and Technology (NIST) is a non-regulatory US government agency responsible for driving innovation and competitiveness through technology and metrics. It publishes the NIST Cybersecurity Framework (NIST CSF), which organizes cybersecurity activities into five broad functions: identify, protect, detect, respond to, and recover from threats.

Step 6: Return on investment

By relating the initial cost of the security measures (the cost of the investment) to the money that plausibly would be saved by those measures (the value of the investment), the return on investment can be calculated.
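The six steps above reduce to a calculation that is easy to get wrong if tangible losses, intangible losses and the control’s actual risk reduction are mixed up. The following Python script is an added illustration, not code from the original article: it models value drivers with their KPIs (Steps 1 to 3), an expected loss per driver plus the tangible loss of a breach (Step 4), candidate controls with their annual cost and an assumed risk-reduction fraction (Step 5), and the resulting ROI for each control (Step 6). Every number, the control names and the risk-reduction fractions are constructed assumptions, and the ROI formula used is the usual (loss avoided − cost) / cost.

```python
"""Worked ROI calculation for security controls (constructed example).

All figures below are constructed placeholders, not data from the article.
"""
from dataclasses import dataclass


@dataclass
class ValueDriver:
    """Step 1-3: an intangible value driver, its KPIs and the estimated
    loss to it if a breach occurs (Step 4, constructed estimate)."""
    name: str
    kpis: tuple[str, ...]
    loss_if_breached: float


@dataclass
class Control:
    """Step 5: a preventive measure, its annual cost and the fraction of the
    expected breach loss it is assumed to remove (0.0 .. 1.0)."""
    name: str
    annual_cost: float
    risk_reduction: float


# Constructed sample data: the five value drivers from the article, each with
# an assumed loss figure (in USD) should a breach hit that driver.
DRIVERS = [
    ValueDriver("Customer satisfaction",
                ("Customer experience & satisfaction", "Customer pipeline and retention"), 600_000),
    ValueDriver("Quality of business process", ("Data quality",), 300_000),
    ValueDriver("Customer relationship",
                ("Customer experience & satisfaction", "Customer pipeline and retention"), 400_000),
    ValueDriver("Quality of people (human capital)",
                ("Employee productivity", "Employee engagement & retention"), 100_000),
    ValueDriver("Reputation of brand", ("Brand awareness and equity",), 500_000),
]

TANGIBLE_LOSS = 500_000      # constructed: restoration, investigation, direct fraud
BREACH_PROBABILITY = 0.2     # constructed: chance of a breach in one year

# Constructed controls; the risk_reduction values are assumptions, not measurements.
CONTROLS = [
    Control("Security awareness training", annual_cost=40_000, risk_reduction=0.3),
    Control("Host intrusion prevention (HIPS)", annual_cost=120_000, risk_reduction=0.5),
]


def loss_if_breached(drivers: list[ValueDriver], tangible_loss: float) -> float:
    """Step 4: total loss of one breach = tangible loss + sum of intangible losses."""
    return tangible_loss + sum(d.loss_if_breached for d in drivers)


def expected_annual_loss(drivers: list[ValueDriver], tangible_loss: float,
                         breach_probability: float) -> float:
    """Expected loss per year before any new control is bought."""
    return breach_probability * loss_if_breached(drivers, tangible_loss)


def rosi(control: Control, eal: float) -> float:
    """Step 6: ROI of a control = (loss avoided - cost) / cost.

    A result above 0 means the control is expected to pay for itself.
    """
    if control.annual_cost <= 0:
        raise ValueError("control cost must be positive")
    avoided = eal * control.risk_reduction
    return (avoided - control.annual_cost) / control.annual_cost


def rank_controls(controls: list[Control], eal: float) -> list[tuple[str, float]]:
    """Return (name, ROI) pairs, best ROI first, so budget goes to the top entries."""
    scored = [(c.name, rosi(c, eal)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    eal = expected_annual_loss(DRIVERS, TANGIBLE_LOSS, BREACH_PROBABILITY)
    print(f"Expected annual loss without new controls: ${eal:,.0f}")
    for name, roi in rank_controls(CONTROLS, eal):
        print(f"  {name:<40} ROI = {roi:+.0%}")
```

The weakest input is risk_reduction: the loss figures can at least be tied to the KPIs chosen in Steps 2 and 3, whereas the fraction of loss a control prevents is usually an estimate, so it is worth re-running the ranking with a pessimistic and an optimistic value before committing budget.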