Do you know how much you should spend on cybersecurity? It’s a simple question, yet the answer is terribly elusive. The goal of this article is to answer the following questions:
1. How much should we spend on cybersecurity?
2. What should we spend the cybersecurity dollars on?
This guide equips you with a toolkit to justify cybersecurity investments in a language your finance stakeholders will understand. By moving beyond the limitations of Return on Security Investment (ROSI) and leveraging tools like FAIR, Net Present Value (NPV), Internal Rate of Return (IRR), and the Gordon-Loeb model, we can make defensible, business-aligned decisions. Let’s dive into how we can reframe cyber risk as a calculated bet, using a simplified ransomware scenario to illustrate the process.
Let’s start with a bold statement: ROSI, while useful, falls short for long-term cybersecurity investments. As practitioners, we’re all familiar with ROSI’s simplicity—it’s a tactical cost-saving metric that’s great for quick wins. For small projects with paybacks within 12-24 months, ROSI shines because it’s easy to calculate and aligns with short-term budget cycles. Its benefits include:
But ROSI has serious limitations when projected over three to five years. It ignores the time value of money, treating $1 saved today the same as $1 saved years from now. It collapses multi-year benefits into a single figure, failing to account for evolving attack surfaces, control decay, or changing Annualized Loss Expectancy (ALE). Most critically, ROSI misaligns with what boards care about: not the “biggest ROSI number,” but the optimal spend to reduce risk. Instead of discarding ROSI, I propose using it where it works: for short-term, tactical decisions, and complementing it with more robust tools for long-term strategic investments.
Instead of asking, “What’s the ROSI?” I challenge you to ask, “Is this the optimal amount to spend to reduce risk?” To answer this, I’ll introduce a ransomware scenario to demonstrate how FAIR, NPV, IRR, and Gordon-Loeb can guide strategic investments.
To make this practical, let’s use a simplified ransomware scenario targeting a large bank, deliberately focusing on spear-phishing emails as the initial attack surface to keep the example clear. While the full attack chain (e.g., lateral movement, encryption) needs to be accounted for in the analysis, let’s zero in on one control (email filtering) to illustrate how financial tools evaluate a single investment simply. Here’s the scenario:
This scenario sets the stage for evaluating a $1 million email filtering investment (including $700K initial costs and $100K/year maintenance), which reduces ALE by $4 million annually. Let’s walk through how we analyze this using our toolkit.
Assuming familiarity with FAIR (Factor Analysis of Information Risk), let’s focus on the high-level process to apply it alongside financial metrics, without diving into the details of the FAIR model. The goal is to quantify risk in dollars and evaluate controls systematically. Here’s the workflow:
1. Identify:
- Define the decision: Should we invest in email filtering to mitigate ransomware risk?
- Specify the question: Spear-phishing as the initial attack vector.
- Outline the business context: Critical assets (bank’s data, transaction systems).
The outcome should be a well-defined risk scenario, as proposed by the FAIR taxonomy.
2. Analyze:
- Map the attack surface and loss chain, focusing on spear-phishing.
- Identify key controls (e.g., email filtering) and assess performance (see FAIR-CAM for metrics).
- Quantify Loss Event Frequency (LEF) and Loss Magnitude (LM) using FAIR’s loss forms (e.g., response costs, fines).
3. Evaluate:
- Calculate ALE, LEF, and LM using FAIR.
- Conduct what-if analysis to measure impact (e.g., email filtering reduces ALE by $4M/year).
- Prioritize cost of controls, and develop treatment plans.
In our scenario, a before-and-after simulation showed email filtering reducing ALE by $4 million annually. This figure accounts for the full attack chain but emphasizes the initial vector for clarity. FAIR practitioners will of course note that in practice the FAIR factors are distributions and not single point estimates. The reason for distributions rather than discrete numbers is the level of uncertainty for each of these factors, but we’ll focus on the most likely values for the sake of simplicity.
Despite attempts, I believe a true return is difficult with cybersecurity: the best we can do is a reduction in potential loss, or potential costs. For this reason some people are using the term return on security investment (ROSI) rather than ROI:
ROSI= (Benefits – Costs)/Costs
So, let’s invest $700,000 in an email filtering solution (Cost) that reduces our annualized expected loss by $4M/year (Benefit). The email filtering solution costs us $100,000/year to operate and our three year ROSI is $11M (assuming future benefits are not discounted, an assumption that will be revised in the next example).
If we are using ROSI as our justification measure then we’d most likely move forward with this investment.
Unfortunately, it’s not that simple. ROSI is a great tactical screen: it’s easy, familiar to finance, and works for quick wins where pay-back is under two years. But there are problems with using ROSI to justify cybersecurity investments. ROSI breaks down when we stretch the time horizon: it ignores the time value of money, assumes annual loss expectancy (ALE) stays flat and can’t cope with uncertainty. The other issue with ROSI is it’s not the same thing as optimizing corporate investment. In fact, from the CFO’s perspective, the goal of the firm is not maximizing ROSI, but rather deriving the optimal level of cybersecurity investment for the firm. These are two very different goals.
To address ROSI’s shortcomings, I’d like to introduce NPV and IRR, which account for time, uncertainty, and investment efficiency. Here’s how they apply to our scenario:
Net Present Value (NPV): NPV discounts future benefits to their present value, ensuring we compare apples to apples. Using a 15% discount rate—aligned with our finance team’s weighted average cost of capital (WACC), investment time horizon and scenario-specific risks—the email filtering project yields a positive NPV. This means the future risk reduction ($4M/year) outweighs today’s $1M spend. The diminishing returns over time are clear: year one’s benefit is worth more than year three’s.
Internal Rate of Return (IRR): IRR is the “break-even” return rate that sets NPV to zero. In our case, the IRR is far exceeding our 15% hurdle rate, indicating a highly efficient investment.
Choosing the right discount rate is critical. I recommend collaborating early with your finance team to align on a rate (typically 10-30% for cybersecurity, depending on WACC and risk factors).
Be transparent about assumptions to build credibility with stakeholders because scenario-specific risk factors matter - Higher discount rates can be applied to scenarios with greater uncertainty in risk reduction estimates or greater uncertainty in projected benefits.
In our example, we’d make the investment because NPV >0 however, the NPV is substantially less than the ROSI. The reality of cybersecurity investments is there is significant risk involved, particularly when projecting expected loss reductions. What I really like about NPV is we can reflect this risk in the discount factor. For example, what if we double the discount rate to 30% or 35% to reflect the highly uncertain nature of our projections? This drops our NPV considerably compared to our initial ROSI projection and initial NPV. Most likely, we’d still make the investment since NPV >0, but it’s not the clear cut win we see with the ROSI, or even the initial NPV.
How much is too much to spend on a control? The Gordon-Loeb model provides a guardrail: spend no more than ~37% of expected loss, as additional dollars yield diminishing returns. In our scenario, the $1M email filtering investment is well below this cap, ensuring efficiency. However, this is a guide, not a hard rule. For high-stakes scenarios you might justify spending more. Use Gordon-Loeb alongside NPV and IRR, but lean on your judgment to balance theory with business priorities.
To integrate these tools, I suggest a simple workflow: Use FAIR to quantify ALE reduction ($4M over three years), NPV to confirm financial viability (positive NPV at $1M cost), IRR to assess efficiency (way above the 15% hurdle), and Gordon-Loeb to cap spending. This answers, “Is this the optimal investment?” with a resounding “Yes, here’s why.”
No model is perfect. FAIR, NPV rely on assumptions like risk reduction estimates, the quality of input data, and or evolving threat landscapes. Our $4M figure is a most likely estimate; validate it with empirical data and test sensitivity (e.g., ±20% ALE). The Gordon-Loeb’s 37% rule assumes specific conditions, so adjust for context. “All models are wrong, but some are useful”. Cybersecurity is a calculated bet, not a quest for zero risk. Partner early with your finance, IT, and procurement teams to refine assumptions and build a compelling case. A quick executive summary with NPV/IRR, and IRR charts can translate this for boards.
As practitioners, we’re tasked with protecting our organization while justifying every dollar. ROSI is a good start for quick wins, but for strategic bets - like multi-year ransomware defenses - we need FAIR and rigorous financial metrics and models. Our simplified ransomware scenario showed how to focus on one control to quantify risk, assess financial value, and avoid overspending. By speaking the language of the business, you’ll turn cyber risk into smarter investments.
I hope this framework empowers you to make better decisions. Try running a similar scenario through these tools, starting with a single control. Engage your finance team to align on the discount rates and watch your proposals gain traction. What’s your next cybersecurity bet?
Stay tuned for our continued in-depth and accurate modeling and forecasting of the value of security investments.