As part of the AMS research tracks on Cybereconomics, we conducted surveys and interviews with practitioners to assess whether they use economic modelling to justify cybersecurity investment decisions and communicate these decisions to boards.
Surprisingly, the majority reported that they do not apply ROSI in practice. ROSI, or Return on Security Investment, is a financial metric that evaluates the monetary benefit of security measures. It measures the value by comparing the cost of implementing security solutions to the potential losses prevented, considering both tangible and intangible avoided costs. Essentially, it calculates the economic gain from a security investment by assessing risk reduction and cost savings against total security expenses.
When asked why they don’t utilize ROSI, respondents typically cite four main challenges:
• Quantifying risks and risk reduction is difficult due to complexity and a lack of actuarial data.
• Limited analytical capabilities are often linked with the perception that complex mathematical calculations are necessary.
• Lack of time and resources to perform quantitative analyses.
• Organisational culture and preferences. Case organisations report that decision-making in IT and/or cybersecurity, based on quantification, is not part of the organisation's culture.
Leaving cultural aspects aside, the first three obstacles stem largely from perceptions of complexity associated with quantitative methods, such as ROSI. This finding prompts a closer examination of Cyber Risk Quantification (CRQ) adoption.
The problem: the perceived complexity of cyber risk quantification
This perceived complexity, rather than actual mathematical difficulty, hinders the adoption of risk quantification. In many cases, organisations describe their cyber investment decision-making as based on a combination of industry benchmarks and “gut feeling”.
Complementary research conducted by AMS students confirms that most organisations rely on qualitative or mixed methods, despite ~75% of respondents considering CRQ feasible, and all agreeing that quantification would enhance decision-making.
A practical starting point is to replace qualitative labels with quantitative proxies and to express uncertainty as ranges rather than fixed numbers.
When examining industry benchmarks, it is evident that cybersecurity investments continue to increase year after year. If ROSI and CRQ are rarely applied, how do organisations then actually decide on cybersecurity investments? AMS research identified seven key factors that influence decision-making:
Most organisations apply only a subset of these factors—often combined with intuition. This shows that security investment decisions are context-dependent and multifaceted.
Based on these findings, we conclude that organisations use a range of quantitative and qualitative factors to inform their decisions on cybersecurity investments.
We argue that cybersecurity investment decisions are context-dependent and must balance interlocking factors rather than relying on a single ROI metric. We build upon the work of AFCEA in 2015, which employed a similar approach to mastering both sophisticated and non-sophisticated attacks by striking a balance between simple interventions at a relatively low cost.
As a starting point, we propose applying three lenses we often use in our lecturing, which are derived from the digital risk management pyramid proposed by ANSSI as part of the eBIOS method. Based on these lenses we suggest a model to facilitate the selection of decision-making factors based on the context in which investment decisions are made.
The cybersecurity investment pyramid considers three different perspectives for investment decisions, each requiring different criteria depending on whether the decision context is hygiene, compliance, or risk-driven. Effective governance makes these trade-offs explicit, combines quantitative evidence with expert judgment, and prioritises investments that maximise risk reduction and business value at acceptable total cost.
Operating in a digital environment comes at a price. Certain threats are inherent to the use of technology to achieve organisational goals. To counter these inherent threats, an organisation should implement basic cyber hygiene measures such as multi-factor authentication and proper authentication and authorisation mechanisms.
A precursor of basic cyber hygiene is the concept of reliable IT operations. An environment that is unmaintainable and/or unstable will pose significant challenges from a security perspective.
The set of basic cyber hygiene measures is relatively well-known and embodied in several frameworks as the “base” maturity level (e.g., CyFun Basic, CIS Controls IG1). Organisations should not seek to justify investments in these measures but rather select the most efficient approaches to operationalising controls within their organisational context.
What is it? Patching, hardening, MFA, inventory/ownership, least privilege, segmentation, and logging are implemented and measured uniformly. Representative catalogues include the protect-surface–oriented measure set (encryption in transit/at rest, IAM, segmentation, content inspection, backups, vulnerability management).
Why first? AMS breach analyses indicate that weaknesses in these areas, including lateral movement, overprivileged users, and misconfigurations, are the dominant root causes; the basic mitigations (inventory, access control, lateral movement barriers, endpoint detection/response) therefore address them directly.
How to value? Consider the Total Cost of Ownership (TCO) and technical requirements, balanced with contextual and strategic fit for the organisation and with internal resource capabilities.
The compliance layer encompasses all requirements imposed by internal and external regulations. These regulations aim to address common threats associated with operating in specific industry sectors (e.g., aerospace, finance, critical services have different regulatory regimes).
The completeness of this layer is highly dependent on the industry sector in which the organisation operates. Highly regulated sectors will be subject to a significant set of security measures (e.g., NIS2, DORA, PCI-DSS), whereas less regulated sectors will be held to considerably lower standards and subsequent audit regimes, as well as fines and liability consequences for boards.
Security investments originating from this compliance perspective can be considered the barrier to entry for an organisation to operate in a given industry sector. The organisation should consider the cost of compliance in relation to the potential losses associated with non-compliance or the opportunity to play in a new regulated market.
These losses will most likely involve the direct consequences of non-compliance, such as fines imposed by regulators, loss of the licence to operate, or, in some cases, direct implications for board members. Opposing the fines is the opportunity to play in new markets when companies gain new accreditations for their products or services or win new customers by complying with a specific regulatory regime.
Decisions on investments within this context should consider these direct consequences and balance them with the TCO of the proposed solutions. Other factors, such as technical requirements, resource capabilities and contextual and strategic fit, remain relevant at this level.
What is it? Controls needed to satisfy sectoral regulation (e.g., GDPR Art. 32 safeguards; NIS2/DORA capabilities) and to demonstrate “being in control” through evidence and response readiness (dashboarding, SOC/CSIRT). A company’s “trust center” proactively demonstrates the firm’s performance in the data and cyber domain to the public.
Why now? Regulatory exposure is often a top cost driver, and well-evidenced responses and governance demonstrably lower penalties and reputational harm.
How to value? Combine cost-avoidance (expected fines/claims) with assurance value: bound ROSI using Gordon–Loeb (investing more than approximately 37% of expected loss is inefficient) and recognise operational fit and total cost of ownership.
At the top of our pyramid is the risk layer, where we consider threats specific to the organisation. Depending on the “thickness” of the compliance layer, few or many risks may remain to be addressed from this perspective.
Organisations operating a reliable IT environment in a highly regulated sector will have already covered a wide range of scenarios, leaving this layer for fine-tuning their security posture for very specific and targeted events.
However, organisations with very “thin” layers beneath will need to consider a wide range of threat and risk scenarios to ensure adequate coverage. We recommend approaching the risk layer of the pyramid through scenario-based thinking. Ideally, these decisions should be integrated with actual business decision-making, rather than being addressed retrospectively.
What is it? Targeted scenarios reflecting relevant actors and sector threats (e.g. National Cybersecurity Centres (NCSC) threat reports, MITRE Tactics, Techniques and Procedures used by attackers) mapped to High Value Assets (e.g. protect surfaces) and business loss drivers; this is where advanced analytics (e.g. Bayesian updates, simulations) are worthwhile (Bobbert, 2020).
Why last? Only after hygiene and compliance “raise the floor” do marginal, scenario-specific investments deliver outsized ROSI. AMS case work shows that combining sector threat data with business-specific loss data makes ROSI tangible for boards and shifts the portfolio towards the highest payoffs. (Bobbert, 2020).
How to value? Apply ROSI in combination with the factors relevant for decisions in the other contexts. Estimate ALE via ALE = ARO × SLE and show ranges (e.g. 90% intervals) rather than fixed points; base ARO on base rates and controls coverage, and SLE on cost-of-breach components. (Antwerp Management School)
Workshop results at AMS also demonstrated that you don’t need a lot of actuarial breach and control data to conduct a scenario-based breach simulation. Revenues in annual reports can easily be converted into daily disruption losses. Many researchers have already examined the exact cost breakdown of a breach, covering both its tangible and intangible costs.
The value of stolen data is rated yearly by the Ponemon Institute and IBM, which helps to predict or calculate the data loss value. Penalties are calculated as a percentage of revenue and increase significantly when the authority encounters a malfunctioning board, in which case the fine is raised to set an example in the market.
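The scenario-based estimate described above (ALE = ARO × SLE shown as a 90% interval, daily disruption loss derived from annual revenue, a per-record value for stolen data, a fine expressed as a share of revenue, and the Gordon–Loeb spending cap) carried through as an added Monte Carlo example; it is not AMS or author code, and every input value is a constructed assumption for a fictional company.

```python
import random
import statistics

# Constructed scenario inputs for a fictional company (assumptions, not AMS case data).
# Each triple is (low, most likely, high): uncertainty is carried as a range, not a point.
ANNUAL_REVENUE = 120_000_000          # taken from a hypothetical annual report
OUTAGE_DAYS = (1, 3, 10)              # days of business disruption in the scenario
RECORDS_AT_RISK = 200_000
COST_PER_RECORD = (100, 160, 250)     # value of a stolen record (Ponemon/IBM-style figure, assumed)
FINE_SHARE = (0.0, 0.005, 0.02)       # regulatory fine as a fraction of annual revenue
ARO = (0.05, 0.15, 0.40)              # annual rate of occurrence from base rates and control coverage

def tri(rng, low, mode, high):
    """Triangular draw; random.triangular takes (low, high, mode), so reorder the arguments."""
    return rng.triangular(low, high, mode)

def sample_sle(rng):
    """Single loss expectancy: disruption loss + stolen-data value + fine, each drawn from its range."""
    disruption = ANNUAL_REVENUE / 365 * tri(rng, *OUTAGE_DAYS)
    data_loss = RECORDS_AT_RISK * tri(rng, *COST_PER_RECORD)
    fine = ANNUAL_REVENUE * tri(rng, *FINE_SHARE)
    return disruption + data_loss + fine

def simulate_ale(runs=10_000, aro_scale=1.0, seed=7):
    """Monte Carlo of ALE = ARO x SLE. Returns (P5, P50, P95, mean) so a board sees a 90% interval."""
    rng = random.Random(seed)
    ales = sorted(aro_scale * tri(rng, *ARO) * sample_sle(rng) for _ in range(runs))
    q = statistics.quantiles(ales, n=100)   # q[4] is P5, q[49] is P50, q[94] is P95
    return q[4], q[49], q[94], statistics.fmean(ales)

def rosi(ale_before, ale_after, annual_cost):
    """Return on security investment: (risk reduction - cost) / cost."""
    return (ale_before - ale_after - annual_cost) / annual_cost

def gordon_loeb_cap(expected_loss):
    """Gordon-Loeb rule of thumb: spending above ~37% (1/e) of expected loss is inefficient."""
    return expected_loss / 2.718281828

if __name__ == "__main__":
    before = simulate_ale()
    after = simulate_ale(aro_scale=0.4)     # control assumed to cut ARO by 60%
    cost = 600_000                          # assumed annual TCO of the control
    print(f"ALE before: P5 {before[0]:,.0f}  P50 {before[1]:,.0f}  P95 {before[2]:,.0f}")
    print(f"ROSI at mean ALE: {rosi(before[3], after[3], cost):.2f}")
    print(f"Gordon-Loeb cap on annual spend: {gordon_loeb_cap(before[3]):,.0f}")
```

Swapping the constructed triples for an organisation's own revenue, record counts and sector base rates is the whole adaptation; the interval, not the mean, is what goes in front of the board.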
When making decisions about cybersecurity investments, it is essential to consider whether the investment is made from a cyber hygiene, compliance, or risk-based perspective. Based on this context, organisations can prioritise different factors for investment decision-making and require varying levels of evidence by tailoring their evaluation criteria accordingly.
Do not rely on fixed numbers as cybersecurity investments are highly context-dependent. Instead, use ranges and scenarios, since benchmarks and rules of thumb only capture part of the picture and may overlook strategic fit. Additionally, note that industry benchmarks offer insight into the overall portfolio of cybersecurity investments but do not aid in selecting the most valuable individual investment decisions.
When applying ROSI, remember that it is not about complex formulas. Ensure that you use ROSI in the appropriate context, where you are prepared to invest in quantifying cybersecurity risks. Even then, keep the approach simple. There should always be room for expert opinions, provided they are grounded in a conceptually coherent framework.
When we approach cybersecurity investment decisions as contextual rather than purely mathematical problems, we make better and more precise choices: security controls that are more tailored to the strategic fit, the company's challenges, and its resource capabilities, such as knowledge and maintenance.
This article argues that a significant part of cybersecurity investment is mandated from a cyber hygiene and compliance perspective. Compliance ensures we are "in control," and only after that should we optimise organisation-sector-specific, risk-based investments using quantitative methods. Organisations can now make cybersecurity investment decisions across each of these layers, using different criteria to guide these decisions. This Maslow-like pyramid also helps to initiate discussions about basic needs (hygiene) and the essentials or optional aspects of specific investments, such as outsourcing or handling tasks in-house.
To make a strong case to boards and regulators, you should consider decision-making in each of these contexts differently:
Our seven habits for cybersecurity investment decision-making are:
Connect with leaders in cyber risk management around the world - join the FAIR Institute.
Verslegers, D. (2025). Decisions on Cybersecurity Investments (ROSI) technical report. Obstacles to ROSI; contextual decision model; “formulas are not the problem”.
National Cybersecurity Agency of France (ANSSI). (2019). EBIOS Risk Manager – The method. l'ANSSI. https://cyber.gouv.fr/sites/default/files/2019/11/anssi-guide-ebios_risk_manager-en-v1.0.pdf
Bobbert, Y. (2020). Digital risks to business, what do they cost? AMS Blog—scenario-based ROSI, ALE = ARO × SLE, and board communication. (Antwerp Management School)
AFCEA (2013). The Economics of Cybersecurity: A Practical Framework for Cybersecurity Investment. This paper is the result of collaboration among the members of the Economics of Cybersecurity Subcommittee of the AFCEA Cyber Committee and a set of outside advisors.
This mix gives you a clear ladder from mandatory hygiene to advanced, risk-tailored controls with authoritative anchors you can cite to boards and regulators.