The FAIR Institute Blog

White Paper: Go Beyond ROSI to Measure Return on Risk Reduction with FAIR

Written by Jeff B. Copeland | Apr 22, 2026 3:12:19 PM

Two of the FAIR Institute’s sharpest thinkers on aligning FAIR risk analysis with value to the business…

  • Laura Voicu, Cofounder and Chief Data Science Officer, Enterprise Risk Quantification Institute, and Co-Chair, FAIR Institute Swiss Chapter, and
  • Caleb Stogner, Senior Manager, Technology and Data Risk Management, Capital One

…collaborated on a white paper that goes beyond the traditional Return on Security Investment (ROSI) calculation, combining FAIR outputs with the established financial decision tools Net Present Value (NPV), Internal Rate of Return (IRR), and the Gordon–Loeb model.

Read the White Paper:

Measuring Return on Risk Reduction

A Modern Approach to Return on Security Investment (ROSI)

As Caleb and Laura write, “Traditional Return on Security Investment (ROSI) calculations offer a quick way to estimate the cost-effectiveness of security controls, but they often overlook important factors such as uncertainty in cyber risk, diminishing returns from additional spending, and the time value of money.

“As a result, ROSI alone can lead to incomplete or misleading conclusions when evaluating significant cybersecurity investments.”

In the white paper, they explain:

>>How to use FAIR outputs (ALE, loss distributions) as inputs to finance models, shifting the goal of the analysis from delivering a risk quantification to supporting investment decisions expressed as risk reduction in financial terms

>>How to structure risk reduction as a discounted cash flow problem, so that it is compatible with NPV and IRR

>>How to apply the Gordon–Loeb model to avoid over-investing in security, while compensating for its limitations (it works from a single expected-loss figure) with FAIR analysis that shows probable loss as a range
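As an added worked example (not code from the white paper or the FAIR Institute), the following Python script shows the three steps above end to end: it turns constructed FAIR-style inputs (a loss event frequency and a lognormal loss magnitude) into an ALE and a loss range by Monte Carlo, prices a hypothetical control as a discounted cash flow to get NPV and IRR alongside the traditional ROSI, and checks the control's annualised spend against the Gordon–Loeb 1/e ceiling. The scenario numbers, the control, and all function names are assumptions chosen for illustration.

```python
"""Added worked example (not from the white paper): FAIR outputs -> NPV / IRR.

Every number below is a constructed illustration, not a figure from the paper.
"""
import math
import random
import statistics


def poisson(rng, rate):
    """Knuth's Poisson sampler; adequate for the small annual rates in FAIR work."""
    threshold = math.exp(-rate)
    events, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return events
        events += 1


def annual_loss_samples(lef, magnitude_median, magnitude_sigma, years=20000, seed=7):
    """Monte Carlo over FAIR-style inputs: loss event frequency (events/yr, Poisson)
    and loss magnitude (lognormal with the given median and log-sigma). Returns one
    total loss per simulated year; the ALE is the mean of these samples."""
    rng = random.Random(seed)
    mu = math.log(magnitude_median)
    samples = []
    for _ in range(years):
        n = poisson(rng, lef)
        samples.append(sum(rng.lognormvariate(mu, magnitude_sigma) for _ in range(n)))
    return samples


def ale(samples):
    """Annualised Loss Expectancy: the mean of the simulated annual losses."""
    return statistics.fmean(samples)


def percentile(samples, q):
    """Empirical percentile, used to show the loss range rather than a point value."""
    ordered = sorted(samples)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def npv(rate, cash_flows):
    """cash_flows[0] lands at t=0 (undiscounted); cash_flows[t] at the end of year t."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows, lo=-0.99, hi=10.0, iterations=200):
    """Rate at which NPV is zero, found by bisection. Raises if NPV has no sign
    change in [lo, hi] (e.g. a control whose cash flows never turn positive)."""
    f_lo = npv(lo, cash_flows)
    if f_lo * npv(hi, cash_flows) > 0:
        raise ValueError("NPV does not change sign in bracket; no IRR")
    for _ in range(iterations):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if (f_mid < 0) == (f_lo < 0):
            lo, f_lo = mid, f_mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def gordon_loeb_ceiling(expected_loss):
    """Gordon-Loeb (2002) bound: for the breach-probability function classes in that
    paper, the optimal security spend never exceeds 1/e (about 36.8%) of expected loss."""
    return expected_loss / math.e


def evaluate_control(before, after, upfront, annual_cost, rate, years):
    """Treat the annual risk reduction (ALE_before - ALE_after) as an incoming cash
    flow, the control's spend as outgoing, and discount at the hurdle rate."""
    reduction = ale(before) - ale(after)
    flows = [-upfront] + [reduction - annual_cost] * years
    annualised_cost = upfront / years + annual_cost  # straight-line, undiscounted
    return {
        "ale_before": ale(before),
        "ale_after": ale(after),
        "p90_before": percentile(before, 0.90),
        "p90_after": percentile(after, 0.90),
        "annual_risk_reduction": reduction,
        "rosi": (reduction - annualised_cost) / annualised_cost,  # traditional ROSI
        "npv": npv(rate, flows),
        "irr": irr(flows),
        "gordon_loeb_ceiling": gordon_loeb_ceiling(ale(before)),
        "annualised_cost": annualised_cost,
    }


if __name__ == "__main__":
    # Constructed scenario: ~0.4 loss events/yr with a $2M median loss; the
    # hypothetical control cuts frequency to 0.15/yr and costs $600k up front
    # plus $120k/yr, evaluated over 5 years at an 8% discount rate.
    before = annual_loss_samples(lef=0.40, magnitude_median=2_000_000, magnitude_sigma=0.8)
    after = annual_loss_samples(lef=0.15, magnitude_median=2_000_000, magnitude_sigma=0.8, seed=11)
    result = evaluate_control(before, after, upfront=600_000, annual_cost=120_000, rate=0.08, years=5)
    for key, value in result.items():
        if key in ("rosi", "irr"):
            print(f"{key:>22}: {value:.3f}")
        else:
            print(f"{key:>22}: ${value:,.0f}")
```

Two design points worth noting. The ROSI figure here uses a straight-line annualised cost and a single expected-loss number, which is exactly why the white paper argues it can mislead: the P90 values show how wide the loss range is, and NPV is the only figure that accounts for the timing of the spend. The Gordon–Loeb 1/e figure is a ceiling derived for particular families of breach-probability functions, so it is a sanity bound on spend against a point estimate, not a target, and the loss range from the simulation is what tells you how much confidence to put in that bound.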

Caleb and Laura illustrate their guidance with detailed worked examples of risk scenarios from banking, professional services and manufacturing.

“Cybersecurity should no longer be seen merely as a defensive expense or a compliance checkbox, but as a strategic investment that directly supports business resilience and long-term value,” they argue.

“Combining the structured risk quantification of FAIR with established financial tools…allows organizations to make cybersecurity investment decisions that are transparent, defensible, and aligned with enterprise value objectives, elevating security from a cost center to a disciplined component of strategic financial management.”

Read the white paper Measuring Return on Risk Reduction