VIEW 35 Return on security investment (RoSI)

One interesting feature of the cyber insurance market, at present, is the unusual ratio between spending on prevention and spending on insurance. In mature markets, such as property, the amount invested in fire prevention in a building and the amount invested in insurance cover are broadly similar. In the cyber arena, the amount spent on cyber security is around 20 times greater that the size of the cyber insurance market. One conclusion could be that the cyber insurance market will grow fast and eventually catch up.

35. Return on security investment (RoSI)

A different conclusion could be that the amount spent on cyber security is disproportionally high and this has prompted some attempts to quantify the return on this investment. For insurance cover, the return on investment is explicit; this much cover for that much premium paid. For cyber security the RoSI is more opaque; how do you quantify the amount you have saved in future costs by spending on a penetration test today?

A white paper by Accenture on “The Costs of Cyber Crime” in 2017 attempted to answer this question and the results are summarised in the diagram to the right. In a survey consisting of 2,182 interviews of 254 companies in seven countries, participants were asked to evaluate the return on investment for nine categories
of enabling security technologies. The results of their rankings
are shown.

35. Return on security investment (RoSI)

The broad conclusion that can be drawn is that three types of cyber security investments are particularly cost effective: security intelligence systems, machine learning for anomaly detection and user behaviour analytics. These technologies are more to do with monitoring and intelligence than traditional defensive barriers, which chimes in well with the squid model we discuss in View ^#10.

35. Return on security investment (RoSI)