Information Security ROI [Part 2]

In a previous blog post, we showed how Beckstrom’s Law could be applied to security initiatives to calculate their value or Return On Investment. A quick recap:

Value = Benefit Value – Security Investment – Residual Loss or V = B – SI – L

If your security initiative potentially saves the business $1 million and costs $75,000 per year in licensing and support, it’s a very positive ROI. Calculating the savings can be a time-intensive analysis, though. What about the probability of breach? Isn’t there some way to estimate potential losses should a breach occur, in a way that would indicate what controls to put in place to mitigate?

With the Ponemon Institute’s Report on Breach Costs, combined with Beckstrom’s Law, there is. Ponemon releases this report annually, reporting on different countries and geographical regions. Its organization is based on a per-capita, or per-record-lost cost basis: how much is a single PCI, PHI or PII record worth regarding breach cost? How does that vary per industry vertical?

Ponemon Institute Breach Cost By Vertical


The mean cost per capita for US companies in 2016 was $221. The probability of a breach that would carry a cost equivalent to a 10,000-record loss in the United States is 24% over the next 24 months – 26% globally.

In short, there’s a 1 in 4 chance that your company will have a breach cost of $2.21 million in the next two years.

Probability of data breach by country

The longer it takes to identify and contain a breach, the more it costs. Mean Time to Identify in the United States in 2016 was 191 days; Mean Time to Contain was another 58 days, driving breach costs up. Figures listed are in millions, showing how costs rise dramatically in cases of poor incident response.


Breach Cost Mean Time to Identify

Breach Cost Mean Time to Contain

But there’s more, and this to me is the exciting part: the Ponemon Breach Cost Report includes figures for how much a breach cost is reduced by undertaking certain security initiatives. Per the graphic below, these activities reduce per-capita breach costs by the deviation from the mean of $221 as shown. Combining this with Beckstrom’s Law is a wonderful way to illustrate ROI or ROSI.

Ponemon Breach Cost Security Investment Reduction


Let’s create an example based on probability using the mean per-capita cost, then:

  • 50,000 records stolen equals an $11 million breach cost
  • Having an Incident Response Team would lower that breach cost by $25.80 per capita, or $1.29 million
  • Presume a cost of $225,000 to fund the Incident Response Team, and that by having them you avoid the high-cost impacts of MTTI and MTTC – perhaps by discovery through Threat Hunting
  • V = B – SI – L
  • V = $1.29M – $225K – $11M
  • V = -$9,935,000 – a significant reduction from $11M in potential breach cost
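The worked example above is simple enough to do by hand, but the same arithmetic is easier to trust and to repeat across several candidate initiatives when it is written down as a small calculator. The following is an added example written for this page; it is not code from the original post or from CIPHER. It uses the figures quoted in the post ($221 mean cost per record, a 24% breach probability over 24 months, a $25.80 per-capita reduction for an incident response team and a $225,000 team cost). Note that the post rounds 50,000 × $221 = $11.05M down to $11M, so its value of -$9,935,000 differs from the exact -$9,985,000 the code returns. The probability-weighted variant, the break-even investment and the ranking over several controls are this example's own extension of the post's method, and the second control in the usage section is a constructed placeholder, not a Ponemon figure.

```python
"""Beckstrom's Law (V = B - SI - L) applied to Ponemon per-capita breach costs.

Added example for this page, not code from the original post or from CIPHER.
Inputs are the figures the post quotes; the probability-weighted functions
are an assumption of this example, not part of the post's own calculation.
"""
from dataclasses import dataclass
from typing import Dict, List

# Figures quoted in the post (Ponemon 2016, United States), used as sample inputs.
MEAN_COST_PER_RECORD_US_2016 = 221.00    # USD per capita
BREACH_PROBABILITY_24_MONTHS_US = 0.24   # 10,000-record-equivalent breach, next 24 months


@dataclass(frozen=True)
class Breach:
    """A hypothetical breach sized in records lost."""
    records: int
    cost_per_record: float = MEAN_COST_PER_RECORD_US_2016

    @property
    def cost(self) -> float:
        """Breach cost on Ponemon's per-capita basis: records x cost per record."""
        return round(self.records * self.cost_per_record, 2)


@dataclass(frozen=True)
class Control:
    """A security initiative with its per-capita breach-cost reduction and its price."""
    name: str
    per_capita_reduction: float  # USD saved per record lost when the control is in place
    investment: float            # what the control costs over the analysis window (SI)


def rosi(breach: Breach, control: Control) -> Dict[str, float]:
    """Beckstrom's Law as the post applies it: V = B - SI - L, where B is the
    per-capita reduction times records, SI the investment, L the full breach cost."""
    benefit = round(breach.records * control.per_capita_reduction, 2)
    loss = breach.cost
    return {
        "benefit": benefit,
        "investment": float(control.investment),
        "loss": loss,
        "value": round(benefit - control.investment - loss, 2),
    }


def expected_rosi(breach: Breach, control: Control, probability: float) -> Dict[str, float]:
    """Probability-weighted variant (this example's assumption, not from the post):
    B and L only materialise if the breach happens inside the window, so both are
    scaled by the breach probability; SI is paid whether or not a breach occurs."""
    benefit = round(probability * breach.records * control.per_capita_reduction, 2)
    loss = round(probability * breach.cost, 2)
    return {
        "expected_benefit": benefit,
        "investment": float(control.investment),
        "expected_loss": loss,
        "expected_value": round(benefit - control.investment - loss, 2),
    }


def break_even_investment(breach: Breach, control: Control, probability: float) -> float:
    """Largest SI at which the control still pays for itself in expectation,
    i.e. SI <= probability x records x per-capita reduction."""
    return round(probability * breach.records * control.per_capita_reduction, 2)


def rank_controls(breach: Breach, controls: List[Control], probability: float) -> List[str]:
    """Order candidate controls by expected value, best first, so the post's
    comparison can be run over a whole list of initiatives at once."""
    scored = [(expected_rosi(breach, c, probability)["expected_value"], c.name) for c in controls]
    return [name for _, name in sorted(scored, key=lambda s: s[0], reverse=True)]


if __name__ == "__main__":
    breach = Breach(records=50_000)
    irt = Control("Incident Response Team", per_capita_reduction=25.80, investment=225_000)
    # Constructed placeholder control for the ranking demo; its figures are not Ponemon data.
    other = Control("Hypothetical control X", per_capita_reduction=5.00, investment=50_000)
    print(rosi(breach, irt))
    print(expected_rosi(breach, irt, BREACH_PROBABILITY_24_MONTHS_US))
    print("break-even investment:", break_even_investment(breach, irt, BREACH_PROBABILITY_24_MONTHS_US))
    print("ranking:", rank_controls(breach, [other, irt], BREACH_PROBABILITY_24_MONTHS_US))
```

`rosi` reproduces the post's method with the full breach cost as residual loss, which is why its value is always large and negative; `expected_rosi` and `break_even_investment` answer the question the post raises about probability, namely how much it is worth paying for a control given a 24% chance of the breach occurring in the window.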

Combining these security initiatives can greatly reduce the actual costs of the risks posed by security breaches. To maximize your ROSI, use Managed Security Services to handle your detection, alerting and even much of your incident response – contact CIPHER to find out how.
