Managing Cyber Risk through Return on Security Investment
A ROSI framework allows businesses to link risk, security and insurance to help manage cyber exposure and increase cyber resilience.
The complex risk landscape often creates challenges for business leaders to prioritize and manage cyber risk.
A ROSI framework provides many benefits — including the opportunity for straightforward financial conversations with the board and C-suite.
With the right implementation, ROSI allows firms to make more informed cyber risk management decisions.
The number one risk facing business leaders and their organizations is a significant cyber incident. It is not only a business's IT systems that are affected by a cyber attack; the company's reputation, balance sheet and operations are also caught up.[1]
Resilience is a crucial step for preventing or mitigating an impending cyber threat, and in parallel, a strong cyber posture is essential to strategic risk transfer. With the cyber insurance pricing environment showing significant improvement, businesses with best-in-class cyber risk profiles will have more choice and stronger bargaining power.[2] Working within a Return on Security Investment (ROSI) framework, a business can confidently calculate its return on security investment while linking risk, security and insurance to better manage cyber exposure and increase cyber resilience.
Here we discuss the ins and outs of a ROSI framework and how to successfully implement one in your firm for optimal cyber security decision making.
Return on Security Investment: How it Works
Leaders must prioritize risk and allocate budget effectively to manage an ever-widening cyber risk portfolio, yet amid today's complex cyber risk landscape they often struggle to do so. The ROSI framework provides a decision map built around three key questions:
1. How big is the problem?
2. What budget does the organization have to spend?
3. How will leadership decide where to spend this budget?
Leaders have often found these questions difficult to answer, especially for non-tangible information assets. Unfortunately, businesses often have no visibility into what adequate spend looks like, or which areas to focus on to address cyber risk, until they fall victim to an attack.
Using current modeling and quantification tools, the ROSI framework allows security and IT leaders to have straightforward financial conversations with the board and C-suite. For example: “The business has $100 million worth of exposure. We can spend $5 million to reduce exposure to $50 million, or $7 million to reduce it to $10 million.”
The framework focuses on data collection across three core points:
1. Estimated potential loss
2. Estimated risk mitigation
3. Cost of solution
To examine potential loss or exposure, organizations should take a detailed look at three drivers: the threat landscape, the attack surface and the business model. This includes viewing cyber security as a people issue, not only a technology one.
Eight in 10 cyber security teams believe that hybrid or remote working has increased their organization's vulnerability to cyber attacks.[3]
Clear metrics explain how changes in the attack surface, such as the rise of remote work, affect exposure. Within mitigation, it is important to understand how each control changes the likelihood and severity of an event. Where a control can be linked to one of the three drivers of exposure, the risk it addresses can be quantified more precisely.
Implement a ROSI Framework in Five Steps
For all businesses, five key actions should be taken to implement a ROSI framework into cyber security decision making:
1. Understand the business model. How does the business make money, and what stops it from making money? What is the future direction and does this introduce new exposures?
2. Identify key assets. What does the organization value most (for example, data or intellectual property), and where do these assets reside?
3. Set the foundation. Does the organization have fundamental security in place, like endpoint protection or anti-malware? If not, stop to implement this basic protection before taking on a ROSI framework.
4. Make a scenario plan. Whiteboard the attack scenarios that would have the greatest impact. Socialize these potential scenarios with non-technical business leaders to solicit input.
5. Quantify the risk and identify controls. Determine which controls align to each risk scenario. Then perform a cost-benefit analysis, including a look at exposure risk and mitigation costs, as well as risk-transfer options via insurance or another vehicle.
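The cost-benefit analysis in step 5, built from the three data points the framework collects (estimated potential loss, estimated risk mitigation, cost of solution), can be made concrete in a few lines. The following is an added example, not Aon's tooling; it uses the standard ROSI formula, (exposure reduction minus cost) divided by cost, which the article does not state explicitly, and the figures are the article's own board-conversation example.

```python
"""ROSI cost-benefit comparison: potential loss, mitigation, cost of solution."""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class ControlOption:
    name: str
    cost: float               # cost of solution, same currency/period as exposure
    residual_exposure: float  # estimated exposure left once the control is in place


def mitigation_ratio(exposure: float, option: ControlOption) -> float:
    """Share of the exposure the control removes (0.0 .. 1.0)."""
    return (exposure - option.residual_exposure) / exposure


def rosi(exposure: float, option: ControlOption) -> float:
    """(exposure reduction - cost) / cost; positive means the control saves more than it costs."""
    reduction = exposure - option.residual_exposure
    return (reduction - option.cost) / option.cost


def marginal_rosi(exposure: float, cheaper: ControlOption, dearer: ControlOption) -> float:
    """ROSI of the extra spend when stepping up from the cheaper option.
    Answers 'what does the next dollar buy?' rather than 'is either option worth it?'."""
    extra_cost = dearer.cost - cheaper.cost
    if extra_cost <= 0:
        raise ValueError("dearer option must cost more than the cheaper one")
    extra_reduction = cheaper.residual_exposure - dearer.residual_exposure
    return (extra_reduction - extra_cost) / extra_cost


def best_within_budget(exposure: float, options: Sequence[ControlOption],
                       budget: float) -> Optional[ControlOption]:
    """Highest-ROSI option that fits the budget (question 2 of the decision map);
    options that cost more than the loss they avoid are never chosen."""
    affordable = [o for o in options if o.cost <= budget and rosi(exposure, o) > 0]
    return max(affordable, key=lambda o: rosi(exposure, o), default=None)


# Constructed figures (in $M) from the article's example: $100M exposure,
# $5M reduces it to $50M, $7M reduces it to $10M.
EXPOSURE = 100.0
OPTIONS = (
    ControlOption("baseline controls", cost=5.0, residual_exposure=50.0),
    ControlOption("extended controls", cost=7.0, residual_exposure=10.0),
)

if __name__ == "__main__":
    for o in OPTIONS:
        print(f"{o.name}: mitigates {mitigation_ratio(EXPOSURE, o):.0%}, ROSI {rosi(EXPOSURE, o):.1f}x")
    print(f"marginal ROSI of the extra $2M: {marginal_rosi(EXPOSURE, *OPTIONS):.1f}x")
    pick = best_within_budget(EXPOSURE, OPTIONS, budget=6.0)
    print("with a $6M budget choose:", pick.name if pick else "nothing")
```

The marginal figure is the one worth taking to the board: the second $2M buys $40M of exposure reduction, a far better return than the first $5M, which a plain per-option ROSI does not make obvious.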
Use Data to Inform Your Cyber Risk Decisions
To help assess your organization’s current cyber maturity and decision-making abilities, ask the following three questions:
- Do you know the total cost of cyber risk to your organization?
- Do you know where to invest security budget to get maximum balance sheet protection?
- Do you have access to scenario and financial modeling tools to measure your company’s return on security investment?
Understand the key actions to take and know where your firm stands on its cyber risk journey. A strategic approach to cyber security that is circular, iterative and, importantly, informed by data will have the best results.[4]
[1] "Global Risk Management Survey." Aon.
[2] "E&O Cyber Market Review. Mid-year Report 2022." Aon. September 2022. Retrieved from https://www.aon.com/insights/articles/2022/eo-cyber-market-review-midyear-2022
[3] "Why HR Leaders Must Help Drive Cyber Security Agenda." Aon.
[4] "Cyber Loop: A Model for Sustained Resilience." Aon. Report. 2022. Retrieved from https://www.aon.com/cyber-solutions/thinking/the-cyber-loop-a-model-for-sustained-cyber-resilience/