Information Security

Defending the digital infrastructure


Break-even analysis: The highs and lows of risk and ROSI

What's a dollar spent on security worth in terms of risk? Break-even analysis helps you decide.

Pete Lindstrom

In my first column I issued a call to action to help technology risk management professionals make good decisions through the application of economic techniques. While that might seem like a tall order, you're already making those decisions. What you thought were random qualitative choices about running a security program actually reveal a lot about your risk expectations.

It's impossible to measure technology-related risk, or that's the commonly held belief. The reason: the challenge of determining both the likelihood of bad things happening and the financial amount that could be lost. It can be very complex (mind-boggling, really) if you attempt to think through all of the details.

But those "revealed preferences" (versus stated) are hard at work tattling on you by providing a baseline amount to work with. At the very least, every resource allocation decision involves justification; usually, just deciding to do the "most important" thing on your list, because "it's worth it."

Break-even analysis pointers

Therefore, we need to understand what "worth it" actually means in a decision to allocate resources. In a broad sense, it means that you believe every dollar you spend on security will reduce risk by at least that dollar. So a decision to spend $100,000 on a security solution is only made when you believe it will save $100,000 in reduced risk. That amount becomes your break-even point.


If you've never thought of resource allocation decisions in this way, I assure you, this is what you're stating to the world. And strangely, because we are dealing with historical decisions made over (possibly) many years, the decisions also incorporate all that shelf-ware and wasted time that you know exists as demonstrated by your continued willingness to allocate resources.

In economics, this revealed "willingness-to-pay" is one of the stronger measures of value. Even better, because we are using spending as a placeholder for the minimum amount of risk being reduced, and we know that risk is the product of the probability and impact of some negative outcome, we can plot a line on a risk matrix using the security spending amount as the slope. So, for example, a $100,000 investment to reduce risk by at least that amount can be plotted at points {100%, $100,000} through {1%, $10,000,000}, and on either side of the points for higher or lower frequencies. I call this the "Control Horizon."

Seeing this line on a graph (risk matrix) can provide a whole new level of insight into the beliefs of the enterprise when it comes to estimating risk. If the perceived amount of risk that's being addressed is below that line, the enterprise is essentially operating "underwater" and should consider alternative ways to address its issues.

ROSI outlook on risk

Hopefully (and usually), the amount of risk that's being addressed is reduced by more than the amount being spent. And this, my friends, is where we get "Return on Security Investment" (ROSI). ROSI is conceptually simple to understand. If you spend one dollar on security to reduce risk by two dollars, your ROSI is 100% for the time period that's being addressed: ($2-$1)/$1=100%.
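As an added illustration (not code from the column), the small Python model below turns the column's definitions into checks: risk as probability times impact, the Control Horizon as the (probability, impact) points where that product equals the spend, and ROSI as (risk reduced - spend) / spend. The `reduction` fraction and the two sample scenarios are assumptions introduced here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    """One risk scenario: expected frequency in the period and the loss if it occurs."""
    name: str
    probability: float  # 0 < p <= 1
    impact: float       # dollars lost when the event occurs

    def expected_loss(self) -> float:
        """Risk as the column defines it: probability times impact."""
        return self.probability * self.impact

def rosi(spend: float, risk_reduced: float) -> float:
    """Return on Security Investment: (risk reduced - spend) / spend."""
    if spend <= 0:
        raise ValueError("spend must be positive")
    return (risk_reduced - spend) / spend

def control_horizon(spend: float, probabilities: list[float]) -> list[tuple[float, float]]:
    """(probability, impact) points on the break-even line probability * impact == spend."""
    points = []
    for p in probabilities:
        if not 0 < p <= 1:
            raise ValueError(f"probability {p} outside (0, 1]")
        points.append((p, spend / p))
    return points

def assess(spend: float, risk: Risk, reduction: float = 1.0) -> dict:
    """Compare a spend with the risk it addresses; `reduction` (an assumption added
    here, not from the column) is the fraction of expected loss the control removes."""
    if not 0 <= reduction <= 1:
        raise ValueError("reduction must be in [0, 1]")
    risk_reduced = risk.expected_loss() * reduction
    return {
        "risk": risk.name,
        "risk_reduced": risk_reduced,
        "rosi": rosi(spend, risk_reduced),
        # Below the Control Horizon means the spend exceeds the risk it removes.
        "underwater": risk_reduced < spend,
    }

# Constructed sample scenarios, not figures from the column.
BREACH = Risk("customer database breach", probability=0.05, impact=4_000_000)
OUTAGE = Risk("web portal outage", probability=0.02, impact=2_000_000)

if __name__ == "__main__":
    print(control_horizon(100_000, [1.0, 0.10, 0.01]))
    print(assess(100_000, BREACH), assess(100_000, OUTAGE), sep="\n")
```

With a $100,000 spend, the breach scenario sits above the Control Horizon (ROSI 100%) while the outage scenario sits below it (ROSI -60%), which is the "underwater" case the column describes.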

As you make ongoing daily decisions to allocate resources for your security program, remember that all of those decisions reveal your minimum valuation of the risk being addressed. Of course, nobody wants to break even when it comes to spending on risk reduction -- that's not really the point. My next column will take a whack at measuring risk so that you can see it through ROSI-colored glasses.

Peter Lindstrom is principal and vice president of research for Spire Security. He has held similar positions at Burton Group and Hurwitz Group. Lindstrom has also worked as a security architect for Wyeth Pharmaceuticals, and as an IT auditor for Coopers and Lybrand and GMAC Mortgage. Contact him via email, on Twitter @SpireSec, or on his website.

This was last published in November 2013

1 comment

As I have recently taken a role where assessing this risk is a requirement, I've had some opportunity to consider this issue. Rather than asking companies to spend millions to implement a security solution to protect data, and be fined if a leak occurs, how about changing this overall approach. Instead, every company is charged a security tax, until they apply and join a newly created US security coalition. In order to remain within this coalition, each company must maintain an agreed upon security threshold, yet to be determined. This way, there is immediate incentive to join this coalition to no longer be charged this regular fee. I know what I'm suggesting is hugely complicated, but we have to start somewhere. And to your point, companies do not believe there is a real financial risk in not implementing the appropriate solution. When, in fact, depending on the company, some data leaks could lead to massive economic upheaval that would not only impact the company, but could impact the nation as a whole.
