Return on Security Investment: The Simple Formula
At its core, information security exists to preserve value—the value of intellectual property, transactions, data access, brand reputation and more. Breach headlines put dollar signs on that mission:

- When Verizon closed its acquisition of Yahoo in June of 2017, it shaved $350 million off the original $4.8 billion price tag after disclosing two separate breaches impacting over 1 billion accounts.
- Equifax's 2017 breach ultimately cost the company over $1.4 billion in direct costs—and its stock never fully recovered the market cap lost in the fallout.
Those are the headline-grabbing hits. But what about the ongoing drag on your budget? According to the Ponemon Institute's 2024 Cost of a Data Breach Report, the global average cost of a breach reached $4.88 million—a 10% jump year-over-year and the highest on record. And it isn't just breaches:
- Organizations now pour $183 billion into information security annually (2024 forecast) as they wrestle with ransomware, nation-state activity and the explosion of shadow data.
- Security budgets average 5.6% of total IT spend—up from under 4% just a few years ago—as CISOs fight for headcount and tools.
- Gartner predicts that global infosec spend will climb to $212 billion in 2025 (a 15% increase over 2024) as software, services, and AI-driven defenses race to keep pace with adversaries.
When your board asks, "What's our Return on Security Investment?" you need more than "because it's insurance." You need a clear formula.
Beckstrom's Law: Quantifying Network Value
Rod Beckstrom—a former DHS Cybersecurity Center director and ICANN CEO—proposed a simple way to show value:
$$\text{Value of Network} = \text{Benefit} - \text{Cost}$$
If it costs $25 to buy a book in-store and $15 online, the network’s value to each buyer is $10. For 1,000 buyers, that’s $10,000; if they buy ten books every workday (261 days/year), the annual network value jumps to $26.1 million.
Beckstrom's Law, Security Model
To factor in security investments and losses, add two more terms:
$$V = B - SI - L$$
- V = Value of security
- B = Benefit (the loss you would incur without the security control, i.e., the loss it avoids)
- SI = Cost of security investment
- L = Residual loss (downtime, remediation, lost productivity)
Example:
You protect a $25,000 car with a $2,500 alarm system. A thief tries to break in, triggers the alarm and only causes $500 in lock damage.
$$V = 25{,}000 - 2{,}500 - 500 = 22{,}000$$
That $22,000—what you effectively “save”—is a powerful justification.
A Modern Endpoint Case Study
Legacy antivirus alone no longer cuts it. Today's EDR/XDR agents bundle malware prevention, behavior analytics, device control, and cloud-delivered threat intelligence in one footprint.
- A mid-sized global firm (2,500 endpoints) was averaging 4,500 virus-related incidents per year. Each cost 3 hours of downtime at roughly $75/hour for both the technician and the affected user, or $450 per incident. That's $2.025 million in annual labor loss.
- The team projected a 25% reduction by deploying a modern EDR platform (~$75,000/year licensing), plus an additional $60,000/year in simulated-phishing training (via a leading cloud service).
- Residual losses (missed deadlines, follow-up investigations) were pegged at $60,000/year.
$$V = 500{,}000 \;(\text{25\% of 2.025M}) - 75{,}000 - 60{,}000 = 365{,}000$$
If they could achieve 75% incident reduction, value jumps even higher:
$$V = 1{,}518{,}750 - 75{,}000 - 15{,}000 = 1{,}428{,}750$$
That kind of multimillion-dollar ROI wins board support—and positions security not as an expense, but as a strategic investment.
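As an added example that is not part of the original post, the Python below implements V = B - SI - L over the endpoint case study's inputs and also derives the break-even incident reduction (the smallest reduction at which V reaches zero), which the post does not work out. It assumes SI combines the $75,000 EDR licensing and the $60,000 training spend, and that both the technician and the user are tied up for the full 3 hours per incident.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityCase:
    """Inputs for Beckstrom's security model, V = B - SI - L (constructed example)."""
    incidents_per_year: int
    hours_per_incident: float
    hourly_rate: float        # cost per hour for each person tied up by an incident
    people_per_incident: int  # technician + affected user = 2
    investment: float         # SI: licensing, training and other control spend
    residual_loss: float      # L: downtime, remediation, lost productivity that remains

    def annual_loss(self) -> float:
        """Baseline labor loss per year with no new control in place."""
        return (self.incidents_per_year * self.hours_per_incident
                * self.hourly_rate * self.people_per_incident)

    def benefit(self, reduction: float) -> float:
        """B: loss avoided when incidents fall by `reduction` (a fraction, 0..1)."""
        if not 0.0 <= reduction <= 1.0:
            raise ValueError("reduction must be a fraction between 0 and 1")
        return self.annual_loss() * reduction

    def value(self, reduction: float) -> float:
        """V = B - SI - L for a given incident reduction."""
        return self.benefit(reduction) - self.investment - self.residual_loss

    def breakeven_reduction(self) -> float:
        # Smallest incident reduction at which V reaches zero. A result above 1.0
        # means the control cannot pay for itself even if it removed every incident.
        return (self.investment + self.residual_loss) / self.annual_loss()


# The endpoint case study from the post, with SI = $75k EDR + $60k training (assumed).
ENDPOINT_CASE = SecurityCase(
    incidents_per_year=4_500, hours_per_incident=3, hourly_rate=75,
    people_per_incident=2, investment=75_000 + 60_000, residual_loss=60_000,
)


def sensitivity(case: SecurityCase, reductions=(0.25, 0.5, 0.75)) -> dict:
    """Map each projected incident reduction to the resulting V."""
    return {r: case.value(r) for r in reductions}


if __name__ == "__main__":
    print(f"baseline loss: ${ENDPOINT_CASE.annual_loss():,.0f}")
    print(f"break-even reduction: {ENDPOINT_CASE.breakeven_reduction():.1%}")
    for r, v in sensitivity(ENDPOINT_CASE).items():
        print(f"{r:.0%} reduction -> V = ${v:,.0f}")
```

Because the code computes the 25% benefit exactly ($506,250) and counts both spend lines, its V differs from the rounded figure above. Feed it your own incident data to see how far a vendor's reduction estimate can slip before V turns negative.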
Applying Beckstrom Everywhere
You can extend this model to:
- Managed Security Services (MSS/MSSPs)
- Security Operations Centers (SOCs)
- Incident Response Plans
- Professional Consulting
Whenever you propose a new initiative, anchor it in V = B - SI - L. Show stakeholders that every dollar you spend on security is a dollar earned back in avoided cost—and you'll turn "it's insurance" into "it's a growth engine."
Want to learn more about how Cipher can help support your security strategy while also building your return on investment for board members and stakeholders? Speak to an expert today.
Disclaimer: This post was originally published in 2023 and republished on June 19, 2025. Some details may have changed since the original publication; please explore our latest resources or contact our Cipher experts for the most current information.