The ROSI calculation compares the Annual Loss Expectancy (ALE) with the Expected Loss Saving. The effectiveness of a security solution is measured by the extent to which it lowers the ALE. In summary, therefore, ROSI = (quantitative risk assessment) − (cost of putting in place countermeasures for the said risk). The ROSI is used to evaluate cyber security technologies by calculating the cost of an attack incident: it takes into consideration all relevant costs that would be incurred in an incident if the cyber security technology were not in place, and it also considers the probability of the event occurring. The method then calculates the cost of the cyber security technology and the degree to which the risk of the attack is decreased because of that mitigation. The ROSI shows whether the gain from the cyber security technology, also referred to as the risk reduction, is greater than the investment it requires (Sonnenreich et al. 2006).
One of the limitations of the ROSI metric is that the final recommendation is largely based on estimates that have many drawbacks (ENISA 2012). When estimates are used in the calculation, the result is equally just an estimate and not a fact. The estimates used in the ROSI are hard to obtain and also vary from one environment to another. Another limitation is the vulnerability of the metric to the user's biases. The user can manipulate the ROSI either because of their perception of the risk or purely to serve their own interests. For example, the cost of a control is not straightforward but rather a combination of direct costs, which are easy to estimate, and indirect costs, which are hard to estimate. Examples of indirect costs are the effect on productivity and the internal cost associated with implementing the solution.
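The two paragraphs above describe the calculation and then its dependence on estimates. The following added example (not from the page or its cited sources) puts both into code: it computes ROSI from the annual loss expectancy, the loss saving a control produces and the control's cost, and then sweeps the two most uncertain inputs over a plausible range to show how the recommendation can flip. The exact formula used, ROSI = (ALE × mitigation ratio − control cost) / control cost, is the form published by ENISA and is an assumption here, since the page states the relationship only in words; all monetary values, rates and ranges are constructed sample inputs.

```python
"""Added example: ROSI from ALE, loss saving and control cost, plus a
sensitivity sweep over the estimates the text warns about.

Assumed formula (ENISA's published form, not spelled out on the page):
    ALE  = SLE * ARO                         # annual loss expectancy
    ROSI = (ALE * mitigation_ratio - cost) / cost
All numbers below are constructed sample inputs, not real data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Scenario:
    sle: float               # single loss expectancy: cost of one incident
    aro: float               # annualised rate of occurrence (incidents / year)
    mitigation_ratio: float  # fraction of the ALE the control removes, 0..1
    control_cost: float      # yearly cost of the control (direct + indirect)


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: expected yearly loss with no control in place."""
    return sle * aro


def expected_loss_saving(ale: float, mitigation_ratio: float) -> float:
    """Part of the ALE that the control is estimated to remove."""
    return ale * mitigation_ratio


def rosi(s: Scenario) -> float:
    """Return on security investment as a ratio (1.5 == 150 %)."""
    if s.control_cost <= 0:
        raise ValueError("control cost must be positive")
    if not 0.0 <= s.mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must be between 0 and 1")
    ale = annual_loss_expectancy(s.sle, s.aro)
    saving = expected_loss_saving(ale, s.mitigation_ratio)
    return (saving - s.control_cost) / s.control_cost


def recommendation(rosi_value: float) -> str:
    """The control pays for itself only when the saving exceeds its cost."""
    return "invest" if rosi_value > 0 else "do not invest"


def sensitivity(base: Scenario, aro_values: Iterable[float],
                mitigation_values: Iterable[float]) -> Dict[Tuple[float, float], float]:
    """ROSI for every combination of ARO and mitigation estimates.

    Exposes how far a plausible range of inputs swings the result, which
    is the opening a biased or careless estimator can exploit.
    """
    return {
        (a, m): rosi(Scenario(base.sle, a, m, base.control_cost))
        for a in aro_values
        for m in mitigation_values
    }


if __name__ == "__main__":
    # Constructed: 50,000 per incident, 2 incidents/year, a control that
    # removes 75 % of that loss and costs 30,000/year all-in.
    base = Scenario(sle=50_000, aro=2.0, mitigation_ratio=0.75, control_cost=30_000)
    print(f"ALE  = {annual_loss_expectancy(base.sle, base.aro):,.0f}")
    print(f"ROSI = {rosi(base):.0%} -> {recommendation(rosi(base))}")
    # Constructed optimistic-to-pessimistic ranges for the two soft estimates
    table = sensitivity(base, (0.5, 1.0, 2.0), (0.5, 0.75, 0.9))
    for (a, m), r in sorted(table.items()):
        print(f"ARO={a:<4} mitigation={m:<5} ROSI={r:+.0%} -> {recommendation(r)}")
```

With the constructed base case the ROSI is 150 % and the recommendation is to invest, but halving the incident rate and assuming a weaker control turns it negative; the sweep makes that range visible instead of hiding it behind a single number.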
References
European Network and International Security Agency. (2012). Introduction to Return on Security Investment: Helping CERTs Assessing the Cost of (Lack of) Security. Heraklion, Crete, Greece: Author.
Sonnenreich, W., Albanese, J., & Stout, B. (2006). Return on Security Investment (ROSI): A Practical Quantitative Model. Journal of Research and Practice in Information Technology, 38(1): 45-56.