Last year Rahul Khanna was featured in a video by iVision in which he discussed three key points that Chief Information Security Officers (CISOs) should effectively communicate to leadership and their board of directors when demonstrating the value of security investments:
1. Assess the business value and potential losses (i.e., risk of mitigation vs. risk without mitigation)
2. Determine the cost of implementing a security initiative (i.e., cost of mitigation)
3. Calculate the ROI of loss prevention to evaluate investment effectiveness
This economic approach is not new, but it can be applied effectively to understanding the risk aversion achieved against a cyberattack. According to ChatGPT (v3.5), the Return on Investment (ROI) formula can be adapted for measuring risk aversion as follows:
ROI = (Risk without mitigation - Risk with mitigation) / Cost of mitigation
OpenAI's ChatGPT further explained that this formula demonstrates the money saved per dollar spent on mitigating risk. A positive ROI indicates a justifiable investment in risk mitigation, while a negative ROI suggests that the cost of mitigation exceeds the value of the risk averted.
To apply this formula, quantify the risk without mitigation and the risk with mitigation by estimating the potential impact and likelihood of the risk event occurring with and without mitigation measures in place. Calculate the cost of mitigation by adding up the expenses of implementing the risk mitigation measures.
The risk without mitigation represents the current state. For example, consider a scenario where your administrative access to Azure AD, AWS, and GCP is protected by their built-in privileged access controls, but compute and storage services in AWS and GCP lack conditional access policies or multi-factor authentication (MFA). In the event of a breach that a privileged access tool could have prevented, the costs might include:
ChatGPT advises considering factors such as the risk event's impact on the organization's reputation, customer satisfaction, and employee morale, as well as potential legal and regulatory consequences.
Assuming a simple figure of $100k per incident, and one ransomware attack, data theft, and disruption of services per year, the total risk without mitigation is $300k per year.
To calculate the risk with mitigation, first determine the cost of mitigation. Let's say you inquire about a vendor like CyberArk and their capabilities. They quote you $100k for a full suite per year, and a partner like iVision quotes $100k to implement CyberArk. Additional costs may include:
Assuming $50k for training and $50k for operations, the total cost for year one is $300k, with an annual cost of $100k from year two onwards.
Next, evaluate how CyberArk's Privileged Access services mitigate risk. In this scenario, let's assume that the tooling would prevent data theft and ransomware attacks by 99%, but only reduce disruption of services by 20%. This results in:
To summarize, we have:
Plugging these figures into the ROI formula, we get:
ROI (year 1) = ($300k - $82k) / $300k
ROI (year 1) = 72.7%
If you could foresee a 72.7% return, would you hesitate to invest in stock or an endeavor? The percentage of this example ROI demonstrates the effectiveness of moving forward with the risk mitigation strategy just for year 1. For years 2 and onwards, the ROI calculation is:
ROI (years 2 and beyond) = ($300k - $82k) / $150k
ROI (years 2 and beyond) = 145.3%
So, in year one, risk mitigation shows a 72.7% effectiveness, while years 2 and onward display a mitigation of risk (i.e., risk aversion) worth nearly 1.5 times the investment! Clearly, this makes a strong case for proceeding with the investment.
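The worked calculation above, expressed as a small reusable model (an added example, not part of the original article or any vendor's tooling): each threat is an annualized loss expectancy (likelihood times impact), the control removes a stated share of each, and the ROI formula from the article is applied per year. The threat names, $100k figures and 99%/20% effectiveness values are the article's constructed scenario; the year-2 cost uses the $150k denominator that appears in the article's year-2 formula.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One risk event: expected annual occurrences times loss per incident."""
    name: str
    annual_frequency: float          # expected incidents per year (likelihood)
    loss_per_incident: float         # impact in dollars
    mitigation_effectiveness: float  # share of the loss the control prevents, 0..1

    def risk_without(self) -> float:
        # Annualized loss expectancy with no control in place
        return self.annual_frequency * self.loss_per_incident

    def risk_with(self) -> float:
        # Residual annual loss after the control removes its share
        return self.risk_without() * (1.0 - self.mitigation_effectiveness)


def risk_reduction_roi(threats, cost_of_mitigation):
    """ROI = (risk without mitigation - risk with mitigation) / cost, as a percentage."""
    if cost_of_mitigation <= 0:
        raise ValueError("cost of mitigation must be positive")
    without = sum(t.risk_without() for t in threats)
    residual = sum(t.risk_with() for t in threats)
    return round((without - residual) / cost_of_mitigation * 100, 1)


# Constructed scenario mirroring the article: $100k per incident, one of each per year
SCENARIO = [
    Threat("ransomware", 1, 100_000, 0.99),
    Threat("data theft", 1, 100_000, 0.99),
    Threat("disruption of services", 1, 100_000, 0.20),
]

# Year 1: license + implementation + training + operations; year 2+: as in the article's formula
COSTS_BY_YEAR = {1: 300_000, 2: 150_000}


def roi_by_year(threats=SCENARIO, costs=COSTS_BY_YEAR):
    """Return {year: ROI percentage} for the given threats and per-year costs."""
    return {year: risk_reduction_roi(threats, cost) for year, cost in costs.items()}


if __name__ == "__main__":
    for year, roi in roi_by_year().items():
        print(f"year {year}: ROI {roi}%")
```

Swapping in your own likelihood, impact and effectiveness estimates per threat reproduces the board-level figure for any scenario, not only the one walked through here.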
Presenting this type of cyber risk aversion quantification to the overall business or service articulates the request in terms your chief financial officer (CFO) will clearly see as a necessary and worthwhile investment year after year. Although this scenario provided a simplified financial overview, Propensic Solutions can help you realize the true value potential of your information security investments.
By adopting a systematic approach to ROI analysis, you can objectively quantify the value of security initiatives, making it easier to prioritize and justify investments. This will not only help protect your organization from potential cyber threats but also ensure that resources are allocated effectively to optimize the return on your security investments.