Thursday, June 18, 2026

How to Measure the ROI of Your Internal Cybersecurity Initiatives

Most security budgets are approved based on a gut feeling, not actual data. The Chief Financial Officer (CFO) stumbles upon a six-figure line item and wonders what the company is buying. “Protection”, the CISO responds, and neither attendee of the meeting is happy with the exchange. The spend isn’t the flaw; the flaw is the lack of a financial model to weigh it. Return on Investment (ROI) in cybersecurity is tangible, but it relies on estimating the cost of events that were prevented from happening, and that’s not a process many organizations are currently practicing.

Shift From Cost Center to Risk Reduction Model

It all starts by changing the way we categorize security spend. If we follow a “view security as a cost center” approach, security appears as a financial burden on the organization, often with no direct impact on the bottom line. The alternative is to treat it as risk reduction: spend that lowers the losses the organization can expect.

To make this more tangible, calculate your Cost Per Incident (CPI): the total cost of security incidents in a set timeframe divided by the number of incidents in that timeframe. The cost typically includes IT remediation hours, legal fees, downtime, and any penalties. Then see by how much that number changes after a new program is implemented. If your CPI drops 30% year-over-year after a policy change or a new tool implementation, you have a solid number to share with the CFO. The global average cost of a data breach rose to $4.45 million in 2023, a 15% increase over three years (IBM Cost of a Data Breach Report 2023). This gives you an industry benchmark of what an incident could cost. Your internal CPI might be lower, but the trend matters more than the absolute number.

Measuring Human Risk With Precision

Most security incidents involve human error, so how your employees act is the most critical component you can control. The upside is it’s also the most straightforward to measure.

There are two metrics that define this space: click-through rate (CTR) and reporting rate. CTR is, in this context, the percentage of your employees who click a malicious link in a test phishing email. Reporting rate is the percentage who report the email to your IT department. Managing your awareness program by this metric pairing gives you a clear view of where your workforce actually stands in the real, risky world, not the one described in your policy documents.

Ongoing phishing awareness training can be tracked by the rolling 12-month drop in successful simulated phishes. An organization that starts out with a 28% CTR in a simple controlled test and drops to 9% over a year hasn’t just improved the ratio of phish-prone to non-phish-prone employees; it has reduced an attackable surface. That is pure risk reduction, and it equates to a reduced likelihood of incident, which feeds directly into the prevention cost part of your security ROI.

This is what we mean when we talk about Human Risk Management (HRM): the measurement and active management of your employees as an actual security control in the same way you patch software.

The Hidden ROI Most Teams Miss

Investments in security offer benefits that go beyond what you can quantify on a single spreadsheet. IT time savings and insurance costs are two of the most commonly overlooked returns.

When it comes to IT time savings, automated security tools for tasks like threat detection, password resets, and access provisioning can provide immense relief for your IT team by reducing manual work. If your team is spending 15 hours a week on tasks that a $40,000 tool could do in minutes, the ROI of that tool becomes pretty compelling. One way to demonstrate the benefits of such tools is to compare Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) before and after their implementation. A more efficient IT team responds faster and at a lower cost.

On the insurance side, well-documented improvement in security maturity is becoming a direct input to your cyber insurance premiums. Insurance carriers price risk, and if you can document lower risk through a maturity model that maps to NIST or your internal framework, you’ve got a good case to negotiate a lower price. Premium decreases of 10-20% are not unheard of for companies that can show the carrier documented improvement in controls and training completion rates.

Brand and Revenue Protection as a Financial Input

A security breach is not only costly to repair; it also loses customers. When a public security breach harms your reputation, you can actually measure how many customers you lose because of it, yet that lost revenue is rarely considered as part of the return on investment (ROI) calculation for security tools.

Business continuity planning (BCP) provides a framework to help you quantify this. For example, map out your critical revenue-generating processes and estimate the cost per hour if those processes go down. Then, calculate the likelihood of those processes going down due to a security incident with your current security controls compared to your planned security controls. The difference in expected loss can be a very direct financial argument for your initiative.
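The CPI trend from the section above and the BCP expected-loss comparison just described, worked through in one small model. This is an added example, not part of the original article; every incident cost, revenue figure, and probability in it is a constructed assumption.

```python
from dataclasses import dataclass

@dataclass
class Incident:
    remediation_hours: float   # IT hours spent on the incident
    hourly_rate: float         # loaded cost per IT hour
    legal_fees: float
    downtime_cost: float
    penalties: float

    def total(self) -> float:
        return (self.remediation_hours * self.hourly_rate
                + self.legal_fees + self.downtime_cost + self.penalties)

def cost_per_incident(incidents: list) -> float:
    """CPI: total incident cost in the period divided by the incident count."""
    if not incidents:
        return 0.0
    return sum(i.total() for i in incidents) / len(incidents)

def cpi_change(before: list, after: list) -> float:
    """Fractional change in CPI between two periods (negative means improvement)."""
    base = cost_per_incident(before)
    return (cost_per_incident(after) - base) / base

@dataclass
class Process:
    name: str
    revenue_per_hour: float   # revenue lost for each hour the process is down
    outage_hours: float       # expected downtime per security-caused outage
    p_current: float          # annual probability of such an outage, current controls
    p_planned: float          # same probability after the planned initiative

def expected_annual_loss(processes: list, planned: bool = False) -> float:
    """Sum over processes of (cost of one outage * annual likelihood)."""
    return sum(p.revenue_per_hour * p.outage_hours
               * (p.p_planned if planned else p.p_current) for p in processes)

def initiative_roi(processes: list, annual_cost: float) -> tuple:
    """Avoided expected loss and ROI = (avoided loss - cost) / cost."""
    avoided = expected_annual_loss(processes) - expected_annual_loss(processes, True)
    return avoided, (avoided - annual_cost) / annual_cost

# Constructed sample data (hypothetical figures, not real incidents)
LAST_YEAR = [Incident(40, 150, 2000, 3000, 1000), Incident(20, 150, 0, 5000, 0),
             Incident(100, 150, 10000, 4000, 1000), Incident(30, 150, 500, 5000, 0)]
THIS_YEAR = [Incident(30, 150, 1500, 3000, 0), Incident(10, 150, 0, 4500, 0),
             Incident(50, 150, 2500, 5000, 0)]
PROCESSES = [Process("order-intake", 20000, 8, 0.25, 0.10),
             Process("billing", 5000, 24, 0.15, 0.05)]
INITIATIVE_COST = 20000   # assumed annual cost of the planned controls
```

With these inputs CPI falls from 15,000 to 10,000 (a one-third drop) and the initiative avoids 36,000 of expected annual loss against a 20,000 cost, an ROI of 0.8.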

Regulatory fines work on the same principle. The money saved by not paying a hefty fine for non-compliance with key privacy requirements isn’t a soft benefit; it’s cash in the bank.

Making the Numbers Work For You

Security ROI will never be as clean as a sales attribution model. But “hard to measure perfectly” isn’t the same as “impossible to measure usefully.” Pick three or four metrics, baseline them now, and track them quarterly. Over time, the story writes itself: lower incident rates, faster response times, declining phishing susceptibility, and reduced insurance costs. That’s a business case any CFO can understand.

Casey Copy, https://www.quirkohub.com
Meet Casey Copy, the heartbeat behind the diverse and engaging content on QuirkoHub.com. A multi-niche maestro with a penchant for the peculiar, Casey's storytelling prowess breathes life into every corner of the website. From unraveling the mysteries of ancient cultures to breaking down the latest in technology, lifestyle, and beyond, Casey's articles are a mosaic of knowledge, wit, and human warmth.
