Managing Cyber Risk through Return on Security Investment

A ROSI framework allows businesses to link risk, security and insurance to help manage cyber exposure and increase cyber resilience.
Key Takeaways
- The complex risk landscape often creates challenges for business leaders to prioritize and manage cyber risk.
- A ROSI framework provides many benefits — including the opportunity for straightforward financial conversations with the board and C-suite.
- With the right implementation, ROSI allows firms to make more informed cyber risk management decisions.
The number one risk facing business leaders and their organizations is a significant cyber incident. It is not just a business's IT systems that are affected by a cyber attack; the company's reputation, balance sheet and operations are also caught up.[1]
Resilience is a crucial step for preventing or mitigating an impending cyber threat — and in parallel, a strong cyber posture is essential to strategic risk transfer. With the cyber insurance pricing environment showing significant improvement, businesses with best-in-class cyber risk profiles will have more choice and stronger bargaining power.[2] Working within a Return on Security Investment (ROSI) framework, a business can confidently calculate its return on security investment, while linking risk, security and insurance to better manage cyber exposure and increase cyber resilience.
Here we discuss the ins and outs of a ROSI framework and how to successfully implement one into your firm for optimal cyber security decision making.
Return on Security Investment: How it Works
Leaders must prioritize risk effectively and allocate budget to manage an ever-widening cyber risk portfolio, and amid today's complex cyber risk landscape they often struggle to do so. The ROSI framework provides a decision map built around three key questions:
1. How big is the problem?
2. What budget does the organization have to spend?
3. How will leadership decide where to spend this budget?
Leaders have often found these questions difficult to answer, especially for intangible information assets. Unfortunately, businesses often lack visibility into how much to spend, or where to focus, to address cyber risk until they fall victim to an attack.
Using current modeling and quantification tools, the ROSI framework allows security and IT leaders to have straightforward financial conversations with the board and C-suite. For example: “The business has $100 million worth of exposure. We can spend $5 million to reduce exposure to $50 million, or $7 million to reduce it to $10 million.”
The framework focuses on data collection across three core points:
1. Estimated potential loss
2. Estimated risk mitigation
3. Cost of solution
To examine potential loss or exposure, organizations should take a detailed look at the threat landscape, attack surface and business model. This means viewing cyber security as a people issue.
Eight in 10 cyber security teams believe that hybrid or remote working has increased their organization's vulnerability to cyber attacks.[3]
Clear metrics explain how changes in the attack surface, such as the increase in remote work, affect exposure. Within mitigation, it is important to understand how each control affects the likelihood and severity of an event. Where possible, controls are linked to the three drivers of exposure (threat landscape, attack surface and business model) so that the risk can be better quantified.
Implement a ROSI Framework in Five Steps
For all businesses, five key actions should be taken to implement a ROSI framework into cyber security decision making:
1. Understand the business model. How does the business make money, and what stops it from making money? What is the future direction and does this introduce new exposures?
2. Identify key assets. What does the organization value most? For example, data or intellectual property, and where do these assets reside?
3. Set the foundation. Does the organization have fundamental security in place, like endpoint protection or anti-malware? If not, stop to implement this basic protection before taking on a ROSI framework.
4. Make a scenario plan. Whiteboard the attack scenarios that would result in the greatest impact. Socialize these potential scenarios with non-technical business leaders to solicit input.
5. Quantify the risk and identify controls. Determine which controls align to each risk scenario. Then perform a cost-benefit analysis, including a look at exposure risk and mitigation costs, as well as risk-transfer options via insurance or another vehicle.
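As an added worked example (not Aon's model, and not code from the article), the cost-benefit analysis in step 5 can be carried through in Python using the three data points the framework collects: estimated potential loss (modelled here as likelihood times severity, following the mitigation paragraph above), estimated risk mitigation (each option's effect on likelihood and severity) and cost of solution. The scenario, the option names and every figure are constructed; they are chosen so that the baseline matches the $100 million / $5 million / $7 million illustration earlier in the article. The ROSI ratio uses the widely cited formula (loss reduction minus cost, divided by cost), which the article itself does not state, and the insurance option is a simplified stand-in for the risk-transfer vehicle step 5 mentions.

```python
"""Constructed ROSI cost-benefit comparison (illustrative; not Aon's model or code).

Exposure is modelled as annualized expected loss = likelihood x severity.
Each option (a security control or a risk-transfer instrument such as insurance)
scales the residual likelihood and/or severity and carries an annual cost.
ROSI = (loss reduction - cost) / cost, the commonly cited formula (an assumption;
the article does not state a formula).
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: float  # annual probability the scenario occurs (0..1)
    severity: float    # loss in dollars if it occurs

    def expected_loss(self) -> float:
        return self.likelihood * self.severity


@dataclass(frozen=True)
class Option:
    name: str
    cost: float                     # annual cost: control spend or insurance premium
    likelihood_factor: float = 1.0  # residual likelihood multiplier (0.5 halves it)
    severity_factor: float = 1.0    # residual severity multiplier (0.2 keeps a fifth)


def residual_loss(scenario: Scenario, options: Sequence[Option]) -> float:
    """Expected loss after applying every option; factors combine multiplicatively."""
    likelihood, severity = scenario.likelihood, scenario.severity
    for option in options:
        likelihood *= option.likelihood_factor
        severity *= option.severity_factor
    return likelihood * severity


def evaluate(scenario: Scenario, options: Sequence[Option]) -> Dict[str, object]:
    """Cost-benefit figures for one bundle of options against one scenario."""
    cost = sum(option.cost for option in options)
    before = scenario.expected_loss()
    after = residual_loss(scenario, options)
    reduction = before - after
    net_benefit = reduction - cost
    return {
        "options": [option.name for option in options],
        "cost": cost,
        "loss_before": before,
        "loss_after": after,
        "reduction": reduction,
        "net_benefit": net_benefit,
        # A zero-cost bundle ("do nothing") has no return to compute; avoid dividing by zero.
        "rosi": net_benefit / cost if cost else 0.0,
    }


def rank(scenario: Scenario, bundles: Sequence[Sequence[Option]]) -> List[Dict[str, object]]:
    """Rank bundles by ROSI ratio, best first. Net benefit is kept alongside because
    the highest ratio is not always the largest absolute reduction in exposure."""
    results = [evaluate(scenario, bundle) for bundle in bundles]
    return sorted(results, key=lambda r: r["rosi"], reverse=True)


def board_summary(result: Dict[str, object]) -> str:
    """One-sentence statement in the form the article suggests for board conversations."""
    return (
        f"The business has ${result['loss_before'] / 1e6:.0f} million of exposure. "
        f"We can spend ${result['cost'] / 1e6:.1f} million on {', '.join(result['options'])} "
        f"to reduce it to ${result['loss_after'] / 1e6:.0f} million "
        f"(ROSI {result['rosi']:.1f}x, net benefit ${result['net_benefit'] / 1e6:.1f} million)."
    )


# --- Constructed inputs (hypothetical figures, not taken from the article) ---------
# 25% annual likelihood x $400M severity = $100M annualized exposure, matching the
# article's illustration of a $100 million exposure.
SCENARIO = Scenario("Ransomware halts order fulfilment", likelihood=0.25, severity=400e6)

CONTROL_A = Option("EDR and MFA rollout", cost=5e6, likelihood_factor=0.5)
CONTROL_B = Option("EDR, MFA and segmented offline backups", cost=7e6,
                   likelihood_factor=0.5, severity_factor=0.2)
# Risk transfer: a premium buys down a share of the residual severity (simplified model).
INSURANCE = Option("Cyber insurance policy", cost=1.5e6, severity_factor=0.7)

BUNDLES = [[CONTROL_A], [CONTROL_B], [CONTROL_B, INSURANCE]]

if __name__ == "__main__":
    for result in rank(SCENARIO, BUNDLES):
        print(board_summary(result))
```

Running the script prints one board-style sentence per bundle. The ranking also shows why the ratio alone is not the whole story: adding the insurance option to the second bundle lowers its ROSI ratio (the premium dilutes the return) while raising its net benefit, so a leadership decision needs both numbers, which is the point of presenting exposure before and after each spend.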
Use Data to Inform Your Cyber Risk Decisions
To help assess your organization’s current cyber maturity and decision-making abilities, ask the following three questions:
- Do you know the total cost of cyber risk to your organization?
- Do you know where to invest security budget to get maximum balance sheet protection?
- Do you have access to scenario and financial modeling tools to measure your company’s return on security investment?
Understand the key actions to take and know where your firm stands on its cyber risk journey. A strategic approach to cyber security that is circular, iterative and, importantly, informed by data will have the best results.[4]
[1] "Global Risk Management Survey." Aon.
[2] "E&O Cyber Market Review. Mid-year Report 2022." Aon. September 2022. Retrieved from https://www.aon.com/insights/articles/2022/eo-cyber-market-review-midyear-2022
[3] "Why HR Leaders Must Help Drive Cyber Security Agenda." Aon.
[4] "Cyber Loop: A Model for Sustained Resilience." Aon. Report. 2022. Retrieved from https://www.aon.com/cyber-solutions/thinking/the-cyber-loop-a-model-for-sustained-cyber-resilience/
This material has been prepared for informational purposes only and should not be relied upon for any other purpose. You should consult with your own legal and information security advisors or IT Department before implementing any recommendation or guidance provided herein.