Managing Cyber Risk through Return on Security Investment
A ROSI framework allows businesses to link risk, security and insurance to help manage cyber exposure and increase cyber resilience.
Key Takeaways
- The complex risk landscape often creates challenges for business leaders to prioritize and manage cyber risk.
- A ROSI framework provides many benefits — including the opportunity for straightforward financial conversations with the board and C-suite.
- With the right implementation, ROSI allows firms to make more informed cyber risk management decisions.
The number one risk facing business leaders and their organizations is a significant cyber incident. It’s not just a business’s IT systems that are affected by a cyber attack — the reputation, balance sheet and operations of the company are also caught up.1
Resilience is a crucial step for preventing or mitigating an impending cyber threat — and in parallel, a strong cyber posture is essential to strategic risk transfer. With the cyber insurance pricing environment showing significant improvement, businesses with best-in-class cyber risk profiles will have more choice and stronger bargaining power.2 Working within a Return on Security Investment (ROSI) framework, a business can confidently calculate its return on security investment, while linking risk, security and insurance to better manage cyber exposure and increase cyber resilience.
Here we discuss the ins and outs of a ROSI framework and how to successfully implement one into your firm for optimal cyber security decision making.
Return on Security Investment: How it Works
Leaders must effectively prioritize risk and allocate budget to manage their ever-widening cyber risk portfolio. Amid today’s complex cyber risk landscape, leaders often struggle to best prioritize and manage cyber risk. The ROSI framework provides a decision map featuring three key questions:
1. How big is the problem?
2. What budget does the organization have to spend?
3. How will leadership decide where to spend this budget?
Leaders have often found it difficult to answer these questions, especially for non-tangible information assets. Unfortunately, businesses often do not have visibility on adequate spend or areas of focus to address cyber risk until they fall victim to an attack.
Using current modeling and quantification tools, the ROSI framework allows security and IT leaders to have straightforward financial conversations with the board and C-suite. For example: “The business has $100 million worth of exposure. We can spend $5 million to reduce exposure to $50 million, or $7 million to reduce it to $10 million.”
The framework focuses on data collection across three core points:
1. Estimated potential loss
2. Estimated risk mitigation
3. Cost of solution
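The board-level figures quoted above, worked through as an added illustration (not Aon's model or code). It assumes the exposure figures are expected losses over the same period as the spend, and uses the commonly cited formula ROSI = (loss avoided - cost) / cost, which the article itself does not spell out; the Option type and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Option:
    """One candidate security investment, all figures in $ millions."""
    name: str
    cost: float               # cost of solution
    residual_exposure: float  # estimated loss remaining after mitigation


def rosi(baseline: float, opt: Option) -> float:
    """Return on security investment: (loss avoided - cost) / cost."""
    if opt.cost <= 0:
        raise ValueError("cost of solution must be positive")
    avoided = baseline - opt.residual_exposure
    return (avoided - opt.cost) / opt.cost


def incremental_rosi(cheaper: Option, dearer: Option) -> float:
    """Return on the *extra* spend when upgrading from one option to another.

    This is the number that answers "is the additional budget worth it?",
    which the headline ROSI of each option does not show on its own.
    """
    extra_cost = dearer.cost - cheaper.cost
    if extra_cost <= 0:
        raise ValueError("second option must cost more than the first")
    extra_avoided = cheaper.residual_exposure - dearer.residual_exposure
    return (extra_avoided - extra_cost) / extra_cost


def best_within_budget(baseline: float, options: Sequence[Option],
                       budget: float) -> Optional[Option]:
    """Pick the affordable option with the lowest total cost of risk.

    Total cost of risk = residual exposure + cost of solution. Returns None
    when nothing affordable beats leaving the baseline exposure untreated.
    """
    affordable = [o for o in options
                  if o.cost <= budget
                  and o.residual_exposure + o.cost < baseline]
    if not affordable:
        return None
    return min(affordable, key=lambda o: o.residual_exposure + o.cost)


# Figures from the article's example: $100M exposure, two spending options.
BASELINE = 100.0
OPTION_A = Option("spend $5M", cost=5.0, residual_exposure=50.0)
OPTION_B = Option("spend $7M", cost=7.0, residual_exposure=10.0)
OPTIONS = [OPTION_A, OPTION_B]

if __name__ == "__main__":
    for opt in OPTIONS:
        print(f"{opt.name}: ROSI = {rosi(BASELINE, opt):.2f}")
    print(f"extra $2M: incremental ROSI = "
          f"{incremental_rosi(OPTION_A, OPTION_B):.2f}")
    for budget in (4.0, 6.0, 7.0):
        choice = best_within_budget(BASELINE, OPTIONS, budget)
        print(f"budget ${budget}M ->", choice.name if choice else "no option")
```

The incremental figure is the one to bring to the budget discussion: the second $2 million removes a further $40 million of exposure, a far higher return than the first $5 million.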
To examine potential loss or exposure, organizations should take a detailed look at the threat landscape, attack surface and business model. This means viewing cyber security as a people issue.
Eight in 10 cyber security teams believe that hybrid or remote working has increased their organization’s vulnerability to cyber attacks.3
Clear metrics explain how changes in the attack surface, like the increase of remote work, impact exposure. Within mitigation, it’s important to understand how each control can impact the likelihood and severity of an event. Where possible, controls are linked to three drivers of exposure and the risk can be better quantified.
Implement a ROSI Framework in Five Steps
For all businesses, five key actions should be taken to implement a ROSI framework into cyber security decision making:
1. Understand the business model. How does the business make money, and what stops it from making money? What is the future direction and does this introduce new exposures?
2. Identify key assets. What does the organization value most (for example, data or intellectual property), and where do these assets reside?
3. Set the foundation. Does the organization have fundamental security in place, like end-point protection or anti-malware? If not, stop to implement this basic protection before taking on a ROSI framework.
4. Make a scenario-plan. Whiteboard attack scenarios that will result in the greatest impact. Socialize these potential scenarios with non-technical business leaders to solicit input.
5. Quantify the risk and identify controls. Determine which controls align to each risk scenario. Then perform a cost-benefit analysis, including a look at exposure risk and mitigation costs, as well as risk-transfer options via insurance or another vehicle.
Use Data to Inform Your Cyber Risk Decisions
To help assess your organization’s current cyber maturity and decision-making abilities, ask the following three questions:
- Do you know the total cost of cyber risk to your organization?
- Do you know where to invest security budget to get maximum balance sheet protection?
- Do you have access to scenario and financial modeling tools to measure your company’s return on security investment?
Understand the key actions to take and know where your firm stands on its cyber risk journey. A strategic approach to cyber security that is circular, iterative, and importantly, informed by data will have the best results.4
1 Global Risk Management Survey | Aon
2 “E&O Cyber Market Review. Mid-year Report 2022.” Aon. September 2022. Retrieved from https://www.aon.com/insights/articles/2022/eo-cyber-market-review-midyear-2022
3 Why HR Leaders Must Help Drive Cyber Security Agenda | Aon
4 “Cyber Loop: A Model for Sustained Resilience.” Aon. Report. 2022. Retrieved from https://www.aon.com/cyber-solutions/thinking/the-cyber-loop-a-model-for-sustained-cyber-resilience/
This material has been prepared for informational purposes only and should not be relied upon for any other purpose. You should consult with your own legal and information security advisors or IT Department before implementing any recommendation or guidance provided herein.