Managing Cyber Risk through Return on Security Investment
A ROSI framework allows businesses to link risk, security and insurance to help manage cyber exposure and increase cyber resilience.
Key Takeaways
-
The complex risk landscape often creates challenges for business leaders to prioritize and manage cyber risk.
-
A ROSI framework provides many benefits — including the opportunity for straightforward financial conversations with the board and C-suite.
-
With the right implementation, ROSI allows firms to make more informed cyber risk management decisions.
The number one risk facing business leaders and their organizations is a significant cyber incident. It’s not just IT systems of business that are affected by a cyber attack — the reputation, balance sheet and operations of the company are also caught up.1
Resilience is a crucial step for preventing or mitigating an impending cyber threat — and in parallel, a strong cyber posture is essential to strategic risk transfer. With the cyber insurance pricing environment showing significant improvement, businesses with best-in-class cyber risk profiles will have more choice and stronger bargaining power.2 Working within a Return on Security Investment (ROSI) framework, a business can confidently calculate its return on security investment, while linking risk, security and insurance to better manage cyber exposure and increase cyber resilience.
Here we discuss the ins and outs of a ROSI framework and how to successfully implement one into your firm for optimal cyber security decision making.
Return on Security Investment: How it Works
Leaders must effectively prioritize risk and allocate budget to manage their ever-widening cyber risk portfolio. Amid today’s complex cyber risk landscape, leaders often struggle to best prioritize and manage cyber risk. The ROSI framework provides a decision map featuring three key questions:
1. How big is the problem?
2. What budget does the organization have to spend?
3. How will leadership decide where to spend this budget?
Leaders have often found it difficult to answer these questions, especially for non-tangible, information assets. Unfortunately, businesses often do not have visibility on adequate spend or areas of focus to address cyber risk until they fall victim to an attack.
Using current modeling and quantification tools, the ROSI framework allows security and IT leaders to have straightforward financial conversations with the board and C-suite. For example: “The business has $100 million worth of exposure. We can spend $5 million to reduce exposure to $50 million, or $7 million to reduce it to $10 million.”
The framework focuses on data collection across three core points:
1. Estimated potential loss
2. Estimated risk mitigation
3. Cost of solution
To examine potential loss or exposure, organizations should take a detailed look at the threat landscape, attack surface and business model. This means viewing cyber security as a people issue.
Eight in 10 cyber security teams believe that hybrid or remote working has increased their organization’s vulnerability to cyber attacks.3
Clear metrics explain how changes in the attack surface impact exposure, like the increase of remote work. Within mitigation, it’s important to understand how each control can impact the likelihood and severity of an event. Where possible, controls are linked to three drivers of exposure and the risk can be better quantified.
Implement a ROSI Framework in Five Steps
For all businesses, five key actions should be taken to implement a ROSI framework into cyber security decision making:
1. Understand the business model. How does the business make money, and what stops it from making money? What is the future direction and does this introduce new exposures?
2. Identify key assets. What does the organization value most? For example, data or intellectual property, and where do these assets reside?
3. Set the foundation. Does the organization have fundamental security in place, like end-point protection or anti-malware? If not, stop to implement this basic protection before taking on a ROSI-framework.
4. Make a scenario-plan. Whiteboard attack scenarios that will result in the greatest impact. Socialize these potential scenarios with non-technical business leaders to solicit input.
5. Quantify the risk and identify controls. Determine which controls align to each risk scenario. Then perform a cost-benefit analysis, including a look at exposure risk and mitigation costs, as well as risk-transfer options via insurance or another vehicle.
Use Data to Inform Your Cyber Risk Decisions
To help assess your organization’s current cyber maturity and decision-making abilities, ask the following three questions:
- Do you know the total cost of cyber risk to your organization?
- Do you know where to invest security budget to get maximum balance sheet protection?
- Do you have access to scenario and financial modeling tools to measure your company’s return on security investment?
Understand the key actions to take and know where your firm stands on its cyber risk journey. A strategic approach to cyber security that is circular, iterative, and importantly, informed by data will have the best results.4 Learn more.
1 Global Risk Management Survey | Aon
2 “E&O Cyber Market Review. Mid-year Report 2022.” Aon. September 2022. Retrieved from https://www.aon.com/insights/articles/2022/eo-cyber-market-review-midyear-2022
3 Why HR Leaders Must Help Drive Cyber Security Agenda | Aon
4 “Cyber Loop: A Model for Sustained Resilience.” Aon. Report. 2022. Retrieved from https://www.aon.com/cyber-solutions/thinking/the-cyber-loop-a-model-for-sustained-cyber-resilience/
This material has been prepared for informational purposes only and should not be relied upon for any other purpose. You should consult with your own legal and information security advisors or IT Department before implementing any recommendation or guidance provided herein.
General Disclaimer
The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
Terms of Use
The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.
Aon's Better Being Podcast
Our Better Being podcast series, hosted by Aon Chief Wellbeing Officer Rachel Fellowes, explores wellbeing strategies and resilience. This season we cover human sustainability, kindness in the workplace, how to measure wellbeing, managing grief and more.
Aon Insights Series UK
Expert Views on Today's Risk Capital and Human Capital Issues
Construction and Infrastructure
The construction industry is under pressure from interconnected risks and notable macroeconomic developments. Learn how your organization can benefit from construction insurance and risk management.
Cyber Labs
Stay in the loop on today's most pressing cyber security matters.
Cyber Resilience
Our Cyber Resilience collection gives you access to Aon’s latest insights on the evolving landscape of cyber threats and risk mitigation measures. Reach out to our experts to discuss how to make the right decisions to strengthen your organization’s cyber resilience.
Employee Wellbeing
Our Employee Wellbeing collection gives you access to the latest insights from Aon's human capital team. You can also reach out to the team at any time for assistance with your employee wellbeing needs.
Environmental, Social and Governance Insights
Explore Aon's latest environmental social and governance (ESG) insights.
Q4 2023 Global Insurance Market Insights
Our Global Insurance Market Insights highlight insurance market trends across pricing, capacity, underwriting, limits, deductibles and coverages.
Regional Results
How do the top risks on business leaders’ minds differ by region and how can these risks be mitigated? Explore the regional results to learn more.
Human Capital Analytics
Our Human Capital Analytics collection gives you access to the latest insights from Aon's human capital team. Contact us to learn how Aon’s analytics capabilities helps organizations make better workforce decisions.
Insights for HR
Explore our hand-picked insights for human resources professionals.
Workforce
Our Workforce Collection provides access to the latest insights from Aon’s Human Capital team on topics ranging from health and benefits, retirement and talent practices. You can reach out to our team at any time to learn how we can help address emerging workforce challenges.
Mergers and Acquisitions
Our Mergers and Acquisitions (M&A) collection gives you access to the latest insights from Aon's thought leaders to help dealmakers make better decisions. Explore our latest insights and reach out to the team at any time for assistance with transaction challenges and opportunities.
Navigating Volatility
How do businesses navigate their way through new forms of volatility and make decisions that protect and grow their organizations?
Parametric Insurance
Our Parametric Insurance Collection provides ways your organization can benefit from this simple, straightforward and fast-paying risk transfer solution. Reach out to learn how we can help you make better decisions to manage your catastrophe exposures and near-term volatility.
Pay Transparency and Equity
Our Pay Transparency and Equity collection gives you access to the latest insights from Aon's human capital team on topics ranging from pay equity to diversity, equity and inclusion. Contact us to learn how we can help your organization address these issues.
Property Risk Management
Forecasters are predicting an extremely active 2024 Atlantic hurricane season. Take measures to build resilience to mitigate risk for hurricane-prone properties.
Technology
Our Technology Collection provides access to the latest insights from Aon's thought leaders on navigating the evolving risks and opportunities of technology. Reach out to the team to learn how we can help you use technology to make better decisions for the future.
Top 10 Global Risks
Trade, technology, weather and workforce stability are the central forces in today’s risk landscape.
Trade
Our Trade Collection gives you access to the latest insights from Aon's thought leaders on navigating the evolving risks and opportunities for international business. Reach out to our team to understand how to make better decisions around macro trends and why they matter to businesses.
Weather
With a changing climate, organizations in all sectors will need to protect their people and physical assets, reduce their carbon footprint, and invest in new solutions to thrive. Our Weather Collection provides you with critical insights to be prepared.
Workforce Resilience
Our Workforce Resilience collection gives you access to the latest insights from Aon's Human Capital team. You can reach out to the team at any time for questions about how we can assess gaps and help build a more resilience workforce.
More Like This
-
Article 5 mins
Decentralized Autonomous Organizations: New Technology Meets Traditional Risk Management
Decentralized Autonomous Organizations (DAOs) must embrace strong governance and secure optimal insurance coverage to effectively mitigate risk and guard against negative financial impact.
-
Article 9 mins
How Social Inflation is Impacting the Aviation Industry
The aviation industry is watching the rise in nuclear verdicts with concern as social inflation and associated risks continue to squeeze the sector. Organizations should review their risk management processes to limit the dollar value of future losses.
-
Article 12 mins
Navigating AI-Related Risks: A Guide for Directors and Officers
As AI evolves, directors and officers must maneuver through a complex landscape of regulatory and legal risks. Implementing best practices around the use of AI and robust governance-focused risk mitigation can help manage exposures.