Managing Cyber Risk through Return on Security Investment

Managing Cyber Risk through Return on Security Investment
Cyber Labs

10 of 12

This insight is part 10 of 12 in this Collection.

Cyber Resilience

04 of 07

This insight is part 04 of 07 in this Collection.

May 10, 2023 7 mins

Managing Cyber Risk through Return on Security Investment

Managing Cyber Risk through Return on Security Investment Hero Banner

A ROSI framework allows businesses to link risk, security and insurance to help manage cyber exposure and increase cyber resilience.

Key Takeaways
  1. The complex risk landscape often creates challenges for business leaders to prioritize and manage cyber risk.
  2. A ROSI framework provides many benefits — including the opportunity for straightforward financial conversations with the board and C-suite.
  3. With the right implementation, ROSI allows firms to make more informed cyber risk management decisions.

The number one risk facing business leaders and their organizations is a significant cyber incident. It’s not just IT systems of business that are affected by a cyber attack — the reputation, balance sheet and operations of the company are also caught up.1

Resilience is a crucial step for preventing or mitigating an impending cyber threat — and in parallel, a strong cyber posture is essential to strategic risk transfer. With the cyber insurance pricing environment showing significant improvement, businesses with best-in-class cyber risk profiles will have more choice and stronger bargaining power.2 Working within a Return on Security Investment (ROSI) framework, a business can confidently calculate its return on security investment, while linking risk, security and insurance to better manage cyber exposure and increase cyber resilience.

Here we discuss the ins and outs of a ROSI framework and how to successfully implement one into your firm for optimal cyber security decision making.

Return on Security Investment: How it Works

Leaders must effectively prioritize risk and allocate budget to manage their ever-widening cyber risk portfolio. Amid today’s complex cyber risk landscape, leaders often struggle to best prioritize and manage cyber risk. The ROSI framework provides a decision map featuring three key questions:

1. How big is the problem?
2. What budget does the organization have to spend?
3. How will leadership decide where to spend this budget?

Leaders have often found it difficult to answer these questions, especially for non-tangible, information assets. Unfortunately, businesses often do not have visibility on adequate spend or areas of focus to address cyber risk until they fall victim to an attack.

Using current modeling and quantification tools, the ROSI framework allows security and IT leaders to have straightforward financial conversations with the board and C-suite. For example: “The business has $100 million worth of exposure. We can spend $5 million to reduce exposure to $50 million, or $7 million to reduce it to $10 million.”

The framework focuses on data collection across three core points:

1. Estimated potential loss
2. Estimated risk mitigation
3. Cost of solution

To examine potential loss or exposure, organizations should take a detailed look at the threat landscape, attack surface and business model. This means viewing cyber security as a people issue.

Eight in 10 cyber security teams believe that hybrid or remote working has increased their organization’s vulnerability to cyber attacks.3

Clear metrics explain how changes in the attack surface impact exposure, like the increase of remote work. Within mitigation, it’s important to understand how each control can impact the likelihood and severity of an event. Where possible, controls are linked to three drivers of exposure and the risk can be better quantified.

Implement a ROSI Framework in Five Steps

For all businesses, five key actions should be taken to implement a ROSI framework into cyber security decision making:

1. Understand the business model. How does the business make money, and what stops it from making money? What is the future direction and does this introduce new exposures?

2. Identify key assets. What does the organization value most? For example, data or intellectual property, and where do these assets reside?

3. Set the foundation. Does the organization have fundamental security in place, like end-point protection or anti-malware? If not, stop to implement this basic protection before taking on a ROSI-framework.

4. Make a scenario-plan. Whiteboard attack scenarios that will result in the greatest impact. Socialize these potential scenarios with non-technical business leaders to solicit input.

5. Quantify the risk and identify controls. Determine which controls align to each risk scenario. Then perform a cost-benefit analysis, including a look at exposure risk and mitigation costs, as well as risk-transfer options via insurance or another vehicle.

Use Data to Inform Your Cyber Risk Decisions

To help assess your organization’s current cyber maturity and decision-making abilities, ask the following three questions:

  • Do you know the total cost of cyber risk to your organization?
  • Do you know where to invest security budget to get maximum balance sheet protection?
  • Do you have access to scenario and financial modeling tools to measure your company’s return on security investment?

Understand the key actions to take and know where your firm stands on its cyber risk journey. A strategic approach to cyber security that is circular, iterative, and importantly, informed by data will have the best results.4 Learn more.


1 Global Risk Management Survey | Aon
2 “E&O Cyber Market Review. Mid-year Report 2022.” Aon. September 2022. Retrieved from
3 Why HR Leaders Must Help Drive Cyber Security Agenda | Aon
4 “Cyber Loop: A Model for Sustained Resilience.” Aon. Report. 2022. Retrieved from


This material has been prepared for informational purposes only and should not be relied upon for any other purpose. You should consult with your own legal and information security advisors or IT Department before implementing any recommendation or guidance provided herein.


General Disclaimer

The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

Terms of Use

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.

More Like This

View All
Subscribe CTA Banner