Framework for Calculating Return on Security Investment (ROSI) for Security-Oriented Organizations

Yaqoob, Tahreem; Arshad, Azka; Abbas, Haider; Amjad, Muhammad Faisal; Shafqat, Narmeen

doi:10.1016/j.future.2018.12.033

Cited by 14 publications

(8 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…By categorizing these contributions based on their approach and shared characteristics, the classification presented in Table 2 was obtained. Optimal investment (Gordon Loeb) /ROI/ROSI Dangerous games: A literature review on cybersecurity investments [10] Cybersecurity investment allocation for a multi-branch firm: Modeling and optimization [11] Enterprise security investment through time when facing different types of vulnerabilities [12] Optimal information security expenditures considering budget constraints [13] Optimal information security investment in a Healthcare Information Exchange: An economic analysis [14] Cyber kpi for return on security investment [15] Framework for calculating return on security investment (ROSI) for security-oriented organizations [16] Towards integrating insurance data into information security investment decision making [17] Managing the investment in information security technology by uses of a quantitative modeling [18] A2: Stakeholders contribution Economic model for evaluating the value creation through information sharing within the cybersecurity information sharing ecosystem [19] Optimum spending on cybersecurity measures [ A game theory model of cybersecurity investments with information asymmetry [24] Establishing evolutionary game models for CYBer security information EXchange (CYBEX) [25] A6: Resource-based view and organizational learning A multi-Theoretical literature review on information security investments using the resource-based view and the organizational learning theory [26] A7: Security events study Information security breaches and IT security investments: Impacts on competitors [27] A8: Risk Management Risk management, firm reputation, and the impact of successful cyberattacks on target firms [28] Source: Authors' own creation.…”

Section: Review Resultsmentioning

confidence: 99%

“…Integrating a new model to illustrate the economic effects of implementing an information security framework in a Colombian organization involves extending the current model developed by Min TIC, having into account the economic features proposed by [16] in their six-phase framework for calculating the Return on Security Investment (ROSI) into the MSPI. The MSPI structure is maintained while expanding its applicability range; phases 4 and 5 of the cost-benefit analysis of [21], including specific calculations for the total cost of implementing cybersecurity measures; and the performance evaluation and continuous improvement stages were enhanced with the metrics suggested by [15].…”

Section: Aspects For Model Integrationmentioning

confidence: 99%

See 1 more Smart Citation

Modelo Económico de implementación de un marco de seguridad de la información para las Organizaciones Colombianas.

Serna,

Villamizar-Jaimes,

Vallejo

2024

AiBi Revista de Investigación, Administración e Ingeniería

View full text Add to dashboard Cite

La limitada comprensión de cómo la gestión de la seguridad de la información impacta en las economías organizacionales dificulta el proceso de toma de decisiones de la gerencia con respecto a las inversiones en marcos de seguridad. Este desafío, junto con el aumento de las amenazas y vulnerabilidades en los sistemas informáticos, refuerza la ciberdelincuencia y conduce a pérdidas financieras sustanciales. Si bien se han desarrollado modelos económicos que incorporan variables de ciberseguridad, no evalúan completamente la implementación de un marco de seguridad específico dentro del contexto de un país específico. El modelo propuesto tiene como objetivo justificar económicamente la implementación de un marco de ciberseguridad en las organizaciones colombianas, contribuyendo así a la dirección estratégica y al crecimiento económico de las empresas. El modelo integra un marco de seguridad publicado por el gobierno colombiano con contribuciones significativas de modelos económicos seleccionados en una revisión sistemática de la literatura. Esta integración da como resultado un modelo económico novedoso que se puede implementar en varios tipos de empresas.

show abstract

Section: Review Resultsmentioning

confidence: 99%

Section: Aspects For Model Integrationmentioning

confidence: 99%

Modelo Económico de implementación de un marco de seguridad de la información para las Organizaciones Colombianas.

Serna,

Villamizar-Jaimes,

Vallejo

2024

AiBi Revista de Investigación, Administración e Ingeniería

View full text Add to dashboard Cite

show abstract

“…The ROSI model had been utilised in several literature with various case studies 14,15 . Whilst the model has provisions to calculate the return of security investment, it only provides with the maximum returns based on the ARO.…”

Section: D) Return Of Security Investment (Rosi)mentioning

confidence: 99%

تحديد عائد الاستثمارات الأمنية للشركات التقنية الناشئة

Marican,

Othman,

Selamat

et al. 2024

Baghdad Sci.J

View full text Add to dashboard Cite

Technology startups are critical to the advancement of digital initiatives in many countries undergoing smart nation agenda. Technology startups are thus vendors and suppliers of services to large organizations such as the government sector, multi-national corporations and financial institutions. As such, startups are fast becoming attack vectors for malicious perpetrators to gain entry via backdoors to large organizations. However, startups remain prudent in their cyber security spending as their north star is revenue generation by delivering their services and minimum viable product (MVP) to their customers. This study proposes an enhanced Return on Security Investment (ROSI) which helps technology startups calculate the return on security investment and justify their budget of cyber security spending. Though there are existing models to calculate the return of investments allocated to cyber security expenditure, they are rather complex and do not give management clarity in terms of the monetary value for cyber security spending. Furthermore, the existing models do not cater to the dynamics and nuances of technology startups. The enhanced model also provides technology startups the ability to appropriately adjust their cyber security investments based on the calculations of the Minimum (Min) and Maximum (Max) ROSI values. The proposed and enhanced ROSI model has been validated by 5 cyber security experts who agreed on the importance and necessity of the model to be applied to technology startups. The results of the case study on a FinTech startup enable the calculation of the Min and Max ROSI to justify the return on security investments and provide the startup with the ability to adjust the cyber security spending accordingly.

show abstract

“…This would result in a metric assessing the average improvement in system's security per unit of resource invested in implementing P re(w). Should additional information be available to the modeller, such as expected annual loss incurred by a countermeasure being not implemented in the system, security-oriented variants of the return on investment (ROI) metric, like the ones considered in [9], [31], [43], could also be employed for measuring quality of defenses.…”

Section: B Selection Based On Quality Of Defense Stepsmentioning

confidence: 99%

Security Countermeasures Selection Using the Meta Attack Language and Probabilistic Attack Graphs

2022

View full text Add to dashboard Cite

Connecting critical infrastructure assets to the network is absolutely essential for modern industries. In contrast to the apparent advantages, network connectivity exposes other infrastructure vulnerabilities that can be exploited by attackers. To protect the infrastructure, precise countermeasure identification is necessary. In this regard, the objective for the security officers is to identify the optimal set of countermeasures under a variety of budgetary restrictions. Our approach is based on the Meta Attack Language framework, which allows for convenient modelling of said infrastructures, as well as for automatic generation of attack graphs describing attacks against them. We formalize the problem of the selection of countermeasures in this context. The formalization makes it possible to deal with an arbitrary number of budgets, expressing available resources of both monetary and time-like nature, and to model numerous dependencies between countermeasures, including order dependencies, mutual exclusivity, and interdependent implementation costs. We propose a flexible and scalable algorithm for the problem. The whole methodology is validated in practice on realistic models.

show abstract

Framework for Calculating Return on Security Investment (ROSI) for Security-Oriented Organizations

Cited by 14 publications

References 12 publications

Modelo Económico de implementación de un marco de seguridad de la información para las Organizaciones Colombianas.

Modelo Económico de implementación de un marco de seguridad de la información para las Organizaciones Colombianas.

تحديد عائد الاستثمارات الأمنية للشركات التقنية الناشئة

Security Countermeasures Selection Using the Meta Attack Language and Probabilistic Attack Graphs

Contact Info

Product

Resources

About