Calculating ROIs
Designing and implementing security controls is often seen as a cost overhead, and justifying the cost and effort of a particular control to management can be challenging. One way to make the case is to estimate the return on investment of the vulnerability management program. Such an estimate is partly subjective and rests on both qualitative and quantitative analysis.
While the return-on-investment calculation can get complicated depending on the complexity of the environment, let's start with a simple formula and example:

Return on investment (ROI) = (Gain from Investment - Cost of Investment) x 100 / Cost of Investment
For a simplified understanding, consider an organization with 10 systems that need to fall under the purview of the vulnerability management program. All 10 systems contain sensitive business data, and if they are attacked, the organization could suffer a loss of $75,000 along with reputational damage. Now the organization...