Cybersecurity ROI ROSI calculator

Calculating Cybersecurity ROSI

Refreshed and expanded July 14, 2025.

If you’re going to spend money on managed cybersecurity services, what kind of “return” should you expect?

Does that question even make sense when your goal is to avoid loss?

In this post, we’ll give you the tools to calculate cybersecurity ROI (or more properly, ROSI—return on security investment). We’ll also give you a simple calculator to help you estimate your ROSI from cybersecurity.

Last of all, we’ll help you communicate cybersecurity ROSI to the C-suite.

Let’s dive in!

1. What is cybersecurity ROI or ROSI?

In a typical ROI calculation, the investment is intended to produce more revenue than its cost, as expressed in this formula:

ROI = (net income / cost of investment) x 100

But cybersecurity investments are different. For example, a managed SIEM (security information and event management) solution is the bedrock of any cybersecurity program—but it doesn’t produce revenue. It can’t provide a figure for the “net income” portion of the standard ROI formula. Rather, a SIEM solution protects revenue and essential systems, providing a single dashboard in which your team (or your provider) can see security incidents and respond to them in real time.

This is why cybersecurity professionals prefer the term ROSI (return on security investment), rather than ROI. It helps highlight the fact that this is a different type of calculation.

So what is the difference between ROI and ROSI in cybersecurity?

ROSI measures loss avoided. And it expresses the concept as a percentage of the cost of the solution.  

Let’s unpack that.

Sharon Pohly, CEO, Girl Scouts of Northern Indiana-Michiana | Corsica Technologies case study

“The internet is a bit of wild, wild west. Corsica serves as our eyes on cybersecurity and ensures our staff are educated.”

—Sharon Pohly, CEO

What is loss avoidance in cybersecurity?

Loss avoidance in cybersecurity is the amount of financial loss that an organization avoids by implementing the proper cybersecurity controls. 

For an analogy, consider the concept of avoiding shrinkage in retail.

Physical security measures, like magnetic tags and detectors at exits, are essential to preventing shoplifting. It’s not enough to say, “We have a small store, and shoplifting probably won’t happen.” In fact, it will happen, and any good retail budget will quantify (and plan for) an acceptable percentage of shrinkage.

Once that expected shrinkage has been quantified in terms of dollars, you know how much loss you’re preventing if you invest in physical security measures. (Of course, no physical security measures are perfect, but these are rough calculations. More on that below when we get to “mitigation ratio” in cybersecurity.)

Once you have the quantified loss that you’re preventing, you can express it as a percentage of the cost of the security measures. This is the concept behind ROSI.   

What data do I need to estimate the financial impact of cybersecurity incidents?

You will need three input datapoints (ARO, SLE, and the mitigation ratio) plus one derived figure, ALE, to calculate the financial impact of cybersecurity incidents. Those datapoints are:

  • ALE
  • ARO
  • SLE
  • Mitigation ratio

Here’s what each of these terms means. 

What is ALE (annualized loss expectancy)?

This is the total, annualized monetary loss that you can expect from the type of security incident(s) mitigated by the cybersecurity solution. It’s calculated as follows.

ALE = ARO x SLE

What is ARO (annualized rate of occurrence)?

This is an estimate of how many times a certain type of cybersecurity incident will occur in one year. If the incident in question typically occurs once per year, ARO = 1. If it typically occurs 5 times per year, ARO = 5.

What is SLE (single loss expectancy)?

This is the monetary value of the loss from one occurrence. (See below for average losses incurred by single occurrences of various types of cybersecurity incidents.)

What is a mitigation ratio?

This is the ratio at which the solution in question mitigates the security risks that it addresses. For example, if an email security solution catches 96% of phishing emails, its mitigation ratio is 0.96.

Now let’s put all these together in the formula for cybersecurity ROSI.

What is the formula for cybersecurity ROSI?

As defined by the SANS Institute, the basic formula for cybersecurity ROSI is:

ROSI = ([ALE x mitigation ratio] – cost of solution) / cost of solution

So what does a sample ROSI calculation look like?

Let’s explore that in detail below.


2. Sample loss estimates for common cyber incidents

The cybersecurity threat landscape is evolving rapidly, and every organization will experience a different number of security incidents. The best guide for estimating these figures in your scenario is your company’s own historical data on incidents experienced.

That said, here are a few stats for illustration purposes.

[Figure: sample loss estimates for DDoS, phishing, and ransomware]

3. Sample cybersecurity ROSI calculation

Using our example data above, let’s imagine a managed cybersecurity services agreement that addresses DDoS, phishing, and ransomware. To get our rollup number for total ALE, we’ll add up the ALEs of all three attack types. (This is not an exhaustive calculation—merely an example of how to run the calculation.)

Total ALE = $37,060,000 + $1,500,000 + $2,937,000 = $41,497,000

We also need a figure for the mitigation ratio—how effective the solution is at stopping the types of attacks it targets.

In the real world, you may need to treat the mitigation ratio separately for each control that you’re rolling up in your total ALE calculation. For the purposes of illustration, we’ll assume an 80% mitigation ratio for the solution as a whole, which is pretty conservative. This rough simplification will allow us to proceed with the example calculation.

Now let’s assume an annual cost of $120,000 for working with an MSSP. Again, this is merely an example, as costs will vary based on the services you need, the number of devices and users in your organization, and the scope and complexity of your systems.

That said, here’s the sample calculation using the above figures.

ROSI = ([ALE x mitigation ratio] – cost of solution) / cost of solution

ROSI = ([41.5M x 0.8] – 120,000) / 120,000 (total ALE rounded to $41.5M)

ROSI = (33,200,000 – 120,000) / 120,000 = 275.67

ROSI = 27,567%

As you can see, this particular cybersecurity investment is well worth it.
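The calculation above carried through in code, as an added example that is not from the original post or from Corsica Technologies. It builds ALE from ARO and SLE for each incident type, rolls the types up, applies either a single mitigation ratio to the rolled-up ALE (as the post does) or a separate ratio per incident type (as the post says you may need to in practice), and reports the break-even cost at which ROSI drops to zero. The ARO and SLE values are constructed so that each ALE matches the post’s rollup ($37,060,000, $1,500,000, $2,937,000); they are not figures from the post.

```python
"""Cybersecurity ROSI calculator (added example, not the post's own tool)."""
from dataclasses import dataclass, replace
from typing import Iterable


@dataclass(frozen=True)
class IncidentType:
    """One category of incident that the security control addresses."""
    name: str
    aro: float          # annualized rate of occurrence (incidents per year)
    sle: float          # single loss expectancy, dollars per incident
    mitigation: float   # share of this incident type the control stops, 0.0..1.0

    def __post_init__(self) -> None:
        if self.aro < 0 or self.sle < 0:
            raise ValueError(f"{self.name}: ARO and SLE must be non-negative")
        if not 0.0 <= self.mitigation <= 1.0:
            raise ValueError(f"{self.name}: mitigation ratio must be between 0 and 1")

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: ALE = ARO x SLE."""
        return self.aro * self.sle

    @property
    def avoided_loss(self) -> float:
        """Expected annual loss the control prevents for this incident type."""
        return self.ale * self.mitigation


def total_ale(incidents: Iterable[IncidentType]) -> float:
    """Roll-up of ALE across all incident types the control covers."""
    return sum(i.ale for i in incidents)


def rosi_from_ale(ale: float, mitigation: float, cost: float) -> float:
    """SANS formula with one rolled-up ALE and one overall mitigation ratio.
    Returns a fraction (2.75 means 275%)."""
    if cost <= 0:
        raise ValueError("cost of solution must be positive")
    return (ale * mitigation - cost) / cost


def rosi(incidents: Iterable[IncidentType], cost: float) -> float:
    """ROSI with a separate mitigation ratio per incident type."""
    if cost <= 0:
        raise ValueError("cost of solution must be positive")
    avoided = sum(i.avoided_loss for i in incidents)
    return (avoided - cost) / cost


def rosi_percent(value: float) -> int:
    """Express a ROSI fraction as a whole-number percentage."""
    return round(value * 100)


def break_even_cost(incidents: Iterable[IncidentType]) -> float:
    """Largest annual spend at which ROSI is still zero or better."""
    return sum(i.avoided_loss for i in incidents)


# Constructed sample data (hypothetical ARO/SLE pairs): chosen so each ALE
# matches the post's rollup of $37,060,000 + $1,500,000 + $2,937,000.
SAMPLE_INCIDENTS = (
    IncidentType("DDoS", aro=4, sle=9_265_000, mitigation=0.8),
    IncidentType("Phishing", aro=10, sle=150_000, mitigation=0.8),
    IncidentType("Ransomware", aro=3, sle=979_000, mitigation=0.8),
)
SAMPLE_COST = 120_000  # the post's assumed annual MSSP cost


if __name__ == "__main__":
    print(f"Total ALE: ${total_ale(SAMPLE_INCIDENTS):,.0f}")
    rolled = rosi_from_ale(41_500_000, 0.8, SAMPLE_COST)
    print(f"ROSI, one ratio on ALE rounded to $41.5M: {rosi_percent(rolled):,}%")
    print(f"ROSI, per incident type, unrounded: {rosi_percent(rosi(SAMPLE_INCIDENTS, SAMPLE_COST)):,}%")
    # Per-control ratios: the post's 96% phishing catch rate, weaker ransomware coverage.
    per_control = (
        SAMPLE_INCIDENTS[0],
        replace(SAMPLE_INCIDENTS[1], mitigation=0.96),
        replace(SAMPLE_INCIDENTS[2], mitigation=0.7),
    )
    print(f"ROSI with per-control ratios: {rosi_percent(rosi(per_control, SAMPLE_COST)):,}%")
    print(f"Break-even annual cost: ${break_even_cost(SAMPLE_INCIDENTS):,.0f}")
```

With the unrounded total ALE of $41,497,000 the per-type path gives 27,565%; the post’s 27,567% comes from rounding ALE to $41.5M before applying the formula. The percentages are this large only because the assumed ALE dwarfs the $120,000 cost; when the two are closer, the break-even figure is the number to watch, since any spend above it turns ROSI negative.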

Also note that in this example, the solution as a whole costs less than the fully-loaded salary of one cybersecurity expert. These professionals make an average of $132,962 per year (2025)—yet a managed cybersecurity provider gives you access to numerous experts for less than the cost of hiring one on staff. Again, MSSP costs vary, but it’s not uncommon to get the value of an entire cybersecurity team from your MSSP relationship—for far less than the cost of hiring in house.


4. Building consensus about cybersecurity

It’s challenging to make the case for an investment that protects revenue rather than increasing it. Without that simple, traditional ROI calculation, the C-suite may hesitate to pull the trigger on managed cybersecurity services.

The key here is to reframe the discussion. Use the loss prevention analogy from retail (discussed above), coupled with a quantified cybersecurity ROSI calculation. With this analogy and these numbers in hand, you’ll want to craft individual messages that appeal to the concerns of each member of the leadership team.

Here’s what this might look like.  

CEO/VP Sales

Ultimately, the CEO (or VP of sales) is responsible for revenue.

If you can express your cybersecurity investment in terms of revenue protected, you’ll make a great case.

You can do this by supplementing the basic ROSI calculation with a view of potential revenue loss from various outages. Consider these downtime stats and multiply them by your organization’s average revenue per minute, hour, or day.

CFO/VP Finance

The finance leader cares deeply about the final analysis on the profit and loss sheet. Lost revenue is a component of that, but it isn’t enough to give the CFO the full picture.

Instead, provide the detailed financial analysis that went into your cybersecurity ROSI calculation. The outcome of that calculation is the perfect number to convince your CFO, but they’ll want to see everything that went into your calculation. (Hint: You may want to provide far more granularity and precision than we did in our example calculation.)

COO/VP Operations

The operations leader cares deeply about productivity. They want to control cost while producing as much output as possible. They should be quite familiar with both your organization’s cost of operations per day, and the value of your production output every day.

Given that, the best case you can make involves the average outage times that you shared with the CEO or sales leader. Here, however, you’ll want to generate two stats: 1) average outage lengths multiplied by the daily cost of operations, and 2) average outage lengths multiplied by the daily value of production.

These numbers will bring home the value of cybersecurity ROSI for your operations leader.

CMO/VP Marketing

For the marketing leader, you’ll want to frame cybersecurity investments in terms of protecting brand equity and reputation. Consider these high-profile breaches that have hit well-known companies in the last few years.

If these stories feel too disconnected from your company, try googling cyberattacks in your industry. If there are recognizable brands in that list, especially competitors, this can really bring home the risk for your marketing leader.

CIO/VP IT

Chances are, the IT leader is already in your corner. (Or maybe you are the IT leader!) But if you need to do some convincing, or you want data to make a stronger case, consider how a cybersecurity investment takes out the guesswork in IT operations (and budget) related to a potential security incident. You get a single IT budget line item, the retainer for your MSSP (managed security services provider). Your MSSP will step in to mitigate any threats that occur under the terms of the agreement, relieving the burden on your internal IT team.

Now, how much of your IT budget should go to security? Consider that companies with $50M – $200M in annual revenue typically spend 22.5% of their IT budget on security, while those in the $200M – $600M bracket spend 16.1%. (IANS 2025 Security Budget Benchmark Report).

Ready to take your next step with cybersecurity?

Contact us today to strengthen your defenses and protect customers, revenue, and data.
