Return On Investment (ROI) Risk Assessment Relationship

The relationship between the Risk Assessment and the Return On Investment for good security is very important to management because it creates a business case for further investment, and for “appropriate investment,” in the IT security program. Return On Investment is the ratio that tells you how much you get back for a given amount invested.

IT security directors should also be interested in Return On Investment because it has the side benefit of cost justifying the security budget and making sure you get the controls you need to support your infrastructure.

Cost justification based on the results of the risk assessment is a requirement for financial institutions and the healthcare industry — especially with the FFIEC and the DHS’ HIPAA requirement. For example, for banks, the FFIEC Examiner’s Handbook for IT Security says, “A risk assessment provides a foundation for the remainder of the security process by guiding the selection and implementation of security controls and the timing and nature of testing those controls.”

The selection of the appropriate security controls for an organization is based on several factors:

1.  The percent of the control that is currently in place.

2.  The cost of increasing the implementation of the control to 100%.

3.  The cost of maintaining and auditing the control over time.

Again, the idea of the Return on Investment is that the most needed controls are funded by the organization first, so that money is not applied to less critical areas while the very sensitive areas, like protection of customer information, are left exposed. The main components of calculating a Return On Investment are the value of the assets, which includes not only the replacement value but also the sensitivity and confidentiality of the information — especially the potential loss to the asset from an incident. For example, the reputation cost of a high-profile identity theft could be devastating to a bank or credit union.

To estimate asset value, the confidentiality, integrity and availability (CIA) of the asset are values that have to be included in the risk assessment, because the loss of any of them can cause a devastating loss to an organization. Identity theft has been added to the already long list of other threats (which also have to be factored into the ROI equation); the FDIC and NCUA have addressed it with the new Red Flag (FACT) CFR (Federal Registry).
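As an added example (not from the article), here is a small Python calculation that scores candidate controls using the three selection factors listed above plus an asset value and an expected incident rate, and ranks them so the highest-return control is funded first. The return-on-security-investment formula used here (expected loss avoided minus cost, divided by cost, over a planning horizon) and the three sample controls are assumptions of this example, not figures or a method the article states.

```python
from dataclasses import dataclass


@dataclass
class Control:
    """A candidate control described by the article's three factors plus asset value."""
    name: str
    asset_value: float       # dollar value of the protected asset (replacement + sensitivity)
    annual_rate: float       # expected incidents per year if the control were absent
    effectiveness: float     # fraction of loss the control stops when 100% in place
    pct_in_place: float      # factor 1: fraction currently implemented (0.0 .. 1.0)
    cost_to_complete: float  # factor 2: one-time cost to bring the control to 100%
    annual_upkeep: float     # factor 3: yearly cost to maintain and audit the control


def annual_loss_expectancy(c: Control) -> float:
    # ALE: loss per incident (assumed here to be the full asset value) times incidents per year
    return c.asset_value * c.annual_rate


def annual_benefit_of_completing(c: Control) -> float:
    # Expected loss avoided each year by closing the gap between current coverage and 100%
    return annual_loss_expectancy(c) * c.effectiveness * (1.0 - c.pct_in_place)


def rosi(c: Control, years: int) -> float:
    # Return on security investment over the horizon: (avoided loss - total cost) / total cost
    cost = c.cost_to_complete + c.annual_upkeep * years
    return (annual_benefit_of_completing(c) * years - cost) / cost


def passes_roi_test(c: Control, years: int) -> bool:
    # A control "passes" when the expected loss it avoids exceeds what it costs to finish and run
    return rosi(c, years) > 0


def rank_controls(controls, years):
    # Highest return first, so the most needed controls are funded before less critical ones
    scored = ((c.name, round(rosi(c, years), 3)) for c in controls)
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample figures (hypothetical, not from the article) for three candidate controls.
CANDIDATES = [
    Control("Customer database encryption", 2_000_000, 0.05, 0.8, 0.25, 60_000, 10_000),
    Control("Lobby badge readers", 50_000, 0.20, 0.9, 0.50, 20_000, 4_000),
    Control("Email gateway filtering", 400_000, 0.50, 0.6, 0.90, 5_000, 8_000),
]

if __name__ == "__main__":
    for name, value in rank_controls(CANDIDATES, years=3):
        print(f"{name:30s} ROSI over 3 years: {value:+.3f}")
```

A negative ROSI (the badge readers in the sample data) is the case the article warns about: money spent there would be better applied to the control protecting customer information.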

Take a look at the controls your organization is planning to add to your IT infrastructure and see if they pass the ROI test. 


Caroline R. Hamilton is the Founder of RiskWatch, Inc., the original top-rated risk assessment software.  Hamilton served on the NIST Model-Builder’s Workshop on Risk Management from 1988-1995 and on the National Security Agency’s Network Rating Workshop.  In addition, she was a member of the U.S. Department of Defense’s Defensive Information Warfare Risk Management Model and has worked on a variety of risk assessment and risk management groups, including the ASIS Information Technology Security Council and the IBM Data Governance Council, created by Steven Adler.  Hamilton also received the Maritime Security Council’s Distinguished Service Award and has written for a variety of books and magazines including the CSI Alert, the Computer Security Journal, the ISSA Newsletter, The HIPAA Compliance Handbook, Defense News, Security & Design, Cargo Security and many other publications.  Based in Annapolis, Maryland, Hamilton is a graduate of the University of California.

One thought on “Return On Investment (ROI) Risk Assessment Relationship”

  1. Conceptually it gives me the willies to be using the term ROI when measuring the impact of security controls. While of course my methodology has always emphasized an “ROI-like” approach of identifying critical assets and protecting those first, so as to gain the most incremental protection for the dollar, I still find the term “return” is misleading. By its use, executive managers accustomed to applying an ROI yardstick to core IT expenditures will demand similar substantiation for the “return” associated with expenditures on controls.

    The truth is that “return” is not measured the same way when you are protecting assets as it is when you are deploying assets. If a threat is projected for an asset, and a control is implemented, but it experiences no attempted breach, is the ROI zero because the absence of the control made no difference?

    One is inclined to say of course not, but then I think the definition of “return” is being corrupted, and the demands from executive leadership that “return” be measured in the traditional way can unnecessarily put the CISO in a tough spot. I’ve seen this happen before.

    I encourage an approach which calculates incremental protection from fines or breaches based on an understanding of the threat and the value of the asset, but which does not call it “ROI.”

    I’m sure you’ve seen this debate before. I’d be interested in reactions.
