Home | Abstract  |  Model | Organisational Model | Questionnaire | Links  | More Links | Logbook | Contact


Return On Information Security Investment

This website will help the information security practitioner assess the costs required to implement information security in an organisation and the returns that are obtained from such an investment.  The research is part of an MBA DISSERTATION that was completed with distinction in July 2005.   The research findings can be found in Return on Information Security Investment - The Viability of an Anti Spam Solution in a Wireless Environment Paper . The International Journal of Network Security (IJNS) published this paper online. The paper will go to print January 2010.

Read the original Return on Information Security Investment Paper which introduces the subject.  If you enjoy the paper you may rate it at the InfoSec Writers webpage.  The paper was also  published at ITtoolBox.

book_cover.JPGFollowing several requests, the complete THESIS IS AVAILABLE FOR DOWNLOAD. You may BUY THE BOOK to have a quick reference which will help you devise ROISI for your organisation.

Are you over-spending or under-spending when it comes to your information security expenditure?  To answer this question, fill in the questionnaire: it will only take 2 minutes of your time.  Review the organisational model before completing the questionnaire.  If you feel lost you may want to BUY THE BOOK which will explain in depth how to use the ROISI model and apply it to your organisation.

Many requested that I publish a book targeted for the novice. Here it is: Information Security for Decision Makers. You may BUY THE BOOK to get introduced to the subject of information security.

Information Security for Decision MakersSANS (GIAC) is interested in ROISI! Read the recently published ROISI Overview Interview by Terry Martin in GIAC/SANS website. NEW! Two new articles published on GIAC/SANS: Preventative Measures—Cost to Break and Comparison of Security Management Practices.  These papers are co-authored with Terry Martin and Alexandra Bakhto.

I have compiled an extensive compendium of links on the topic of  information security , return on information security investment and other related topics.

If you are interested in this subject area, write back to amz@yahoo.com

Adrian Mizzi, Malta

March 2009


To choose a different language return to the English Version

Introduction and Rationale


As more and more organisations seek electronic ways of doing business, in particular by connecting to the Internet, they are recognising the need to do so in a secure way.  According to (Scalet 2002) information security is an increasingly high-profile problem, as hackers take advantage of the fact that organizations are opening parts of their systems to employees, customers and other businesses via the Internet.  More recently, (Cachia & Micallef 2004) in their ongoing research, conclude that security was the attribute perceived to be most important by online shoppers when conducting e-commerce transactions.

In surveys such as that of (Briney 2001) and (Briney & Prince 2002), it is evident that stringent IT budgets will only allow the applicability of a minimum subset of Information Security products and systems and thus it is necessary to prioritise in accordance with business objectives.  To date, little is known as to what the minimal subset should be and frequently information security practitioners use a best practice approach, (Liss 2001), to determine the information security budgets.  The work is more often technically oriented with little heed paid to the economic aspects (Gordon & Loeb 2002).

Although management is usually paranoid on risk management, it often takes Information Security as “for granted”, (BSI 2004), and is reluctant to invest in it, (Foster & Pacl 2002), barring the exceptional cases when the information system of the organisation is compromised.

Money spent in procedures may be less than that spent in security products themselves and this might result in cost savings, (Witty & Malik 2001), and other benefits, such as being a business enabler, (Liikanen 2004), to the company whilst maintaining the security level that the company enjoys.

Calculating the return on security investment (ROSI) may not be necessarily done in monetary terms as in (Berinato 2002), but can be analysed using techniques such as the balanced scorecard (Hunt & Symons 2003).  The business will be then in a position to understand whether it is under-spending or over-spending in the area of information security, depending on the results obtained.


Key Phrases

Information Security, Return on Security Investment (ROSI), Cost to Break (CTB), Balanced Score Card, Small and Medium Sized Enterprises, Virus, Firewall, Security Investment


Research Aim and Objectives

The logbook shows the ongoing progress.

Research Methodology


Qualitative techniques will be used to investigate the various information security strategies deployed in different organisations.  An extensive literature review is currently underway and this will be complemented with interviews and a short questionnaire to information security practitioners.

Qualitative and quantitative techniques will be used to measure the ROSI.  The possibility of using a balanced scorecard approach will be studied and if found effective will be the main tool of the research. Based on the ROSI calculated it will be possible to identify cost effective methods using quantitative analysis.


Required Resources

The research will most probably require that interviews are carried out with security practitioners in various organisations.  Information security policies of various organisations might have to be obtained.


Critical Success Factors



Bahadur, G. 2003, Developing Security Risk Metrics, Available: [http://www.foundstone.com/resources/downloads/webcast-121903/Developing_Security_Risk_Metrics.pdf] (18 April 2004).


Berinato, S. 2002, Finally, a Real Return on Security Spending, Available: [http://www.cio.com/archive/021502/security.html] (16 April, 2004).


Briney, A. 2001, '2001 Industry Survey', Information Security, pp. 34-47.


Briney, A. & Prince, F. 2002, '2002 ISM Survey', Information Security, pp. 36-54.


BSI 2004, BSI - short informations to current topics of IT Security, Available: [http://www.bsi.bund.de/english/fb/F30image_en.pdf] (17 April 2004).


Cachia, E. & Micallef, M. 2004, Towards Effectively Appraising Online Stores, Available: [http://www.cs.um.edu.mt/~csaw/Proceedings/00.pdf] (25 September 2004).


Foster, S. & Pacl, B. 2002, Analysis of Return on Investment for Information Security, Available: [http://www.getronics.com/NR/rdonlyres/ejhsokxgywr3iom4mn4vq43l73fmqzsqbsnz47jd2thnvawjlceksww2zuu3yd33tnybjcjmjbtbmyfyxa2r4nhpure/wp_analysis_return_on_investment.pdf] (18 April 2004).


Gordon, L. A. & Loeb, M. P. 2002, 'The Economics of Information Security Investment', ACM Transactions on Information and System Security, vol. 5, no. 4, pp. 438-457.


Hunt, S. & Symons, C. 2003, Aligning Security with the Business: The Balanced Scorecard, Available: [http://www.csoonline.com/analyst/report816.html].


Karofsky, E. 2001, 'Return on Security Investment: Calculating the Security Investment Equation', Secure Business Quarterly, vol. 1, no. 2.


Liikanen, E. 2004, 'European Network Security', in CEBIT, 2004 edn, Hannover.


Liss, S. 2001, 'Practical Aspects of Information Security', InfoGroup NorthWest.


Scalet, S. D. 2002, Glossary, Security and Privacy Research Center, Available: [http://www.cio.com/research/security/edit/glossary.html] (18 April 2004).


Soo Hoo, K. J. 2000, 'How Much Is Enough? A Risk-Management Approach to Computer Security', Consortium for Research on Information Security and Policy (CRISP).


Witty, R. & Malik, W. 2001, 'Security TCO Model Helps with more than cost savings', Gartner FirstTake, no. FT-13-9070.