Return On Security Investment (ROSI) is a calculation of the return on the capital invested in IT security. Since security investments do not produce a directly calculable benefit, but merely prevent a loss of value, determining the return on a security investment is extremely problematic. Investments in IT security are characterized by uncertainty and fear and are driven by other influences, such as legislation, potential liability, possible impact on revenues, common industry practice or demands from business partners.
The assessment of risk and the measurement of security measures are the most important criteria for ROSI.
The methods used in risk assessment range from questionnaires and checklists to attack strategies, trust models, and metrics for assessing risks and safeguards. The measurement of risk covers the probable amount of damage, the effort that an attack and its defense entail, and the probability with which a particular target would be selected for attack.
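The article does not spell out a formula. The following is an added example, not part of the original text, that uses the common annualised formulation of ROSI (single loss expectancy times annual rate of occurrence gives the annual loss expectancy; ROSI is the loss avoided by a safeguard minus its cost, divided by its cost). It ties the three inputs named above (probable damage, effort of the safeguard expressed as its cost, and the probability of being targeted) to a ranking of candidate safeguards, and goes slightly beyond the text by adding a break-even and sensitivity check on the probability estimate, which is the least certain input. All names, figures and safeguards are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Risk:
    """One threat scenario in annualised terms (assumed model, not from the article)."""
    name: str
    single_loss_expectancy: float     # probable damage per incident, in currency units
    annual_rate_of_occurrence: float  # expected incidents per year (probability x frequency)

    def annual_loss_expectancy(self) -> float:
        """ALE = SLE * ARO: the expected yearly loss if nothing is done."""
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


@dataclass(frozen=True)
class Safeguard:
    """A candidate control: what it costs per year and how much of the loss it removes."""
    name: str
    annual_cost: float       # effort of the defense, expressed as yearly cost
    mitigation_ratio: float  # fraction of the ALE the control is believed to avoid, 0..1

    def __post_init__(self) -> None:
        if not 0.0 <= self.mitigation_ratio <= 1.0:
            raise ValueError("mitigation_ratio must be between 0 and 1")
        if self.annual_cost <= 0:
            raise ValueError("annual_cost must be positive; ROSI is undefined for free controls")


def rosi(risk: Risk, safeguard: Safeguard) -> float:
    """ROSI = (ALE * mitigation_ratio - cost) / cost.

    A value of 3.0 means every unit spent avoids four units of expected loss;
    a negative value means the control costs more than the loss it prevents.
    """
    avoided_loss = risk.annual_loss_expectancy() * safeguard.mitigation_ratio
    return (avoided_loss - safeguard.annual_cost) / safeguard.annual_cost


def rank_safeguards(risk: Risk, safeguards: Iterable[Safeguard]) -> List[Tuple[str, float]]:
    """Order candidate controls by ROSI, best first."""
    scored = [(s.name, rosi(risk, s)) for s in safeguards]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def break_even_aro(risk: Risk, safeguard: Safeguard) -> float:
    """The ARO at which ROSI is exactly zero: cost / (SLE * mitigation_ratio).

    If the real probability of being targeted is below this, the control does not pay off.
    """
    return safeguard.annual_cost / (risk.single_loss_expectancy * safeguard.mitigation_ratio)


def rosi_sensitivity(risk: Risk, safeguard: Safeguard, aro_values: Iterable[float]) -> Dict[float, float]:
    """Recompute ROSI for alternative ARO estimates to expose how fragile the figure is."""
    return {
        aro: rosi(Risk(risk.name, risk.single_loss_expectancy, aro), safeguard)
        for aro in aro_values
    }


# Constructed sample input: a single scenario and three candidate controls.
EXAMPLE_RISK = Risk("ransomware on the file server", single_loss_expectancy=200_000, annual_rate_of_occurrence=0.25)
EXAMPLE_SAFEGUARDS = [
    Safeguard("offline backups", annual_cost=10_000, mitigation_ratio=0.8),
    Safeguard("endpoint detection and response", annual_cost=30_000, mitigation_ratio=0.9),
    Safeguard("full network segmentation rebuild", annual_cost=60_000, mitigation_ratio=0.95),
]


if __name__ == "__main__":
    print(f"ALE for '{EXAMPLE_RISK.name}': {EXAMPLE_RISK.annual_loss_expectancy():,.0f}")
    for name, value in rank_safeguards(EXAMPLE_RISK, EXAMPLE_SAFEGUARDS):
        print(f"  {name:40s} ROSI = {value:+.2f}")
    backups = EXAMPLE_SAFEGUARDS[0]
    print(f"break-even ARO for '{backups.name}': {break_even_aro(EXAMPLE_RISK, backups):.4f}")
    for aro, value in rosi_sensitivity(EXAMPLE_RISK, backups, [0.05, 0.25, 1.0]).items():
        print(f"  ARO {aro:.2f} -> ROSI {value:+.2f}")
```

With the constructed figures the annual loss expectancy is 50,000; offline backups score a ROSI of 3.0, EDR 0.5, and the segmentation rebuild a negative value, so the cheapest control ranks first even though it mitigates the least. The sensitivity table shows the same backups control turning negative once the annual rate of occurrence drops below its break-even point of 0.0625, which is the concrete form of the uncertainty the article describes.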