return on security investment (ROSI)

Return On Security Investment (ROSI) is a calculation of the return on the capital invested in IT security. Since security investments do not represent a directly calculable benefit, but merely avoid the deduction of values, determining the return on security investment is extremely problematic.

IT security investments are characterized by uncertainty and fear, and are driven by other influences, such as legislation, potential liability, potential revenue impact, standard industry practice, or business partner demands.

Assessing risk and measuring security measures are the most important criteria for ROSI. In risk assessment, this ranges from question catalogs to checklists, attack strategies, trust models, and metrics for assessing risks and safeguards. The measurement of risks includes the probable amount of damage, the effort involved in an attack and its defense, and the probability with which a particular target could be selected as an attack target.