In the late 1990s and early 2000s a concept was bandied about that was coined “Return on Security Investment” or ROSI. Borrowing from the common business term Return on Investment (ROI), where the return on a particular investment (capital investment, personnel, training, etc.) can be quantified, the cybersecurity industry attempted to quantify a return on security investment.
Fundamentally, the primary failing of this concept is that it is effectively impossible (it approaches mathematical impossibility) to quantify an event “not occurring”. In short, if a company has “zero” security events that impact it deleteriously in a given year, was the $5 million security expenditure appropriate? Should it have been less, since there was no security event that caused a loss? If the company experienced an event, was the return on the investment then the difference between the expenditure…
Posted by: Chris Mark |
The post Quantifying CyberRisk- Solving the riddle appeared first on Cybersecurity Insiders.
March 13, 2021 at 10:00PM