ROSI - interpreting calculated value

Guest user. Created: Nov 20, 2020. Last commented: Nov 20, 2020.

Hi, I wonder how I should think when I calculate my ROSI value. If I receive a positive value, I should invest in that security correction, and if I receive a negative value, I should not invest. Have I understood it right?

Expert
Rhand Leal Nov 20, 2020

First, it is important to note that the interpretation will depend on how the formula considers the incident costs and security control costs.

For example, in the formula:

ROSI = cost of a realized incident - the cost of needed security controls

the results can be interpreted as you said (i.e., a positive result means that the implementation of security controls is worthy, and a negative result means the implementation is not worthy).

In case the formula is:

ROSI = cost of needed security controls - the cost of a realized incident

the interpretation of the results would be inverse.

These articles will provide you with a further explanation about ROSI:

This material can also help you:
