Abstract

Traditional return on security investment (ROSI) models often emphasize investment costs and anticipated returns but overlook risk-related factors and qualitative cybersecurity metrics. To address this oversight, this paper employs an aggregation strategy that integrates five selected qualitative and quantitative metrics with the Factor Analysis of Information Risk (FAIR) model for risk analysis and quantification. The study pioneers the fusion of FAIR and ROSI models, combining practical qualitative and quantitative indicators to enhance the granularity of the traditional ROSI model. A case study is used to evaluate the proposed metrics. Empirical data from pre- and post-control measures reveal a narrow margin between actual and projected loss values and a significantly higher ROI compared to total security expenditure. Integrating the FAIR model with the ROSI model addresses the limitations of traditional ROSI models in risk assessment. Such integration fosters a holistic approach to ROI and risk management, thereby facilitating informed decision-making.
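As an added illustration, not taken from the paper (whose five metrics and case-study figures do not appear in this abstract), the standard ROSI formula fed by a FAIR-style decomposition of annualized loss into loss event frequency and loss magnitude; all factor ranges and the control cost are constructed, and the Monte Carlo variant shows why FAIR ranges, not point values, change the ROSI figure:

```python
"""FAIR-style annualized loss expectancy (ALE) feeding a ROSI calculation."""
import random
from dataclasses import dataclass


@dataclass
class FairEstimate:
    """FAIR factors as (min, most_likely, max) ranges; frequencies are per year."""
    tef: tuple             # threat event frequency per year
    vuln: tuple            # probability a threat event becomes a loss event
    primary_loss: tuple    # direct loss per loss event
    secondary_loss: tuple  # fallout per loss event (fines, churn, response)

    def point(self):
        """Deterministic ALE using the most-likely value of each factor."""
        lef = self.tef[1] * self.vuln[1]          # loss event frequency
        return lef * (self.primary_loss[1] + self.secondary_loss[1])

    def simulate(self, runs=10_000, seed=1):
        """Monte Carlo ALE: sample each factor from a triangular distribution."""
        rng = random.Random(seed)
        tri = lambda r: rng.triangular(r[0], r[2], r[1])  # (low, high, mode)
        total = 0.0
        for _ in range(runs):
            lef = tri(self.tef) * tri(self.vuln)
            total += lef * (tri(self.primary_loss) + tri(self.secondary_loss))
        return total / runs


def rosi(ale_before, ale_after, control_cost):
    """ROSI = (risk reduction - cost of the control) / cost of the control."""
    return (ale_before - ale_after - control_cost) / control_cost


# Constructed figures (not from the paper): phishing-driven credential theft.
BEFORE = FairEstimate(tef=(20, 40, 80), vuln=(0.10, 0.25, 0.40),
                      primary_loss=(5_000, 20_000, 60_000),
                      secondary_loss=(2_000, 10_000, 50_000))
# After MFA plus awareness training: fewer loss events, same loss per event.
AFTER = FairEstimate(tef=(20, 40, 80), vuln=(0.01, 0.05, 0.10),
                     primary_loss=BEFORE.primary_loss,
                     secondary_loss=BEFORE.secondary_loss)
CONTROL_COST = 50_000  # constructed annual cost of the control

if __name__ == "__main__":
    print("ALE before (point):", BEFORE.point())   # 300000.0
    print("ALE after  (point):", AFTER.point())    # 60000.0
    print("ROSI (point):", rosi(BEFORE.point(), AFTER.point(), CONTROL_COST))   # 3.8
    print("ROSI (Monte Carlo):",
          round(rosi(BEFORE.simulate(), AFTER.simulate(), CONTROL_COST), 2))
```

The point estimate and the Monte Carlo estimate differ because the constructed ranges are right-skewed, which is the kind of detail a point-value ROSI hides.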
