December 11, 2025
Robert "RSnake" Hansen

I am going to make a dangerous assumption here… that you, dear reader, know what the losses will be, and what the likelihood is, associated with any potential exploit. Let’s pretend, for a second, that you do. The math to calculate the expected value of loss is pretty straightforward:
Expected value of loss = cost of the bad thing happening * likelihood
So let’s say it’s $50,000 cost of the bad thing happening if it occurs, and there is a 50% chance of that occurring in the next 12 months. That means the expected value of loss is $25k this year.
Now let’s assume you know what the cost of a patch is prior to the breach occurring. Let’s say it’s a simple change to a WAF rule, which costs maybe 10 hours of time for one person to deploy it and another 10 hours of QA to verify the fix has had no deleterious effects. Now let’s assume to make it easy that the fully loaded headcount cost per hour is $100/hr. That’s:
20 hours * $100/hour = $2,000 cost of remediation
There are two ways to do the next part of the math about how you should prioritize your fix. The first is the tried and true subtraction method to find the return on security investment (ROSI):
$25,000 - $2,000 = $23,000 ROSI.
So we see that the number is positive, so we know it is a good fix, in a vacuum. Let’s do it again. Let’s say that it’s a $50k loss, but the likelihood is only 1%, so the expected value of loss is $500.
$500 - $2,000 = -$1,500 ROSI.
That is a negative return on investment, and therefore a bad idea. You should not patch this unless you can find a cheaper way to do it, unless you think the likelihood is higher for some reason, or unless the cost of the bad thing happening increases, for instance as you build more valuable PII into the product or do whatever else increases its danger to your organization.
That’s the subtraction method. The other is the division method below. Let’s try those same two examples:
$25,000 / $2,000 = 12.5
$500 / $2,000 = 0.25
So the higher the number, the more valuable the fix and the higher the return on the work, compared with anything that scores 1 (break even) or less than 1, which is not a positive ROSI and should not be fixed according to that math.
Where you might want one over the other is if you are trying to figure out where the biggest bang for your buck is. Do you want massive immediate returns on your money? Or do you want a lot of small but impactful wins? I tend to prefer the dollars and cents (subtraction) method because it is the language of business and also because it helps you make better decisions tied to your actual budget.
$5,000,000 might sound like a lot of ROSI, and it is to many companies. But some people might say, yes, we did manage to reduce $5M in risk, but it was very difficult to accomplish. It might have meant we had to spend $100M to reduce the risk by $105M, leading to a $5M ROSI. That doesn’t sound quite as impactful, because lots of companies aren’t going to want to spend that much budget on a single patch, or don’t have that kind of money to spend. As a side note, I have been deeply in the weeds with a few vulnerabilities that would have tanked the business to fix, so while the fix itself was cheap, the cost to the business would have been enormous, due to the cost of the remediation.
Companies may have a fixed budget of X and want to create the most impact for the dollars spent. In that case you rank-order all of the vulnerabilities by ROSI from highest value to lowest, remove all the ones that cost more to fix than they are worth, and then circle the ones that are within budget, leaving off the ones that aren’t. You may still suffer losses from the vulnerabilities your budget did not cover, but those losses will be limited to only those vulnerabilities and none of the other high-value risks.
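The whole procedure above, from expected value of loss through rank-ordering against a fixed budget, as an added example in Python (not code from the original post). The two WAF-rule cases are the ones from the text; the other vulnerability names, their dollar figures and the $20,000 budget are constructed.

```python
from dataclasses import dataclass

@dataclass
class Vuln:
    name: str
    loss_if_exploited: float  # cost of the bad thing happening, in dollars
    likelihood: float         # probability it happens in the budget period (0..1)
    fix_cost: float           # fully loaded cost to deploy and QA the fix

    def expected_loss(self):
        # Expected value of loss = cost of the bad thing happening * likelihood
        return self.loss_if_exploited * self.likelihood

    def rosi_subtraction(self):
        # Dollars-and-cents method: expected loss minus cost of remediation
        return self.expected_loss() - self.fix_cost

    def rosi_ratio(self):
        # Division method: >1 is worth fixing, 1 is break even, <1 is not
        return self.expected_loss() / self.fix_cost

# Constructed portfolio; the first two rows are the two examples from the text.
SAMPLE = [
    Vuln("waf-rule", 50_000, 0.50, 2_000),       # ROSI +23,000
    Vuln("waf-rule-rare", 50_000, 0.01, 2_000),  # ROSI -1,500, dropped
    Vuln("idor-export", 200_000, 0.20, 30_000),  # ROSI +10,000
    Vuln("legacy-auth", 1_000_000, 0.05, 15_000),  # ROSI +35,000
    Vuln("sqli-report", 5_000_000, 0.02, 120_000),  # ROSI -20,000, dropped
]

def prioritize(vulns, budget, method="subtraction"):
    """Return (funded, unfunded, residual_expected_loss) for a fixed budget.

    Drops anything whose fix costs more than it is worth, ranks the rest by
    ROSI (dollar ROSI by default, or the ratio method), then funds fixes in
    rank order while they fit in the remaining budget."""
    key = Vuln.rosi_subtraction if method == "subtraction" else Vuln.rosi_ratio
    worth_fixing = [v for v in vulns if v.rosi_subtraction() > 0]
    ranked = sorted(worth_fixing, key=key, reverse=True)
    funded, unfunded, remaining = [], [], budget
    for v in ranked:
        if v.fix_cost <= remaining:
            funded.append(v)
            remaining -= v.fix_cost
        else:
            unfunded.append(v)
    # Losses you still carry: every unfunded or dropped vulnerability
    residual = sum(v.expected_loss() for v in vulns if v not in funded)
    return funded, unfunded, residual
```

With the constructed figures and a $20,000 budget, legacy-auth and waf-rule get funded, idor-export is circled but left off for lack of budget, and $140,500 of expected loss remains for insurance or other mitigations to absorb.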
So what then? Lots of issues aren’t going to get patched. This is where cyber insurance and other mitigating factors come into play: they reduce the financial risk of a breach, or otherwise reduce the risk by lowering the likelihood of a breach or removing the things that make it so risky, like the PII. The risk may still be there, but the losses will be smaller. This all comes down to ROSI, and it always has; it’s just that we never had the math to explain it until very recently, which is why we have had such a hard time talking to the board. We need to invest in this idea as an industry if we want to be taken seriously.