How can the ROSI calculation metric be used to evaluate one or more of the technologies selected for study?
In general, organisations invest in projects which yield positive results. The results are measured by calculating the return on the investment. The return on investment is computed on the basis of the cash flows (enhanced revenue, cost reduction, etc.) generated by the project.
However, security investments are made from a risk management perspective, i.e., to mitigate the occurrence of risk factors and thereby prevent possible losses for an organisation. Example: the decision to invest in a data backup and recovery system is made considering the significant losses that might arise on account of the loss of data in an organisation. Thus, the Return on Security Investment (RoSI) measures the quantum of loss that could be avoided as a result of a security investment.
Therefore, to arrive at the RoSI, it becomes essential to identify the risk that is being mitigated by the security system and the value of the asset that is being protected by the security system. The organisation shall compute the following factors to arrive at the Return on Security Investment (RoSI).
Based on the above identified factors, the RoSI shall be computed as under.
RoSI = [ (Annual loss expectancy * Mitigation ratio) - Cost of the security investment ] / Cost of the security investment
where,
Annual loss expectancy = Amount of loss on a single occurrence of the risk * No. of occurrences of the risk in a year
Hence, based on the above explanations, it is evident that the higher the RoSI, the more beneficial the investment is. Therefore, on evaluating one or more technologies, the technology with the higher RoSI shall be selected. Thus, the RoSI metric identifies how much loss could be avoided by the security investment and thereby helps in the selection of the appropriate technology under study.
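The formula above applied to three candidate technologies and ranked, as an added example that is not part of the original answer. All names and figures are constructed for illustration, and the cost is assumed to cover the same one-year period as the annual loss expectancy.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Candidate:
    name: str
    single_loss: float           # loss on a single occurrence of the risk
    occurrences_per_year: float  # may be fractional (0.5 = once every two years)
    mitigation_ratio: float      # share of the expected loss the control avoids, 0..1
    cost: float                  # cost of the security investment (assumed annualised)

def annual_loss_expectancy(c: Candidate) -> float:
    return c.single_loss * c.occurrences_per_year

def rosi(c: Candidate) -> float:
    # Reject inputs that would make the ratio meaningless.
    if not 0.0 <= c.mitigation_ratio <= 1.0:
        raise ValueError(f"{c.name}: mitigation ratio must be between 0 and 1")
    if c.cost <= 0:
        raise ValueError(f"{c.name}: cost must be positive")
    loss_avoided = annual_loss_expectancy(c) * c.mitigation_ratio
    return (loss_avoided - c.cost) / c.cost

def rank(candidates):
    """Return (name, RoSI) pairs, highest RoSI first."""
    return sorted(((c.name, rosi(c)) for c in candidates),
                  key=lambda pair: pair[1], reverse=True)

# Constructed sample figures, not taken from any real assessment.
CANDIDATES = [
    Candidate("email-filtering",     2_000, 4,   0.50,  5_000),
    Candidate("endpoint-protection", 8_000, 5,   0.75, 12_000),
    Candidate("backup-and-recovery", 40_000, 0.5, 0.90,  6_000),
]

if __name__ == "__main__":
    for name, value in rank(CANDIDATES):
        verdict = "avoids more than it costs" if value > 0 else "costs more than it avoids"
        print(f"{name:22s} RoSI = {value:+.0%}  ({verdict})")
```

A negative RoSI, as for the email-filtering row, means the loss avoided is smaller than the cost of the control at the estimated figures.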