
Security ROI: How to Justify a Security Budget

6 min read · Updated June 27, 2026

Security teams are often asked to defend their budget in financial terms — and "trust us, it's important" rarely wins. Return on Security Investment (ROSI) turns risk into a number you can put in front of leadership. Here's how it works and how to use it honestly.

What is ROSI?

ROSI — Return on Security Investment — compares the loss a control is expected to prevent against what it costs. A positive ROSI means the control should save more than it costs; a higher number means a better return. It's the security version of the ROI calculation every business already understands.

The building blocks: SLE, ARO and ALE

The model rests on a few quantitative-risk terms:

  • SLE (Single Loss Expectancy) — the cost of one incident if it happens.
  • ARO (Annual Rate of Occurrence) — how many times per year you'd expect it (0.5 means once every two years).
  • ALE (Annual Loss Expectancy) = SLE × ARO — your expected annual loss before any control.

The ROSI formula

Once you have your ALE, a control that removes some fraction of the risk gives:

  • Risk avoided = ALE × mitigation effectiveness
  • ROSI = (Risk avoided − cost) ÷ cost

A ROSI of 150% means every dollar spent avoids $2.50 of expected loss — a net gain of $1.50.

A worked example

Suppose a phishing incident would cost $250,000 (SLE) and you expect one every two years (ARO = 0.5), giving an ALE of $125,000. A security awareness program costing $40,000 a year that cuts successful phishing by 80% avoids $100,000 of expected loss. ROSI = (100,000 − 40,000) ÷ 40,000 = 150%. That's a defensible case on a slide.
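The arithmetic above as an added Python example (not part of the original article or ToolSec's calculator): it computes ALE and ROSI for the phishing scenario, ranks candidate controls by ROSI, and shows how far the result moves across a range of ARO estimates. The second control ("mail filtering") and the ARO bounds are constructed values for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # what the control costs per year
    effectiveness: float    # fraction of the risk it removes, 0.0 .. 1.0


def ale(sle: float, aro: float) -> float:
    """Annual Loss Expectancy = SLE x ARO (expected annual loss before any control)."""
    return sle * aro


def risk_avoided(ale_value: float, effectiveness: float) -> float:
    """Expected loss the control prevents = ALE x mitigation effectiveness."""
    return ale_value * effectiveness


def rosi(ale_value: float, control: Control) -> float:
    """ROSI = (risk avoided - cost) / cost, returned as a fraction (1.5 == 150%)."""
    if control.annual_cost <= 0:
        raise ValueError("control cost must be positive")
    if not 0.0 <= control.effectiveness <= 1.0:
        raise ValueError("effectiveness must be between 0 and 1")
    avoided = risk_avoided(ale_value, control.effectiveness)
    return (avoided - control.annual_cost) / control.annual_cost


def rank_controls(sle: float, aro: float, controls: list[Control]) -> list[tuple[str, float]]:
    """Rank candidate controls for one risk by ROSI, highest return first."""
    ale_value = ale(sle, aro)
    scored = [(c.name, rosi(ale_value, c)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def rosi_range(sle: float, aro_low: float, aro_high: float, control: Control) -> tuple[float, float]:
    """ROSI at a pessimistic and an optimistic ARO, to expose how sensitive the number is."""
    return rosi(ale(sle, aro_low), control), rosi(ale(sle, aro_high), control)


# The article's scenario: $250,000 per phishing incident, one every two years.
PHISHING_SLE, PHISHING_ARO = 250_000.0, 0.5
AWARENESS = Control("awareness program", annual_cost=40_000.0, effectiveness=0.80)
# Constructed second option, not from the article: costlier but more effective.
MAIL_FILTER = Control("mail filtering", annual_cost=60_000.0, effectiveness=0.90)

if __name__ == "__main__":
    for name, value in rank_controls(PHISHING_SLE, PHISHING_ARO, [AWARENESS, MAIL_FILTER]):
        print(f"{name:18s} ROSI = {value:.0%}")
    low, high = rosi_range(PHISHING_SLE, 0.25, 1.0, AWARENESS)
    print(f"awareness ROSI with ARO between 0.25 and 1.0: {low:.0%} .. {high:.0%}")
```

The ARO sweep is the point of the last function: the same control scores anywhere from a modest to a large return depending on an estimate that is often a guess, which is why the assumptions belong on the slide next to the number.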

Grounding your SLE

The model is only as good as its inputs, and SLE is the hardest to estimate. Anchor it in realistic loss scenarios rather than guesses. Our data breach cost estimator and ransomware cost calculator help you build an SLE from records exposed or downtime hours, instead of pulling a number from the air.

Use it honestly

Quantitative risk can create false precision if you're not careful. Use round numbers, document your assumptions, and treat ROSI as a way to compare and prioritise options — not to manufacture certainty. A lower-ROSI control may still be essential for compliance or to address a specific high-impact risk; the number informs the decision, it doesn't make it.

The bigger picture

ROSI reframes security from a cost centre to a risk-reduction investment. Pairing it with concrete loss estimates and compliance drivers (like GDPR fines) gives leadership a complete, honest case — the loss you're avoiding, the cost to avoid it, and the return.

Try it

Calculate ROSI from your SLE, ARO, mitigation effectiveness and cost with our security ROI calculator, and build the loss side with the breach cost estimator.

Frequently asked questions

What is ROSI?

Return on Security Investment: (risk avoided − cost) ÷ cost. It expresses, as a percentage, how much expected loss a security control prevents relative to what it costs to deploy.

How do I calculate ALE?

ALE (Annual Loss Expectancy) = SLE × ARO, where SLE is the cost of a single incident and ARO is how many times per year you expect it. ALE is your expected annual loss before applying any control.

How accurate is a ROSI calculation?

Only as accurate as its inputs, especially the SLE and ARO estimates. Use it to compare and prioritise investments and document your assumptions, rather than treating the output as exact.
