📊 Compliance & Risk
Security ROI: How to Justify a Security Budget
By Justin Le
· 6 min read · Updated June 27, 2026
Security teams are often asked to defend their budget in financial terms — and "trust us, it's important" rarely wins. Return on Security Investment (ROSI) turns risk into a number you can put in front of leadership. Here's how it works and how to use it honestly.
What is ROSI?
ROSI — Return on Security Investment — compares the loss a control is expected to prevent against what it costs. A positive ROSI means the control should save more than it costs; a higher number means a better return. It's the security version of the ROI calculation every business already understands.
The building blocks: SLE, ARO and ALE
The model rests on a few quantitative-risk terms:
- SLE (Single Loss Expectancy) — the cost of one incident if it happens.
- ARO (Annual Rate of Occurrence) — how many times per year you'd expect it (0.5 means once every two years).
- ALE (Annual Loss Expectancy) = SLE × ARO — your expected annual loss before any control.
The ROSI formula
Once you have your ALE, a control that removes some fraction of the risk gives:
- Risk avoided = ALE × mitigation effectiveness
- ROSI = (Risk avoided − cost) ÷ cost
A ROSI of 150% means every dollar spent avoids $2.50 of expected loss — a net gain of $1.50.
A worked example
Suppose a phishing incident would cost $250,000 (SLE) and you expect one every two years (ARO = 0.5), giving an ALE of $125,000. A security awareness program costing $40,000 a year that cuts successful phishing by 80% avoids $100,000 of expected loss. ROSI = (100,000 − 40,000) ÷ 40,000 = 150%. That's a defensible case on a slide.
Grounding your SLE
The model is only as good as its inputs, and SLE is the hardest to estimate. Anchor it in realistic loss scenarios rather than guesses. Our data breach cost estimator and ransomware cost calculator help you build an SLE from records exposed or downtime hours, instead of pulling a number from the air.
Use it honestly
Quantitative risk can create false precision if you're not careful. Use round numbers, document your assumptions, and treat ROSI as a way to compare and prioritise options — not to manufacture certainty. A lower-ROSI control may still be essential for compliance or to address a specific high-impact risk; the number informs the decision, it doesn't make it.
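The formula, the phishing example above and the "compare and prioritise" advice, as an added example that is not part of the original article: it ranks several candidate controls by ROSI against one ALE and then recomputes the article's example across a low and high SLE estimate, so you can see how much the result moves with the input. The two alternative controls and the SLE bounds are constructed inputs, not figures from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float    # what the control costs per year
    effectiveness: float  # fraction of the risk it removes, 0.0 to 1.0


def ale(sle: float, aro: float) -> float:
    """Annual Loss Expectancy = SLE x ARO (expected annual loss with no control)."""
    return sle * aro


def rosi(sle: float, aro: float, control: Control) -> float:
    """ROSI = (risk avoided - cost) / cost, returned as a fraction (1.5 == 150%)."""
    risk_avoided = ale(sle, aro) * control.effectiveness
    return (risk_avoided - control.annual_cost) / control.annual_cost


def rank_controls(sle: float, aro: float, controls) -> list:
    """(name, rosi) pairs sorted best-first, for prioritising options."""
    scored = [(c.name, rosi(sle, aro, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def rosi_range(sle_low: float, sle_high: float, aro: float, control: Control) -> tuple:
    """ROSI at the low and high ends of an SLE estimate, to expose false precision."""
    return (rosi(sle_low, aro, control), rosi(sle_high, aro, control))


# Constructed inputs: the article's phishing scenario plus two hypothetical alternatives.
PHISHING_SLE = 250_000.0
PHISHING_ARO = 0.5
CONTROLS = [
    Control("security awareness program", 40_000.0, 0.80),  # the article's example
    Control("phishing-resistant MFA", 60_000.0, 0.90),      # hypothetical figures
    Control("email link sandboxing", 25_000.0, 0.30),       # hypothetical figures
]

if __name__ == "__main__":
    print(f"ALE: ${ale(PHISHING_SLE, PHISHING_ARO):,.0f}")
    for name, r in rank_controls(PHISHING_SLE, PHISHING_ARO, CONTROLS):
        print(f"{name:30s} ROSI {r:6.0%}")
    # Same awareness program, but with the SLE estimated anywhere from $100k to $400k.
    low, high = rosi_range(100_000.0, 400_000.0, PHISHING_ARO, CONTROLS[0])
    print(f"awareness program ROSI across SLE range: {low:.0%} .. {high:.0%}")
```

With the constructed SLE range the same program goes from break-even (0%) to 300%, which is why the article says to document assumptions rather than present a single figure as exact.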
The bigger picture
ROSI reframes security from a cost centre to a risk-reduction investment. Pairing it with concrete loss estimates and compliance drivers (like GDPR fines) gives leadership a complete, honest case — the loss you're avoiding, the cost to avoid it, and the return.
Try it
Calculate ROSI from your SLE, ARO, mitigation effectiveness and cost with our security ROI calculator, and build the loss side with the breach cost estimator.
Frequently asked questions
What is ROSI?
Return on Security Investment: (risk avoided − cost) ÷ cost. It expresses, as a percentage, how much expected loss a security control prevents relative to what it costs to deploy.
How do I calculate ALE?
ALE (Annual Loss Expectancy) = SLE × ARO, where SLE is the cost of a single incident and ARO is how many times per year you expect it. ALE is your expected annual loss before applying any control.
How accurate is a ROSI calculation?
Only as accurate as its inputs, especially the SLE and ARO estimates. Use it to compare and prioritise investments and document your assumptions, rather than treating the output as exact.
Try the related tools
- Security ROI (ROSI) Calculator: Compute the return on a security investment from expected loss and mitigation effectiveness.
- Data Breach Cost Estimator: Estimate the financial impact of a data breach from records exposed and per-record cost.
- Ransomware Downtime Cost Calculator: Estimate the total impact of a ransomware attack from downtime, recovery and ransom.
Related guides
- What Is a Data Breach? Causes, Costs and Response: What counts as a data breach, the causes behind most of them, why the true cost dwarfs the headline fine, and how to prepare before one happens.
- What Is Ransomware? How Attacks Work and What They Cost: How ransomware actually works, why the ransom is often the smallest cost, and the handful of defenses that make the biggest difference.
- What Is GDPR? Fines and Compliance Basics: GDPR in plain English: who it covers, the rights it grants, the two fine tiers (up to 4% of turnover), and where to start. Educational, not legal advice.