ToolSec

Security ROI (ROSI) Calculator

Compute the return on a security investment from expected loss and mitigation effectiveness.

Updated: June 26, 2026

Make the business case for security spend

Security teams are often asked to justify budget in financial terms. ROSI — Return on Security Investment — does exactly that by comparing the loss a control is expected to prevent against what it costs. This calculator walks through the standard quantitative risk model so you can put a number on "is this control worth it?".

The formula, step by step

  • SLE (Single Loss Expectancy) — the cost of one incident if it happens.
  • ARO (Annualized Rate of Occurrence) — how many times per year you'd expect it (0.5 = once every two years).
  • ALE = SLE × ARO — your expected annual loss before any control.
  • Risk avoided = ALE × mitigation effectiveness — how much of that loss the control removes, with effectiveness expressed as a fraction between 0 (no effect) and 1 (eliminates the risk).
  • ROSI = (Risk avoided − cost) ÷ cost — the return, as a percentage of the control's annual cost.

A positive ROSI means the control is expected to save more than it costs. A ROSI of 200% means every dollar spent avoids three dollars of expected loss (a net gain of two).

Worked example

Suppose a phishing incident would cost $250,000 (SLE) and you expect one every two years (ARO = 0.5), giving an ALE of $125,000. A security awareness program costing $40,000 a year that cuts successful phishing by 80% avoids $100,000 of expected loss. ROSI = (100,000 − 40,000) ÷ 40,000 = 150% — a clear win on paper.
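The steps above and the phishing example, carried through in code. This is an added example, not code from the page or its calculator; it also adds two things the formula alone does not show: the break-even effectiveness (the lowest effectiveness at which the control still pays for itself) and a comparison against a second, constructed option whose cost and effectiveness are assumptions, not figures from the page.

```python
"""ROSI from SLE, ARO, ALE and mitigation effectiveness (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float    # what the control costs per year, all-in
    effectiveness: float  # fraction of the ALE it removes, 0.0 to 1.0


def ale(sle: float, aro: float) -> float:
    """Annual Loss Expectancy before any control: SLE x ARO."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def risk_avoided(sle: float, aro: float, control: Control) -> float:
    """Expected annual loss the control removes: ALE x effectiveness."""
    if not 0.0 <= control.effectiveness <= 1.0:
        raise ValueError("effectiveness must be between 0 and 1")
    return ale(sle, aro) * control.effectiveness


def rosi(sle: float, aro: float, control: Control) -> float:
    """(risk avoided - cost) / cost, as a fraction (1.5 == 150%)."""
    if control.annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    avoided = risk_avoided(sle, aro, control)
    return (avoided - control.annual_cost) / control.annual_cost


def break_even_effectiveness(sle: float, aro: float, annual_cost: float) -> float:
    """Smallest effectiveness at which the control pays for itself (ROSI = 0).

    A result above 1.0 means no effectiveness can justify the cost: the
    control costs more per year than the whole expected loss.
    """
    expected_loss = ale(sle, aro)
    if expected_loss == 0:
        return float("inf")
    return annual_cost / expected_loss


def rank_controls(sle: float, aro: float, controls: list[Control]) -> list[tuple[str, float, float]]:
    """Rank candidate controls by ROSI, then by net benefit for ties.

    ROSI is a ratio: two controls with the same ROSI can differ in how many
    dollars of expected loss they actually remove, so the net benefit
    (risk avoided minus cost) breaks ties.
    """
    rows = []
    for c in controls:
        avoided = risk_avoided(sle, aro, c)
        rows.append((c.name, rosi(sle, aro, c), avoided - c.annual_cost))
    return sorted(rows, key=lambda r: (-r[1], -r[2]))


# The page's worked example: a $250k phishing incident, once every two years.
SLE, ARO = 250_000.0, 0.5
AWARENESS = Control("security awareness program", annual_cost=40_000.0, effectiveness=0.80)
# Constructed second option for comparison; its figures are assumptions, not the page's.
GATEWAY = Control("email filtering gateway", annual_cost=25_000.0, effectiveness=0.50)

if __name__ == "__main__":
    print(f"ALE                   = ${ale(SLE, ARO):,.0f}")
    print(f"ROSI (awareness)      = {rosi(SLE, ARO, AWARENESS):.0%}")
    print(f"break-even effect.    = {break_even_effectiveness(SLE, ARO, AWARENESS.annual_cost):.0%}")
    for name, r, net in rank_controls(SLE, ARO, [GATEWAY, AWARENESS]):
        print(f"{name:28s} ROSI {r:5.0%}  net benefit ${net:,.0f}")
```

With the page's inputs the awareness program returns 150% and only needs to stop 32% of successful phishing to break even. The constructed gateway option ties it at 150% ROSI while removing less expected loss in absolute terms, which is why the ranking also reports net benefit: a ratio alone can hide that difference.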

Use it honestly

Quantitative risk is only as good as its inputs, and SLE, ARO and effectiveness are all estimates. Use round numbers, document your assumptions, and count the full annualised cost of the control (licences, staff time, maintenance) rather than the sticker price. Use ROSI to compare options and prioritise, not to manufacture false precision: a single point estimate hides how much the answer swings when the inputs move. Pair it with the breach cost estimator and ransomware calculator to ground your SLE figures in realistic loss scenarios.
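One way to act on that caveat is to give each input a low / likely / high range instead of a point estimate and see how far ROSI moves. The following is an added example, not part of the page or its calculator; the ranges around the page's phishing figures are constructed for illustration and the Monte Carlo uses a triangular distribution purely as a convenient, reproducible choice.

```python
"""Sensitivity of ROSI to uncertain SLE, ARO and effectiveness (added example)."""
import random
from itertools import product
from typing import NamedTuple


class Range(NamedTuple):
    low: float
    likely: float
    high: float


def rosi(sle: float, aro: float, effectiveness: float, annual_cost: float) -> float:
    """(SLE x ARO x effectiveness - cost) / cost, as a fraction."""
    return (sle * aro * effectiveness - annual_cost) / annual_cost


def rosi_bounds(sle: Range, aro: Range, eff: Range, annual_cost: float) -> tuple[float, float, float]:
    """Evaluate every corner of the input ranges plus the likely point.

    Returns (worst, likely, best). ROSI rises with each input, so the
    corners of the ranges bracket every value the estimates could produce.
    """
    corners = [
        rosi(s, a, e, annual_cost)
        for s, a, e in product((sle.low, sle.high), (aro.low, aro.high), (eff.low, eff.high))
    ]
    likely = rosi(sle.likely, aro.likely, eff.likely, annual_cost)
    return min(corners), likely, max(corners)


def probability_positive(sle: Range, aro: Range, eff: Range, annual_cost: float,
                         samples: int = 20_000, seed: int = 1) -> float:
    """Share of sampled scenarios in which the control pays for itself.

    Each input is drawn from a triangular distribution over its
    (low, likely, high) range; the fixed seed makes the run reproducible.
    """
    rng = random.Random(seed)
    positive = 0
    for _ in range(samples):
        s = rng.triangular(sle.low, sle.high, sle.likely)
        a = rng.triangular(aro.low, aro.high, aro.likely)
        e = rng.triangular(eff.low, eff.high, eff.likely)
        if rosi(s, a, e, annual_cost) > 0:
            positive += 1
    return positive / samples


# Constructed ranges around the page's example (likely = the page's figures).
SLE_RANGE = Range(150_000.0, 250_000.0, 400_000.0)
ARO_RANGE = Range(0.25, 0.5, 1.0)
EFF_RANGE = Range(0.5, 0.8, 0.9)
COST = 40_000.0

if __name__ == "__main__":
    worst, likely, best = rosi_bounds(SLE_RANGE, ARO_RANGE, EFF_RANGE, COST)
    print(f"ROSI worst / likely / best: {worst:.0%} / {likely:.0%} / {best:.0%}")
    p = probability_positive(SLE_RANGE, ARO_RANGE, EFF_RANGE, COST)
    print(f"control pays for itself in {p:.0%} of sampled scenarios")
```

The point estimate of 150% sits inside a range that runs from a loss (about -53% if every input comes in at its low end) to 800% at the high end. Reporting that spread alongside the headline figure, and the share of scenarios in which the control breaks even, is what "document your assumptions" looks like in practice.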

Frequently asked questions

What is ROSI?

Return on Security Investment: (risk avoided − cost) ÷ cost. It expresses, as a percentage, how much expected loss a security control prevents relative to what it costs.

What are SLE, ARO and ALE?

SLE is the cost of a single incident. ARO is how often it's expected per year. ALE = SLE × ARO is the expected annual loss before any control is applied.

What's a good ROSI?

Any positive ROSI means the control is expected to pay for itself. Higher is better, but compare options consistently — a lower-ROSI control may still be essential for compliance or to address a specific high-impact risk.

How accurate is this?

It's only as accurate as your SLE and ARO estimates, which are inherently uncertain. Use it to compare and prioritise investments, and document your assumptions rather than treating the output as exact.

Quantify and manage risk

Teams that quantify risk formally often use:

  • GRC / risk quantification platform: model risk across the organisation (e.g. with FAIR) and track how investments change your risk posture over time.
  • Security awareness training: often one of the highest-ROSI controls, reducing the human-error incidents that drive many losses.
