Security ROI (ROSI) Calculator
Compute the return on a security investment from expected loss and mitigation effectiveness.
Updated: June 26, 2026
Make the business case for security spend
Security teams are often asked to justify budget in financial terms. ROSI — Return on Security Investment — does exactly that by comparing the loss a control is expected to prevent against what it costs. This calculator walks through the standard quantitative risk model so you can put a number on "is this control worth it?".
The formula, step by step
- SLE (Single Loss Expectancy) — the cost of one incident if it happens.
- ARO (Annual Rate of Occurrence) — how many times per year you'd expect it (0.5 = once every two years).
- ALE = SLE × ARO — your expected annual loss before any control.
- Risk avoided = ALE × mitigation effectiveness — how much of that loss the control removes.
- ROSI = (Risk avoided − cost) ÷ cost — the return, as a percentage. Cost is the control's full annual cost (licence, staff time, maintenance), so that it sits on the same yearly basis as ALE; mixing a one-off purchase price with an annual loss figure makes the ratio meaningless.
A positive ROSI means the control is expected to save more than it costs. A ROSI of 200% means every dollar spent avoids three dollars of expected loss (a net gain of two).
Worked example
Suppose a phishing incident would cost $250,000 (SLE) and you expect one every two years (ARO = 0.5), giving an ALE of $125,000. A security awareness program costing $40,000 a year that cuts successful phishing by 80% avoids $100,000 of expected loss. ROSI = (100,000 − 40,000) ÷ 40,000 = 150% — a clear win on paper.
Use it honestly
Quantitative risk is only as good as its inputs, and SLE, ARO and mitigation effectiveness are all estimates. Use round numbers, document your assumptions, and use ROSI to compare options and prioritise, not to manufacture false precision. Run the formula with a pessimistic and an optimistic value for each estimate: if ROSI changes sign across that range, the decision rests on the estimates, not on the arithmetic. Pair it with the breach cost estimator and ransomware calculator to ground your SLE figures in realistic loss scenarios.
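The formula above, the worked example, and the pessimistic/optimistic check, carried through in Python. This is an added example, not the calculator's own code; the second and third controls and the estimate ranges are constructed for illustration and are not figures from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float    # full yearly cost: licence, staff time, maintenance
    effectiveness: float  # fraction of expected loss the control removes, 0..1


def ale(sle: float, aro: float) -> float:
    """Annual Loss Expectancy = SLE x ARO (expected annual loss, no control)."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def risk_avoided(sle: float, aro: float, effectiveness: float) -> float:
    """Share of ALE the control removes."""
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness must be a fraction between 0 and 1")
    return ale(sle, aro) * effectiveness


def rosi(sle: float, aro: float, effectiveness: float, annual_cost: float) -> float:
    """ROSI = (risk avoided - cost) / cost, as a fraction (1.5 means 150%)."""
    if annual_cost <= 0:
        raise ValueError("annual cost must be positive")
    return (risk_avoided(sle, aro, effectiveness) - annual_cost) / annual_cost


def rank_controls(sle: float, aro: float, controls: list[Control]) -> list[tuple[Control, float, float]]:
    """(control, rosi, net benefit) for each option, highest ROSI first.

    Net benefit (risk avoided minus cost) is kept alongside ROSI because ROSI is a
    ratio: a cheap control with a small absolute saving can outrank one that removes
    far more loss.
    """
    rows = []
    for c in controls:
        avoided = risk_avoided(sle, aro, c.effectiveness)
        rows.append((c, rosi(sle, aro, c.effectiveness, c.annual_cost), avoided - c.annual_cost))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


def rosi_range(sle_bounds: tuple[float, float], aro_bounds: tuple[float, float],
               eff_bounds: tuple[float, float], annual_cost: float) -> tuple[float, float]:
    """Pessimistic and optimistic ROSI from (low, high) bounds on each estimate.

    Risk avoided rises with every input, so the worst case takes every low bound and
    the best case every high bound. A sign change across the range means the decision
    hinges on the estimates rather than the arithmetic.
    """
    lo = rosi(sle_bounds[0], aro_bounds[0], eff_bounds[0], annual_cost)
    hi = rosi(sle_bounds[1], aro_bounds[1], eff_bounds[1], annual_cost)
    return lo, hi


# Page's worked example: phishing, SLE $250k, one incident every two years.
PHISHING_SLE = 250_000.0
PHISHING_ARO = 0.5

# The awareness program is the page's figure; the other two are constructed here.
EXAMPLE_CONTROLS = [
    Control("Security awareness program", annual_cost=40_000.0, effectiveness=0.80),
    Control("Email security gateway (constructed)", annual_cost=60_000.0, effectiveness=0.90),
    Control("Phish-report button (constructed)", annual_cost=4_000.0, effectiveness=0.10),
]

# Constructed uncertainty bounds on the same scenario for the sensitivity check.
SLE_BOUNDS = (150_000.0, 400_000.0)
ARO_BOUNDS = (0.25, 1.0)
EFF_BOUNDS = (0.50, 0.90)


if __name__ == "__main__":
    print(f"ALE before controls: ${ale(PHISHING_SLE, PHISHING_ARO):,.0f}")
    for c, r, net in rank_controls(PHISHING_SLE, PHISHING_ARO, EXAMPLE_CONTROLS):
        print(f"{c.name:40s} ROSI {r:7.1%}  net benefit ${net:,.0f}")
    lo, hi = rosi_range(SLE_BOUNDS, ARO_BOUNDS, EFF_BOUNDS, annual_cost=40_000.0)
    print(f"Awareness program ROSI range: {lo:.1%} (pessimistic) to {hi:.1%} (optimistic)")
```

Ranking the three options shows why the FAQ warns against reading ROSI in isolation: the constructed report button scores the highest ROSI on a $4,000 spend but returns the smallest net benefit of the three. The range check on the page's own scenario goes from a loss in the pessimistic case to a large gain in the optimistic one, which is the honest way to present a figure built from estimates.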
Frequently asked questions
What is ROSI?
Return on Security Investment: (risk avoided − cost) ÷ cost. It expresses, as a percentage, how much expected loss a security control prevents relative to what it costs.
What are SLE, ARO and ALE?
SLE is the cost of a single incident. ARO is how often it's expected per year. ALE = SLE × ARO is the expected annual loss before any control is applied.
What's a good ROSI?
Any positive ROSI means the control is expected to pay for itself. Higher is better, but compare options consistently. Because ROSI is a ratio, a cheap control with a small absolute saving can show a higher ROSI than one that removes far more loss, so look at net benefit (risk avoided minus cost) alongside it. A lower-ROSI control may also still be essential for compliance or to address a specific high-impact risk.
How accurate is this?
It's only as accurate as your SLE and ARO estimates, which are inherently uncertain. Use it to compare and prioritise investments, and document your assumptions rather than treating the output as exact.
Quantify and manage risk
Teams that quantify risk formally often use:
- GRC / risk quantification platform: Model risk across the organisation (e.g. with FAIR) and track how investments change your risk posture over time.
- Security awareness training: Often one of the highest-ROSI controls, reducing the human-error incidents that drive many losses.
Learn more
- What Is GDPR? Fines and Compliance Basics: GDPR in plain English: who it covers, the rights it grants, the two fine tiers (up to 4% of turnover), and where to start. Educational, not legal advice.
- What Is Ransomware? How Attacks Work and What They Cost: How ransomware actually works, why the ransom is often the smallest cost, and the handful of defenses that make the biggest difference.
- What Is a Data Breach? Causes, Costs and Response: What counts as a data breach, the causes behind most of them, why the true cost dwarfs the headline fine, and how to prepare before one happens.
Related tools
- Data Breach Cost Estimator: Estimate the financial impact of a data breach from records exposed and per-record cost.
- Ransomware Downtime Cost Calculator: Estimate the total impact of a ransomware attack from downtime, recovery and ransom.
- GDPR Fine Calculator: Estimate the maximum GDPR penalty from annual turnover and infringement tier.
- Password Policy Generator: Turn your password rules into a written policy plus Linux PAM and Windows config.