A Call for a New Cybersecurity Measurement Standard

Cybersecurity initiatives provide financial value to organizations. Board members and non-security executives know this to be true.
That’s why worldwide spending on information security reached an estimated $180B in 2024, per industry analyst Gartner.
Still, translating the benefits of cybersecurity into dollars and cents has long been a challenge for security teams. This makes optimizing spending on security initiatives difficult because there’s no standard metric for comparing the impact of one versus another. It’s not because there isn’t quantifiable value. It’s because Return on Investment (ROI), the standard used for quantifying the value of an investment, doesn’t directly account for the benefits of cybersecurity measures.
Why ROI Doesn’t Cut It for Cybersecurity
We dive into more detail in our new paper, When ROI Falls Short, but here’s the net of it: the formula for calculating ROI requires a “revenue” or “net profit” value to get the result. Cybersecurity initiatives typically don’t directly generate revenue or a net profit.
Instead, these initiatives act as a safeguard, preventing potential losses such as data breaches, business downtime, ransomware attacks, reputational damage, and loss of customer trust. As such, an ROI metric that considers profits gained but not losses avoided fails to adequately capture the true impact.
Why Return on Mitigation (RoM) Over ROI
Security leaders need a metric that reflects the true value of cybersecurity, and ROI isn’t it. Return on mitigation (RoM) redefines how we calculate ROI for cybersecurity. Instead of focusing on net profit, RoM measures “mitigated losses”—the financial damage avoided through proactive security measures.
If you take a closer look, you’ll notice that the RoM formula is the same as ROI, except instead of "revenue," we use "mitigated loss":

By factoring in mitigated losses instead of revenue, security leaders get a much clearer picture of the financial impact of their cybersecurity efforts on the bottom line—putting a dollar amount to the losses they’ve prevented.
You can see more detailed examples of how RoM is calculated in our ebook, using the cost of breach data, offensive security program results, and exploitation likelihood, or test it yourself with our light RoM calculator.
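The substitution described above, worked through in code as an added example that is not from the original post or its ebook: ROI and RoM are the same formula, with revenue replaced by mitigated loss, so a control that earns nothing scores -100% ROI but a positive RoM. The mitigated-loss model used here (breach cost multiplied by the drop in exploitation likelihood before and after the program) is an assumption for illustration, not the post's own method.

```python
# Added example (not from the original post): ROI vs RoM for one security initiative.
# Assumed mitigated-loss model: breach cost x reduction in exploitation likelihood.


def roi(revenue: float, cost: float) -> float:
    """Classic ROI: (revenue - cost) / cost, as a fraction (0.5 means 50%)."""
    if cost <= 0:
        raise ValueError("cost must be positive")
    return (revenue - cost) / cost


def rom(mitigated_loss_value: float, cost: float) -> float:
    """Return on Mitigation: the ROI formula with revenue replaced by mitigated loss."""
    if cost <= 0:
        raise ValueError("cost must be positive")
    return (mitigated_loss_value - cost) / cost


def mitigated_loss(breach_cost: float, likelihood_before: float, likelihood_after: float) -> float:
    """Assumed model: expected loss avoided = breach cost x drop in exploitation likelihood.

    The likelihoods are annual probabilities (0..1) of a successful exploitation, e.g. the
    before/after figures an offensive security program reports once findings are remediated.
    """
    for p in (likelihood_before, likelihood_after):
        if not 0.0 <= p <= 1.0:
            raise ValueError("likelihoods must be probabilities in [0, 1]")
    if breach_cost < 0:
        raise ValueError("breach cost must be non-negative")
    # A program that raised the likelihood mitigates nothing rather than a negative amount.
    return breach_cost * max(likelihood_before - likelihood_after, 0.0)


def compare(breach_cost: float, likelihood_before: float, likelihood_after: float,
            program_cost: float) -> tuple[float, float]:
    """Return (ROI, RoM) for the same initiative; revenue is 0 because a control earns nothing."""
    avoided = mitigated_loss(breach_cost, likelihood_before, likelihood_after)
    return roi(0.0, program_cost), rom(avoided, program_cost)


if __name__ == "__main__":
    # Constructed sample inputs: a $4.5M breach, likelihood cut from 25% to 5%, a $300K program.
    r, m = compare(4_500_000, 0.25, 0.05, 300_000)
    print(f"ROI: {r:.0%}  RoM: {m:.0%}")  # prints "ROI: -100%  RoM: 200%"
```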
The Call for RoM Standardization
For security leaders, adopting RoM bridges the gap between the theoretical value of cybersecurity testing and the reality of loss prevention. It empowers them to more accurately justify security budgets, communicate value to stakeholders, demonstrate quantifiable risk reduction, and prioritize their resources more effectively—all through a common financial language.
Now imagine if that common language was also common within an organization and across cybersecurity. The standardization of RoM would provide significant benefits to the entire security community. Establishing a common framework for calculating and communicating the financial impact of cybersecurity investments would enable organizations to make more informed decisions about their security strategies.
When everyone can calculate loss prevention with the same metric, they can benchmark with peers and across industries and better evaluate vendors and solutions. It also better supports regulators and cyber insurers, who need clear, methodical financial-loss data to design regulatory standards and assess the adequacy of cybersecurity investments.
Conclusion
If you read my recent blog, you’ll remember my stance heading into this year: the fight against cyber threats will not be easy and we’re in this fight together. The standardization of RoM is just one practical way organizations can come together in cybersecurity; by implementing an effective, common method for measuring the value of cybersecurity investments, we’re one step closer to taking down cyber threats on a universal scale.