Platform

Unify HRM Overview

Platform

Capabilities

Identify: Human Risk Operations Center (HROC)
Dashboards

Power Insights

Benchmarks

Protect: Action Plans
Nudges: Communications & Employee Scorecards

Training: Risk Based SAT and Phishing

Orchestration: Policy Playbooks

Report: Human Risk Index (HRI)
Employee Scorecards

Manager Reporting

Board and Executive Reporting

Bundles

Unify Go
Start your journey to HRM here.

Monitor risk by:

Security Training Compliance

Phishing and Email

Unify Enterprise
Covers risk in Unify Go and adds:

Malware & Ransomware

Data Loss

Account Takeover

Featured Resources

Living Security Blog
What is Attack Surface Management?
link

Living Security Blog
Why Your Team Should Have A Business Continuity Plan
link
Solutions

Solutions Overview

Solutions

By Role

CISO
Provides CISO’s, executives, and boards a complete picture and prioritization of workforce risk by type, department, location, and more.
link

Security Awareness Team
Go beyond training completion and phishing click rates and proactively safeguard your organization from human-induced security incidents.
link

GRC
Identify, resolve and track commonly violated policies with granular accuracy to lower risk and improve workforce compliance.
link

SOC/IR
Unleash the true potential of your human firewall with data-driven insights and action plans that curb threats before they become incidents.
link

By Risk

Training Compliance
Monitor training compliance status for users and segments across the enterprise.
link

Phishing & Email
Identify the users most and least at risk to social engineering attacks and protect them.
link

Malware & Ransomware
Proactively protect users from malware including viruses, worms, Trojan viruses, spyware, adware, and ransomware.
link

Data Loss
Pinpoint when data is at risk of leaving your controlled environment through unauthorized access or malicious intent.
link

Identity Threats
Get visibility into the most susceptible users for account compromise and mitigate their risk.
link
Products

Products

Products Overview
Transform how your organization approaches Security Awareness and Training by shifting to a proactive HRM approach that creates a strong culture of security.

Living Security Blog
What is Attack Surface Management?
link

Unify Human Risk Management
Establish a proactive security loop.
Security Awareness Training
Interactive compliance training for modern threats.
CyberEscape Rooms
Put your team in the center of security scenarios
Cybersecurity Awareness Month
Create a cyber vigilant workforce in October
Cybersecurity Engagement Training Go beyond compliance training Phishing
Stop social engineering attacks in their tracks with realistic simulations and training
across phishing, vishing, smishing, and more.
HRM

HRM

Human Risk Management: Proactive Security
Human Risk Management (HRM) is the process of identifying, assessing, and mitigating risks associated with human behavior in relation to an employee's use of technology.
HRM Maturity Model
How far is your company along the path to true proactive security?

Living Security Blog
What is Attack Surface Management?
link
Resources

Resources

Resources
Level up on Human Risk Management with a comprehensive collection of webcasts, whitepapers, ebooks, and more.
Blog
Access hundreds of informative blogs with deep dives and best practices relating to the full array of cybersecurity risks we face.
Webinars
Watch dozens of webinars tackling some of cybersecurity’s biggest challenges featuring thought leaders from leading organizations.
Case Studies
See how a variety of organizations utilize Living Security’s HRM Platform, Training, and Phishing to reduce risk with proactive defense.

Partners
Human Risk Management Powered by Partners.
Technology Alliance Program
Extend the value of your offering with HRM.
Partner Support
Unlock your potential with our partner hub.

Living Security Community Share HRM best practices Newsroom Read the latest news on Living Security. Support
The more you know, the more you grow.
Why Living Security
Establish a proactive security loop.
Start Now

April 6, 2023

Know how to calculate your ROSI - Return On Security Investment?

CALCULATING THE RETURN ON INVESTMENT - ROSI

Calculating ROSI, or Return On Security Investment, can be a tough task for a company's cybersecurity department, especially when the value of possible losses is often intangible.

There’s really no way to measure alleged occurrences and the impact of all variables. But one thing’s for sure in cyber security - the cost of doing nothing is far greater. These days, the risk is just too high to bet on luck. If you continue to use hope as a tactic, the possible losses can be unimaginable.

Maybe it’s time for a different nomenclature when calculating return-on-investment in regards to cybersecurity. In many ways, ROSI is quite different from ROI, even though the objectives are the same. Start by thinking about the questions that the cybersecurity department should ask the company's board - and not the other way around.

Generally, directors want to know the return on each investment because they are naturally more focused on business results. So, like investments in marketing, they calculate investments in security with an eye on the financial increase that the initiative can bring. That’s not always how it is in cybersecurity. Let's clarify this difference before we get to the calculation.

First, don’t focus on what, on the surface, may seem like the most pressing questions:

“How can a security solution affect the productivity of your business?”

“How big is the financial impact of a threat?

“If I don't invest in security, can it really affect business?

“What is the most accessible solution?”

Instead, ask yourself these questions:

“The company needs to become more secure. How much security do we need to reach the desired level?”

“How much time and how many resources do we need to invest into our security?”

Notice that the approach is different, because the problem is omnipresent and therefore very serious. When the manager uses this inverse reasoning, he/she is calculating the investment from the standpoint of high risk, and is better able to choose among the available solutions.

CALCULATING THE ROSI

In the formula for calculating the Return on Investment in Security (ROSI), the cost of the security awareness solution is the annual expectation of losses derived from the risks.

The quantification of the ROSI formula is measured by the impact of the investment on the final result. This metric can be your best weapon in the battle to convince company directors about the need for better security. Let's figure it out step by step:

Annual Loss Expectation (ALE) - is the total expected financial loss from security incidents based on the company's history. In this case we estimate how much can be lost without investing in security. ALE is calculated by multiplying the annual rate of occurrences (ARO) by the single loss expectation (SLE).

Annual Occurrence Rate (ARO) - Also measured by history is the probability that a cyber security incident will occur within a year.

Single Loss Expectation (SLE) - is the total financial loss of a single security incident. This loss is based only on data assets that have value within the organization. It also represents the direct costs of financial loss and the indirect costs associated with precipitating data breaches.

Expected Annual Loss Expectation (EALE) - this is ALE, plus the savings that the security solution offers. This represents the percentage of threats stopped by the security solution.

For example, we can say that the cybersecurity solution has an annual investment of $100,000 USD to prevent 10 cyber security incidents that resulted in $20,000 USD in data loss. According to the cybersecurity offer, the solution will block 95% of cyber attacks.

ROSI = ((10 x 20,000) x 0.95 - $ 100,000) ÷ $ 100,000

ROSI = 90%

The calculation reveals that the investment in security generates a return of 90%, or about $100,000 USD annually. Feel free to use this example as your go-to guide for calculating the size of your Return on Investment in Security. (Source CSO,2017)

Living Security is a startup with innovative training solutions for security awareness in companies. The company's science-based approach drives user engagement and reinforces positive security behaviors across the enterprise. Living Security recognized that traditional security awareness programs were failing to move the needle and it was time for a fresh approach. Our immersive training experiences engage the enterprise using science backed techniques to motivate behavior change and refreshed content that’s relevant for the current threat landscape.