Pagoda Blog

How to Measure the ROI of Your Cybersecurity Strategy

February 3, 2022

When you think of cybersecurity, you typically don’t think of it as a revenue generator. It’s thought of like insurance: a necessary cost that you budget for so that you’re not entirely liable for damages in the event of a cyberattack or data breach. But comprehensive cybersecurity and IT services offer much more than your typical insurance model. To fully understand the value of cybersecurity, and budget accordingly, it’s helpful to measure its ROI.


Cybersecurity includes not only response and recovery, as you would expect from, say, auto or homeowner’s insurance, but also policy, prevention, and detection. (Speaking of insurance, cyber liability insurance has become an important part of cybersecurity for any business that collects personally identifiable information.) 


A multi-layered security strategy works on an ongoing basis to ensure all your technology is up to date and optimized for both efficiency and security, allowing your operations to run more smoothly and improving productivity across your team. It ensures you have the right policies in place to protect your company’s and your customers’ data. These policies may include those that are specific to your business or industry as well as regulations that span industries, like the GDPR, the California Privacy Rights Act, and HIPAA.


A robust, transparent cybersecurity strategy builds trust with your customers, assuring them that you’re doing everything in your power to protect their data. It is designed to insulate your company and your customers as much as possible from the wide-spreading impacts of a data breach or other compliance issue. It goes right along with establishing a cyber resiliency mindset so that your company is prepared and can act quickly and agilely in the face of a cyberattack. When disaster does strike, you have a plan in place to mitigate the damage and the downtime.


So what does this mean for calculating the ROI of your cybersecurity investment? It means that you must take into account both the proactive and reactive work that goes into keeping your company’s networks and data safe.   


How to measure your cybersecurity strategy’s ROI

The Center for Information Security created a formula to help business leaders calculate the value of cybersecurity, or as they refer to it, “risk reduction.” This equation compares the cost of risk with the cost of control (i.e. the cost of a cybersecurity strategy or of a specific security measure).


ROI = (reduction in risk cost - cost of control) / cost of control


Reduction in risk cost = annualized rate of occurrence x expected monetary loss for a single event x reduction in probability of risk occurrence with the implemented control


Risk-reduction formula for cybersecurity ROI


The annualized rate of occurrence is the number of times you expect a given kind of data compromise (known and suspected breaches via email, your network, social media, hardware, and so on) to happen over the course of a year. Multiplied by the loss per event, it gives your expected annual loss from that risk before any control is applied.


The expected monetary loss for a single event refers to the estimated cost that data compromise would incur (this cost includes downtime due to system/network outages, notifying customers, legal fees, and even a hit to customer retention and new leads due to damage to your brand’s reputation). 


The reduction in probability of risk occurrence with the implemented control is the fraction by which a given control lowers the likelihood of that event (for example, 50% if a control stops half of the incidents that would otherwise occur). It is not the money you spend on the control; that amount is the cost of control, which appears separately in the ROI equation.


Here’s an example of how to apply this formula from rThreat:


If the average business email compromise (BEC) costs a company $5,000 and happens 10 times per year, the expected annual loss is $50,000. A control that reduces the occurrence of BEC by 50% (saving $25,000) and costs $5,000 then has a net benefit of $20,000 ($25,000 - $5,000), and an ROI of 400% ($20,000 / $5,000).
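The same calculation, carried out in code so it can be reused across several risks and candidate controls. This is an added example, not code from Pagoda or from rThreat; the BEC numbers are the ones in the example above, the second control ("MDR_SERVICE") and its figures are constructed for comparison, and the class and function names are this example's own.

```python
"""Risk-reduction ROI for security controls (added example).

Implements the formula quoted above:
    reduction in risk cost = ARO x SLE x mitigation
    ROI = (reduction in risk cost - cost of control) / cost of control
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    aro: float  # annualized rate of occurrence (events per year)
    sle: float  # expected monetary loss for a single event

    def ale(self) -> float:
        """Annualized loss expectancy: expected yearly loss with no control."""
        return self.aro * self.sle


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # cost of control per year
    mitigation: float   # fraction by which the control reduces occurrence, 0..1


def risk_reduction(risk: Risk, control: Control) -> float:
    """Expected yearly loss avoided by applying `control` to `risk`."""
    if not 0.0 <= control.mitigation <= 1.0:
        raise ValueError(f"{control.name}: mitigation must be between 0 and 1")
    return risk.ale() * control.mitigation


def net_benefit(risk: Risk, control: Control) -> float:
    """Avoided loss minus what the control costs; negative means it does not pay for itself."""
    return risk_reduction(risk, control) - control.annual_cost


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment as a ratio (4.0 == 400%)."""
    if control.annual_cost <= 0:
        raise ValueError(f"{control.name}: cost of control must be positive")
    return net_benefit(risk, control) / control.annual_cost


def rank_controls(risk: Risk, controls: list[Control]) -> list[Control]:
    """Order candidate controls for one risk by ROI, best first."""
    return sorted(controls, key=lambda c: rosi(risk, c), reverse=True)


# Figures from the worked BEC example above.
BEC = Risk(name="business email compromise", aro=10, sle=5_000)
EMAIL_CONTROL = Control(name="email filtering", annual_cost=5_000, mitigation=0.50)

# Constructed comparison: a broader service that stops more incidents but costs far more.
MDR_SERVICE = Control(name="managed detection and response", annual_cost=30_000, mitigation=0.75)


if __name__ == "__main__":
    print(f"{BEC.name}: expected annual loss ${BEC.ale():,.0f}")
    for control in rank_controls(BEC, [EMAIL_CONTROL, MDR_SERVICE]):
        print(
            f"  {control.name:32s} avoids ${risk_reduction(BEC, control):>9,.0f}"
            f"  net ${net_benefit(BEC, control):>9,.0f}  ROI {rosi(BEC, control):.0%}"
        )
```

Ranking by ROI is only meaningful for controls that address the same risk; a control with a lower ROI can still be the right purchase when it removes more absolute loss, which is why the script prints the net benefit next to the ratio.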


This formula is a practical way to quantify how much money your cybersecurity strategy is saving your company annually, and it can help as you decide whether to invest in additional controls. Keep in mind that the result is only as good as your estimates of how often an incident occurs and what it costs; if those inputs are guesses, run the calculation with a range of values rather than a single number before committing a budget to it.


As a business owner, it’s up to you to make sound financial decisions that will ensure your long-term success. Investing in a comprehensive cybersecurity strategy reduces the chance that you’re blindsided by a cyberattack, and understanding its ROI will further contribute to your business’s fiscal resilience.


Ready to learn how a Managed Service Provider like Pagoda Technologies can help you improve cybersecurity and save money? Reach out for a free consultation today.  

Featured photo by Jason Goodman on Unsplash


Related reading: 

What to Look for When Hiring a Managed Service Provider (MSP)

How to Leverage Cybersecurity as a Competitive Edge for Your Business 

How to Secure Your Internet Connection: A Network Security Checklist


Want to get more posts like these once a month in your inbox? Sign up for the Pagoda newsletter and sharpen your technical skills, from cybersecurity to digital marketing



Want IT to serve you better?





About Pagoda Technologies IT services

Based in Santa Cruz, California, Pagoda Technologies provides trusted IT support to businesses and IT departments throughout Silicon Valley, the San Francisco Bay Area and across the globe. To learn how Pagoda Technologies can help your business, email us at to schedule a complimentary IT consultation.



As your trusted IT service partner, Pagoda Technologies is here to help you achieve your near and long-term business goals through reliable and affordable IT support. 

Pagoda Technologies

101 Cooper Street

Santa Cruz, CA 95060

