
Return On Security Investment (ROSI)

This Guideline is intended to assist NSW Government Agency IT Managers in evaluating and quantifying the potential Return On Security Investment (ROSI) from implementing perimeter security systems.

The cost of information security measures should be commensurate with the security risk exposure. A good way of calculating this is by 'Avoidable Loss Expectancy' (ALE). The concept underlying ALE is that the expected cost of safeguards can be compared with the expected loss from a security incident (ie its consequence), where that expected loss reflects the probability of the incident happening over a period of time. The cost of safeguards should be less than the expected loss if a security incident occurred.

In addition to a discussion and description of the ALE method, two spreadsheets are provided. The first uses simple calculations and ordinal scales; in essence it is qualitative. The second uses ratio scales and Monte Carlo simulation; it is quantitative. For best results with the latter, users will need to acquire a low-cost Monte Carlo simulation package.
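The ALE comparison above and the quantitative (Monte Carlo) variant, as an added worked example that is not part of the Guideline or its spreadsheets: all dollar figures and probabilities are constructed, and the ROSI ratio (expected loss avoided minus safeguard cost, divided by safeguard cost) is an assumed common form, not one the Guideline states.

```python
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    """Constructed inputs for one incident type: the loss per incident
    (consequence) and the expected incidents per year (probability over the period)."""
    loss_per_incident: float   # dollars
    incidents_per_year: float  # expected frequency over one year


def expected_loss(s: Scenario) -> float:
    """Expected annual loss used in the ALE comparison: consequence x probability."""
    return s.loss_per_incident * s.incidents_per_year


def rosi(before: Scenario, after: Scenario, safeguard_cost: float) -> float:
    """Assumed ROSI form: (expected loss avoided - safeguard cost) / safeguard cost."""
    avoided = expected_loss(before) - expected_loss(after)
    return (avoided - safeguard_cost) / safeguard_cost


def safeguard_is_justified(before: Scenario, after: Scenario, safeguard_cost: float) -> bool:
    """The Guideline's test: the safeguard must cost less than the expected loss it avoids."""
    return safeguard_cost < expected_loss(before) - expected_loss(after)


def _incident_count(rate: float, rng: random.Random) -> int:
    """Incidents in one year: Poisson count built from exponential inter-arrival times."""
    if rate <= 0:
        return 0
    count, t = 0, rng.expovariate(rate)
    while t < 1.0:
        count += 1
        t += rng.expovariate(rate)
    return count


def monte_carlo_loss(loss_low, loss_high, incidents_per_year, runs=10_000, seed=1):
    """Quantitative variant: simulate one year many times with the loss per incident
    drawn uniformly from [loss_low, loss_high]; returns (mean loss, 95th percentile)."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(runs):
        n = _incident_count(incidents_per_year, rng)
        yearly.append(sum(rng.uniform(loss_low, loss_high) for _ in range(n)))
    yearly.sort()
    return sum(yearly) / runs, yearly[int(0.95 * runs)]


if __name__ == "__main__":
    # Constructed figures: a perimeter control cuts a $100k incident from 20%/yr to 5%/yr.
    before, after = Scenario(100_000, 0.20), Scenario(100_000, 0.05)
    print("ROSI at $10,000 safeguard cost:", rosi(before, after, 10_000))
    print("mean, p95 simulated annual loss:", monte_carlo_loss(50_000, 150_000, 0.20))
```

The 95th percentile from the simulation shows why the ordinal spreadsheet understates exposure: a single bad year can cost several times the mean expected loss.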