ROSI Calculator EN
Step #1: Calculating the cost of an incident
Select your industry:
Accounting
Advertising, Marketing, PR
Aerospace, Defense
Banking, Other financial services
Consulting
Education
Energy, Chemicals, Utilities
Government
High Tech
Hospital, Clinic, Doctor Office
Travel, Tourism
Legal
Manufacturing
Medical, Pharma, Biotech
Real Estate
Retail
Support, Outsourcing
Telecommunications
Transportation, Distribution
Other
Type of incident:
Malicious activity
Unintentional human error
System errors/malfunctions
Natural disaster & force majeure
Other
Short description of potential incident:
Existing security measures:
The security measures you have already implemented that should decrease the likelihood and/or impact of such incidents - e.g. backup, antivirus protection, fire suppression systems, and other measures relevant to this incident.
How long would the negative impacts of this incident last?
Locations and business units that would be affected by this incident:
Business processes that would be affected by this incident:
Data that would be affected by the incident:
E.g. databases, software, documents in electronic format, paper documents etc.
Physical assets that would be affected by the incident:
E.g. hardware, office space, facilities, furniture, other infrastructure etc.
Currency
USD - US Dollar
EUR - Euro
JPY - Japanese Yen
CHF - Swiss Franc
GBP - British Pound
AED - Emirati Dirham
ARS - Argentine Peso
AUD - Australian Dollar
BAM - Bosnian Convertible Marka
BBD - Barbadian or Bajan Dollar
BDT - Bangladeshi Taka
BGN - Bulgarian Lev
BHD - Bahraini Dinar
BRL - Brazilian Real
CAD - Canadian Dollar
CLP - Chilean Peso
CNY - Chinese Yuan Renminbi
COP - Colombian Peso
CRC - Costa Rican Colon
CZK - Czech Koruna
DKK - Danish Krone
DOP - Dominican Peso
DZD - Algerian Dinar
EEK - Estonian Kroon
EGP - Egyptian Pound
FJD - Fijian Dollar
HKD - Hong Kong Dollar
HRK - Croatian Kuna
HUF - Hungarian Forint
IDR - Indonesian Rupiah
ILS - Israeli Shekel
INR - Indian Rupee
IQD - Iraqi Dinar
IRR - Iranian Rial
ISK - Icelandic Krona
JMD - Jamaican Dollar
JOD - Jordanian Dinar
KES - Kenyan Shilling
KRW - South Korean Won
KWD - Kuwaiti Dinar
LBP - Lebanese Pound
LKR - Sri Lankan Rupee
MAD - Moroccan Dirham
MXN - Mexican Peso
MYR - Malaysian Ringgit
NGN - Nigerian Naira
NOK - Norwegian Krone
NZD - New Zealand Dollar
OMR - Omani Rial
PEN - Peruvian Nuevo Sol
PHP - Philippine Peso
PKR - Pakistani Rupee
PLN - Polish Zloty
QAR - Qatari Riyal
RON - Romanian New Leu
RSD - Serbian Dinar
RUB - Russian Ruble
SAR - Saudi or Saudi Arabian Riyal
SEK - Swedish Krona
SGD - Singapore Dollar
THB - Thai Baht
TND - Tunisian Dinar
TRY - Turkish Lira
TTD - Trinidadian Dollar
TWD - Taiwan New Dollar
VND - Vietnamese Dong
XCD - East Caribbean Dollar
XOF - CFA Franc
XPF - CFP Franc
ZAR - South African Rand
ZMK - Zambian Kwacha
Other
Select the currency you will be using in this calculation.
Cost of external services:
The cost of services of suppliers and partners that would occur as a consequence of this incident - technicians, cleaning, PR & marketing, legal, financial etc. These costs might be related to the business unit that is directly influenced by the incident, or related to other business units that are indirectly affected by the incident. If there would be none, just write 0.
Cost of purchasing equipment/goods/materials
What equipment or goods or materials would you have to buy because of the damage caused by this incident? If there would be none, just write 0.
Employee costs of resolving the incident
E.g. travel expenses, bonuses, paid overtime etc. These costs might be directly related to resolving the incident, or indirectly related - for instance catching up on the backlog of regular work. If there would be none, just write 0.
Legal and/or contractual penalties
In case you have legal or contractual requirements for providing products/services at the predefined level, but you wouldn't be able to comply with these because of the incident. If this is irrelevant for you, just write 0.
Description of other costs not mentioned above
Amount of other costs
If there would be none, just write 0 or leave this field blank.
Average margin in your revenues (% of your revenues)
%
The margin equals net sales minus the cost of goods and services sold.
Lost revenues from existing clients
If your company is not able to provide products/services at the expected level, you may lose part of your revenues. Take into account the lost revenues during the incident (taking into account the length of negative impacts), together with the lifetime revenues you would lose from clients that would leave you as a consequence of this incident. If this is not relevant for you, just write 0.
Lost revenues from potential clients
Because of the direct negative impacts of the incident and because your management and employees would be focused on resolving the incident, you probably wouldn't acquire new clients as usual. Calculate the lifetime revenues you would have earned from such clients. If this is irrelevant for you, just write 0.
Insurance claims
Amount you would have received from the insurance company because you have insured your assets that were impacted by the incident. If there would be none, just write 0.
Total cost of single incident = Single Loss Expectancy (SLE)
(To be calculated automatically - in your currency). SLE = Cost of external services + Cost of purchasing + Employee costs + Penalties + Other costs - Insurance claims + (Lost revenues from existing clients + Lost revenues from potential clients) * Average margin
How often could such an incident occur
Every day
Every week
Every month
Every 3 months
Every 6 months
Once a year
Once in 5 years
Once in 10 years
Once in 25 years
Once in 50 years
Once in 100 years or less often
Take into account the threats and vulnerabilities, as well as existing security measures.
One year risk exposure to this incident = Annualized Loss Expectancy (ALE)
(To be calculated automatically - in your currency.) ALE = SLE * likelihood (how often could such an incident occur).
Step #2: Calculating the costs and benefits of protection
If the annual costs of security measures (costs of protection) are less than Annualized Loss Expectancy (ALE), then these security measures will be profitable. And vice versa.
Description of security measure(s)
Describe only one security measure (control), or a set of security measures that would be used to mitigate the negative effects of an incident from Step #1.
Incident frequency after security measure(s) are applied
Every day
Every week
Every month
Every 3 months
Every 6 months
Once a year
Once in 5 years
Once in 10 years
Once in 25 years
Once in 50 years
Once in 100 years or less often
After applying this/these security measure(s), how often could such an incident occur?
% of reduction of Total cost of single incident
%
How much would this/these security measure(s) decrease the Total cost of single incident (i.e. SLE)? The security measure(s) might be able to shorten the reaction time for resolving the incident, shorten the duration of an incident, decrease the number of locations or business units or processes that would be affected, decrease the amount of data that would be compromised, decrease the number of physical assets that would be affected, or decrease the extent of damage to those assets. If there would be none, just write 0.
Purchase value of security measure(s)
E.g. the value of hardware and other equipment, software, consulting services, support services during implementation, etc. Make sure you also take into account the traveling costs, training costs and other costs of your employees working on implementation of such security measures.
How many years would this/these security measure(s) be used?
How many years would such measures be in effective operation before becoming obsolete or for any other reason unusable?
Value of security measure(s) after their usage
What would be the sales value of security measure(s) after their period of usage? E.g. if there is equipment that could be sold after it was used, what would be the realistic market value for such equipment?
Annual cost of external parties needed for security measure(s)
All the costs (on an annual basis) of suppliers and partners needed for normal operation of security measure(s) - e.g. maintenance, audits, analysis, consulting, periodic training, testing, lease, infrastructure costs, etc.
Annual number of employee man-days required for security measure(s)
On an annual basis, number of man-days of employees needed for the operation of the security measure(s). The employees that will be needed to operate, maintain, analyze, test, improve and supervise such security measure(s); also take into account the time needed for regular training of such employees.
Average annual cost of one employee
Total costs for one average employee - gross salary, benefits, other costs. On a per-year basis.
Number of annual working days for one employee
Total number of available working days (for any kind of business activity) for one average employee during one year. You need to take into account weekends, holidays, leaves of absence etc., and deduct these from 365.
Description of other costs of protection not mentioned above
Annual amount of other protection costs
If there would be none, just write 0 or leave the field blank.
Annual cost of protection of this/these security measure(s)
(To be calculated automatically - in your currency.)
Conclusion
The investment in this/these security measure(s) is profitable if the last field below (ROSI) is positive.
If it is negative, then the security measure(s) are not profitable.
Total cost of single incident (SLE) - after security measure(s) have been applied
(To be calculated automatically - in your currency.) The value of Single Loss Expectancy (SLE) when the effects of security measure(s) are taken into account. SLE (with security measures applied) = SLE (initial, with no security measures) * (100% - % of reduction of SLE)
One year risk exposure to this incident (ALE) - after security measure(s) have been applied
(To be calculated automatically - in your currency.) The value of Annual Loss Expectancy (ALE) with the effects of security measure(s) taken into account. ALE = SLE (with security measures applied) * Incident frequency (with security measures applied)
Risk reduction
(To be calculated automatically - in your currency.) The amount of reduction of one year risk exposure (ALE) as a consequence of applying the security measure(s). Risk reduction = ALE (initial, with no security measures) - ALE (with security measures applied)
Return on Security Investment (ROSI) - in absolute amount
(To be calculated automatically - in your currency.) This is the value of annual profit created when investing in security measures. ROSI = monetary risk reduction − annual cost of protection
Return on Security Investment (ROSI) - as percentage of protection costs
%
(To be calculated automatically - in your currency.) This is the profit displayed as percentage of security measure(s) cost. ROSI (percentage) = ROSI (absolute amount) / annual cost of protection * 100%
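The Step #1, Step #2 and Conclusion formulas carried through in Python, as an added example that is not the calculator's own code. The incidents-per-year value for each frequency option and the annual cost of protection formula (straight-line write-off of the purchase value plus running costs) are assumptions, since the page leaves both to automatic calculation; the scenario figures are constructed.

```python
# Assumption: each frequency option on the form maps to this many incidents per year.
FREQ_PER_YEAR = {
    "Every day": 365, "Every week": 52, "Every month": 12,
    "Every 3 months": 4, "Every 6 months": 2, "Once a year": 1,
    "Once in 5 years": 1 / 5, "Once in 10 years": 1 / 10,
    "Once in 25 years": 1 / 25, "Once in 50 years": 1 / 50,
    "Once in 100 years or less often": 1 / 100,
}

def single_loss_expectancy(external, purchasing, employee, penalties, other,
                           insurance, lost_existing, lost_potential, margin_pct):
    """SLE exactly as the Step #1 formula states it."""
    return (external + purchasing + employee + penalties + other - insurance
            + (lost_existing + lost_potential) * margin_pct / 100)

def annual_protection_cost(purchase, years, residual, external_annual, man_days,
                           employee_annual_cost, working_days, other_annual=0):
    """Assumed formula: straight-line write-off of the purchase plus running costs."""
    if years <= 0 or working_days <= 0:
        raise ValueError("years of use and working days must be positive")
    day_rate = employee_annual_cost / working_days
    return ((purchase - residual) / years + external_annual
            + man_days * day_rate + other_annual)

def rosi(sle, freq_before, freq_after, sle_reduction_pct, protection_cost):
    """Apply the Conclusion formulas; amounts are rounded to 2 decimals."""
    if not 0 <= sle_reduction_pct <= 100:
        raise ValueError("SLE reduction must be between 0 and 100 percent")
    if protection_cost <= 0:
        raise ValueError("ROSI percentage is undefined without a protection cost")
    ale_before = sle * FREQ_PER_YEAR[freq_before]
    sle_after = sle * (100 - sle_reduction_pct) / 100
    ale_after = sle_after * FREQ_PER_YEAR[freq_after]
    risk_reduction = ale_before - ale_after
    absolute = risk_reduction - protection_cost
    result = {"ale_before": ale_before, "sle_after": sle_after,
              "ale_after": ale_after, "risk_reduction": risk_reduction,
              "rosi_abs": absolute, "rosi_pct": absolute / protection_cost * 100}
    return {name: round(value, 2) for name, value in result.items()}

if __name__ == "__main__":
    # Constructed scenario: ransomware on a file server, countered by offline backups.
    sle = single_loss_expectancy(20000, 5000, 8000, 10000, 0, 15000, 100000, 50000, 40)
    cost = annual_protection_cost(12000, 4, 2000, 1500, 10, 66000, 220)
    print(sle, cost, rosi(sle, "Once in 5 years", "Once in 10 years", 50, cost))
```

With the same incident figures, raising the annual cost of protection above the risk reduction turns ROSI negative, which is the "not profitable" case the Conclusion describes.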