Return on Security Investments – Design Principles of Measurement Systems Based on Capital Budgeting

Abstract

IT-security has become a vital factor in electronic commerce nowadays. Thus, investments have to be made in order to safeguard security. However, the benefits of these investments are often hardly visible. In most cases, such investments are made only retroactively, after incidents occur. It is necessary to measure the value before preventing incidents. For this purpose ROSI (Return on Security Investments) has gained enormous attention in research and practice. In this paper, we discuss this measure from a methodological perspective. We argue that existing approaches for calculating ROSI lack a sound methodological basis and that these approaches can be misleading for decision support. In contrast to these approaches, we suggest a new approach for the calculation of ROSI on a capital budgeting basis.