
From Gut Feel to Gains: The Cybersecurity ROI Pyramid

Boards and regulators increasingly demand proof that cybersecurity budgets create value, yet most organisations still rely on intuition rather than economic analysis. Building on Antwerp Management School research, this article proposes a pragmatic pyramid model, comprising basic hygiene, compliance imperatives, and targeted risk-driven measures to help organisations apply Return on Security Investment (ROSI) selectively and align cybersecurity spending with business value.
by Dennis Verslegers, Yuri Bobbert | October 16, 2025

Do organisations apply ROSI in practice?

As part of the AMS research tracks on Cybereconomics, we conducted surveys and interviews with practitioners to assess whether they use economic modelling to justify cybersecurity investment decisions and to communicate those decisions to boards. Surprisingly, the majority reported that they do not apply ROSI in practice. ROSI, or Return on Security Investment, is a financial metric that evaluates the monetary benefit of a security measure: it compares the cost of implementing the measure with the losses it is expected to prevent, counting both tangible and intangible avoided costs. In its usual form, ROSI = (risk reduction − cost of the measure) / cost of the measure, where the risk reduction is the decrease in expected annual loss the measure brings about. When asked why they do not use ROSI, respondents typically cite four main challenges:

• Quantifying risks and risk reduction is difficult due to complexity and a lack of actuarial data.

• Limited analytical capabilities are often linked with the perception that complex mathematical calculations are necessary.

• Lack of time and resources to perform quantitative analyses.

• Organisational culture and preferences. Case organisations report that decision-making in IT and/or cybersecurity, based on quantification, is not part of the organisation's culture.

Leaving cultural aspects aside, the first three obstacles stem largely from perceptions of complexity associated with quantitative methods, such as ROSI. This finding prompts a closer examination of Cyber Risk Quantification (CRQ) adoption.

The problem: the perceived complexity of cyber risk quantification

This perceived complexity, rather than actual mathematical difficulty, hinders the adoption of risk quantification. In many cases, organisations describe their cyber investment decision-making as based on a combination of industry benchmarks and “gut feeling”. Complementary research conducted by AMS students confirms that most organisations rely on qualitative or mixed methods, despite ~75% of respondents considering CRQ feasible, and all agreeing that quantification would enhance decision-making. A practical starting point is to replace qualitative labels with quantitative proxies and to express uncertainty as ranges rather than fixed numbers.

How, then, do organisations make decisions?

When examining industry benchmarks, it is evident that cybersecurity investments continue to increase year after year. If ROSI and CRQ are rarely applied, how do organisations then actually decide on cybersecurity investments? AMS research identified seven key factors that influence decision-making:

  1. Total Cost of Ownership (licensing, implementation, operations, staffing, and lifecycle costs);
  2. Compliance (regulatory or contractual obligations and auditability);
  3. Maturity (the organisation’s current capabilities and ability to absorb the control);
  4. Risk Reduction (credible, measurable impact on likelihood and/or loss);
  5. Technical Requirements (integration, architecture, scalability, and performance), which capture technical fit;
  6. Strategic Alignment (support for objectives, revenue enablement, resilience); and
  7. Contextual Fit (culture, skills, processes, vendor footprint, operating environment), which together with strategic alignment reflects business relevance.

Most organisations apply only a subset of these factors—often combined with intuition. This shows that security investment decisions are context-dependent and multifaceted.

The results: A pyramid approach to ROSI

Based on these findings, we conclude that organisations use a range of quantitative and qualitative factors to inform their decisions on cybersecurity investments. We argue that these decisions are context-dependent and must balance interlocking factors rather than rely on a single ROI metric. We build on the work of AFCEA (2013), which took a similar approach to countering both unsophisticated and sophisticated attacks: simple interventions at relatively low cost deal with the former, leaving targeted investment for the latter. As a starting point, we propose applying three lenses we often use in our lecturing, derived from the digital risk management pyramid that ANSSI proposes as part of the EBIOS Risk Manager method[1]. Based on these lenses, we suggest a model for selecting decision-making factors according to the context in which an investment decision is made.

The cybersecurity investment pyramid considers three perspectives on investment decisions, each calling for different criteria depending on whether the decision context is hygiene, compliance or risk-driven. Effective governance makes these trade-offs explicit, combines quantitative evidence with expert judgement, and prioritises investments that maximise risk reduction and business value at an acceptable total cost.

Figure 1: Different contexts for security investment decisions

Base: Reliable IT & Basic cyber hygiene

Operating in a digital environment comes at a price: certain threats are inherent to using technology to achieve organisational goals. To counter them, an organisation should implement basic cyber hygiene measures such as multi-factor authentication and sound authentication and authorisation mechanisms. A precursor of basic cyber hygiene is reliable IT operations: an environment that is unmaintainable or unstable poses significant challenges from a security perspective.

The set of basic cyber hygiene measures is relatively well-known and embodied in several frameworks as the “base” maturity level (e.g., CyFun Basic, CIS Controls IG1). Organisations should not seek to justify investments in these measures but rather select the most efficient approaches to operationalising controls within their organisational context.

What is it? Patching, hardening, MFA, inventory/ownership, least privilege, segmentation, and logging, implemented and measured uniformly. Representative catalogues include the protect-surface-oriented measure set (encryption in transit/at rest, IAM, segmentation, content inspection, backups, vulnerability management).

Why first? AMS breach analyses indicate that failures in these basics (unrestricted lateral movement, over-privileged users and misconfigurations) are the dominant root causes of breaches, so the basic mitigations follow directly: inventory, access control, lateral-movement barriers and endpoint detection and response.

How to value? Consider total cost of ownership (TCO) and technical requirements, balanced against contextual and strategic fit, including the organisation’s internal resource capabilities.

Middle: Compliance

The compliance layer encompasses all requirements imposed by internal and external regulation. These regulations aim to address the common threats of operating in a specific industry sector (aerospace, finance and critical services, for example, each have their own regulatory regime). How complete this layer is depends heavily on the sector: highly regulated sectors are subject to a substantial set of security measures (e.g., NIS2, DORA, PCI DSS), whereas less regulated sectors face considerably lower standards, lighter audit regimes, and smaller fine and board-liability exposure[1].

Security investments originating from the compliance perspective can be seen as the barrier to entry for operating in a given sector. The organisation should weigh the cost of compliance against the potential losses from non-compliance, or against the opportunity to enter a new regulated market. The losses will mostly be the direct consequences of non-compliance, such as regulatory fines, loss of the licence to operate or, in some cases, direct consequences for board members. Set against them is the opportunity to enter new markets when the company gains accreditation for its products or services, or wins new customers, by complying with a specific regulatory regime.

Decisions on investments within this context should consider these direct consequences and balance them with the TCO of the proposed solutions. Other factors, such as technical requirements, resource capabilities and contextual and strategic fit, remain relevant at this level.

What is it? Controls needed to satisfy sectoral regulation (e.g., GDPR Art. 32 safeguards; NIS2/DORA capabilities) and to demonstrate “being in control” through evidence and response readiness (dashboarding, SOC/CSIRT). A company’s “trust centre” can proactively show the public how it performs in the data and cyber domain.

Why now? Regulatory exposure is often a top cost driver, and well-evidenced responses and governance demonstrably lower penalties and reputational harm.

How to value? Combine cost avoidance (expected fines and claims) with assurance value; bound the spend with the Gordon–Loeb rule (investing more than roughly 37%, i.e. 1/e, of the expected loss is inefficient) and account for operational fit and total cost of ownership.

Advanced Targets: Risk-based, industry-specific

At the top of our pyramid is the risk layer, where we consider threats specific to the organisation. Depending on the “thickness” of the compliance layer, few or many risks may remain to be addressed from this perspective. Organisations operating a reliable IT environment in a highly regulated sector will have already covered a wide range of scenarios, leaving this layer for fine-tuning their security posture for very specific and targeted events. However, organisations with very “thin” layers beneath will need to consider a wide range of threat and risk scenarios to ensure adequate coverage. We recommend approaching the risk layer of the pyramid through scenario-based thinking. Ideally, these decisions should be integrated with actual business decision-making, rather than being addressed retrospectively.

What is it? Targeted scenarios reflecting the threat actors and sector threats relevant to the organisation (e.g. national cyber security centre threat reports, MITRE ATT&CK tactics, techniques and procedures), mapped to high-value assets (protect surfaces) and business loss drivers. This is where advanced analytics (e.g. Bayesian updates, simulations) are worthwhile (Bobbert, 2020).

Why last? Only after hygiene and compliance “raise the floor” do marginal, scenario-specific investments deliver outsized ROSI. AMS case work shows that combining sector threat data with business-specific loss data makes ROSI tangible for boards and shifts the portfolio towards the highest payoffs (Bobbert, 2020).

How to value? Apply ROSI in combination with the factors relevant to decisions in the other contexts. Estimate the annualised loss expectancy as ALE = ARO × SLE, where ARO is the annual rate of occurrence and SLE the single loss expectancy, and present ranges (e.g. 90% intervals) rather than fixed points; base ARO on base rates and control coverage, and SLE on cost-of-breach components (Bobbert, 2020).

Workshop results at AMS also show that a scenario-based breach simulation does not require a large body of actuarial breach and control data. Revenue figures in annual reports can be converted into daily disruption losses, and the cost breakdown of a breach, both tangible and intangible, has been studied extensively. The value of stolen data is assessed yearly by the Ponemon Institute and IBM (Cost of a Data Breach report), which helps estimate the data-loss component. Penalties are typically calculated as a percentage of revenue and increase significantly when the authority finds a malfunctioning board, in which case the fine is raised to set an example in the market.
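As an added, runnable illustration of the valuation steps above (ALE = ARO × SLE with 90% intervals instead of point estimates, a daily disruption loss derived from annual revenue, ΔALE and ROSI, and the Gordon–Loeb ceiling), the following Python script is not part of the original article or of AMS tooling. All scenario figures in it (an incident rate of 0.5/year reduced to 0.1/year by a control, a single-loss interval of one to ten days of revenue, the revenue figure and the control cost) are constructed for the example; it uses only the standard library.

```python
"""
Scenario-based ROSI with ranges rather than point estimates.

Added example for the AMS ROSI pyramid article; not the authors' tooling.
All scenario figures (ARO before/after, SLE interval, revenue, control cost)
are constructed. Standard library only.
"""
import math
import random

Z90 = 1.6448536  # N(0,1) quantile bounding a two-sided 90% interval (5th/95th pct)


def lognormal_from_90ci(low: float, high: float) -> tuple[float, float]:
    """(mu, sigma) of a lognormal whose 5th and 95th percentiles are low and high.

    This is the 'range instead of a fixed number' step: the expert supplies a
    90% interval for the single loss expectancy (SLE) and we fit a distribution.
    """
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def ninety_pct_interval(mu: float, sigma: float) -> tuple[float, float]:
    """Inverse of lognormal_from_90ci: the fitted 5th and 95th percentiles."""
    return math.exp(mu - Z90 * sigma), math.exp(mu + Z90 * sigma)


def daily_disruption_loss(annual_revenue: float, operating_days: int = 365) -> float:
    """Back a per-day outage loss out of the revenue figure in the annual report."""
    return annual_revenue / operating_days


def point_ale(aro: float, sle: float) -> float:
    """Annualised Loss Expectancy as a point estimate: ALE = ARO x SLE."""
    return aro * sle


def rosi(delta_ale: float, control_cost: float) -> float:
    """ROSI = (ALE reduction - annual cost of the control) / annual cost."""
    return (delta_ale - control_cost) / control_cost


def gordon_loeb_cap(expected_loss: float) -> float:
    """Gordon-Loeb ceiling: optimal spend never exceeds 1/e (~37%) of expected loss."""
    return expected_loss / math.e


def analytic_delta_ale(aro_before: float, aro_after: float,
                       sle_low: float, sle_high: float) -> float:
    """Closed-form ALE reduction, using the lognormal mean exp(mu + sigma^2 / 2)."""
    mu, sigma = lognormal_from_90ci(sle_low, sle_high)
    return (aro_before - aro_after) * math.exp(mu + sigma ** 2 / 2)


def simulate_scenario(aro_before: float, aro_after: float, sle_low: float,
                      sle_high: float, control_cost: float,
                      runs: int = 20_000, seed: int = 7) -> dict:
    """Monte Carlo of one loss scenario over a year, before and after a control.

    Yearly event count ~ Poisson(ARO); each event's loss ~ lognormal fitted to
    the SLE interval. Returns ALE before/after, 90% intervals of annual loss,
    the ALE reduction, ROSI and the Gordon-Loeb sanity check.
    """
    rng = random.Random(seed)
    mu, sigma = lognormal_from_90ci(sle_low, sle_high)

    def poisson(lam: float) -> int:
        # Knuth's method; adequate for the small rates typical of an ARO
        threshold, k, p = math.exp(-lam), 0, 1.0
        while True:
            p *= rng.random()
            if p <= threshold:
                return k
            k += 1

    def annual_loss(aro: float) -> float:
        return sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(aro)))

    def pct(sorted_xs: list, q: float) -> float:
        return sorted_xs[min(int(q * len(sorted_xs)), len(sorted_xs) - 1)]

    before = sorted(annual_loss(aro_before) for _ in range(runs))
    after = sorted(annual_loss(aro_after) for _ in range(runs))
    ale_before, ale_after = sum(before) / runs, sum(after) / runs
    delta = ale_before - ale_after
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "loss_90_before": (pct(before, 0.05), pct(before, 0.95)),
        "loss_90_after": (pct(after, 0.05), pct(after, 0.95)),
        "delta_ale": delta,
        "rosi": rosi(delta, control_cost),
        "gordon_loeb_cap": gordon_loeb_cap(ale_before),
        "within_gordon_loeb": control_cost <= gordon_loeb_cap(ale_before),
    }


if __name__ == "__main__":
    # Constructed scenario: a ransomware outage of 1 to 10 days (90% interval),
    # each day costing the daily revenue implied by a EUR 365M annual report.
    day = daily_disruption_loss(365_000_000)
    result = simulate_scenario(aro_before=0.5, aro_after=0.1,
                               sle_low=1 * day, sle_high=10 * day,
                               control_cost=200_000)
    for key, value in result.items():
        print(f"{key:>20}: {value}")
```

The 90% intervals on annual loss are what a board can act on: the ALE is a mean, and a fat-tailed scenario can have a 95th percentile many times larger than its mean even when ROSI looks comfortable. The `analytic_delta_ale` function is there to check the simulation; if the two disagree by more than a few percent, the run count is too low for the tail in question.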

Figure 2: Different contexts for security investment decisions

Discussion

When making decisions about cybersecurity investments, it is essential to consider whether the investment is made from a cyber hygiene, compliance, or risk-based perspective. Based on this context, organisations can prioritise different factors for investment decision-making and require varying levels of evidence by tailoring their evaluation criteria accordingly.

Do not rely on fixed numbers, as cybersecurity investments are highly context-dependent. Use ranges and scenarios instead, since benchmarks and rules of thumb capture only part of the picture and may overlook strategic fit. Note also that industry benchmarks offer insight into the overall portfolio of cybersecurity investment but do not help select the most valuable individual investments.

When applying ROSI, remember that it is not about complex formulas. Ensure that you use ROSI in the appropriate context, where you are prepared to invest in quantifying cybersecurity risks. Even then, keep the approach simple. There should always be room for expert opinions, provided they are grounded in a conceptually coherent framework.

Conclusion

When we approach cybersecurity investment decisions as contextual rather than purely mathematical problems, we make better and more precise choices: security controls that are tailored to strategic fit, to the company's challenges and to its resource capabilities, such as knowledge and maintenance capacity. This article argues that a significant part of cybersecurity investment is mandated from a cyber hygiene and compliance perspective. Compliance ensures we are "in control," and only after that should we optimise organisation- and sector-specific, risk-based investments using quantitative methods. Organisations can then make cybersecurity investment decisions in each of these layers, using different criteria to guide them. This Maslow-like pyramid also helps to open the discussion about basic needs (hygiene) and about which aspects of a specific investment are essential and which optional, such as outsourcing versus handling tasks in-house.

To make a strong case to boards and regulators, you should consider decision-making in each of these contexts differently:

  • For basic cyber hygiene decisions, provide a clear and understandable overview and clarify the total cost of ownership (TCO) of the selected options.
  • For compliance-based decisions, present an overview of compliance with internal and external regulations and clarify the return on investment (ROI).
  • For risk-based decisions, use simple and transparent economic analysis (ΔALE), ranges, and Bayesian updates.

Our seven habits for cybersecurity investment decision-making are:

  1. Formulas are not the issue; the real obstacles are perceived complexity, limited time and skills, and cultural constraints. Use ranges and priors, then update them with evidence.
  2. Breaches tend to follow simple patterns. Hygiene- and compliance-aligned controls form the first layers of defence.
  3. The ROSI pyramid – starting with hygiene, then compliance, and finally risk-based scenarios – aligns the level of quantification with the decision context.
  4. Key points for cybersecurity professionals: Begin with the basics, including inventory, multi-factor authentication (MFA), hardening, segmentation, logging, and response playbooks. Then, measure coverage.
  5. Quantify with a purpose: use ROSI for control selection, Value at Risk (VaR) for enterprise tail risk, and FAIR for scenario prioritisation.
  6. Use ranges instead of fixed numbers and apply scenario-based thinking to update your beliefs as new data arrives.
  7. Present the board with a clear story dependent on the decision context.

References

Verslegers, D. (2025). Decisions on Cybersecurity Investments (ROSI). Technical report. Covers the obstacles to ROSI, the contextual decision model and the finding that “formulas are not the problem”.

National Cybersecurity Agency of France (ANSSI). (2019). EBIOS Risk Manager: The method. https://cyber.gouv.fr/sites/default/files/2019/11/anssi-guide-ebios_risk_manager-en-v1.0.pdf

Bobbert, Y. (2020). Digital risks to business, what do they cost? Antwerp Management School blog. Covers scenario-based ROSI, ALE = ARO × SLE and board communication.

AFCEA (2013). The Economics of Cybersecurity: A Practical Framework for Cybersecurity Investment. AFCEA Cyber Committee, Economics of Cybersecurity Subcommittee, with a set of outside advisors.

APPENDIX

Applying the pyramid: a staged method

  1. Frame the portfolio by tier.
  • Hygiene baseline (organisation-wide): implement/verify controls from the protect-surface catalogue; monitor with dashboards; instrument SOC playbooks.
  • Compliance set: map mandatory capabilities to assurance evidence (e.g., incident documentation, response SLAs).
  • Risk-based set: select 3–5 sector-salient scenarios (e.g., data exfiltration via a public API; ransomware on OT) and quantify with ranges; update beliefs as telemetry accumulates.
  2. Quantify with ranges. Convert qualitative scales to quantitative inputs (probability intervals; loss distributions) using the one-for-one substitution method; iterate as better data arrive.
  3. Bound spending. Use Gordon–Loeb to sanity-check outliers (spend above roughly 37% of expected loss), then prioritise by ROSI per euro and organisational fit.
  4. Explain the story. For boards, tie the sum of scenario ΔALEs to the hygiene/compliance foundations and to strategic objectives; AMS case guidance shows this increases approval likelihood and supports continuous improvement (Bobbert, 2020).
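The “update beliefs as telemetry accumulates” step in 1 and 2 above, as an added Python example that is not part of the article or of AMS case material. It treats the annual rate of occurrence (ARO) as a Poisson rate with a Gamma prior built from a sector base rate (the conjugate Gamma–Poisson model, one standard way to perform the Bayesian update the article refers to), then narrows that prior with the organisation's own incident count. The prior (0.5 incidents per year, held with the weight of four years of pseudo-observation), the telemetry windows and the SLE used for the ALE range are constructed for the example.

```python
"""
Bayesian update of an ARO estimate as own telemetry accumulates.

Added example for the AMS ROSI pyramid article, not the authors' own code.
Uses the conjugate Gamma-Poisson model: incidents per year ~ Poisson(ARO),
ARO ~ Gamma(shape, rate). All figures below are constructed.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class AroBelief:
    """Gamma(shape, rate) belief about the annual rate of occurrence.

    shape behaves like a pseudo-count of incidents and rate like the number of
    years over which they were (or are imagined to have been) observed.
    """
    shape: float
    rate: float

    @classmethod
    def from_base_rate(cls, aro: float, pseudo_years: float) -> "AroBelief":
        """Encode a sector base rate (e.g. from an NCSC threat report) as a prior.

        pseudo_years sets how strongly the base rate is held: a small value lets
        a few years of own data dominate it, a large value does the reverse.
        """
        if aro <= 0 or pseudo_years <= 0:
            raise ValueError("aro and pseudo_years must be positive")
        return cls(shape=aro * pseudo_years, rate=pseudo_years)

    def mean(self) -> float:
        """Point estimate of the ARO (the Gamma mean)."""
        return self.shape / self.rate

    def update(self, incidents: int, years: float) -> "AroBelief":
        """Posterior after observing `incidents` in `years` of own telemetry."""
        if incidents < 0 or years <= 0:
            raise ValueError("incidents must be >= 0 and years > 0")
        return AroBelief(self.shape + incidents, self.rate + years)

    def interval(self, level: float = 0.90, draws: int = 50_000,
                 seed: int = 1) -> tuple[float, float]:
        """Credible interval by sampling (the stdlib has no Gamma quantile)."""
        rng = random.Random(seed)
        # random.gammavariate takes shape and *scale*, so scale = 1 / rate
        xs = sorted(rng.gammavariate(self.shape, 1.0 / self.rate)
                    for _ in range(draws))
        lo = xs[int((1 - level) / 2 * draws)]
        hi = xs[min(int((1 + level) / 2 * draws), draws - 1)]
        return lo, hi

    def width(self, level: float = 0.90) -> float:
        """Width of the credible interval; shrinks as telemetry accumulates."""
        lo, hi = self.interval(level)
        return hi - lo


def ale_interval(belief: AroBelief, sle: float,
                 level: float = 0.90) -> tuple[float, float]:
    """Turn the ARO interval into an ALE range (ALE = ARO x SLE) for a fixed SLE."""
    lo, hi = belief.interval(level)
    return lo * sle, hi * sle


def run_example() -> dict:
    """Prior from a base rate, then three alternative telemetry outcomes."""
    prior = AroBelief.from_base_rate(aro=0.5, pseudo_years=4.0)  # shape 2, rate 4
    quiet = prior.update(incidents=0, years=2.0)                   # nothing seen in 2 years
    noisy = prior.update(incidents=3, years=2.0)                   # three incidents in 2 years
    long_run = prior.update(incidents=1, years=10.0)               # a decade of telemetry
    return {
        "prior_mean": prior.mean(),
        "quiet_mean": quiet.mean(),
        "noisy_mean": noisy.mean(),
        "prior_width": prior.width(),
        "long_run_width": long_run.width(),
        "quiet_ale_90": ale_interval(quiet, sle=400_000.0),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key:>15}: {value}")
```

The pseudo-year weight is the one judgement call: it states how many years of the organisation's own telemetry it should take before local evidence outweighs the sector base rate. Reporting the interval width alongside the mean shows the board why the range narrows over time, rather than presenting a new point estimate each year.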

Clear “hygiene vs. advanced” distinctions

  • CIS Critical Security Controls (v8/v8.1) — uses Implementation Groups:
    IG1 = “essential cyber hygiene” (minimum set every org should implement), then IG2 and IG3 add depth and rigor. (CIS)
  • CIS Benchmarks (secure configuration) — each benchmark provides Level 1 (base, low business impact) and Level 2 (defense-in-depth for high-security environments) profiles. (CIS)
  • UK NCSC Cyber Essentials — defines a baseline of five technical control themes as the minimum standard; Cyber Essentials Plus adds hands-on, independent technical verification (i.e., a more advanced assurance layer). (NCSC)
  • CMMC 2.0 (U.S. DoD) — a tiered model: Level 1 (Foundational), Level 2 (Advanced), Level 3 (Expert) with progressively stricter practices. Treat Level 1 as hygiene; Levels 2–3 as advanced. (dodcio.defense.gov)
  • HIPAA Security Rule (healthcare) — distinguishes “required” implementation specs (mandatory) from “addressable” specs (risk-based / context-dependent), which typically sit above the hygiene floor. (Note: HHS has proposed removing this distinction prospectively.) (HHS.gov)
  • IEC/ISA 62443 (industrial/OT) — defines Security Levels (SL0–SL4) for systems/components; higher SLs counter more capable/adversarial threats (i.e., beyond hygiene). (IEC Webstore)
  • Australia’s Essential Eight — a small set of “essential” mitigation strategies with Maturity Levels 0–3; Level 1 is baseline hygiene, higher levels address increasingly sophisticated tradecraft. (ACSC)

Baselines & maturity tiers you can use as “basic → advanced”

  • NIST SP 800-53B control baselines: Low / Moderate / High impact baselines (plus a privacy baseline). Map Low to hygiene, Moderate/High to advanced depth. (NIST Computer Security Resource Center)
  • NIST Cybersecurity Framework (CSF) 2.0 Tiers: Tier 1 (Partial) to Tier 4 (Adaptive) indicate maturity of governance/risk management (not a control catalogue), useful for phasing from hygiene to advanced operations. (nvlpubs.nist.gov)
  • DOE C2M2 (all sectors, OT/IT): Maturity Indicator Levels MIL0–MIL3 per domain; higher MILs formalise and institutionalise practices beyond hygiene. (U.S. Department of Energy, Energy.gov)
  • FFIEC Cybersecurity Assessment Tool (financial services): maturity levels Baseline, Evolving, Intermediate, Advanced and Innovative across domains; “Baseline” aligns with hygiene. (ffiec.gov)

How to use these in the ROSI pyramid

  • Base (Hygiene): CIS Controls IG1, CIS Benchmarks Level 1, Cyber Essentials (self-assessment), Essential Eight Level 1.
  • Middle (Compliance/Assurance): HIPAA “required,” NIST 800-53 Low/Moderate or sector baselines, Cyber Essentials Plus verification, FFIEC Baseline/Evolving.
  • Apex (Risk-based/Advanced): CIS IG2–IG3, CIS Benchmarks Level 2, CMMC Levels 2–3, IEC 62443 SL2–SL4, Essential Eight Levels 2–3, NIST CSF Tiers 3–4.

This mix gives you a clear ladder from mandatory hygiene to advanced, risk-tailored controls with authoritative anchors you can cite to boards and regulators.
