Return on Security Investment (ROSI) is a financial and operational metric used to evaluate the value of cybersecurity initiatives within Operational Technology (OT) environments. Unlike traditional IT, where data protection is the primary concern, OT systems are directly tied to physical processes—such as power generation, manufacturing, oil and gas operations, transportation, and water treatment. As a result, calculating ROSI in OT considers not only financial impacts but also operational continuity, human safety, and environmental risks.
Formula
A widely referenced formula for ROSI is:
\text{ROSI} = \frac{(\text{Risk Exposure} \times \text{Risk Mitigation Rate}) - \text{Cost of Security Control}}{\text{Cost of Security Control}}
- Risk Exposure (RE): The potential loss if a cyberattack or system failure occurs. In OT, this can include lost production, damaged equipment, fines, or even human injury.
- Risk Mitigation Rate (RMR): The estimated percentage by which a security measure reduces the likelihood or impact of the threat.
- Cost of Security Control (CSC): The expenses of implementing and maintaining the defense, including hardware, software, staff training, and ongoing monitoring.
Application in OT Environments
In OT contexts, ROSI must account for factors beyond traditional IT concerns:
- Downtime Costs: For example, a manufacturing plant may lose millions of dollars per hour if production halts due to ransomware.
- Safety Incidents: Compromised OT systems in oil refineries or power plants could lead to worker injuries or environmental disasters, making security investments more critical.
- Regulatory Compliance: Many OT sectors (energy, transportation, water utilities) face strict requirements. Security breaches can result in severe fines and legal consequences.
- Reputational and National Security Impacts: Attacks on critical infrastructure can erode public trust and, in some cases, jeopardize national resilience.
Example
If a water treatment facility estimates that a successful cyberattack could cause $10 million in damages and operational disruption, and a segmentation solution reduces that risk by 70% at a cost of $500,000, then:
\text{ROSI} = \frac{(10,000,000 \times 0.70) - 500,000}{500,000} = 13
This means the organization expects a net return of $13 for every $1 spent on the control: the $7 million in avoided losses exceeds the $500,000 outlay by thirteen times that outlay.
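The calculation above, and the prioritization use of ROSI described later on this page, as an added worked example in Python (this is illustrative code written for this page, not a published formula implementation). It reproduces the water treatment figures, builds the $10 million risk exposure from an assumed decomposition into downtime, equipment damage and fines (the breakdown is constructed; the page gives only the total), and ranks several constructed candidate controls. It also reports the absolute net benefit alongside the ROSI ratio, since the two can rank controls differently. The control names and figures other than the $10 million / 70% / $500,000 case are assumptions.

```python
from dataclasses import dataclass


def ot_risk_exposure(hours_down: float, cost_per_hour: float,
                     equipment_damage: float = 0.0, fines: float = 0.0,
                     other: float = 0.0) -> float:
    """Assumed decomposition of Risk Exposure (RE) for an OT incident.

    The page lists lost production, damaged equipment and fines as typical
    OT loss components; this helper simply sums them. 'other' is a catch-all
    for items such as remediation labour that the caller wants to include.
    """
    return hours_down * cost_per_hour + equipment_damage + fines + other


def rosi(risk_exposure: float, mitigation_rate: float, cost: float) -> float:
    """ROSI = ((RE * RMR) - CSC) / CSC, as given on the page.

    A result of 13.0 means $13 net return per $1 spent; a negative result
    means the control costs more than the loss it is expected to avoid.
    """
    if cost <= 0:
        raise ValueError("Cost of Security Control must be positive")
    if not 0.0 <= mitigation_rate <= 1.0:
        raise ValueError("Risk Mitigation Rate must be a fraction between 0 and 1")
    return (risk_exposure * mitigation_rate - cost) / cost


def net_benefit(risk_exposure: float, mitigation_rate: float, cost: float) -> float:
    """Absolute avoided loss minus control cost, in dollars (the ROSI numerator)."""
    return risk_exposure * mitigation_rate - cost


@dataclass(frozen=True)
class Control:
    name: str
    risk_exposure: float   # RE: potential loss if the incident occurs
    mitigation_rate: float  # RMR: fraction of RE the control removes
    cost: float             # CSC: implementation plus ongoing operation

    def rosi(self) -> float:
        return rosi(self.risk_exposure, self.mitigation_rate, self.cost)

    def net_benefit(self) -> float:
        return net_benefit(self.risk_exposure, self.mitigation_rate, self.cost)


def rank_controls(controls: list[Control]) -> list[Control]:
    """Order candidate controls by ROSI, highest first (the prioritization use)."""
    return sorted(controls, key=lambda c: c.rosi(), reverse=True)


# Constructed breakdown that adds up to the page's $10 million example:
# 48 hours of disruption at $150,000/hour, $1.8M equipment damage, $1M fines.
WATER_TREATMENT_RE = ot_risk_exposure(hours_down=48, cost_per_hour=150_000,
                                      equipment_damage=1_800_000, fines=1_000_000)

# Constructed candidate controls; only the segmentation figures come from the page.
CANDIDATES = [
    Control("Network segmentation", WATER_TREATMENT_RE, 0.70, 500_000),
    Control("Secure remote access gateway (assumed)", WATER_TREATMENT_RE, 0.40, 250_000),
    Control("Full control-system replacement (assumed)", WATER_TREATMENT_RE, 0.90, 12_000_000),
]


if __name__ == "__main__":
    print(f"Risk exposure: ${WATER_TREATMENT_RE:,.0f}")
    for c in rank_controls(CANDIDATES):
        print(f"{c.name:45s} ROSI={c.rosi():6.2f}  net=${c.net_benefit():,.0f}")
```

Running the script ranks the assumed remote access gateway (ROSI 15.0) above segmentation (13.0), even though segmentation avoids more loss in absolute terms ($6.5 million net versus $3.75 million). ROSI measures efficiency per dollar, so when a budget can fund only one control the net benefit column is worth reading alongside it; the replacement option comes out negative, which is the signal that the page's formula is designed to surface.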
Benefits
- Board-Level Justification: Translates technical OT security initiatives into financial terms executives can understand.
- Prioritization Tool: Helps leaders choose which OT security measures yield the highest impact.
- Risk-Informed Decisions: Aligns security spending with the most pressing operational and safety risks.
Challenges in OT
- Complex Impact Measurement: Quantifying potential safety and environmental consequences is far more difficult than tallying IT data breach costs.
- Dynamic Threats: Attackers targeting OT often use advanced techniques, making risk predictions unstable.
- Legacy Systems: Many OT assets cannot be easily updated or patched, complicating risk reduction estimates.
- Intangible Value: Some benefits, such as maintaining public trust or preventing environmental damage, cannot always be measured in dollars.
Related Concepts
- Risk Management Framework (RMF): Structured processes for managing OT risks.
- Risk Mitigation Strategies: Controls such as network segmentation, remote access security, and incident response planning.
- Resilience Testing: Assessments of how well OT systems continue functioning under attack.