What is the cost of a data breach? Assuming annual revenue of £30M, a single fine could be as much as a whopping £1.2M—the maximum 4%—when the European Union’s General Data Protection Regulation (GDPR) becomes effective in May 2018. Compare that to a database control cost factor of £750K, the cost of a database auditing and monitoring solution.
Imperva has been covering GDPR these past few months in a series of related data protection blog posts. Part 4: The Penalties for Non-Compliance, states:
“Examples that fall under this category are non-adherence to the core principles of processing personal data, infringement of the rights of data subjects, and the transfer of personal data to third countries or international organizations that do not ensure an adequate level of data protection.”
Protecting stored data does not typically result in incremental cash flows or cost savings. Viewed in purely financial terms, data protection is more about risk management. But given the (possibly significant) financial penalties for GDPR non-compliance, this “cost savings alone” approach doesn’t tell the entire ROI story. To help support our customers’ data security investment decisions, Imperva utilizes a return on security investment (ROSI) analysis approach.
Working with each client, we use this tool to present a viable business case for their solution investment. Each situation is unique, but the calculations are readily available to prove each case. In this post, we explain the ROSI calculation methodology and how it can help you provide business justification for your GDPR-related data security investments.
What is ROSI?
Traditional investment appraisals, such as payback period, net present value (NPV) and ROI calculations—while useful—only project positive results if there are identified cost savings or revenue enhancements. However, security is not generally an investment that results in profit, but rather one that prevents loss. When you invest in data security, you don’t anticipate benefits—instead you expect to reduce the risks threatening your assets. And in the case of GDPR, this ultimately includes fines associated with non-compliance.
Calculating ROSI for each data security control (e.g., CounterBreach, SecureSphere web application firewall) can quickly demonstrate how much potential loss your organization may be able to avoid by investing in data security.
Let’s look at a few terms used to calculate ROSI:
Single-loss expectancy (SLE) – The SLE is the estimated amount of money that will be lost should a risk occur. It can be considered as the total cost of an incident, assuming it’s a single occurrence. In our example, the £12M GDPR fine is an SLE.
Annual rate of occurrence (ARO) – How frequently a given risk might occur over the course of one year—its probability—is the ARO.
Annualized loss expectancy (ALE) – ALE is the annual monetary loss that can be expected from a specific risk for a specific asset.
Multiplying the SLE by the ARO reveals what similar breach events are going to cost your organization in total per year—its ALE. If you anticipate two such annual events, a single £12M fine becomes £24M.
The Formula Explained
Imperva uses a standard quantitative risk analysis formula. By plugging a client’s variable data into our spreadsheet model, we calculate the ROI percentage by taking their ALE and subtracting it from their modified annual loss expectancy (mALE).
There are also some income statements in our equation. We determine the cost of each control. For Imperva, this means the product costs of our solutions over, say, a five-year period. We are also able to evaluate total cost of ownership (TCO) to determine each control cost in relation to electricity, staff, and (VPN acceleration module, or VAM) servers.
A ROSI Example
As an example, a ROSI calculation for secure database control projects a return anywhere from 1991% for 0.9 effectiveness (a near-perfect database control) to 132% for 0.1 effectiveness (the control doesn’t stop everything, but still adds nominal value). Even at the lower effectiveness value, a highly viable return is realized.
Our spreadsheet calculations model any series of threats, with each incident type representing a unique variable. The SLE is another variable, as is the ARO. Enter these in and out come two ROSI calculations. The first is worked out on an annual basis. Then, if performing an investment appraisal of three or five years, those ROSI figures are also presented.
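The calculation described above, as an added worked example (not Imperva's spreadsheet model): it assumes the commonly published form ROSI = (ALE − mALE − cost) / cost with mALE = ALE × (1 − effectiveness), since the page does not write the formula out. The £12M SLE, the two events per year and the £750K control cost are the figures quoted on this page; the £100K yearly running cost and all function names are constructed for illustration, so the outputs differ from the 1991% and 132% above, whose inputs are not given.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float            # single-loss expectancy in GBP
    aro: float            # annual rate of occurrence (expected events per year)
    effectiveness: float  # share of the loss the control prevents, 0.0 to 1.0

    def __post_init__(self):
        if self.sle < 0 or self.aro < 0 or not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"invalid inputs for threat {self.name!r}")

    @property
    def ale(self) -> float:
        return self.sle * self.aro                    # ALE = SLE x ARO

    @property
    def male(self) -> float:
        return self.ale * (1.0 - self.effectiveness)  # loss still expected with the control


def rosi(threats, purchase_cost, annual_running_cost=0.0, years=1):
    """ROSI as a fraction: (ALE - mALE - cost) / cost, summed over threats and years."""
    cost = purchase_cost + annual_running_cost * years  # assumed: one-off purchase + yearly TCO
    if cost <= 0 or years < 1:
        raise ValueError("cost must be positive and years >= 1")
    avoided = years * sum(t.ale - t.male for t in threats)
    return (avoided - cost) / cost


def break_even_effectiveness(sle, aro, annual_cost):
    """Lowest effectiveness at which one year of the control pays for itself."""
    ale = sle * aro
    if ale <= 0:
        raise ValueError("ALE must be positive")
    return annual_cost / ale  # a result above 1.0 means the control can never pay off


def sweep(sle, aro, purchase_cost, levels=(0.1, 0.5, 0.9)):
    """Annual ROSI in percent at each effectiveness level, rounded to one decimal."""
    return {e: round(100 * rosi([Threat("gdpr-fine", sle, aro, e)], purchase_cost), 1)
            for e in levels}


if __name__ == "__main__":
    SLE, ARO, COST = 12_000_000, 2, 750_000  # figures quoted on the page
    for eff, pct in sweep(SLE, ARO, COST).items():
        print(f"effectiveness {eff:.1f}: annual ROSI {pct:.0f}%")
    five = rosi([Threat("gdpr-fine", SLE, ARO, 0.9)], COST, annual_running_cost=100_000, years=5)
    print(f"5-year ROSI at 0.9 (constructed running cost): {five:.0%}")
    print(f"break-even effectiveness: {break_even_effectiveness(SLE, ARO, COST):.3%}")
```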
Cost of Compliance
In light of the costs you may incur to come into compliance with the GDPR, a ROSI calculation methodology can be useful in helping demonstrate the potential loss your organization may be able to avoid by investing in data security solutions for GDPR. As you plan your GDPR-readiness strategy, consider building ROSI into your business justification discussions.