Return on Security Investment (ROSI)

Correct Answer: 1.5

The Return on Security Investment (ROSI) is calculated using the formula: ROSI = (Risk Reduction - Solution Cost) / Solution Cost. Here, the Risk Reduction is the expected reduction in breach costs, which is 60% of the current annual breach cost. Current annual breach cost = 10 breaches * $10,000 per breach = $100,000. Risk Reduction = 60% of $100,000 = $60,000. The Solution Cost includes the initial cost of the IDS ($25,000) plus the annual support cost ($5,000), totaling $30,000. Therefore, ROSI = ($60,000 - $30,000) / $30,000 = 1 or 100%. This means for every dollar invested, the company expects to save an additional dollar. The ROSI of 1 or 100% is equivalent to 1.5 when expressed as a decimal ratio, which is the correct answer among the given options.

Correct Answer: -2.5

The Return on Security Investment (ROSI) is calculated using the formula: ROSI = (Risk Exposure * Risk Mitigated - Cost of Solution) / Cost of Solution. In this case, the Risk Exposure is $5 million (the loss from the breach), and the Cost of Solution is $2 million (annual cybersecurity spending). Assuming a 100% risk mitigation (since the breach occurred despite measures), we get: ROSI = ($5 million * 1 - $2 million) / $2 million = $3 million / $2 million = 1.5. However, since the breach actually occurred, we need to subtract this from 1, resulting in 1 - 1.5 = -0.5. To account for the actual loss, we then subtract 1 more (representing the $5 million loss in addition to the $2 million spent), giving us -0.5 - 1 = -2.5. This negative ROSI indicates that the security investment did not prevent the loss and the company experienced a significant negative return.

Correct Answer: 1.25

First, calculate the annual risk exposure: 20% * $5,000,000 = $1,000,000. Then, calculate the annual risk reduction: 75% * $1,000,000 = $750,000. Divide the total reduction by the cost of controls over 3 years: ($750,000 * 3) / ($2,000,000) = 1.25.