Journal Entry N° 006 14 April 2026 · 14 min read

A Better Logic for Cybersecurity Spend

Most boards still back cybersecurity spend with benchmarks and instinct. The answer here is a clear pyramid: fund hygiene first, treat compliance separately, and reserve full ROSI (return on security investment) for targeted risk scenarios.

Tags: leadership · boards · transformation

Y · Why this matters. At altitude, the first question is Y: why are we here, and what happens if we do nothing? Verslegers and Bobbert argue that boards still approve cyber spend through benchmarks and instinct, which leaves value, risk reduction, and trade-offs poorly tested.

What the article finds. The article says ROSI (return on security investment) stalls in practice less because of the mathematics than because organisations treat all security decisions as if they were the same. AMS research found that most practitioners do not use ROSI, even though many believe quantification would improve decisions. The real issue is context: basic hygiene, compliance, and targeted risk scenarios need different levels of proof.

Their answer is a pyramid. At the base, fund reliable IT and basic cyber hygiene, then choose the most efficient way to operationalise it. In the middle, treat compliance as a licence-to-operate question, balancing total cost against fines, claims, and market access. At the top, use ROSI and ALE (annualised loss expectancy) for a small set of sector-specific scenarios, and express uncertainty in ranges rather than false precision.

Three takeaways.

  • Separate hygiene, compliance, and risk-driven decisions before asking for numbers.
  • Fund baseline controls for coverage and resilience, then test cost, fit, and maintainability.
  • Use ROSI only where scenario-based quantification will change a board decision.

The route. The route is empirical and practical: AMS surveys, interviews, workshop findings, breach case work, and existing frameworks are shaped into a decision pyramid. That route is worth following because it matches the evidence burden to the decision, instead of forcing one formula onto every security investment.

Read the original https://www.antwerpmanagementschool.be/en/blog/from-gut-feel-to-gains-the-cybersecurity-roi-pyramid