Journal Entry N° 008 17 March 2026 · 6 min read

Putting a Price on Cyber Risk

Cyber risk becomes a board decision when loss scenarios are quantified. Yuri Bobbert shows how breach impact, ROSI, governance gaps, and balanced scorecards turn security spending into business evidence.

Y · Why this matters. Digital business runs on exposed systems, APIs, and distributed ecosystems. Y = Why: why climb into growth if the organisation cannot price the weather ahead?

What the resource finds. Bobbert argues that boards need to understand cyber risk in economic terms, not only technical likelihood and impact. The article examines a financial-services breach scenario involving more than three million active customers and models both financial and non-financial damage.

The method combines public company data, internal documents, an interview with the head of IT Security, IBM Ponemon and Verizon DBIR reference data, breach-cost analysis, gap analysis, and Return on Security Investment. The example calculates Annual Loss Exposure at €200 million. With a 50% mitigation effect and €0.5 million security cost, ROSI reaches 1900%.

The article’s stronger finding is not that one control pays back. It is that better governance may matter more than more tools. The improvement areas include risk-to-control mapping, security embedded in DevOps and agile, stronger three-lines-of-defence, proactive risk monitoring, and independent control-efficiency monitoring.

Three learnings and methodological approaches.

  • Quantify Business Risks through BIA, SLE, ARO, ALE, ROSI, and breach-cost scenarios before asking the board for investment.
  • Map threat actors, business loss data, controls, and spend into risk-impact-treatment scenarios.
  • Translate the security programme into a Balanced Scorecard so management sees strategy, evidence, and progress together.

The route. The method is a teaching case using interview research, public-source analysis, breach-cost modelling, gap analysis, ROSI, and Balanced Scorecard design. The route matters because it turns cyber risk from fog into navigable business terrain.

Read the original: https://www.antwerpmanagementschool.be/en/blog/digital-risks-to-business-what-do-they-cost