He, Ying and Xin, Tong and Luo, Cunjin (2025) Enhancing Cybersecurity Investment with FAIR-ROSI: A Responsible Cybersecurity Approach to Digital Society. Information Systems Frontiers. DOI https://doi.org/10.1007/s10796-025-10625-y
Abstract
Investment in cybersecurity is critical to protect information system security, preserve organizational interests, and fulfil social responsibilities. However, due to the lack of a transparent process, investors often struggle to assess the effectiveness of their investments. Traditional return on security investment (ROSI) can be considered an economic indicator that reflects investment efficiency, but it often emphasizes investment costs and anticipated returns while overlooking cybersecurity-related metrics. This paper proposes the FAIR-ROSI model, which integrates five qualitative and quantitative cybersecurity metrics with the Factor Analysis of Information Risk (FAIR) model. It combines practical qualitative and quantitative indicators to enhance the granularity of the traditional ROSI model. We then use a case study to evaluate the FAIR-ROSI model. The results from pre- and post-control measures show a narrow margin between actual and projected loss values and a significantly higher ROI compared to the total security expenditure.
Item Type: | Article |
---|---|
Uncontrolled Keywords: | Risk Assessment; Return on Security Investment (ROSI); Factor Analysis of Information Risk (FAIR); FAIR-ROSI Model; Cybersecurity Qualitative Metrics; Cybersecurity Quantitative Metrics |
Divisions: | Faculty of Science and Health; Faculty of Science and Health > Computer Science and Electronic Engineering, School of |
SWORD Depositor: | Unnamed user with email elements@essex.ac.uk |
Depositing User: | Unnamed user with email elements@essex.ac.uk |
Date Deposited: | 21 Jul 2025 07:25 |
Last Modified: | 21 Jul 2025 07:25 |
URI: | http://repository.essex.ac.uk/id/eprint/41281 |
Available files
Filename: s10796-025-10625-y (3).pdf