The One Equation You Need to Calculate Risk-Reduction ROI

CISO blog

As I have discussed in the past few blog posts (here and here), evaluating internal systems and services is a key component of understanding your organization's security posture. One methodology is to measure your risk against the CIS Controls to determine the strengths and weaknesses of your risk treatment. Put simply, once you understand your risks, you'll have a better idea of what it will take to address them proactively.

Inevitably there will be gaps, not just in your security processes and implementations but also in how you measure control effectiveness. These gaps should be identified and managed as action items to improve the overall security posture of your organization. The hard part for many organizations is deciding where to focus effort. Start by asking, "What will have the greatest effect on reducing risk?"

Calculating Risk-Reduction ROI

With any security decision, implementing new solutions and controls will likely require a monetary expense. This is where it pays to be able to weigh the cost of a potential risk against the cost of the control that addresses it. Here's one way to calculate Return on Investment (ROI) that accounts for the cost of the risk versus the cost of the control.

[Figure: the risk-reduction ROI equation]


Let's use phishing attacks as an example. Say your organization expects five successful phishing attacks per year, at an estimated cost of $35,000 each (an expected annual loss of $175,000). The cost to train employees to spot and avoid phishing emails is expected to be $25,000. Here's what the security ROI would look like:

[Figure: the phishing example worked through the risk-reduction ROI equation]

In this example, it makes monetary sense to invest the $25,000 in training to reduce the risk of a successful phishing attack. Remember that each organization is different: the values you plug in will depend on your circumstances and on the organization's risk tolerance. As with any application of the CIS Controls, the cost to implement will depend on your estimate of the risk reduction and on other local factors.

Setting Priorities

Looking into multiple cybersecurity solutions for the same risk? To compare mitigation strategies, run each one through the risk-reduction ROI formula above and see which reduces the most risk per dollar spent. You can also use the formula to determine which risks are the most cost-effective to address, which will help prioritize your defense strategy. The result is only as trustworthy as its inputs: the expected attack frequency, the cost per incident and the expected effectiveness of the control are all estimates, so record them alongside the result and revisit them as incident data accumulates. Any strategy must also be calibrated against the business' operational and organizational goals, with respect to the risk of greatest importance or the control deemed most crucial for cybersecurity. Nevertheless, this equation will prove useful in helping your organization review the cost of solutions per technical control.
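The following is an added worked example, not code from the original post or from CIS. The post's equation survives only as an image, so the script uses the standard cost-benefit form ROI = (loss avoided − cost of control) / cost of control, with the loss avoided computed from an annualized loss expectancy (ALE = annual rate of occurrence × single loss expectancy); that form, the `mitigation` fraction describing how much of the ALE a control removes, and the three alternative controls with their costs and effectiveness figures are all assumptions introduced here. It runs the post's phishing numbers (five incidents a year at $35,000, training at $25,000), shows the break-even effectiveness a control must reach before it pays for itself, and ranks (risk, control) pairs by ROI, which serves both the phishing example and the comparison of mitigations described above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """A loss scenario expressed as annualized loss expectancy (ALE)."""
    name: str
    aro: float   # annual rate of occurrence: expected successful events per year
    sle: float   # single loss expectancy: cost in dollars of one successful event

    @property
    def ale(self) -> float:
        return self.aro * self.sle


@dataclass(frozen=True)
class Control:
    """A candidate mitigation and the share of the ALE it is expected to remove."""
    name: str
    annual_cost: float   # what the control costs per year, in dollars
    mitigation: float    # fraction of the ALE it removes, 0.0 .. 1.0 (an estimate you supply)


def risk_reduction_roi(risk: Risk, control: Control) -> float:
    """ROI = (loss avoided - cost of control) / cost of control.

    Assumed standard cost-benefit form, not the post's own equation (which is in an image).
    0.0 means break-even; a negative value means the control costs more than it saves.
    """
    if not 0.0 <= control.mitigation <= 1.0:
        raise ValueError("mitigation must be a fraction between 0 and 1")
    if control.annual_cost <= 0:
        raise ValueError("control cost must be positive")
    avoided_loss = risk.ale * control.mitigation
    return (avoided_loss - control.annual_cost) / control.annual_cost


def break_even_mitigation(risk: Risk, control: Control) -> float:
    """Smallest fraction of the ALE the control must remove for ROI to reach zero.

    A value above 1.0 means the control cannot pay for itself even if it
    eliminates the risk entirely; use it to sanity-check optimistic estimates.
    """
    if risk.ale <= 0:
        raise ValueError("risk has no annualized loss to reduce")
    return control.annual_cost / risk.ale


def rank_options(options):
    """Rank (risk, control) pairs by ROI, highest first.

    Pass several controls for one risk to compare mitigations, or one control
    per risk to decide which risk is cheapest to buy down.
    """
    scored = [(r.name, c.name, risk_reduction_roi(r, c)) for r, c in options]
    return sorted(scored, key=lambda t: t[2], reverse=True)


# Figures from the post: 5 successful phishes a year at $35,000 each, and
# $25,000 for awareness training (assumed here to remove the whole loss).
PHISHING = Risk("phishing", aro=5, sle=35_000)
TRAINING = Control("awareness training", annual_cost=25_000, mitigation=1.0)

# Hypothetical alternative controls and effectiveness estimates, constructed
# for this example; they are not from the post.
CANDIDATES = [
    Control("awareness training", annual_cost=25_000, mitigation=0.75),
    Control("inbound mail filtering", annual_cost=40_000, mitigation=0.50),
    Control("phishing-resistant MFA", annual_cost=15_000, mitigation=0.25),
]

if __name__ == "__main__":
    print(f"ALE for phishing: ${PHISHING.ale:,.0f}")
    print(f"ROI of training if it eliminates the risk: {risk_reduction_roi(PHISHING, TRAINING):.2f}")
    print(f"Training breaks even once it removes {break_even_mitigation(PHISHING, TRAINING):.1%} of the loss")
    for risk_name, ctrl_name, roi in rank_options([(PHISHING, c) for c in CANDIDATES]):
        print(f"{risk_name:10} {ctrl_name:25} ROI {roi:6.2f}")
```

With the post's numbers the training returns 6.0 (600%) if it removes the whole loss, and it still breaks even once it prevents about one in seven of the expected incidents; that break-even figure is often the more honest number to put in front of a budget owner, because it states how effective the control has to be rather than assuming it is perfect. Swapping in several risks with one control each ranks the risks instead of the controls.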
