HackerOne, the largest organization of ethical hackers in the world, has warned Chief Information Security Officers (CISOs) to choose wisely how they measure the costs and benefits of cybersecurity.
The team tells CISOs and the C-suite that Return On Investment (ROI), the standard industry approach, is outdated regarding threat assessments and that it risks ignoring hidden costs and gains.
Instead, HackerOne suggests companies and organizations measure Return on Mitigation (ROM), which it says offers a more accurate view, especially when reporting to executives and the board, of where money spent defending against cyber threats actually goes.
Techopedia explores whether ROM is a useful metric for assessing cybersecurity — especially regarding budget questions.
Key Takeaways
- HackerOne argues ROI is outdated for cybersecurity budgeting, while security leaders say ROI overemphasizes direct costs.
- Return on Mitigation (ROM) is suggested as a way to account for hidden costs and savings.
- ROM includes brand reputation, compliance, and risk mitigation — successfully protecting your business is a profit center.
- Every breach affects customer trust, retention rates, diagnosis costs, and insurance premiums.
‘ROI Falls Short, Does Not Estimate All Costs or Indirect Gains’
How companies invest in cybersecurity depends on how CISOs present their vulnerability and mitigation management plans during budget meetings with executives.
Cybersecurity budgets are decided by how well those meetings go. Compromises are often made, and sometimes the pursuit of keeping costs down opens security gaps for an organization.
Executives understand ROI in these meetings, but HackerOne says there is a better way: using ROM.
HackerOne shared with Techopedia a new whitepaper, “When ROI Falls Short: A Guide to Measuring Security Investments with Return on Mitigation,” which comes with two main takeaways:
First, it reveals that security leaders have a negative experience or perception of ROI’s capability to measure cybersecurity’s actual value.
Second, it offers ROM as a new metric that helps security leaders put numbers on the costs, gains, and savings that ROI does not measure. HackerOne suggests ROM comes much closer to the reality of businesses, including their indirect and previously unquantified costs and gains.
Where ROM Can Help in Cybersecurity
Techopedia spoke with Josh Jacobson, Director of Professional Services at HackerOne, who told us:
“ROI is the gold standard for justifying cybersecurity spending, but most security leaders don’t find it to be comprehensive enough. That’s because it fails to consider enough factors that make proactive cybersecurity efforts beneficial — and breaches so damaging.”
Jacobson explained that these gaps limit a CISO’s ability to effectively communicate how proactive security helps their business financially to justify investment.
After surveying 550 security leaders, including CIOs, CISOs, and security directors, HackerOne’s report found that the majority (77%) prioritize evaluating incident response and long-term stability in budgets.
However, more than two-thirds of security leaders (69%) believe that ROI overemphasizes direct costs and does not account for indirect costs, such as incident response and training.
More than half of leaders said ROI fails to consider different factors that add cybersecurity value, such as cost savings from avoided breaches and other indirect benefits like a strong brand reputation and customer trust.
After all, we notice when a fire consumes a building or takes a life, not the times a firefighter puts out a small kitchen fire before it grows into something bigger.
The consensus among most CISOs and security leaders is that the ROI formula [ROI = Net Profit / Cost of Investment x 100] does not give budget decision-makers the full picture of how spending on cybersecurity translates into real financial gains.
Alex Rice, co-founder and Chief Technology Officer at HackerOne said:
“When it comes to breaches, we all intuitively know that an ounce of prevention is worth a pound of cure.
“But without the right metrics, it’s hard to advocate for the value of security investments. Return on Mitigation reframes proactive and preventive work as a value driver.”
How Does the Return on Mitigation (ROM) Formula Work?
The ROI and ROM formulas look pretty much the same, except for one big difference.
Return on investment is estimated by subtracting the cost of investment from revenue, then dividing by the investment amount, and finally multiplying by 100.
Or:
ROI = (Revenue – Cost of investment) / Cost of investment x 100
If a company invests $100,000 in a cybersecurity tool that mitigates a ransomware attack that would have cost $150,000, the net profit would be $50,000.
HackerOne highlights that ROI treats mitigation costs as losses, rather than recognizing their value in preventing greater damage.
The suggestion is to treat mitigated loss as profit, and the ROM formula does exactly that: it replaces Net Profit with Total Mitigated Losses, and the result is referred to as Return on Mitigation (ROM).
The formula is as follows:
ROM = (Total mitigated losses – Cost of investment) / Cost of investment x 100
Jacobson from HackerOne told Techopedia that Return on Mitigation (ROM) is a holistic metric that more accurately quantifies the complexities of cybersecurity work in financial terms.
“It measures the value of proactive cybersecurity investment in terms of losses prevented by mitigated risks like regulatory fines, legal costs, reputational damage, and business disruptions,” Jacobson said.
Why ROM Overcomes the Challenges of Factors That ROI Overlooks
The ROM formula looks simple and elegant. The problem, or the challenge, is how to calculate the total cost of mitigated losses, including factors that ROI overlooks, like stability, trust, brand reputation, or the long-term integrity of systems.
Elements that should be included in ROM calculations include:
- Data recovery costs
- Legal fees
- Compliance and regulatory fines
- Lost revenue due to business disruption
- Forensic investigations
- Increased insurance premiums
- Cost of third-party incident response
- Loss of customer trust
Each of these items is an indirect cost that is hard to pin down, but each can still be worked out, or at least estimated. Does a breach cause customers to leave? What does a forensic investigation of a breach cost? Do insurance premiums go up when data is stolen?
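A worked calculation of both formulas on the page's $100,000 investment / $150,000 averted-attack example, with the mitigated loss itemised across the categories listed above. This is an added example, not code from HackerOne or its Hai platform; the per-category dollar figures are constructed for illustration.

```python
# Added example (not from the HackerOne whitepaper or Hai): ROI versus ROM
# on the article's numbers, with the mitigated loss itemised by category.
from typing import Mapping

# Constructed breakdown of the $150,000 ransomware loss the article uses,
# spread across the indirect-cost categories it lists. Figures are illustrative.
MITIGATED_LOSSES: dict[str, float] = {
    "data_recovery": 30_000,
    "legal_fees": 15_000,
    "compliance_and_regulatory_fines": 20_000,
    "lost_revenue_from_disruption": 40_000,
    "forensic_investigation": 15_000,
    "increased_insurance_premiums": 10_000,
    "third_party_incident_response": 10_000,
    "loss_of_customer_trust": 10_000,
}
INVESTMENT = 100_000  # cost of the security tool, from the article's example


def roi(revenue: float, cost: float) -> float:
    """ROI = (Revenue - Cost of investment) / Cost of investment x 100."""
    if cost <= 0:
        raise ValueError("cost of investment must be positive")
    return (revenue - cost) / cost * 100


def rom(mitigated: Mapping[str, float], cost: float) -> float:
    """ROM = (Total mitigated losses - Cost of investment) / Cost of investment x 100."""
    if cost <= 0:
        raise ValueError("cost of investment must be positive")
    return (sum(mitigated.values()) - cost) / cost * 100


def rom_breakdown(mitigated: Mapping[str, float], cost: float) -> dict[str, float]:
    """Percentage points of return each loss category contributes to the ROM numerator."""
    return {name: loss / cost * 100 for name, loss in mitigated.items()}


if __name__ == "__main__":
    # A defensive tool earns no revenue, so plain ROI reads it as a 100% loss...
    print(f"ROI (no revenue attributed): {roi(0, INVESTMENT):.1f}%")
    # ...while ROM credits the losses it prevented.
    print(f"ROM (itemised mitigated losses): {rom(MITIGATED_LOSSES, INVESTMENT):.1f}%")
    for name, points in rom_breakdown(MITIGATED_LOSSES, INVESTMENT).items():
        print(f"  {name:<32} {points:6.1f} pts")
```

The breakdown is the part a board will ask about: it shows which estimated loss categories carry the ROM figure, so each estimate can be challenged on its own.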
Jacobson, Director of Professional Services at HackerOne, said:
“CISOs can use ROM to reframe cybersecurity as a value driver and clearly communicate how preventive work aligns with their company’s goals in financial terms.”
For those looking for technology to streamline ROM calculations, HackerOne's AI copilot platform, Hai, has been updated to work these out.
Hai can check code, estimate costs, analyze, and even help CISOs generate content and text for storytelling and budget meeting presentations.
The Bottom Line
If you are a CISO or work closely with your security team leader, then the next time a budget meeting is called, you can estimate costs and gains that, despite being incredibly significant, have not been part of the conversation before — and justify their importance.
We need to move beyond the conversation that security is a cost to a business that has no impact on revenue — without a fire crew, the whole building might burn down.