The ROI of cyber security: proving value in 2025
In 2024, the average cyber security data breach hit £3.61 million, a 10% increase year over year. But, aside from the headline figure, the real story lies in the differences between companies that survive data breaches and those that suffer irreparable losses.
If you’re experiencing signs of a potential cyber incident and need urgent support, contact Zensec today. Our Incident Response teams are available for same-day deployment to help you contain and resolve threats quickly.
The £3.61 million wake-up call
Automation is key to reducing the costs of a data breach, with IBM’s 2024 Report highlighting reductions of around £1.63 million per incident on average.
There is fresh context for this year, too. IBM’s latest update puts the global average at £3.25 million, driven by faster detection and containment. See the headline figures on the IBM 2025 report page.
This is where Return on Security Investment (the ROI of cybersecurity) earns its place. We are not creating new revenue. We are avoiding loss. That is a business result.
Security ROI, not traditional ROI of cyber security investments
Traditional ROI asks how much money came in. Security ROI asks how much money was not lost. So, while it’s the same finance language, we’re looking at it through a very different lens. Cyber security ROI is about cost avoidance and risk reduction. That framing helps boards and budget holders align.
Sector context also matters, with healthcare sitting near the top of the range and financial services running high. However, not every benefit is easy to price. For example, brand trust is intangible and prevented incidents are invisible. Plus, the effects can last years, which is why using a simple formula can help.
A simple ROSI framework
ROSI works when inputs are honest and consistent. When you keep currency, scope, and time horizon consistent, everyone can read the numbers the same way. It’s also important to write down assumptions and use ranges.
The basics
Before calculating ROSI, it’s important to define key terms, including:
- Single Loss Expectancy: The cost of one incident, including downtime, recovery effort, third-party services, regulatory costs, and plausible fines.
- Annual Rate of Occurrence: How often that type of incident happens in a year. Use internal history, sector data, tabletop results, and the maturity of your controls.
- Annual Loss Expectancy: Multiply Single Loss Expectancy by Annual Rate of Occurrence to get the Annual Loss Expectancy before any investment is made.
From there, you’ll need to estimate a mitigation rate, which is the percentage reduction in loss you expect once the controls are in place. Please review the above Calculating ROSI resource for more information.
Use real data
You can use real data by pulling downtime from the service desk and outage logs. It’s also beneficial to ask finance departments about the hourly costs of disruption and use security tooling for incident counts and dwell time.
Then, review audit findings to understand any gaps and borrow loss drivers from your cyber insurance questionnaires. Add public benchmarks to anchor your sector context.
Example:
A mid-sized organisation estimates £2 million in annual cyber loss across outages, recovery work, external help, and contractual penalties. It plans a £500,000 programme that includes controls and automation.
A small pilot shows a likely ninety percent reduction for the targeted risks. That makes risk reduction £1.8 million. The ROSI is £1.8 million minus £500,000, divided by £500,000. The result is 2.6. One pound in. £2.60 of loss avoided. This is a method to inform decisions, not a guarantee.
Factor in sensitivity
Always test the sensitivity. If the mitigation rate were fifty percent, the ROSI would be about 1.0. At seventy percent it would be about 1.8. At ninety percent it is 2.6. Small input changes move the result, which is why you should present a range.
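The definitions, the worked example and the sensitivity check above, carried through in code. This is an added example, not part of the original post: the ALE of £2 million and the £500,000 programme cost are the post's figures, while the two risk scenarios, their SLE and ARO values, and the function names are constructed assumptions.

```python
"""ROSI calculator with a mitigation-rate sensitivity range (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    sle: float  # Single Loss Expectancy: cost of one incident, in pounds
    aro: float  # Annual Rate of Occurrence: incidents per year (may be < 1)


def annual_loss_expectancy(scenarios):
    """ALE before any investment: sum over scenarios of SLE x ARO."""
    return sum(s.sle * s.aro for s in scenarios)


def rosi(ale, control_cost, mitigation_rate):
    """ROSI = (risk reduction - cost of controls) / cost of controls,
    where risk reduction = ALE x mitigation rate.
    Returns (rosi, residual ALE) so the risk left after the spend is visible."""
    if not 0.0 <= mitigation_rate <= 1.0:
        raise ValueError("mitigation rate must be between 0 and 1")
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    risk_reduction = ale * mitigation_rate
    return (risk_reduction - control_cost) / control_cost, ale - risk_reduction


def sensitivity(ale, control_cost, rates=(0.5, 0.7, 0.9)):
    """ROSI at each candidate mitigation rate, so a range is reported
    instead of a single point estimate."""
    return {r: round(rosi(ale, control_cost, r)[0], 2) for r in rates}


if __name__ == "__main__":
    # Constructed scenarios chosen to reproduce the post's £2 million ALE.
    scenarios = [
        RiskScenario("ransomware takes core systems offline", sle=1_500_000, aro=1.0),
        RiskScenario("account takeover on customer portal", sle=250_000, aro=2.0),
    ]
    ale = annual_loss_expectancy(scenarios)
    programme_cost = 500_000  # the post's planned controls and automation spend
    for rate, value in sensitivity(ale, programme_cost).items():
        _, residual = rosi(ale, programme_cost, rate)
        print(f"mitigation {rate:.0%}: ROSI {value}, residual ALE £{residual:,.0f}")
```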
Key tip:
Follow these habits to ensure accurate calculations:
- Model residual risk after the spend
- Avoid double-counting compliance benefits
- Revisit inputs each quarter as controls mature and as new evidence arrives.
What we can measure
Boards want evidence tied to outcomes, so focus on items that move money and ensure continuity:
- Breach cost prevention. Security AI and automation correlate with lower average breach costs.
- Sector risk. Healthcare is at the top end. Finance is above the global mean.
- Operational efficiency. Automation reduces false positives, standardises response, and shortens investigations. That means fewer hours lost and less disruption. Implementing robust cybersecurity measures improves both protection and response maturity.
- Compliance posture. Continuous monitoring and automated evidence collection make audits faster and cleaner. Preparation time falls, and findings tend to shrink.
Turning cyber security metrics into a business story
Executives track revenue, uptime, regulatory exposure, and customer impact, so it’s vital to treat security metrics as leading indicators for those outcomes. Keep the story short, concrete, and consistent to show the financial benefits of reduced downtime and avoided losses.
Start with a clear objective
Start with the objective and frame security in business terms:
- Protect a revenue stream
- Keep checkout uptime above 99.95%
- Reduce outage risk during peak trading
Pick one objective and stick to it.
Map threats to the objective
Select the two cyber threat scenarios that would hurt most. Ransomware that takes core systems offline. Account takeover against a key customer portal. Name them and define the scope.
Select predictive metrics
Choose a small set of measures that predict disruption. For example:
- Time to detect
- Time to contain
- Patch latency for the systems in scope
- Percentage of critical alerts handled automatically
- Phishing fail rate where people risk is material
Write clear definitions so no one argues about what a number means.
Set baselines and targets
When setting targets, tie each to an expected change in Annual Loss Expectancy. If the time to contain falls by fifty percent, show the effect on hours of disruption and expected loss avoided.
Build a one-page scorecard
Trend each metric with a simple sparkline. Use traffic light thresholds so the status is obvious. Add one sentence under each chart that explains why the number moved.
Then tell the story with a scenario. For example:
Without the new control, an outage in this system costs £X per hour. With the control and the observed improvement in time to contain, the expected loss avoided is £Y for the period.
Link that back to the ROSI model so the finance and security views match.
Create a cadence
Create a steady cadence. Review monthly operations. Update the board each quarter. Focus on trends and exceptions, not on tool output. Close with one decision on what funding should support next. Use results to plan proactive security measures that anticipate risks before they escalate.
Close the loop
Close the loop after real incidents. Capture lessons. Adjust targets and the ALE. Refresh the ROSI range and the scenario so the numbers stay honest over time.
Why Zensec cares about ROI
Zensec focuses on outcomes that leadership can trust. Faster containment. Smaller blast radius. Clear proof.
We are listed by the NCSC as an Assured Cyber Incident Response provider. The aim is simple. Fewer bad surprises. Faster recovery. Reporting that stands up in the boardroom.
Conclusion
Cyber security ROI is avoiding losses and gaining confidence. The best way to start is by selecting and sizing one material risk with a simple ROSI model.
From there, you can invest in the right controls, automate where it makes most sense, and track time to detect and time to contain.
Always report outcomes in business terms and iterate each quarter to build trust, protect growth, and prove value.
If you want support building the first model or running an incident response exercise, contact Zensec.