Return On Investment (ROI) is the typical approach to justify the spending to acquire asset.

For the sample solar renewable energy illustrated, this is simple:

  • One-off cost like equipment purchase & installation
  • Recurring cost like maintenance, insurance, administrative (if trading to grid is involved)

In a 5 or 10 years total cost model, how much energy charges could be saved, or how much revenue is generated if energy is sold back to the grid vs how much expense to paid.

However, there are risks that might affect the net gain:

  • Sufficiency of sun light intensity
  • Weather condition at the location
  • Physical security of equipment against theft or sabotage

In cyber protection technology, stake holders normally expect cyber-security is the baseline and integrated with the asset. Adding extra cost won’t be seen as ROI.  A slightly adjusted model is to calculate the avoidance cost of a single cyber-security incident vs investment.  Therefore, the justification is to be:

If we invest $X, then we could avoid spending $Y in terms of

  • Investigation cost
  • Containment cost
  • Remediation cost
  • Reputation rebuild cost
  • Litigation cost

And don’t forget, these costs are just on top of the original investment to reduce the cyber weakness from recurrence.

Leave a Reply