Return On Cyber Security Investment (ROCSI)

Lead Research Organisation: University of Nottingham
Department Name: School of Computer Science

Abstract

To be of business value, any investment must be selective and focus on high priority areas of the business. However, boards find it difficult to justify the cost of investment and formulate ROI arguments on cyber security due to their inability to fully understand and anticipate the direct and indirect impact of cyber threats. The fundamental problem is the absence of transparent ways of integrating cyber threats into the boards' decisions about investment in cyber security.

In an investment decision, organisations are required to determine the business impact if the threats were to manifest, and to calculate the direct cost (e.g. cyber threat mitigations, cyber insurance charges) and indirect cost (e.g. impact on system performance, share price drop) in order to optimise the organisation's security defence capability. The key decision makers are security managers (e.g. the CISO) and board members. However, they find it difficult to estimate the costs of investing and to balance these against the potential benefits procured or impacts mitigated, because cyber security investments prevent potential losses but may not generate revenue directly. There is no clear way of linking cyber threat mitigations to cyber security ROI. This is compounded by the uncertainties resulting from the changing threat landscape and business context (e.g. adding devices to the system or changing threat mitigation decisions).

The proposed ROCSI is designed to address these challenges by comprehensively capturing threat data from multiple threat sources and integrating it into the cyber security investment decision process. The ROCSI aims to deliver threat-informed, user-tailored decision support that is continuously updated as new threat data becomes available. The ROCSI will output the ROI analysis of threat mitigations for the business processes ranked by decision makers.

This project will deliver the foundations for a novel approach to cyber security decision making at the board and strategic level by combining multidisciplinary data and human factors to improve the transparency and quality of decision making. It will contribute to the national strategy on cyber security through research into threat-informed decision making at the board and strategic level, with the aim of enhancing organisations' cyber defence capability and improving organisational resilience. It addresses the theme "Incentives and behaviours" of the NCSC Research Problem Book by incentivising boards and organisations to proactively invest in cyber security and adopt positive security behaviours. The proposed research sits in the Global Uncertainties theme, where Cyber Security is listed as a priority.

This project is in a unique position to deliver impact in both research communities and industry, based on the PI's previous engagement with NCSC, RITICS, RISCS and Innovate UK, and on the PI's established contacts, who will help shape, evaluate and refine the proposed research. This project uniquely benefits from the host organisation's strong track record in research on human decision making (the LUCID research lab) and behavioural science (the ESRC-funded NIBS), its partnership with NCSC, GCHQ and Dstl, and the Horizon DER Institute, which enables the widest dissemination and exploitation of research outcomes.
