Stop Treating Cyber Security as an Overhead – Calculate the Cost of Doing Nothing

Cyber security is often seen as a cost centre, not a value driver.  That’s not just a problem for SMEs; the same attitude is still often found at a corporate level.  Within SMEs it’s not too rare to find it positioned as an insurance or compliance spend, not as something that enables trust, customer retention or business continuity.  Often there is no ownership at the top and no board pressure until something goes wrong.  If no one owns the risk, it stays floating below the surface.

We need to flip the mindset.  Cyber security needs to feel like it’s part of the core business and should be framed as:

  • Protecting revenue not systems.
  • Protecting customers not servers.
  • Protecting the ability to operate.

Cyber incidents must be seen as business stopping events, not just technical inconveniences.  Once that is recognised at the top, it tends to be moved into core business territory very quickly.

Measuring ROI (Return on Investment) in cyber security solutions is tricky because, unlike traditional investments, the “return” usually comes in the form of avoided losses, reduced risk and improved resilience rather than direct revenue.  That amounts to proving a negative, which produces a circular argument.  In the blue corner we have the bean counters saying we don’t need to spend much because we’ve never been attacked, and in the red corner we have the techies telling management that you haven’t been attacked because we have spent on protections.  There is often no meeting of minds until we frame it in business terms, and there are well-established approaches for doing exactly that.

Here’s how ROI in cybersecurity is typically measured:

Define the Investment (Costs)

This includes all direct and indirect costs of the cybersecurity solution:

  • Technology costs: licenses, hardware, software, cloud services.
  • Implementation costs: setup, integration, migration.
  • Operational costs: monitoring, maintenance, upgrades.
  • Personnel costs: training, staff time, additional headcount.
  • Third-party services: managed security providers, audits, compliance checks.

Estimate the Return (Benefits)

Returns are usually risk reductions and operational gains, such as:

  • Avoided breach costs:
    • Average cost of a data breach (detection, remediation, legal fees, fines, customer churn, downtime).
    • Likelihood (probability) of an attack succeeding without the solution.
  • Operational efficiency:
    • Fewer false positives, reduced downtime, less staff time spent on manual tasks.
  • Regulatory compliance:
    • Avoidance of fines and penalties.
  • Business continuity & reputation:
    • Reduced likelihood of lost customers and brand damage.

Cybersecurity ROI Calculator Template

This can get quite complex very quickly, so SMEs need to take from it what they need and discard the rest.  Be wary though that you understand what you need and what you don’t.  The best way of doing this is to carry out a risk assessment on the assets you are trying to protect.  Until you’ve done that the ROI will be almost impossible to predict.

If you need to understand the risk assessment procedure, then this short video will guide you:

Cyber Resilience for SMEs: Navigating the Digital Wild West (synthesia.io): a short video describing cyber risk management and how SMEs should consider approaching this subject.

Once you have a good grasp of cyber risk management and you understand the threats and what you may need to do to protect yourself from those threats, then you can use this framework in Excel, Google Sheets, or whatever you use. The formulas are structured so you can plug in your own assumptions and automatically calculate:

  • Annualised cyber risk exposure
  • Risk reduction from controls
  • Expected financial savings
  • Total security investment
  • ROI %

Step 1 — Define Your Baseline Risk

Annual Expected Loss (AEL):

\text{Annual Expected Loss} = \text{Probability} \times \text{Financial Impact}

Example:

  • 20% × £500,000 = £100,000 expected annual loss

At the bottom:

| Total Baseline Risk Exposure | =SUM(D2:D5) |

Now clearly you need an understanding of the threat to assess the annual probability, and you need an understanding of how long it would take you to recover from that threat becoming a reality.  You may need advice or you may feel that you have sufficient information to make that calculation yourself.

Step 2 — Add Security Controls

Now estimate how much each cybersecurity investment reduces

Step 3 — Calculate Residual Risk

For each risk scenario:

Formula

Residual Risk:

\text{Residual Risk} = \text{Baseline Risk} \times (1 - \text{Risk Reduction})

Then total:

| Total Residual Risk | =SUM(D2:D5) |
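As an added worked example (not part of the original post or its spreadsheet template), here are Steps 1 to 3 and the closing ROI figure as a script rather than a sheet. The scenario rows and the £40,000 control spend are constructed values, and the ROI formula is the conventional (savings minus investment) / investment, which the post lists as an output but does not spell out.

```python
from dataclasses import dataclass

@dataclass
class RiskScenario:
    name: str
    probability: float           # annual likelihood of the event occurring (0-1)
    impact_gbp: float            # financial impact if it does (recovery, downtime, fines, churn)
    risk_reduction: float = 0.0  # Step 2: fraction of the risk the chosen controls remove (0-1)

    def baseline_risk(self) -> float:
        # Step 1: Annual Expected Loss = Probability x Financial Impact
        return self.probability * self.impact_gbp

    def residual_risk(self) -> float:
        # Step 3: Residual Risk = Baseline Risk x (1 - Risk Reduction)
        return self.baseline_risk() * (1 - self.risk_reduction)

def total_baseline(scenarios) -> float:  # the sheet's =SUM(D2:D5) over the baseline column
    return sum(s.baseline_risk() for s in scenarios)

def total_residual(scenarios) -> float:  # the sheet's =SUM(D2:D5) over the residual column
    return sum(s.residual_risk() for s in scenarios)

def expected_savings(scenarios) -> float:
    # Risk reduction from controls, expressed as money not expected to be lost per year
    return total_baseline(scenarios) - total_residual(scenarios)

def roi_percent(scenarios, investment_gbp: float) -> float:
    # Assumed conventional definition: (savings - investment) / investment x 100;
    # the post lists ROI % as an output but does not state the formula itself.
    if investment_gbp <= 0:
        raise ValueError("investment must be positive")
    return (expected_savings(scenarios) - investment_gbp) / investment_gbp * 100

# Constructed example rows; the first reproduces the post's 20% x £500,000 case.
SCENARIOS = [
    RiskScenario("Ransomware outage", 0.20, 500_000, risk_reduction=0.60),
    RiskScenario("Customer data breach", 0.10, 200_000, risk_reduction=0.50),
    RiskScenario("Invoice fraud (BEC)", 0.30, 50_000, risk_reduction=0.70),
    RiskScenario("Website defacement", 0.50, 20_000, risk_reduction=0.40),
]
ANNUAL_INVESTMENT_GBP = 40_000  # constructed: yearly cost of the Step 2 controls

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name:<22} baseline £{s.baseline_risk():>9,.0f}  residual £{s.residual_risk():>9,.0f}")
    print(f"Savings £{expected_savings(SCENARIOS):,.0f} on spend £{ANNUAL_INVESTMENT_GBP:,} "
          f"-> ROI {roi_percent(SCENARIOS, ANNUAL_INVESTMENT_GBP):.1f}%")
```

Swap in your own probabilities, impacts and reduction estimates from the risk assessment; a negative ROI % simply means the controls cost more per year than the loss they are expected to avert.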

In summary

Producing an ROI in cyber security is not easy and to do it you must pull together several different but related issues, starting with a good grasp of cyber risk management.  I know that when I suggest that you should get some help and guidance, I am often accused of just trying to drum up business, and OK, maybe that has a play, but by showing the calculations and what is required to identify those calculations, what I am actually trying to do is to show you that this isn’t easy and needs thought and a bit of work to achieve a good end result, which is to give leadership a financially justifiable reason for a cyber security spend.  ROI in cyber security is less about “profit” and more about quantifying avoided losses, improved efficiency, and reduced risk relative to the cost of controls.
