Does security spending pay off? The ROI of controls

The ROI of a security control is the breach loss it avoids each year, minus what it costs each year, divided by that cost. The benefit side comes from your Annual Loss Expectancy: a control that reduces your expected breach cost cuts your ALE, and the size of that cut — the avoided loss — is the value the control delivers. Compare it to the control's annual price and you have a return on investment that turns "should we buy this?" into arithmetic. A control costing $5,000 a year that avoids $20,000 of expected annual loss has an ROI of 300%. This guide shows how to combine IBM's cost-mitigation factors with your own ALE to get that number, works a full example, and explains why the ROI of each control falls as you stack more on. Run the numbers with the security control ROI calculator.

Security spending as an investment decision

Security controls compete for budget with everything else a business could buy, so they deserve the same test: does the return justify the cost? The difficulty is that the "return" on a control is a loss that does not happen — an avoided cost rather than new revenue. ROI analysis makes that avoided cost visible by anchoring it to a quantified risk. The chain is short: model your breach cost, annualize it into an ALE, see how much a control lowers that ALE, and weigh the reduction against the control's price.

Avoided loss versus annual cost

Two numbers drive the decision.

Avoided loss is the benefit. It is the drop in your Annual Loss Expectancy when the control is in place: baseline ALE minus the ALE you would have with the control. Because ALE = ARO × SLE (explained in annual loss expectancy), a control helps by lowering the single-loss expectancy, the rate of occurrence, or both. IBM's research is the source for how much: its cost-mitigation factor analysis quantifies how much lower breach costs run when a given control is present.

Annual cost is the price. It includes licensing or subscription, the amortized cost of implementation, and the ongoing operating effort to keep the control effective. A control that is bought and forgotten is not the same control that was measured to reduce breach cost, so the operating effort is a real part of the figure.

Avoided loss = baseline ALE − ALE with control
Net benefit = avoided loss − annual cost
ROI = (avoided loss − annual cost) ÷ annual cost

Using IBM's mitigation factors with your ALE

The bridge between a control and its avoided loss is its mitigation factor — the modeled fraction by which it reduces expected breach cost. Encryption, multi-factor authentication, a tested incident-response plan, security analytics (SIEM/EDR), awareness training and tested backups each carry an indicative reduction grounded in IBM's analysis, listed on the security cost-mitigation factors page. To use one, take your baseline ALE, reduce the SLE (or ARO) by the factor, recompute the ALE, and the difference is the avoided loss.

A practical caution: these reductions are bounded. No realistic stack of controls drives expected breach cost to zero, which is why the breach model floors the combined security multiplier and why the mitigation factors are individually modest. Treat them as planning estimates, not guarantees of prevention.

A worked ROI example

Take the small firm from the ALE guide: a modeled breach cost (SLE) of $300,000 and a sector ARO of 0.25, giving a baseline ALE of $75,000 per year.

It is evaluating multi-factor authentication, which costs about $5,000 a year to license and run. Suppose MFA's mitigation factor reduces the SLE to roughly $285,000. The new ALE is 0.25 × $285,000 = $71,250. The avoided loss is $75,000 − $71,250 = $3,750 per year. Against a $5,000 cost, the net benefit is negative on the breach-cost math alone — but MFA also lowers the realistic probability of a breach, not just its cost. If MFA also nudges the ARO down from 0.25 to 0.21, the ALE falls to 0.21 × $285,000 = $59,850, the avoided loss jumps to $15,150, and the ROI becomes (15,150 − 5,000) ÷ 5,000 = about 203%. The lesson: controls that reduce both how often and how badly you are breached carry the strongest ROI, and a model that only lowers the SLE will understate them.

Now layer a tested incident-response plan on top. Its avoided loss is measured against the already-reduced baseline, so it can only recover the loss MFA left behind — its ROI will look smaller than if it had gone first. That is not a flaw in the control; it is the math of stacking.

Why ROI falls as you add controls

This diminishing return is the single most important subtlety in security ROI. Each control is credited only with the loss that remains after the controls before it. The first control you add works against the full baseline ALE and shows the highest avoided loss. The second works against a smaller baseline, the third smaller still. Rank your candidates by standalone ROI, add the best, recompute the baseline, and re-rank the rest — the ROI calculator lets you do this iteratively. The result is a prioritized roadmap rather than a wish list: buy the high-ROI controls first, and stop when the marginal control's avoided loss no longer covers its cost.
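The worked MFA example and the stacking rule above, carried through in code. This is an added example, not BreachCostLab's calculator: the mitigation factors attached to each control are constructed placeholders chosen so that MFA reproduces the page's $285,000 SLE and 0.21 ARO, not IBM's published values, and the floor fraction is an assumption standing in for the breach model's unspecified floor on the combined multiplier. The `prioritize` function implements the rank, adopt, recompute, re-rank loop and stops when the best remaining control's avoided loss no longer covers its cost.

```python
"""Security-control ROI with stacked (diminishing) returns.

Added example; this is not BreachCostLab's calculator, and the mitigation
factors below are constructed placeholders, not IBM's published values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float          # licence/subscription + amortized rollout + operating effort
    sle_reduction: float        # fraction by which the control lowers SLE (0.05 = 5%)
    aro_reduction: float = 0.0  # fraction by which it lowers ARO; 0 means "cost only"


# Assumption: the combined effect of all controls is floored so that the
# modelled ALE never falls below this fraction of the original baseline.
# The page says the breach model floors the multiplier but not where; 0.30 is
# a placeholder for illustration.
FLOOR_FRACTION = 0.30


def ale(sle, aro):
    """Annual Loss Expectancy = ARO x SLE."""
    return sle * aro


def apply_control(sle, aro, control):
    """Return the (SLE, ARO) pair that remains once the control is in place."""
    return sle * (1 - control.sle_reduction), aro * (1 - control.aro_reduction)


def control_roi(sle, aro, control, floor_ale=0.0):
    """Avoided loss, net benefit and ROI of one control against the given baseline.

    Both the baseline and the with-control ALE are clamped at floor_ale, so a
    control is never credited with driving expected loss below the floor.
    """
    baseline_ale = max(ale(sle, aro), floor_ale)
    new_sle, new_aro = apply_control(sle, aro, control)
    with_control_ale = max(ale(new_sle, new_aro), floor_ale)
    avoided = baseline_ale - with_control_ale
    net = avoided - control.annual_cost
    return {
        "avoided_loss": avoided,
        "net_benefit": net,
        "roi": net / control.annual_cost,
        "ale_with_control": with_control_ale,
    }


def prioritize(sle, aro, candidates):
    """Greedy roadmap: rank candidates by ROI against the *current* baseline,
    adopt the best, recompute the baseline, re-rank the rest, and stop as soon
    as the best remaining control's avoided loss no longer covers its cost.
    Returns [(name, roi_at_the_point_it_was_added), ...].
    """
    floor_ale = FLOOR_FRACTION * ale(sle, aro)  # floor fixed from the original baseline
    remaining = list(candidates)
    roadmap = []
    while remaining:
        scored = [(control_roi(sle, aro, c, floor_ale), c) for c in remaining]
        result, best = max(scored, key=lambda rc: rc[0]["roi"])
        if result["net_benefit"] <= 0:
            break                                # marginal control does not pay for itself
        roadmap.append((best.name, result["roi"]))
        sle, aro = apply_control(sle, aro, best)  # next control works against the smaller baseline
        remaining.remove(best)
    return roadmap


# Constructed inputs: the small firm from the worked example (SLE $300,000,
# ARO 0.25, baseline ALE $75,000). The reductions are placeholders; MFA's are
# chosen to reproduce the page's $285,000 SLE and 0.21 ARO.
BASELINE_SLE = 300_000.0
BASELINE_ARO = 0.25
CANDIDATES = [
    Control("MFA", annual_cost=5_000, sle_reduction=0.05, aro_reduction=0.16),
    Control("Tested IR plan", annual_cost=8_000, sle_reduction=0.10),
    Control("Awareness training", annual_cost=3_000, sle_reduction=0.03, aro_reduction=0.05),
]

if __name__ == "__main__":
    for c in CANDIDATES:
        r = control_roi(BASELINE_SLE, BASELINE_ARO, c)
        print(f"{c.name:20s} standalone: avoided ${r['avoided_loss']:,.0f}  ROI {r['roi']:.0%}")
    print("roadmap:", prioritize(BASELINE_SLE, BASELINE_ARO, CANDIDATES))
```

Running it shows the three effects the text describes: MFA scored on SLE alone has a negative net benefit, while scoring its ARO reduction too gives the page's 203%; awareness training's ROI is higher standalone than once it is measured against the baseline MFA has already shrunk; and the incident-response plan, whose placeholder factor never covers its cost against the reduced baseline, is where the roadmap stops.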

What ROI does and does not tell you

A positive ROI means the control is a good bet in expectation — over many possible years, it saves more than it costs. It does not mean a breach will occur, that this control would have stopped a specific one, or that the figure is precise; it inherits all the uncertainty of the ALE behind it. And it deliberately ignores benefits that resist quantification: meeting a compliance requirement, qualifying for cyber insurance, or reducing the chance of a reputation-ending incident. Use ROI to prioritize and to defend a budget, then temper it with judgment on the factors the number cannot see. To weigh retained risk against transferring it, pair this analysis with the cyber insurance calculator.

Frequently asked questions

How do you calculate the ROI of a security control?

Compare the breach loss it avoids against what it costs. ROI = (avoided loss − annual cost) ÷ annual cost, where avoided loss is the drop in your Annual Loss Expectancy when the control is in place. The security control ROI calculator does this from your ALE and the control's risk reduction.

Where do the risk-reduction percentages come from?

From IBM's cost-mitigation factor analysis, which measures how much lower breach costs are when a given control is present. The figures used here are indicative, bounded and documented on the security cost-mitigation factors dataset page; treat them as planning estimates, not guarantees.

Why does the ROI of each control fall as I add more?

Because each control reduces the baseline loss that the next one is measured against. The second control can only avoid the loss the first one left behind, so its avoided loss — and its ROI — is smaller. This is why you rank controls and re-check after each addition.

Is a positive ROI a guarantee the control will pay off?

No. ROI here is an expected value built on probabilistic inputs. It tells you the control is a good bet on average, not that a breach will occur or that the control will prevent a specific one. Use it to prioritize, alongside qualities like compliance value that ROI does not capture.

Disclaimer. BreachCostLab provides cost and risk estimates for informational purposes only, based on published industry benchmarks (e.g. IBM/Ponemon Cost of a Data Breach, Verizon DBIR) and publicly available statutory figures as of the verification date shown (Jun 25, 2026). These figures are estimates for planning, not a prediction of the cost of any specific incident, and are not legal, financial, insurance, or compliance advice. Actual breach costs vary widely; for regulatory obligations consult qualified counsel. Always verify current figures with the cited sources.