Security Control ROI Calculator
Does a security control pay for itself? Enter your annual loss expectancy (the expected yearly cost of breaches you face), the risk reduction the control delivers, and its annual cost. The calculator returns the avoided loss, the net benefit, and the return on investment — so you can compare a firewall, encryption, MFA or an incident-response retainer on the same footing. Numbers update as you type. Reduction defaults follow IBM's cost-mitigation factors (as of Jun 25, 2026) and every field is editable — see the data.
| Figure | Amount | What it is |
|---|---|---|
| ALE before | $150,000 | Expected yearly breach cost with no extra control. |
| ALE after | $112,500 | Expected yearly cost once the control reduces the risk. |
| Avoided loss | $37,500 | ALE before − ALE after = the risk the control removes. |
| Annual cost | $20,000 | What it costs each year to run the control. |
| Net benefit | $17,500 | Avoided loss − annual cost. Positive means the spend pays off. |
- ALE after = ALE before × (1 − reduction)
- Avoided loss = ALE before × reduction
- Net benefit = Avoided loss − Annual cost
- ROI = Net benefit ÷ Annual cost (shown as a percentage)
How it works
The return on investment of a security control answers a simple, hard-headed question: for every dollar you spend on this control each year, how many dollars of expected breach loss do you avoid? It reframes security from a cost center into an investment that can be ranked against any other use of the same money. The arithmetic is deliberately transparent, with three inputs and no hidden assumptions.
The first input is your annual loss expectancy, or ALE. This is the expected breach cost you face in a typical year, already blending how much a breach would cost with how often one is likely to happen. In classic risk terms, ALE equals the annualized rate of occurrence multiplied by the single loss expectancy. If you do not yet have an ALE figure, build one first with the annual loss expectancy calculator, then bring the result here. Using an annual figure is what lets the ROI you get out be an annual ROI, directly comparable to the control’s annual cost.
The second input is the risk reduction the control delivers, expressed as a percentage of that annual loss. A control rarely eliminates risk; it shrinks it. Encryption, multi-factor authentication, a tested incident-response plan, security analytics and extensive automation each lower the average cost of a breach by a measurable amount in IBM’s Cost of a Data Breach research, and the dropdown pre-fills a modeled reduction drawn from those cost-mitigation factors. You can override it with a figure from your own risk assessment, a penetration test, or a vendor’s independently validated study. The avoided loss is then just the ALE multiplied by that reduction.
The third input is the annual cost of the control: licensing, subscription, the staff time to run it, and a fair share of the implementation cost spread over its useful life. Subtract that annual cost from the avoided loss and you have the net benefit — the money the control is expected to save you, net of what it costs to operate. Divide the net benefit by the annual cost and you have the ROI. A positive ROI means the control pays for itself on average; a negative ROI means it costs more than the average loss it removes, though it may still be justified if it guards against a rare but catastrophic event.
Two cautions keep the number honest. First, do not chase a single big percentage by stacking controls additively. Reductions compound rather than add: two controls that each remove a quarter of the risk leave 56% of it, not 50%, because the second only acts on what the first left behind. Model a layered program by multiplying the surviving fractions, then weigh the combined reduction against the combined cost. Second, ROI is built on the expected loss, which is an average; it cannot see the tail of the distribution. A control that looks marginal against the average can be the clear right choice if the loss it prevents would be fatal to the business. Treat ROI as a powerful comparison tool, not the final word.
A worked example
Take the default scenario, which is pre-filled above. A mid-sized firm has done its risk homework and arrived at an annual loss expectancy of $150,000 for the data-breach risks it carries. It is weighing a control — say a managed detection-and-response service together with mandatory MFA — that it judges will cut that annual risk by 25%, a figure broadly in line with what IBM observes for organizations that adopt strong analytics and access controls. The service costs $20,000 a year, all in.
- Avoided loss = $150,000 × 25% = $37,500 of expected annual breach cost removed.
- The risk itself falls from an ALE of $150,000 to $112,500 a year.
- Net benefit = $37,500 avoided − $20,000 cost = $17,500 a year.
- ROI = $17,500 ÷ $20,000 = 87.5%.
So this control returns 87.5% a year: every dollar spent on it is expected to prevent about $1.88 of breach loss, a clear case that it pays for itself. Now change a single input and watch the verdict move. Halve the reduction to 12.5% and the avoided loss drops to $18,750, the net benefit shrinks, and the ROI falls below zero — the same control is no longer worth it against this smaller risk. Or hold the reduction and double the annual cost: the ROI collapses even though the control is just as effective. That sensitivity is the point. The calculator lets you find the break-even reduction, or the most you can justify spending, before you sign anything.
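The arithmetic above, including the break-even reduction, the most you can justify spending, and the compounding rule for layered controls from the cautions section, as an added Python example. This is not BreachCostLab's own calculator code; the function names and the `ControlRoi` record are this example's own, and the inputs are the page's default scenario ($150,000 ALE, 25% reduction, $20,000 a year).

```python
"""Security-control ROI arithmetic: single control, sensitivity, and layered controls.

Added example (not the calculator's own code). Reductions are fractions (0.25 == 25%);
ROI is returned as a fraction (0.875 == 87.5%).
"""
from dataclasses import dataclass
from typing import Iterable, Sequence, Tuple


@dataclass(frozen=True)
class ControlRoi:
    """All the figures the calculator table shows for one control (or one stack)."""
    ale_before: float
    ale_after: float
    avoided_loss: float
    annual_cost: float
    net_benefit: float
    roi: float


def control_roi(ale_before: float, reduction: float, annual_cost: float) -> ControlRoi:
    """ROI of a control that removes `reduction` of the annual loss expectancy."""
    if not 0.0 <= reduction <= 1.0:
        raise ValueError("reduction must be a fraction between 0 and 1")
    if annual_cost <= 0:
        raise ValueError("annual cost must be positive (ROI divides by it)")
    avoided = ale_before * reduction            # Avoided loss = ALE before x reduction
    net = avoided - annual_cost                 # Net benefit = Avoided loss - Annual cost
    return ControlRoi(
        ale_before=ale_before,
        ale_after=ale_before - avoided,         # ALE after = ALE before x (1 - reduction)
        avoided_loss=avoided,
        annual_cost=annual_cost,
        net_benefit=net,
        roi=net / annual_cost,                  # ROI = Net benefit / Annual cost
    )


def combined_reduction(reductions: Iterable[float]) -> float:
    """Layered controls compound: each one only acts on the risk the earlier ones left."""
    surviving = 1.0
    for r in reductions:
        if not 0.0 <= r <= 1.0:
            raise ValueError("each reduction must be a fraction between 0 and 1")
        surviving *= 1.0 - r
    return 1.0 - surviving


def layered_roi(ale_before: float, controls: Sequence[Tuple[float, float]]) -> ControlRoi:
    """ROI of a stack of (reduction, annual_cost) controls, compounding the reductions
    and summing the costs, as the cautions section prescribes."""
    total_reduction = combined_reduction(r for r, _ in controls)
    total_cost = sum(cost for _, cost in controls)
    return control_roi(ale_before, total_reduction, total_cost)


def break_even_reduction(ale_before: float, annual_cost: float) -> float:
    """Reduction at which ROI is exactly zero (avoided loss equals annual cost)."""
    if ale_before <= 0:
        raise ValueError("ALE must be positive")
    return annual_cost / ale_before


def max_justifiable_cost(ale_before: float, reduction: float) -> float:
    """Largest annual cost that still yields a non-negative ROI for this reduction."""
    return ale_before * reduction


if __name__ == "__main__":
    # Default scenario from the page: $150,000 ALE, 25% reduction, $20,000 a year.
    base = control_roi(150_000, 0.25, 20_000)
    print(f"Avoided loss ${base.avoided_loss:,.0f}, net ${base.net_benefit:,.0f}, "
          f"ROI {base.roi:.1%}")
    halved = control_roi(150_000, 0.125, 20_000)
    print(f"Halved reduction: net ${halved.net_benefit:,.0f}, ROI {halved.roi:.2%}")
    print(f"Break-even reduction: {break_even_reduction(150_000, 20_000):.1%}")
    print(f"Max justifiable cost at 25%: ${max_justifiable_cost(150_000, 0.25):,.0f}")
    stack = layered_roi(150_000, [(0.25, 20_000), (0.25, 20_000)])
    print(f"Two 25% controls: combined reduction {1 - stack.ale_after / 150_000:.2%}, "
          f"ROI {stack.roi:.2%}")
```

`break_even_reduction` answers the "most I can justify" question from the other side: with the default $150,000 ALE and a $20,000 control, any reduction below about 13.3% leaves the ROI negative, which is why halving the default 25% to 12.5% flips the verdict. `layered_roi` is the place to evaluate a program rather than a product: stacking two 25% controls gives a 43.75% combined reduction, not 50%.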
Once you can rank controls by ROI, two follow-on questions usually appear. To check whether the ALE you started from is realistic, rebuild it from first principles with the annual loss expectancy calculator. And to see where each reduction percentage comes from, with every figure dated and linked to IBM’s analysis, read the security cost-mitigation factors dataset. Together they turn a gut feeling about security spend into a defensible number you can take to a budget meeting.
Frequently asked questions
What is a good ROI for a security control?
Any ROI above 0% means the control is expected to pay for itself: the breach loss it avoids each year exceeds what it costs to run. For the default scenario here — an annual loss expectancy of $150,000, a control that cuts that risk by 25% for $20,000 a year — the avoided loss is $37,500, the net benefit is $17,500, and the ROI is 87.5%. The higher the number, the more leverage your spend has. Controls with a negative ROI still cut risk, but cost more than the expected loss they remove — which can still be worth it if you are reducing the chance of a catastrophic, business-ending loss rather than an average one.
Where does the risk-reduction percentage come from?
You can type your own, or pick one of the controls in the dropdown, which pre-fills a modeled reduction consistent with IBM's published cost-mitigation factors — for example encryption, MFA, a tested incident-response plan, SIEM/EDR analytics and AI-driven automation each map to an average cost reduction in the Cost of a Data Breach study. Those factors describe how much lower the average breach cost is at organizations that use the control. We express them here as a fraction of expected annual loss avoided. They are convenience defaults: the field is editable, so you can plug in a figure from your own risk assessment or a vendor study.
Is this the same as the control's effect on a single breach?
No — and the distinction matters. This calculator works on your annual loss expectancy (ALE), which already blends the size of a loss with how often it is expected to happen. A control that reduces ALE by 25% might do so by making breaches rarer, cheaper, or both. If you only have a single-incident figure, first turn it into an annual figure with the annual loss expectancy calculator, then bring that number here.
Should I add up the ROI of several controls?
Not by simply summing them. Controls overlap: two measures that each claim a 25% reduction do not combine to 50%, because the second one only acts on the risk the first one left behind. Model a layered program by compounding the reductions — (1 − 0.25) × (1 − 0.25) leaves 56% of the risk, a 44% combined reduction — and compare that against the total annual cost of the stack. The breach cost estimator applies exactly this compounding when you select multiple controls.
Does a negative ROI mean I should skip the control?
Not necessarily. ROI here is built on the expected (average) loss. A control can show a negative ROI against the average yet still be the rational choice if it guards against a low-probability, high-severity event that would be fatal to the business — the value of avoiding ruin is not captured by an average. Treat ROI as one input to a decision that also weighs your risk tolerance, regulatory obligations and the tail of the loss distribution, not as the whole answer.
Disclaimer. BreachCostLab provides cost and risk estimates for informational purposes only, based on published industry benchmarks (e.g. IBM/Ponemon Cost of a Data Breach, Verizon DBIR) and publicly available statutory figures as of the verification date shown (Jun 25, 2026). These figures are estimates for planning, not a prediction of the cost of any specific incident, and are not legal, financial, insurance, or compliance advice. Actual breach costs vary widely; for regulatory obligations consult qualified counsel. Always verify current figures with the cited sources.