

Return On Information Security Investment

BUY THE BOOK! The published book provides enough guidance to understand the ROISI model. After reading the book, come back to this page and use the online calculator to apply ROISI to the needs of your organisation.

The dissertation contains a comprehensive description of the calculator used in this website.

Big thanks go to Lulu for providing the resources necessary to publish the book.


Are you spending enough? Are you spending too much?

This questionnaire will quickly assess your company's return on information security investment. After you fill in the questionnaire you will receive, via e-mail and for free, an assessment of the effectiveness of your company's security investment.

The questionnaire is based on the organisational model. You are advised to read the draft paper before attempting the questionnaire.


Organisation Information

If you include these details, you will receive a customised analysis for your organisation. The results will be kept confidential. If you are hesitant to fill in the details, either remain anonymous or contact me at amz@yahoo.com.

Company Name (optional) 

E-Mail address (optional)

Country (optional)

IT Assets

These values are a rough estimate of the perceived value of the organisation's intangible IT assets. You may want to consult your Financial Controller if you are not sure.

Total Value of IT Assets ($)

Include the perceived value of all IT assets, even those that are not among the assets at risk. Confused about this term? READ MORE HERE!

Total Value of IT Assets at Stake (% of Total Assets)

The percentage of the assets that are at risk. If your online portion is a small percentage of the total IT infrastructure, enter a small percentage. Refer to the organisational model if you are unsure.

Confidentiality and Integrity Loss (% of Assets at Stake)

The percentage of the Assets at Stake that would be lost in a single attack, e.g. if data is stolen or the integrity of data is compromised.


These values are a rough estimate of the perceived vulnerabilities of your IT assets.

Probability that there is a Vulnerability in your Information Assets (0-1)

If you have no idea of this figure (it would normally come from research on your particular system), leave the default.

Cost to Fix Vulnerabilities (Patches, Updates, Upgrades - $ per month)

This is the total cost per month that you will be charged by your IT staff and suppliers to fix vulnerabilities in your IT systems.

Cost to Breach Vulnerabilities (one-time - $)

This is the amount that an attacker would have to spend to actually exploit a vulnerability in your system. If you are unsure about this figure, leave the default value.

Defence Mechanisms

Include the total cost of any defence mechanisms such as antivirus systems, firewalls and intrusion detection systems.

Cost to Build (One-time - $)

The total cost, including hardware and software, of the infrastructure that currently defends your organisation's IT assets.

Cost to Maintain (Annual - $)

Include the maintenance costs that you pay or plan to pay on the defence mechanisms. Include the wages paid to your IT security personnel if you think these are relevant.


These values are a rough estimate of the perceived threats to your IT assets.

Cost to Break (One-time - $)

Include the cost that an attacker would have to incur to break through your defence mechanisms. If unsure, keep the default value.

Probability that there is a Threat to your System in One Month (0-1)

Depending on the attractiveness of your site, and on your firewall and IDS logs, you may have a gut feeling for the probability that your site will be attacked in a given month.

Disaster and Recovery

Loss of Revenue if IT Assets are compromised ($ per hour of downtime)

If you are running an e-commerce site, this may be related to the average value of sales per hour transacted on the website. If you do not use the website to conduct e-commerce, you might want to enter zero.

Cost to Rebuild Lost IT Assets (Total man-hour rate - $/h)

This is the total cost per hour that you will be charged by your IT staff to restore the lost information from backups or to repair the damage done to the IT assets.

Total Expected Down Time (Annual - h)

This will be dictated by the Service Level Agreement (SLA) that you have with the organisation in question. If unsure, enter the maximum tolerable downtime that you expect. For 99% availability this is 87.6 hours per year.

IT Budget

These figures relate to what you or your Financial Controller have budgeted for IT this year.

Value of IT budget (Annual - $)

The total annual IT budget for the current year.

Value of IT security budget (Annual - $)

The IT security budget, including any maintenance costs or licences that you will pay in the coming year (and any fees that are provisioned in case an attack on your site is successful).

STEP 2 - Compute Preliminary Results

You are almost done. Press the Compute button, scroll down, review the results, and then submit them!

The first 5 people who submit the results of the questionnaire will receive a 1GB Google Gmail account.

STEP 3 - Review Preliminary Results

You are

Annual ($)
Information Assets
Information Assets at Stake
Confidentiality and Integrity Loss
Vulnerability Fix
Asset Damage
Defence Damage
Total Loss of Revenue
Total Security Expenditure

STEP 4 - Submit Results

If you want to submit general feedback on this questionnaire, please do so below before submitting the results.



After you submit the results, you will receive a thorough report and detailed analysis of your security expenditure, including recommendations for subsequent years.