Quantifying the Return of Security Investments for Technology Startups

Authors

  • Mohamed Noordin Yusuff Marican Faculty of Computing, Universiti Teknologi Malaysia, Johor Bahru, Malaysia. https://orcid.org/0000-0002-0040-3745
  • Siti Hajar Othman Malaysia-Japan Institute of Technology, Universiti Teknologi Malaysia, Johor Bahru, Malaysia. https://orcid.org/0000-0002-0205-4948
  • Ali Selamat Faculty of Computing, Universiti Teknologi Malaysia, Johor Bahru, Malaysia & Malaysia-Japan Institute of Technology, Universiti Teknologi Malaysia, Johor Bahru, Malaysia & MaGICX-Media and Game Innovation Centre of Excellence, Universiti Teknologi Malaysia, Johor Bahru, Malaysia & Faculty of Informatics and Management, University of Hradec Kralove, Hradec Kralove, Czech Republic.
  • Shukor Abd Razak Faculty of Informatics and Computing, Universiti Sultan Zainal Abidin, Kuala Terengganu, Malaysia. https://orcid.org/0000-0002-8824-6069

DOI:

https://doi.org/10.21123/bsj.2023.9077

Keywords:

Cyber Security Maturity Level, Cyber Security Quantification, Return of Security Investment, ROSI, Technology Startup

Abstract

Technology startups are critical to the advancement of digital initiatives in many countries pursuing a smart nation agenda. They act as vendors and suppliers of services to large organizations such as the government sector, multi-national corporations and financial institutions. As such, startups are fast becoming attack vectors through which malicious perpetrators gain backdoor entry to large organizations. However, startups remain prudent in their cyber security spending, as their north star is revenue generation through delivering their services and minimum viable product (MVP) to their customers. This study proposes an enhanced Return on Security Investment (ROSI) model which helps technology startups calculate the return on security investment and justify their cyber security budget. Though there are existing models to calculate the return on investments allocated to cyber security expenditure, they are rather complex and do not give management clarity on the monetary value of cyber security spending. Furthermore, the existing models do not cater to the dynamics and nuances of technology startups. The enhanced model also gives technology startups the ability to adjust their cyber security investments appropriately, based on the calculated Minimum (Min) and Maximum (Max) ROSI values. The proposed and enhanced ROSI model has been validated by 5 cyber security experts, who agreed on the importance and necessity of applying the model to technology startups. In a case study on a FinTech startup, the model is used to calculate the Min and Max ROSI, justifying the return on security investments and giving the startup the ability to adjust its cyber security spending accordingly.

How to Cite

Quantifying the Return of Security Investments for Technology Startups. Baghdad Sci.J [Internet]. [cited 2024 Apr. 30];21(7). Available from: https://bsj.uobaghdad.edu.iq/index.php/BSJ/article/view/9077