Quantifying the Return of Security Investments for Technology Startups


  • Mohamed Noordin Yusuff Marican, Faculty of Computing, Universiti Teknologi Malaysia, Johor Bahru, Malaysia.
  • Siti Hajar Othman, Malaysia-Japan Institute of Technology, Universiti Teknologi Malaysia, Johor Bahru, Malaysia.
  • Ali Selamat, Faculty of Computing, Universiti Teknologi Malaysia, Johor Bahru, Malaysia & Malaysia-Japan Institute of Technology, Universiti Teknologi Malaysia, Johor Bahru, Malaysia & MaGICX-Media and Game Innovation Centre of Excellence, Universiti Teknologi Malaysia, Johor Bahru, Malaysia & Faculty of Informatics and Management, University of Hradec Kralove, Hradec Kralove, Czech Republic.
  • Shukor Abd Razak, Faculty of Informatics and Computing, Universiti Sultan Zainal Abidin, Kuala Terengganu, Malaysia.



Cyber Security Maturity Level, Cyber Security Quantification, Return of Security Investment, ROSI, Technology Startup


Technology startups are critical to the advancement of digital initiatives in many countries pursuing a smart nation agenda. They act as vendors and suppliers of services to large organizations such as the government sector, multinational corporations and financial institutions. As a result, startups are fast becoming attack vectors through which malicious perpetrators gain backdoor entry to large organizations. However, startups remain prudent in their cyber security spending because their north star is revenue generation through delivering their services and minimum viable product (MVP) to their customers. This study proposes an enhanced Return on Security Investment (ROSI) model which helps technology startups calculate the return on security investment and justify their cyber security budget. Although existing models calculate the return on investments allocated to cyber security expenditure, they are rather complex and do not give management clarity on the monetary value of cyber security spending. Furthermore, the existing models do not cater to the dynamics and nuances of technology startups. The enhanced model also gives technology startups the ability to adjust their cyber security investments appropriately based on the calculated Minimum (Min) and Maximum (Max) ROSI values. The proposed and enhanced ROSI model has been validated by 5 cyber security experts, who agreed on the importance and necessity of applying the model to technology startups. The results of the case study on a FinTech startup enable the calculation of the Min and Max ROSI to justify the return on security investments and give the startup the ability to adjust its cyber security spending accordingly.



