HackerOne introduces Cybersecurity Investment Metric

HackerOne has published When ROI Falls Short: A Guide to Measuring Security Investments with Return on Mitigation, a report that documents security leaders’ doubts about using return on investment (ROI) to measure the value of cybersecurity spending.

Wednesday, 19th February 2025. Posted by Phil Alsop

The whitepaper also introduced Return on Mitigation (RoM) — a new metric that helps security leaders quantify the financial value of protecting their businesses from cyberattacks.

As the average cost of a data breach grows to nearly $5 million in the US, challenges in quantifying return on investment (ROI) for cybersecurity products have led to decreased cybersecurity budgets. ROI remains the gold standard for justifying cybersecurity spending and measuring investment efficacy, yet most security leaders say applying it to cybersecurity presents challenges.

“The hardest part of ROI in security is quantifying it,” said one VP of Security at a Fortune 500 Manufacturing Company. “It's challenging to measure the cost of a vulnerability or compare solutions, especially when considering factors like reputational damage, downtime, and revenue impact."

In HackerOne’s report, 550 security leaders—including CIOs, CISOs, and security directors—revealed:

• ROI overlooks incident response and long-term stability, which over three-quarters of security leaders (77%) prioritize in evaluating their cybersecurity approach.

• Sixty-nine percent of security leaders also believe ROI overemphasizes direct costs and fails to account for indirect costs like incident response and training.

• More than half of leaders stated that ROI fails to consider enough factors contributing to cybersecurity value, including cost savings from avoided breaches and non-financial benefits like protected brand reputation and customer trust.

“When it comes to breaches, we all intuitively know that an ounce of prevention is worth a pound of cure,” said Alex Rice, co-founder and chief technology officer, at HackerOne. “But without the right metrics, it’s hard to advocate for the value of security investments. Return on Mitigation reframes proactive and preventive work as a value driver.”

RoM is a metric that security leaders can use to gain a more holistic view of the financial impact of cybersecurity initiatives and to show executives and board members how cybersecurity efforts align with the organisation’s financial goals. Its formula quantifies the financial impact of proactive cybersecurity investment by measuring the financial losses a breach would have caused and that the investment avoided: the regulatory fines, legal costs, reputational damage, and business disruption that mitigated risks would otherwise have incurred.

“Return on Mitigation’s (RoM) data-driven approach allows us to demonstrate the real impact of proactive mitigation to the board, ensuring our security investments not only protect the bottom line but also strengthen customer trust,” said Rossini Moraes, Information Security Manager at Inter&Co.

“RoM allows me to justify a $300,000 investment against a potential $5 million critical breach,” said a Head of Cybersecurity at an enterprise financial infrastructure provider. “[With this metric], I can show how mitigating vulnerabilities through continuous, offensive security testing can prevent costly breaches and justify the spend."
