In the previous post, we looked at how Cyber Risk Quantification (CRQ) helps organizations right‑size cyber insurance by grounding coverage decisions in quantified loss scenarios. Once risks are expressed in financial terms, a natural follow‑on question emerges:
How do we know whether our security investments are actually worth it?
Security leaders are constantly asked to justify spend. They need to present some way to measure the return on things like new tools, additional headcount, control improvements, etc., and without the right data, these answers tend to be qualitative. Investments are described as “necessary,” “best practice,” or “industry standard,” rather than evaluated as financial decisions. CRQ provides a way to change that. We can’t necessarily call it ROI, because unless the security spend can be marketed to customers as a selling point, there isn’t a real return. Spending money on cyber protections like tooling or headcount does not provide a return; it provides a reduction in potential losses. In the same way we buy property insurance to prevent major financial losses from fires and storms, we invest in cyber programs to reduce financial losses from cyber events.
By quantifying how controls affect loss exposure, organizations can evaluate security investments using the same economic logic applied elsewhere in the business.
Why security ROI is so hard to articulate
Security ROI is difficult not because value doesn’t exist, but because it is rarely measured in the right units.
Most organizations evaluate security investments using proxies:
These measures can be useful for operational management, but they do not answer the question executives care about:
What is the financial impact? In dollars and cents, please!
How am I supposed to justify a $500,000 spend to move our company from G3 to G5 Microsoft licenses without looking at how the additional security capabilities will reduce exposure? At that point, the perceived benefit is nothing more than optics. This way of pitching the investment turns these conversations into subjective debates rather than financial trade-offs.
CRQ reframes security spend as loss reduction
As we said above, security investment is about reducing expected loss. Controls do not create revenue; they reduce the likelihood or magnitude of adverse outcomes.
CRQ makes financial outcomes tangible by tying controls directly to quantified loss scenarios in the risk register. Instead of asking whether a control is “good,” leaders can ask:
- Which loss scenarios does this control affect?
- How does it change loss frequency or magnitude?
- How much expected loss does it reduce?
This reframing turns security spend into a risk‑reduction investment, comparable to decisions made in insurance, safety, or operational resilience.
Establishing a baseline before investing
Meaningful ROI analysis requires a baseline. CRQ provides that baseline by quantifying current loss exposure across defined scenarios. This establishes:
Without this starting point, any claim about improvement is speculative. With it, control changes can be evaluated relative to a known exposure profile rather than an abstract notion of “better security.”
Modeling control impact on loss exposure
Once baseline exposure is quantified, proposed security investments can be modeled as changes to the underlying risk factors. For example, a control might:
- Reduce the probability of successful phishing
- Lower the expected duration of a ransomware outage
- Limit the scope of data exfiltration
- Reduce regulatory response costs
CRQ allows these changes to be reflected directly in the loss model. The result is a revised loss distribution that can be compared to the baseline. The difference between the two distributions represents the expected risk reduction attributable to the control. From this perspective, security ROI becomes a straightforward comparison, dollar for dollar:
How much expected loss does this investment reduce relative to its cost?
Comparing investments, not just justifying them
One of the most powerful benefits of a quantitative approach is the ability to compare competing investments. Rather than evaluating controls in isolation, organizations can assess:
- Which investment reduces the most risk per dollar?
- Where do diminishing returns set in?
- Which controls address the largest drivers of loss?
This often leads to unintuitive but valuable insights. In many cases, modest investments in detection, response, or resilience reduce expected loss more effectively than expensive preventive controls. CRQ makes these trade‑offs visible. We can ignore how “flashy” something might be and choose, dollar for dollar, whatever brings the company the most bang for its buck.
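The baseline-versus-treated comparison described under “Modeling control impact on loss exposure” and the per-dollar ranking of competing investments described here, as an added worked example that is not part of the original post: a small Monte Carlo loss model in Python. Each scenario is modeled as a compound Poisson-lognormal process (annual event frequency times a lognormal single-event loss), a control is expressed as multipliers on a scenario’s frequency or loss magnitude, and the difference between the baseline and treated expected loss is the risk reduction credited to the control. The scenario figures, control costs and effect multipliers are constructed for illustration and do not come from any real organization; the model form itself is an assumption, one common FAIR-style choice among several.

```python
import math
import random
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Scenario:
    # One loss scenario from the risk register (values constructed for this example).
    name: str
    events_per_year: float  # expected annual event frequency (Poisson mean)
    loss_median: float      # median single-event loss in dollars
    loss_sigma: float       # lognormal spread of the single-event loss


@dataclass(frozen=True)
class Control:
    # A proposed investment, expressed as multipliers on a scenario's risk factors.
    name: str
    annual_cost: float
    frequency_factor: dict = field(default_factory=dict)  # scenario name -> multiplier on frequency
    magnitude_factor: dict = field(default_factory=dict)  # scenario name -> multiplier on loss median


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small annual frequencies used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_scenario(scenario, years, seed, freq_mult=1.0, mag_mult=1.0):
    """Annual loss from one scenario for each simulated year (compound Poisson-lognormal)."""
    # Each scenario gets its own seeded stream, so a control that touches only one
    # scenario leaves every other scenario's samples unchanged (common random numbers).
    rng = random.Random(f"{seed}:{scenario.name}")
    lam = scenario.events_per_year * freq_mult
    mu = math.log(scenario.loss_median * mag_mult)
    annual = []
    for _ in range(years):
        events = poisson(rng, lam)
        annual.append(sum(rng.lognormvariate(mu, scenario.loss_sigma) for _ in range(events)))
    return annual


def simulate_annual_losses(scenarios, control=None, years=10000, seed=7):
    """Total annual loss across all scenarios, with a control's factors applied if given."""
    totals = [0.0] * years
    for s in scenarios:
        f = control.frequency_factor.get(s.name, 1.0) if control else 1.0
        m = control.magnitude_factor.get(s.name, 1.0) if control else 1.0
        for i, loss in enumerate(simulate_scenario(s, years, seed, f, m)):
            totals[i] += loss
    return totals


def expected_loss(annual_losses):
    """Annualized expected loss: the mean of the simulated annual totals."""
    return sum(annual_losses) / len(annual_losses)


def exceedance_probability(annual_losses, threshold):
    """P(annual loss > threshold): one point on the loss exceedance curve."""
    return sum(1 for x in annual_losses if x > threshold) / len(annual_losses)


def evaluate_control(scenarios, control, years=10000, seed=7):
    """Compare the baseline loss distribution with the distribution after the control."""
    baseline = simulate_annual_losses(scenarios, None, years, seed)
    treated = simulate_annual_losses(scenarios, control, years, seed)
    reduction = expected_loss(baseline) - expected_loss(treated)
    return {
        "control": control.name,
        "baseline_expected_loss": expected_loss(baseline),
        "treated_expected_loss": expected_loss(treated),
        "expected_loss_reduction": reduction,
        "annual_cost": control.annual_cost,
        "reduction_per_dollar": reduction / control.annual_cost,
        "p_exceed_1m_baseline": exceedance_probability(baseline, 1_000_000),
        "p_exceed_1m_treated": exceedance_probability(treated, 1_000_000),
    }


def rank_controls(scenarios, controls, years=10000, seed=7):
    """Rank competing investments by expected loss reduction per dollar of annual cost."""
    results = [evaluate_control(scenarios, c, years, seed) for c in controls]
    return sorted(results, key=lambda r: r["reduction_per_dollar"], reverse=True)


# Constructed register and candidate investments (hypothetical figures, not from any real organization).
SCENARIOS = [
    Scenario("phishing_bec", events_per_year=2.0, loss_median=40_000, loss_sigma=0.7),
    Scenario("ransomware_outage", events_per_year=0.2, loss_median=800_000, loss_sigma=1.0),
    Scenario("data_exfiltration", events_per_year=0.3, loss_median=300_000, loss_sigma=0.9),
]
CONTROLS = [
    Control("email_security_upgrade", 150_000, frequency_factor={"phishing_bec": 0.5}),
    Control("backup_and_recovery", 60_000, magnitude_factor={"ransomware_outage": 0.4}),
    Control("next_gen_prevention", 500_000, frequency_factor={"ransomware_outage": 0.8}),
]

if __name__ == "__main__":
    for r in rank_controls(SCENARIOS, CONTROLS):
        print(f"{r['control']}: -${r['expected_loss_reduction']:,.0f} expected loss for ${r['annual_cost']:,.0f}/yr")
```

With these constructed inputs the cheap backup-and-recovery control ranks first because it cuts the magnitude of the scenario that drives most of the loss, while the expensive prevention tool ranks last; that is the “modest investment in resilience beats flashy prevention” pattern the post describes, and every number in the ranking traces back to the scenario inputs and the multipliers, which is what makes the result defensible in a budget conversation. Seeding one stream per scenario keeps baseline and treated runs identical everywhere a control does not act, so the difference between them reflects the control rather than simulation noise.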
Avoiding the illusion of “high ROI” controls
Quantification also helps avoid a common pitfall: overstating ROI based on worst‑case thinking. This is not to say that worst-case thinking isn’t important—it absolutely is. But in the case of justifying spending, we want to avoid using Fear, Uncertainty, and Doubt (FUD) as a way of getting a board to approve a budget increase.
Why not…try? In theory, it is easy to justify almost any security investment by pointing to a catastrophic breach scenario. I’ll walk in and tell my board that a ransomware attack will shut our operations down for 6 months, and we will never financially recover. Easy! But not all extreme losses are equally likely, and not all controls meaningfully reduce those outcomes.
By focusing on expected loss rather than anecdotes, CRQ keeps ROI analysis grounded. Controls that sound compelling but have little impact on modeled exposure are revealed as low‑return investments, regardless of how alarming the threat narrative may be.
Using ROI to inform, not replace, judgment
A quantitative approach does not eliminate judgment. It structures it. CRQ does not dictate which controls must be funded, but it provides a disciplined way to understand the economic implications of those choices. Leaders still weigh qualitative factors like regulatory expectations, strategic priorities, and risk appetite… but they do so with a clearer understanding of the financial stakes. Quantitative analysis does not eliminate the need for qualitative inputs; it enhances them. Critically, ROI analysis can help explain why some risks are intentionally accepted. Not every exposure is cost‑effective to mitigate, and CRQ provides a defensible rationale for those decisions.
Keeping ROI aligned as the environment changes
Just as with insurance, security ROI is not static. As threat patterns evolve, new technologies are introduced, or the business changes, the effectiveness of controls shifts. CRQ allows ROI assumptions to be revisited as part of an ongoing risk management process rather than treated as one‑time justifications. Over time, this creates a feedback loop where investments are evaluated, adjusted, and prioritized based on observed changes in exposure.
Why this matters
Security leaders are increasingly expected to operate as stewards of financial risk, not just technical defenses. Being able to explain how investments reduce loss and how much they reduce it changes the conversation.
CRQ allows security ROI to move from narrative to analysis. If done properly, decisions are explainable and comparable. All that time spent showing my work on my 5th grade math tests is now paying off. Forcing me to show my work set me up to make it in the CRQ big leagues! I learned that just presenting an answer without showing any work, even if it’s correct, raises concerns. Did I cheat and use a calculator? Did I just happen to make a really good guess? Successful budget requests backed by CRQ are defendable. The audience should be able to see what the inputs are, how they were used, and how they got to the final answer. This isn’t a magic trick.
And for the moment we’ve all been waiting for…
In my last few blogs, I’ve covered all the wonderful things that CRQ can do. And while it’s easy to get caught up in the adrenaline rush of Monte Carlo simulations and loss exceedance curves, we’re not just doing this for fun! All of this work is done so cyber teams earn their spot on the Avengers squad (Enterprise Risk Management teams). And in the next (final) blog in this series, I will walk through how that can be done successfully.