Valuing IR Preparedness: Identifying and Communicating ROI

Andrew Brosman, Senior Security Consultant, Cyber Risk Advisory

In the information security community, a proactive approach to incident response is always considered best practice. Reacting in the moment can drain resources, and the full impact of an incident often takes weeks or even months to remediate. Despite this, making a case to management for the value of a proactive approach can be difficult. Buying a new tool or service provides quantifiable efficiency returns, but how do you present your case when the return on investment (ROI) for incident response isn't as measurable?

The simple answer is to look to your past. Retroactively analyzing past incidents provides insight into the total cost of incident remediation, and that information can be used to arrive at an ROI for investment in incident response today. Being able to evaluate incident response costs requires an organization to advance from a compliance or audit focus to one focused on long-term sustainment and continual improvement. SANS found that 32% of 452 respondents to its 2018 Incident Response Survey weren't even sure how many incidents they had responded to in the past year. If you're not capturing incident response metrics, or haven't even identified what those metrics should be, it's difficult to calculate the value of investment and convince management that incident response preparedness is a priority. So what metrics should an organization be capturing to measure incident response effectiveness?

The metrics to focus on are dwell time (the length of time between initial compromise and detection of an incident in the environment), time to contain, and time to remediate. The shorter the dwell time, the less time an attacker has to explore the environment uninhibited. By limiting containment time, an organization substantially increases the speed at which it can recover from the incident. Time to contain and time to remediate are inherently correlated: the faster the attacker is isolated, the sooner the organization can recover systems and, ultimately, business processes. Time to remediate is critical; in the same incident response survey, SANS found that 43.6% of respondents reported suffering a breach from the same threat actor more than once. Reducing the time to remediate allows an organization to fortify its defenses and limit the potential for a threat actor to return to the crime scene and exploit the same or similar vulnerabilities.

When it comes to converting those metrics into dollars and cents, consider factors such as lost employee utilization, the cost to repair systems, downtime, brand/reputational damage, and lost sales. An analysis of the costs associated with past incidents allows you to begin quantifying the benefit of incident response preparedness. If last year your company suffered a DDoS attack that took 300 man-hours to remediate at $100 an hour, the incident cost your organization, excluding other factors, $30k. If you're considering a tabletop test at a cost of $20k, and the value of the test is a reduction of 50 man-hours spent coordinating incident response, you spent $20k to reap an efficiency gain of $5k. At first this may not seem like a valuable investment; however, that is the efficiency gain for just one incident in one year. Multiplying that gain by the average number of incidents your organization experiences annually yields a significant ROI. SANS found that the largest group of respondents to the 2018 incident response survey, 44%, said they experienced more than 25 incidents in that year. These efficiency gains are also not limited to a single incident or even a single time frame; tasks such as training and testing provide long-term gains that further close the gap between cost and value. Additionally, once you consider costs beyond lost employee utilization, the picture becomes clear: proactive investment in incident response reaps sustainable and long-lasting returns.
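The metrics and the ROI calculation above, carried through as an added example (not part of the original post): per-incident dwell, containment and remediation times are derived from phase timestamps, labor cost is hours times rate, and the tabletop investment is compared against the annualized efficiency gain. The incident records are constructed, and the start points for time to contain (detection) and time to remediate (containment) are assumptions, since the text does not fix them.

```python
import math
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Incident:
    """One incident record; each timestamp marks when that phase was reached."""
    name: str
    compromised: datetime   # best estimate of initial compromise
    detected: datetime
    contained: datetime
    remediated: datetime
    staff_hours: float      # total responder hours logged against the incident


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def dwell_time(i: Incident) -> float:
    # Initial compromise to detection, as defined in the text.
    return _hours(i.compromised, i.detected)


def time_to_contain(i: Incident) -> float:
    # Assumption: measured from detection to containment.
    return _hours(i.detected, i.contained)


def time_to_remediate(i: Incident) -> float:
    # Assumption: measured from containment to full remediation.
    return _hours(i.contained, i.remediated)


def labor_cost(i: Incident, hourly_rate: float) -> float:
    return i.staff_hours * hourly_rate


def annual_net_gain(investment: float, hours_saved_per_incident: float,
                    hourly_rate: float, incidents_per_year: int) -> float:
    """Annualized efficiency gain minus the one-off preparedness spend."""
    return hours_saved_per_incident * hourly_rate * incidents_per_year - investment


def breakeven_incidents(investment: float, hours_saved_per_incident: float,
                        hourly_rate: float) -> int:
    """Incidents per year at which the investment pays for itself."""
    return math.ceil(investment / (hours_saved_per_incident * hourly_rate))


# Constructed sample record: the 300-hour DDoS incident from the text.
INCIDENTS = [
    Incident("ddos-2018", datetime(2018, 3, 1, 8, 0), datetime(2018, 3, 1, 8, 30),
             datetime(2018, 3, 1, 14, 0), datetime(2018, 3, 5, 17, 0), 300.0),
]
```

With the text's figures (a $20k tabletop saving 50 hours at $100), `annual_net_gain` is -$15k for a single incident but +$105k at the 25 incidents per year that SANS's largest respondent group reported, and `breakeven_incidents` returns 4.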

At Coalfire, we specialize in incident response coordination and preparedness. Regardless of the complexity or maturity of your organization, Coalfire is here to help your organization establish an organized and consistent approach to incident response. From tabletop testing to full incident response program development, Coalfire's cybersecurity experts are fully prepared to elevate your organization's security profile.
