Calculating ROI on web security doesn’t have to be tricky. Actually, it can be pretty straightforward. And it's critical for organizations to do the calculation, since we can reasonably assume that unprotected web applications will get hit eventually.

Industry analysts suggest just one in 30 websites may be secure and security breaches get reported virtually every day. Big or small, locally-hosted or run from China, all those websites are vulnerable. So we know that the likelihood of your organization getting hacked is much higher than the probability of pretty much any other kind of business disaster, from arson to a robbery or an earthquake.

So it's safe to assume that your web app is open to abuse from hackers using cross site scripting and other tactics. Now it's time to do an ROI calculation for web security.

Now let’s imagine a medium-sized company does $1 million in sales or donations every year through its website. Every day, the website brings in about $2,740. Finally, let us assume an initial investment of about $10,000 for regular web security scanning and IT consulting over one year to fix hacker vulnerabilities.

If this security solution prevented a security breach (or several) that forced a shutdown of the website for just four days out of an entire year, the investment will have more than paid for itself (Security investment = $10,000, Retained revenue = $10,960).

This doesn't even include the money saved from not having to deal with legal costs and crisis management (potentially millions of dollars). In this calculation, ROI is similar to that for purchasing insurance.

Then there's the added value web application security ROI calculation. Looking at the same business as before, we'll add on a 15 per cent extra revenue from web trafffic conversion (Ask Dave Taylor) that a security solution can add if publicized properly (which is negated in the event of a well-publicized breach).

In this case, the extra 15 per cent means an extra $150,000 in revenue per year. This means that every day, this organization earns $410 per day extra from the web application security solution, even if there is no security breach all year long.In 24 days, the solution would pay for itself..

As we've seen, the ROI of web security can be easily demonstrated.

Other resources and ROI tips that an IT manager, marketing manager, sales manager or CFO may find helpful:

Calculating security ROI is tricky business. A Computer World article about the metrics of calculating security ROI.

WSI Website Traffic Conversion Rate Calculator. Use it to calculate how much your website traffic is worth – and how much your organization will lose if a hacker takes you down.

Hopefully, this example will help you get started on some long-overdue web security ROI number-crunching.

Vaclav Vincalek
Vaclav's Blog