Standardization of Return on Risk Investment Computation
White Paper
Publisher
Software Engineering Institute
DOI (Digital Object Identifier)
10.1184/R1/30299998
Abstract
The SEI’s CERT Division proposes standardizing the computation of ROI in practice and methodology to establish consistent measurement and standardized practice across organizations and communities. This paper explores the benefits of standardizing methodologies and introduces some novel solutions to consider for adoption. More importantly, CERT proposes these ideas while aspiring to establish enduring partnerships across academia, private industry, and the public sector to advance risk-based decision making based on comprehensive quantitative analysis. CERT’s depth of expertise in cybersecurity, risk management, modeling, and measurement would complement the expertise of many other organizations that have similar interests in collaborating to better the greater community.