The Business Value of an Effective Security Program
Information Security Economics 2025
1 Executive Summary
I wrote the first version of this paper as Vice President, Principal Analyst at Forrester Research. Much has changed since 2012, when the first version was published.
Modern organizations run on information. Product design, digital services, supply chains, and customer experiences are all powered by data that can be copied, stolen, encrypted, or manipulated at very low cost by increasingly professionalized threat actors. At the same time, boards and executive teams expect chief information security officers (CISOs) to justify security spend with the same financial discipline that applies to any other investment. This was true in 2012 and is still true today.
This paper presents an updated 2025 version of Forrester’s Information Security Value Model [1], reframing information security as an economic function that protects and enables revenue, rather than a pure cost center. The model helps CISOs:
Value information assets in business terms.
Quantify fixed and variable security costs.
Estimate expected loss using modern risk-quantification techniques.
Express security value as a transparent, decision-supportive financial ratio.
I also provide a practical implementation roadmap, updated terminology aligned with today’s cloud- and AI-driven environments, recommendations for enhancing visuals and dashboards, and guidance on telling a clear financial story about cyber risk to senior leadership and the board.
2 Introduction: Why Security Economics Matter in 2025
Security and risk leaders face a paradox. Cyber risk is growing in frequency, impact, and complexity, yet security budgets are not keeping pace and, in many organizations, are effectively flat in real terms. Regulators, customers, and investors expect stronger controls, better resilience, and faster incident response, while executive teams expect security to enable digital growth rather than constrain it.
In this environment, qualitative arguments and generic industry benchmarks are no longer sufficient. CISOs must demonstrate how security investments reduce expected losses, protect revenue, and align with the organization’s risk appetite. They need a security business model that mirrors the economic rigor used by attackers and their finance peers. The Information Security Value Model addresses this need by pairing information asset valuation with cost and risk modeling, enabling security to be managed as a portfolio of economic decisions.
3 The Modern Threat Landscape and Attacker Economics
Cybercriminals and state-aligned actors now operate as sophisticated businesses. Ransomware-as-a-service platforms, credential markets, and initial-access brokers have created a mature ecosystem in which each actor specializes in a segment of the value chain. Cloud environments, remote work, and ubiquitous APIs have expanded the attack surface, while automation and AI tools enable adversaries to scale operations at relatively low incremental cost.
The economics of this ecosystem are clear: attackers target the information and systems that generate the most value. This includes intellectual property, payment and customer data, operational technology, and the digital platforms that underpin service delivery. They pursue the highest payoff for the lowest effort and risk. For example, encrypting a small number of high-value databases or compromising a key cloud identity provider may yield more leverage than a broad but shallow intrusion. In effect, attackers perform their own informal cost–benefit analysis of an organization’s information assets.
If security leaders cannot explain the economic value of the information they protect, they will struggle to compete with attackers. Adopting a clear financial model for security is therefore not optional; it is a prerequisite for effective strategy and credible decision-making.
4 Information as a Revenue-Producing Asset
Traditional accounting treats information as an intangible asset, if it is recognized at all. Hardware, office buildings, and manufacturing equipment appear explicitly on the balance sheet, but the data that drives modern business models often does not. In 2025, this perspective is increasingly detached from reality. Information is a primary input to revenue-generating activities and should be managed accordingly.
For this model, we define the economic value of an information asset as the share of current and future revenue that depends on the availability, integrity, and confidentiality of that information, minus the direct and indirect costs of creating, managing, and protecting it. This definition makes information value explicitly conditional on business use: data that no longer supports products, services, or regulatory obligations has little or no economic value and should be archived or deleted.
To make this definition operational, we categorize information into three broad types:
1. Revenue-generating information: directly tied to products or services sold to customers, such as software source code, pricing models, or customer transaction data.
2. Risk- and compliance-driven information: not directly revenue-generating but required to satisfy legal, regulatory, or contractual obligations, such as employee records or regulated financial and health data.
3. Supporting information: enables internal efficiency or decision-making, such as analytics data, internal process documentation, or training materials.
5 The 2025 Information Security Value Model
The Information Security Value Model quantifies how security investment relates to the value of information assets and the risk of loss. It consists of four significant steps:
1. Map information assets to business capabilities and revenue streams.
2. Quantify fixed and variable security costs associated with those assets.
3. Estimate expected loss by modeling threat scenarios and control effectiveness.
4. Calculate security value and optimize the security investment portfolio.
5.1 Map Information Assets to Business Capabilities and Revenue
Start with the business, not the technology. Work with product, sales, operations, and finance stakeholders to identify major revenue streams and the capabilities that support them—for example, digital commerce, subscription services, manufacturing, or logistics. For each capability, identify the critical information assets that must be available and trustworthy for that capability to function.
For each asset–capability pair, assign a proportional contribution to revenue. In some cases, this will be direct and obvious—for example, an e-commerce customer database that is required for order processing. In other cases, the relationship is indirect or shared across multiple products. The goal is not perfect precision but a consistent, defensible mapping that can be refined over time.
5.2 Quantify Fixed and Variable Security Costs
Next, classify your security costs as either fixed or variable and associate them with the information assets you have just mapped. Fixed costs are those that do not fluctuate significantly with incident volume over the short term, such as permanent staff, core tools, and baseline compliance obligations. Variable costs are triggered or increased by events, such as major breaches or new regulatory findings.
Typical fixed costs include:
Core security tooling (identity, endpoint, network, cloud, SIEM/XDR).
Baseline compliance activities (audits, assessments, certifications).
Shared infrastructure charges for security services.
Typical variable costs include:
Security staff salaries and benefits.[a]
Incident response and forensics.
Legal counsel, regulatory notifications, and fines.
Customer communication, call center surges, and credit monitoring.
Ransom payments or operational downtime losses, where applicable.
Post-incident technology changes, consulting engagements, and additional staffing.
Assign these costs to the information assets they primarily protect, using reasonable allocation keys such as percentage of control coverage, percentage of asset criticality, or revenue share. The goal is to determine how much you currently spend to protect each major revenue-producing or risk-sensitive asset.
5.3 Estimate Expected Loss Using Modern Risk Quantification
To move beyond qualitative heat maps, use modern risk quantification techniques to estimate the expected loss for each information asset. Frameworks such as FAIR (Factor Analysis of Information Risk) and Monte Carlo simulations enable you to model ranges of probable loss rather than single-point estimates.[2]
For each critical asset, identify plausible threat scenarios, such as credential compromise leading to data theft, ransomware affecting availability, or insider misuse of sensitive information. Assess how often each scenario could occur and estimate the potential impact on factors such as revenue loss, response costs, regulatory penalties, and long-term reputation damage. Conduct simulations to generate a distribution of annualized loss exposure rather than relying on a single number.
This expected loss is a key input to the security value calculation. It quantifies the downside risk that security controls are intended to mitigate.
5.4 Calculate Security Value and Optimize the Portfolio
With revenue contribution, cost, and expected loss estimates in place, you can now calculate the economic value of your security program. A practical way to do this is to focus on three core quantities for each major asset or asset group:
Revenue protected: the portion of revenue that depends on the asset being secure and available.
Expected loss avoided: the reduction in modeled loss due to existing or proposed controls.
Total security investment: the fixed and variable costs allocated to protecting the asset.
A simplified expression of security value at the portfolio level is:
Security Value = (Expected Loss Avoided + Revenue Protected + Enablement Benefits) / Total Security Investment
This approach promotes continuous improvement. Over time, you aim to increase the numerator—by enhancing control effectiveness and expanding secure digital business—while managing or decreasing the denominator through automation, consolidation, and better prioritization. Security decisions can then be evaluated using the same return-on-investment logic applied to other business initiatives.
5.5 Worked Example: Subscription SaaS Provider
Consider a hypothetical software-as-a-service company that derives 80% of its revenue from a multi-tenant cloud platform. A small number of information assets—such as the production customer database, authentication service, and billing system—are clearly critical. Using the steps above, the CISO and finance team determine the following:
65% of annual recurring revenue depends on the availability and integrity of the production database.
50% of that revenue would be at serious risk in a prolonged outage or a large-scale data breach.
The expected annualized loss exposure for the database, before control improvements, is modeled within a range that would meaningfully impact profitability.
The organization then evaluates several investment options, including enhanced backup and recovery, privileged access management, and stronger identity protection. For each option, the team estimates the expected reduction in loss and the impact on overall security investment. This analysis helps executives prioritize the controls that offer the greatest expected loss reduction relative to cost, while also considering qualitative factors such as customer trust and regulatory review.
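To make the loss-modeling step in 5.3 and the Security Value ratio in 5.4 concrete for the SaaS example above, here is an added example that is not part of the original paper or of Forrester's model: a small FAIR-style Monte Carlo that draws event counts from a Poisson distribution and per-event losses from a lognormal fitted to a 90% confidence interval, then compares exposure before and after a proposed control set. The three scenarios, their frequencies, loss ranges and control effects, the assumed 100M USD ARR, and the 2.5M USD investment allocated to the database are all constructed assumptions; enablement benefits are set to zero.

```python
import math
import random
from collections import namedtuple

# One FAIR-style threat scenario: Poisson event frequency per year, a 90% confidence interval for
# per-event loss (USD), and frequency / loss multipliers once the proposed control is in place. Constructed values.
Scenario = namedtuple("Scenario", "name freq loss_low loss_high freq_factor loss_factor")

def lognormal_params(low, high):
    """Map a 90% confidence interval [low, high] to lognormal mu/sigma (bounds sit at +/-1.645 sigma)."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.645)
    return mu, sigma

def poisson(rng, lam):
    """Poisson draw via Knuth's method; adequate for the small annual event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(scenarios, with_controls, trials=20000, seed=2025):
    """Monte Carlo distribution of annualized loss exposure summed over all scenarios."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        year_loss = 0.0
        for s in scenarios:
            ff, lf = (s.freq_factor, s.loss_factor) if with_controls else (1.0, 1.0)
            mu, sigma = lognormal_params(s.loss_low * lf, s.loss_high * lf)
            for _ in range(poisson(rng, s.freq * ff)):
                year_loss += rng.lognormvariate(mu, sigma)
        totals.append(year_loss)
    totals.sort()
    return {"mean": sum(totals) / trials, "p50": totals[trials // 2], "p90": totals[int(0.9 * trials)]}

def security_value(loss_avoided, revenue_protected, enablement, investment):
    """The paper's portfolio-level ratio: (loss avoided + revenue protected + enablement) / investment."""
    return (loss_avoided + revenue_protected + enablement) / investment

def saas_example():
    """Constructed figures for the hypothetical SaaS production database (ARR of 100M USD assumed)."""
    scenarios = [
        Scenario("credential compromise -> data theft", 0.4, 200_000, 4_000_000, 0.5, 0.7),
        Scenario("ransomware -> prolonged outage", 0.2, 500_000, 8_000_000, 0.8, 0.3),
        Scenario("insider misuse of customer data", 0.1, 50_000, 1_000_000, 0.6, 1.0),
    ]
    before = simulate_annual_loss(scenarios, with_controls=False)
    after = simulate_annual_loss(scenarios, with_controls=True)
    avoided = before["mean"] - after["mean"]
    revenue_protected = 100_000_000 * 0.65 * 0.50  # 65% of ARR depends on the asset; 50% of that at serious risk
    value = security_value(avoided, revenue_protected, enablement=0.0, investment=2_500_000)
    return {"before": before, "after": after, "loss_avoided": avoided, "security_value": value}
```

With a combined event frequency of 0.7 per year, about half of the simulated years carry no loss at all, so the median is near zero while the mean and p90 are driven by the tail; that gap is why the paper recommends reporting a distribution rather than a single number.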
6 Visuals, Tables, and Dashboards
To make the Information Security Value Model usable in day-to-day decision-making, present it through clear visuals and dashboards rather than dense spreadsheets alone. The following elements are particularly helpful for executives:
A revenue-to-asset map showing which information assets underpin which revenue streams.
A cost allocation table that summarizes fixed and variable security costs by asset group.
A risk curve that illustrates expected loss before and after key control investments.
A portfolio view that ranks assets by revenue contribution, expected loss, and current control strength.
For example, a dashboard might display each major asset as a bubble positioned by revenue contribution (x-axis) and expected loss (y-axis), with bubble size representing total security spend and color representing residual risk. This provides an immediate visual cue about where security investment may be misaligned with business value.
7 Communicating Security Value to Executives and the Board
Even the most rigorous model will fail to gain traction if it is not communicated in a language that resonates with executive stakeholders. CISOs should frame security conversations around business outcomes rather than technical metrics. Instead of leading with vulnerability counts or tool coverage, focus on revenue-at-risk, expected loss reduction, and alignment with the organization’s stated risk appetite.
Effective board reporting on security typically includes:
A concise narrative of the current threat environment as it relates to the organization’s strategy.
A summary of the most critical information assets and the revenue or mission outcomes they support.
Quantified estimates of expected loss and how key initiatives are changing that exposure.
A small set of leading and lagging indicators, such as time-to-detect, time-to-contain, and control coverage for high-value assets.
A forward-looking view of significant initiatives, dependencies, and investment decisions required in the next 12–24 months.
By consistently framing security in these terms, CISOs build credibility as business leaders who manage a portfolio of risk and return, rather than as purely technical experts seeking incremental budget.
8 Updated Terminology and Best Practices
The 2025 version of the model aligns with modern security architectures and operational practices. Key concepts include:
1. Zero Trust: assuming no implicit trust based on network location and continuously verifying user and workload identity.
2. Cloud-native security: embedding controls into infrastructure-as-code, CI/CD pipelines, and managed cloud services.
3. AI-augmented defense: leveraging analytics and machine learning to detect anomalies, prioritize alerts, and automate routine actions.
4. Continuous compliance: using automation to maintain and demonstrate adherence to regulatory and customer expectations.
5. Business resilience: integrating cybersecurity with business continuity, crisis management, and operational risk disciplines.
Incorporating these practices into the Information Security Value Model ensures that valuation and cost assumptions reflect today’s operating reality, including shared responsibility with cloud providers and the growing role of automation in both attack and defense.
9 Implementation Roadmap for CISOs
Adopting an economic model for information security does not need to be an all-or-nothing transformation. CISOs can proceed in phases, building credibility and insight along the way.
0–30 Days: Establish the foundation
1. Identify and document the top revenue streams and mission-critical outcomes.
2. Select an initial set of 5–10 critical information assets that support those outcomes.
3. Begin a simple revenue mapping exercise with business and finance partners.
30–60 Days: Build the model
1. Catalogue fixed and variable security costs and begin allocating them to the selected asset set.
2. Define a small number of threat scenarios for each asset and estimate frequency and impact ranges.
3. Use a lightweight risk-quantification approach to produce initial expected loss estimates.
60–120 Days: Operationalize and communicate
1. Refine the model using feedback from finance, risk management, and business leaders.
2. Create dashboards and visuals that present the model in executive-friendly terms.
3. Use the model to inform at least one major investment decision or reallocation of spend.
Ongoing: Iterate and expand
1. Regularly update assumptions based on new threat intelligence, incidents, and business changes.
2. Expand the asset set and improve cost allocation accuracy over time.
3. Track changes in expected loss and security value as part of quarterly performance reviews.
10 Conclusion
Cybersecurity is not a purely technical discipline. It is an economic function that protects and enables the information assets on which modern organizations depend. By treating information as a revenue-producing asset and quantifying both the costs and benefits of security, CISOs can make more informed decisions, communicate more clearly with executives, and compete more effectively with adversaries who already think in financial terms.
The Information Security Value Model presented here provides a practical framework for this shift. It enables security leaders to measure security value as a function of revenue protected and expected loss avoided, and to continuously optimize their investment portfolio in line with the organization’s strategy and risk appetite.
11 References
1. Ferrara, E.S., Determine the Business Value of an Effective Security Program — Information Security Economics 101. Forrester Research, 2012.
2. Jones, J., An Executive’s Guide to Cyber Risk Economics. RiskLens, 2011.
[a] There is debate about whether employee salaries and benefits are truly variable costs.
