Cost of a Breach: Quantifying the ROI of DevSecOps Investment

Security leaders asking for budget to invest in DevSecOps tooling face a predictable request from finance: quantify the ROI. The finance team wants to know what the investment prevents, expressed in dollars. The security team knows intuitively that reducing vulnerabilities reduces breach risk, but translating that intuition into financial terms that CFOs can act on requires a structured approach.

The challenge is not that the ROI is not real. It is. The challenge is that security ROI involves probabilities and counterfactuals — what would have happened if we had not made the investment? Financial models that are comfortable with revenue projections struggle with breach probability estimates.

The FAIR (Factor Analysis of Information Risk) methodology provides a framework for structuring this analysis. Applied specifically to container security improvements, it produces financial estimates that are defensible, auditable, and directly connected to the technical controls being justified.


The FAIR Model Applied to Container Security

FAIR decomposes risk into two primary components: Loss Event Frequency (LEF) and Loss Magnitude (LM). The expected annual loss is LEF × LM.

Loss Event Frequency for container exploits:

LEF = Threat Event Frequency × Vulnerability

For container security:

  • Threat Event Frequency: how often attackers attempt to exploit container vulnerabilities targeting organizations in your sector and size class. CISA reports, breach databases, and insurance actuarial data provide calibration points.
  • Vulnerability: given an attack attempt, what is the probability of success? This is directly related to the CVE density and exploitability of the containers being attacked.

The key insight: reducing CVE density reduces Vulnerability in the FAIR model. An organization that reduces its container CVE count by 90% reduces the probability that any given attack attempt succeeds by a factor that can be estimated based on CVE exploitability data.

Loss Magnitude for a container breach:

Loss components for a breach originating through container exploitation:

  • Response costs (IR team, forensics, containment): $100,000-$500,000 for a contained incident
  • Data exposure costs (notification, credit monitoring, regulatory fines): varies by data sensitivity and scope
  • Reputation and business disruption costs: varies by customer base and brand sensitivity
  • Regulatory penalties: for HIPAA, PCI DSS, GDPR-affected organizations, potential fines based on data volume and negligence determination

IBM’s Cost of a Data Breach report provides industry benchmarks: average total breach cost in 2024 was $4.88M per incident, with container security gaps as a contributing factor in an increasing percentage of breaches.


The Expected Value Calculation

With FAIR components estimated:

Annual Expected Loss = P(breach per year) × Average breach cost

P(breach per year) before DevSecOps investment:

  = Threat attempts × P(success | attempt)
  = (e.g., 0.5 attempts/year) × (e.g., 5% P(success given current CVE density))
  = 0.025 expected breaches per year

Expected annual loss before: 0.025 × $4,880,000 = $122,000

P(breach per year) after 90% CVE reduction:

  = (0.5 attempts/year) × (0.5% P(success with reduced CVE density))
  = 0.0025 expected breaches per year

Expected annual loss after: 0.0025 × $4,880,000 = $12,200

Annual risk reduction: $122,000 – $12,200 = $109,800

This simplified model produces a risk reduction estimate of approximately $110,000 per year from the CVE density reduction. The automated vulnerability remediation investment that produces the 90% CVE reduction is worth approximately $110,000 per year in expected breach cost avoidance.

If the DevSecOps tooling costs $80,000 per year, the ROI on breach prevention alone is 1.375x — before accounting for labor cost savings and compliance cost avoidance.


Labor Cost Savings: The More Predictable ROI Component

The FAIR calculation involves probabilities that CFOs sometimes discount. The labor cost savings from automated remediation are concrete and directly calculable:

Manual CVE remediation cost:

  • 3,000 container CVEs requiring triage × 30 minutes average per CVE = 1,500 hours
  • 1,500 hours × $150/hour loaded cost = $225,000 in manual triage cost

With 90% automated remediation:

  • 300 CVEs requiring manual triage × 30 minutes = 150 hours
  • 150 hours × $150/hour = $22,500 in manual triage cost
  • Labor savings: $202,500

This calculation is auditable, conservative, and does not require probability estimates. The container CVE count, the time-per-CVE estimate, and the loaded labor cost are all verifiable inputs.
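A worked version of the expected-value calculation and the labor-savings arithmetic above, as an added example that is not part of the original article. The scenario figures are the article's illustrative numbers; the class and function names are my own.

```python
"""FAIR-style expected loss, labor savings and ROI for a DevSecOps investment.

Inputs are the article's illustrative figures (constructed, not measured):
0.5 attempts/year, 5% -> 0.5% success probability, $4.88M per breach,
3,000 CVEs at 30 minutes each, $150/hour loaded cost, $80,000/year tooling.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FairScenario:
    """One FAIR scenario: LEF = TEF x Vulnerability, AEL = LEF x LM."""
    threat_event_frequency: float  # attack attempts per year (TEF)
    vulnerability: float           # P(success | attempt)
    loss_magnitude: float          # average cost per breach in USD (LM)

    def loss_event_frequency(self) -> float:
        return self.threat_event_frequency * self.vulnerability

    def annual_expected_loss(self) -> float:
        return self.loss_event_frequency() * self.loss_magnitude


def breach_cost_avoidance(before: FairScenario, after: FairScenario) -> float:
    """Annual risk reduction: expected loss before minus expected loss after."""
    return before.annual_expected_loss() - after.annual_expected_loss()


def manual_triage_cost(cve_count: int, minutes_per_cve: float, hourly_rate: float) -> float:
    return cve_count * (minutes_per_cve / 60.0) * hourly_rate


def labor_savings(cve_count: int, automated_fraction: float,
                  minutes_per_cve: float, hourly_rate: float) -> float:
    """Triage cost of all CVEs minus the cost of the ones still handled by hand."""
    remaining = round(cve_count * (1.0 - automated_fraction))
    return (manual_triage_cost(cve_count, minutes_per_cve, hourly_rate)
            - manual_triage_cost(remaining, minutes_per_cve, hourly_rate))


def roi_multiple(annual_benefit: float, annual_cost: float) -> float:
    return annual_benefit / annual_cost


BEFORE = FairScenario(0.5, 0.05, 4_880_000)    # current CVE density
AFTER = FairScenario(0.5, 0.005, 4_880_000)    # after 90% CVE reduction
TOOL_COST = 80_000


def business_case() -> dict:
    avoided = breach_cost_avoidance(BEFORE, AFTER)
    labor = labor_savings(3000, 0.90, 30, 150)
    return {"breach_cost_avoidance": avoided, "labor_savings": labor,
            "roi_breach_only": roi_multiple(avoided, TOOL_COST),
            "roi_with_labor": roi_multiple(avoided + labor, TOOL_COST)}
```

Running business_case() reproduces the $109,800 risk reduction and $202,500 labor savings from the text, and shows the ROI rising from about 1.37x to about 3.9x once labor savings are included.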


Compliance Cost Avoidance

The third ROI component is the avoidance of compliance costs from failing to meet CVE remediation SLAs:

For FedRAMP-authorized systems: Failing to remediate Critical CVEs within 30 days can trigger audit findings, remediation costs, and in extreme cases, authorization suspension. Authorization suspension for a cloud service provider can mean customer cancellation for the duration — a cost that can exceed the cost of the security program by orders of magnitude.

For PCI DSS QSAs: Non-compliance findings from a QSA assessment require documented remediation and additional validation assessments. Additional QSA engagement costs $50,000-$200,000; the internal remediation work adds more.

For regulated financial institutions: OCC or Fed findings related to vulnerability management can require expensive external consultants, board-level reporting, and formal remediation commitments with regulatory oversight.

These compliance cost avoidance benefits add to the ROI calculation but are harder to quantify without knowing the specific regulatory context and the probability of a compliance failure.



Frequently Asked Questions

How do you calculate ROI in cybersecurity?

Cybersecurity ROI is calculated by comparing the cost of the security investment against the risk reduction it delivers, expressed in financial terms. Using the FAIR methodology, you estimate the expected annual loss before the investment (breach probability times average breach cost), calculate the reduced expected annual loss after the investment, and add concrete savings from labor cost reduction and compliance cost avoidance to determine the total financial return relative to the tool cost.

What metrics and KPIs measure the success of a DevSecOps program?

Key DevSecOps metrics include CVE density reduction (percentage decrease in vulnerabilities across container images), mean time to remediate (MTTR) for Critical and High findings, the ratio of manual versus automated CVE remediations, and labor hours saved per quarter. Financial KPIs include annual breach cost avoidance estimated via FAIR modeling and compliance cost avoidance from meeting remediation SLAs that prevent audit findings or regulatory penalties.

What is the average cost of a data breach globally?

IBM’s 2024 Cost of a Data Breach Report put the average total breach cost at $4.88 million per incident. For organizations whose breaches originate through container exploits, response costs alone range from $100,000 to $500,000 for a contained incident, with data exposure, regulatory fines, and reputational damage adding substantially to the total.

How do you approach the assessment of cybersecurity costs and ROI within your organization?

The most defensible approach separates concrete savings from probability-based estimates. Start with auditable inputs — current CVE count, time-per-CVE for triage, and loaded labor costs — to calculate direct labor savings from automated remediation. Then layer in expected breach cost avoidance using FAIR methodology with explicit probability assumptions. Presenting both components together lets the CFO apply their own risk discount to the probabilistic figures while the labor savings stand on their own.


Presenting the Model to Finance

The presentation structure that works with CFOs:

  1. State the current CVE exposure (specific number, auditable from scan records)
  2. State the CVE reduction achieved by the investment (specific percentage)
  3. Calculate the labor cost savings (concrete math with auditable inputs)
  4. Estimate the expected breach cost avoidance using FAIR methodology (with explicit assumptions)
  5. Present the total: labor savings + breach cost avoidance versus investment cost
  6. Add compliance cost avoidance as a risk adjustment

This presentation separates the concrete from the estimated, lets the CFO apply their own risk discount to the probability-based components, and gives a complete picture of the value case. The security leader who presents this model is having a different conversation than the one who says “we need to invest in security” — they are presenting a business case with verifiable inputs and calculable outputs.

By Admin
