Warning message

You must login or register to view this form.


ROI Methodology is a structured process for evaluating the return of investing in cybersecurity solutions (such as the PANACEA toolkit or parts of it). Its purpose is to support the HCO decision makers in taking the investment decision.

It considers both economic and non-economic returns.

Returns are evaluated in terms of difference between two situations:

  • the investment is not done: this is named “WITHOUT case” and is the baseline situation
  • the investment is done: this is named “WITH case”.

For instance, if we consider only the economic evaluation, the process builds two cashflows (WITH and WITHOUT) and makes the difference between them, building the differential cashflow. Then calculates indicators, such as the net present value.

Objectives of the topic session

In order to contextualize the nudging interventions, we have structured the process in four steps and we aim at understanding how to contextualize each one of them

The process may be articulated in four steps:

  1. Scoping, to describe the investment and to state the time horizon, i.e. the number of years over which the investment is evaluated
  2. Future threat scenarios definition, to make reasonable assumptions on the future possible attacks
  3. WITH and WITHOUT cases description, to describe what happens in case of attack (and between attacks) in case the investment is done (WITH case) and in case investment is not done (WTHOUT case)
  4. ROI evaluation, to elaborate indicators of the differences between the WITH and the WITHOUT cases.