The question "how much does a penetration test cost?" accounts for thousands of monthly searches, but a more strategic question is: what does cybersecurity cost when you don't invest in it? This guide provides a framework for calculating cybersecurity return on investment that translates technical risk into business terms your CFO and board will understand.
The Cost of Doing Nothing
Cybersecurity ROI is fundamentally a risk-reduction calculation. You are not buying a product — you are reducing the expected annual loss from security incidents. The formula is straightforward:
Annual Expected Loss = Probability of Breach × Average Breach Cost
For a mid-market organization, the key inputs are:
- Breach probability: roughly 27% over a 24-month period for a material breach involving ~10,000 records (Ponemon Institute / IBM, Cost of a Data Breach Study) — on the order of a 1-in-7 chance in any given year
- Average breach cost: $4.44M global average (IBM Cost of a Data Breach Report 2025); significantly higher for regulated industries and for U.S. organizations (U.S. average $10.22M)
A managed security program (24/7 monitoring, regular penetration testing, incident response planning) lowers both the likelihood of a breach and its cost once one occurs. Organizations with both an incident-response team and a regularly tested IR plan averaged $2.66M lower breach costs than organizations with neither (IBM/Ponemon, Cost of a Data Breach 2022). Weigh that reduction against your actual managed-security spend to estimate ROI for your organization.
Industry-Specific Breach Costs
Average breach costs vary dramatically by industry. The figures below are from the IBM Cost of a Data Breach Report 2025 (global average $4.44M), except the Professional Services row, which is from the 2024 report — IBM's 2025 global industry chart does not break out that category. Use these figures when building your business case:
| Industry | Average Breach Cost | Key Regulatory Driver |
|---|---|---|
| Healthcare | $7.42M | HIPAA, HITECH, NY SHIELD |
| Financial Services | $5.56M | NY DFS 500, PCI DSS, SEC |
| Technology | $4.79M | SOC 2, GDPR, contractual |
| Legal / Professional Services | $5.08M | ABA Rules, privilege and client-data obligations (IBM groups law firms under "Professional Services," 2024 report) |
Beyond Direct Costs: The Full Impact
The IBM breach cost figure captures direct costs, but the full business impact extends further:
- Regulatory fines: HIPAA civil money penalties carry an annual cap of about $2.19M per identical-provision violation category per calendar year (45 CFR 160.404, inflation-adjusted effective January 28, 2026). NY DFS / NY Banking Law § 44 penalties run in tiers of $2,500, $15,000, and $75,000 per day depending on the violation category. PCI DSS itself imposes no fines — card brands and acquiring banks enforce compliance contractually, passing monthly penalties and higher fees to merchants and threatening loss of card-processing privileges.
- Customer attrition: Lost business — customer turnover, operational downtime, and post-breach support — accounts for roughly $2.8M of the average breach cost (IBM Cost of a Data Breach 2024), and reputational damage compounds over time.
- Operational downtime: Ransomware recovery is slow and expensive — the average recovery cost excluding any ransom paid is $1.53M (Sophos, State of Ransomware 2025), with operational downtime stretching for weeks. Downtime costs compound rapidly when factoring in lost revenue, SLA penalties, and recovery expenses.
- Cyber insurance impact: A filed claim typically raises renewal premiums and tightens terms — lower limits, higher retentions, new sub-limits or exclusions — and after a significant incident some carriers decline to renew altogether, leaving the organization to re-shop coverage in a harder market.
- Competitive disadvantage: SOC 2, ISO 27001, and security questionnaire failures increasingly disqualify vendors from enterprise procurement.
Building the Business Case
When presenting cybersecurity ROI to executive leadership, frame the investment as risk transfer — not as a cost center:
- Quantify current exposure: Annual expected loss without investment (breach probability × cost)
- Quantify residual risk: Annual expected loss with investment (reduced probability × reduced cost)
- Calculate net benefit: Risk reduction minus security investment = net annual benefit
- Add compliance value: Cost of non-compliance (fines, audit failures, contract losses) avoided
- Add insurance impact: Premium reduction from improved security posture (typically 10–25%)
For most mid-market organizations, a comprehensive managed security program — including managed network infrastructure, 24/7 monitoring, annual penetration testing, and architecture hardening — typically pays for itself well before the first serious incident. With the U.S. average breach now at $10.22M (IBM Cost of a Data Breach Report 2025), avoiding or containing even one incident generally outweighs years of program cost; the relevant comparison is not the monthly fee but the avoided cost of detection delay, downtime, forensic response, and regulatory exposure that an unmanaged environment absorbs in full.
Try our interactive ROI calculator to estimate the specific return for your organization based on your industry, company size, and current security posture.