For small businesses, non-profits, municipalities, and other small organizations, cybersecurity is often underfunded and misunderstood — until an incident strikes. But how do you justify proactive spending on tools like vulnerability scanning when there’s no obvious return? The answer lies in a calculation called Return on Mitigation (RoM) — a powerful way to quantify how much financial risk you’re reducing by investing in cybersecurity.
In this post, we’ll walk you through how to calculate RoM for a vulnerability scanning service, using a small fictitious municipality as a case study. We’ll build the calculation up from its inputs, starting with how cyber risk is modeled, so that each step is clear before it feeds into the next.
Step 1: Understanding ARO (Annual Rate of Occurrence)
ARO estimates how often a specific type of cyber incident is expected to occur in a year. For small organizations, common threats include:
| Threat Type | ARO Before Mitigation | ARO After Mitigation |
|---|---|---|
| Unpatched Software Vulnerabilities | 5 | 2 |
| Phishing Attacks | 9 | 2 |
| Malware (non-ransom) | 4 | 0.75 |
| Website/Service Outage | 0.5 | 0.1 |
| Ransomware | 0.75 | 0.2 |
| Credential Theft | 3 | 0.75 |
| Average ARO | 3.71 | 0.97 |
| Total ARO | 22.25 | 5.8 |

The figures above are illustrative for a generic small organization; the case study below uses its own estimate for the one category we analyze.
Because our proposed solution—vulnerability scanning—has the greatest impact on unpatched software vulnerabilities, we will focus our analysis solely on that threat category.
We assume the organization is already performing regular patching but does not currently use vulnerability scanning.
Based on public sector trends, we estimate the ARO for unpatched software vulnerabilities in a municipality with approximately 200 devices (and no vulnerability scanning) to be around 2.5 incidents per year. This is the figure the rest of the case study uses, rather than the illustrative value in the table above.
With regular vulnerability scanning in place, this could reasonably drop to 0.5 incidents per year, an 80% reduction in likelihood.
It’s important to note that a single security service often reduces more than one threat category. To reflect its full value, compute the ALE reduction for each category it affects and add those reductions together. Don’t simply add the ARO values themselves across categories and multiply once, because each category has its own SLE.
The type of threats your specific industry faces, the frequency of incidents, and the impact to your organization can vary considerably. If you are looking for specific details to help dial in your ARO, here are some resources you can use:
- Verizon Data Breach Investigations Report (DBIR) – Offers statistics on breach frequency by industry, incident types, and targeted industries. Recognized widely for its detailed industry breakdowns and trends.
- Identity Theft Resource Center (ITRC) Annual Report – Provides breach counts by sector and tracking of incidents over time.
- IBM / Ponemon “Cost of a Data Breach” Reports – Reports average breach cost by industry (e.g., healthcare, finance, tech).
Step 2: Estimating SLE (Single Loss Expectancy)
SLE is the cost of a single successful cyberattack. For a municipality, a realistic estimate includes:
- $5,000: Incident response and recovery
- $4,000: Downtime costs
- $3,000: Legal and compliance obligations
- $3,000: Public trust/reputation damage
- $2,000: Administrative overhead
That totals to an SLE of $17,000 per incident.
Again, these are just estimates. If your organization has experienced a cybersecurity incident in the past, you may have actual figures to plug in. If not, the resources listed in Step 1 will help you estimate each component of the SLE.
Step 3: Calculating ALE (Annualized Loss Expectancy)
Now that we know how often incidents may occur and how much they cost, let’s get out the ol’ chalk board and calculate ALE. ALE is simply the expected frequency multiplied by the cost of one incident:

ALE = ARO × SLE

Before mitigation:

ALE (before) = 2.5 × $17,000 = $42,500

After mitigation:

ALE (after) = 0.5 × $17,000 = $8,500
Step 4: Risk Reduction
The Risk Reduction is simply the difference between the two ALE values:

Risk Reduction = ALE (before) − ALE (after)

Therefore:

Risk Reduction = $42,500 − $8,500 = $34,000 per year
This is the financial value of risk you’re avoiding each year by implementing vulnerability scanning.
Step 5: Calculating Return on Mitigation (RoM)
RoM helps you understand how much value you’re getting from your cybersecurity investment. It compares the risk you avoid each year with what the control costs each year:

RoM = (Risk Reduction − Annual Cost) ÷ Annual Cost × 100%

Let’s say a vulnerability scanning solution costs $400/month, or $4,800/year.

Therefore:

RoM = ($34,000 − $4,800) ÷ $4,800 × 100% ≈ 608%

That means every $1 spent avoids about $7.08 in expected loss (a $6.08 net benefit after paying for the service), a powerful case for funding even on a tight budget. Note that the return is driven by the difference between the two ALE values, not by the pre-mitigation ALE alone; dividing the full $42,500 by the cost would overstate the return, because some risk remains even with scanning in place.
So What’s a “Good” RoM?
| RoM % | Interpretation |
|---|---|
| < 0% | ❌ Cost outweighs benefit |
| 0 – 100% | ⚠️ Modest return |
| 100 – 300% | ✅ Cost-effective |
| 300 – 600% | 🔒 Strong investment |
| 600% + | 💰 Exceptional return |
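The following Python calculator is an added example, not part of the original post. It carries the case-study figures (2.5 → 0.5 incidents per year, $17,000 SLE, $400/month) through Steps 3 to 5 and the rating table above, sums avoided loss across any number of threat categories a control affects, and adds two checks a practitioner will be asked for in a budget meeting: the break-even price for the service, and how far the post-mitigation ARO could slip before RoM drops out of a given band. The `Threat` class, function names and the second "table figures" scenario are this example's own constructions.

```python
"""Return on Mitigation (RoM) calculator for the ARO / SLE / ALE model.

Added example. Inputs mirror the post's municipality case study:
2.5 -> 0.5 incidents/year, $17,000 SLE, $4,800/year scanning cost.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Threat:
    """One threat category the control mitigates (name and fields are this example's).

    aro_before / aro_after: Annual Rate of Occurrence without and with the control.
    sle: Single Loss Expectancy, dollars per incident, for this category.
    """
    name: str
    aro_before: float
    aro_after: float
    sle: float

    def ale_before(self) -> float:
        return self.aro_before * self.sle          # ALE = ARO x SLE

    def ale_after(self) -> float:
        return self.aro_after * self.sle

    def risk_reduction(self) -> float:
        return self.ale_before() - self.ale_after()


def total_risk_reduction(threats: Iterable[Threat]) -> float:
    """Step 4 across several categories: sum each category's avoided ALE.

    Each category's ARO change is weighted by its own SLE; ARO values are
    never added together directly."""
    return sum(t.risk_reduction() for t in threats)


def return_on_mitigation(risk_reduction: float, annual_cost: float) -> float:
    """Step 5: RoM as a fraction, (avoided loss - cost) / cost. 6.08 means 608%."""
    if annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    return (risk_reduction - annual_cost) / annual_cost


def rate_rom(rom_pct: float) -> str:
    """Map a RoM percentage onto the interpretation bands from the post's table."""
    if rom_pct < 0:
        return "Cost outweighs benefit"
    if rom_pct < 100:
        return "Modest return"
    if rom_pct < 300:
        return "Cost-effective"
    if rom_pct < 600:
        return "Strong investment"
    return "Exceptional return"


def break_even_annual_cost(threats: Iterable[Threat]) -> float:
    """Highest annual price at which RoM is still >= 0 (avoided loss equals cost)."""
    return total_risk_reduction(threats)


def worst_case_aro_after(threat: Threat, annual_cost: float, target_rom: float) -> float:
    """Largest post-mitigation ARO for one category that still meets target_rom
    (3.0 for 300%). Solves (aro_before - x) * sle - cost = target_rom * cost for x,
    so you can see how optimistic the 'after' estimate really needs to be."""
    return threat.aro_before - annual_cost * (1 + target_rom) / threat.sle


def evaluate(threats: list[Threat], annual_cost: float) -> dict:
    """Run Steps 3-5 and return every intermediate figure for the business case."""
    reduction = total_risk_reduction(threats)
    rom = return_on_mitigation(reduction, annual_cost)
    return {
        "ale_before": sum(t.ale_before() for t in threats),
        "ale_after": sum(t.ale_after() for t in threats),
        "risk_reduction": reduction,
        "annual_cost": annual_cost,
        "rom_pct": rom * 100,
        "return_per_dollar": reduction / annual_cost,
        "net_benefit_per_dollar": rom,
        "rating": rate_rom(rom * 100),
        "break_even_monthly_cost": break_even_annual_cost(threats) / 12,
    }


# Case-study inputs from the post: one category, unpatched software.
MUNICIPALITY = [Threat("Unpatched software vulnerabilities", 2.5, 0.5, 17_000)]
SCANNING_COST_PER_YEAR = 400 * 12

# Second scenario constructed from the generic ARO table (5 -> 2) with the same SLE.
TABLE_FIGURES = [Threat("Unpatched software vulnerabilities", 5, 2, 17_000)]


if __name__ == "__main__":
    for label, threats in (("case study", MUNICIPALITY), ("table figures", TABLE_FIGURES)):
        print(f"--- {label} ---")
        for key, value in evaluate(threats, SCANNING_COST_PER_YEAR).items():
            print(f"{key:>24}: {value:,.2f}" if isinstance(value, float) else f"{key:>24}: {value}")
    floor = worst_case_aro_after(MUNICIPALITY[0], SCANNING_COST_PER_YEAR, 3.0)
    print(f"ARO after scanning may rise to {floor:.2f}/yr and still be a 'Strong investment'")
```

For the case study this reports $34,000 of avoided loss, a RoM of about 608% (every $1 spent avoids $7.08 of expected loss), a break-even price of roughly $2,833/month, and shows that the post-mitigation ARO could be as high as 1.37 incidents per year before the service dropped below the 300% band. That last number is the one to bring to a skeptical finance committee: the case does not depend on the most optimistic estimate being right.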
Final Thoughts
Small organizations don’t have the luxury of massive IT teams, but that doesn’t mean they have to accept unnecessary cyber risk.
By measuring Return on Mitigation, you can make informed decisions and justify cybersecurity spending with real numbers — not fear.
A simple investment in a cybersecurity service such as vulnerability scanning could reduce your exposure by tens of thousands of dollars a year — and help protect the public trust.

