A New Approach to Proving Cybersecurity Value (That Isn’t ROI)


Over the past 8 months, Luke (hakluke) Stephens and I have spoken with 10 security executives, surveyed over 550 security professionals, and incorporated insights from HackerOne’s CISO Advisory Board. A key challenge emerged repeatedly in our conversations: security leaders need a better way to measure and justify their investments—one that accounts for the financial impact of mitigated risks.

In this blog, we are excited to announce our white paper on Return on Mitigation (RoM), a framework we designed to quantify the financial impact of security programs in a way that speaks to business leaders.

Why traditional ROI falls short in cybersecurity

Organizations that apply traditional ROI models to cybersecurity often focus on cost-cutting measures like reducing headcount or operational expenses. However, this approach fails to account for security’s primary function: risk reduction and breach prevention.

As one CISO put it in our research:

“Security is often viewed as a cost center, not a revenue driver. ROI doesn’t work because you can’t always show direct returns—it’s about preventing damage, not generating income.”

By nature, security efforts protect revenue, brand reputation, and operational continuity by preventing financial losses rather than generating direct profit. Yet, these benefits are often difficult to quantify, making them harder to justify through traditional financial models.

Introducing the Return on Mitigation (RoM) framework

RoM offers a new way to approach cybersecurity justification by reframing security investments as a means of avoiding future losses—much like an insurance policy.

Instead of measuring revenue gained, RoM calculates mitigated losses. Instead of asking, “What revenue did this investment generate?” RoM asks, “What losses did we prevent by investing in cybersecurity measures?”

It does this by factoring in:

By replacing traditional ROI’s “net profit” with “avoided losses,” RoM can concretely quantify cybersecurity’s financial impact.

The RoM Calculator: A practical tool for security leaders

One of the biggest takeaways from our research was that security leaders need more than theory—they need tools and models to run these calculations in real-world scenarios.

The first-of-its-kind RoM calculator we developed in this study integrates security program results, the likelihood of exploitation (expressed as an Exploitation Likelihood Score, or ELS), and industry benchmarks to calculate total mitigation savings. It provides organizations with defensible metrics for demonstrating the value of their security programs.

Over the last 2 months, I had the opportunity to run countless real-world calculations for HackerOne customers to measure the financial impact of their security programs. The results each time confirm that:

With RoM, it is now possible to demonstrate how every dollar spent on proactive security directly protects the bottom line.

A security leader at a global financial infrastructure provider describes it best:

“RoM allows me to justify a $300,000 investment against a potential $5 million critical breach. With this metric, I can show how mitigating vulnerabilities through continuous security testing prevents costly breaches and justifies spending.”


While the advanced RoM calculator is available to customers, we have also developed a light version that allows anyone to explore the concept and run their own calculations using high and critical severity findings.

HackerOne customers can run RoM calculations in real time

The RoM framework is now available to HackerOne customers, who can use the RoM calculator to measure their security investments in real financial terms.

With the HackerOne AI Copilot, Hai, customers can automate RoM calculations on every vulnerability submitted to the HackerOne platform. This means customers can instantly assess the potential financial impact of each vulnerability and prioritize mitigation efforts based on real risk data. By incorporating program history, industry benchmarks, and other key factors—such as assigned CVSS scores, CVE identifiers, or EPSS figures—we bring additional dimensions into the analysis and make its assumptions as realistic, defensible, and actionable as possible, all within the HackerOne platform.

And that’s just the beginning!


The future of RoM and how you can contribute

RoM provides security teams with a clear, quantifiable way to demonstrate their impact, making it easier to secure buy-in, budgets, and long-term investment in proactive security measures. However, for RoM to become a widely adopted industry standard, we need ongoing input from security professionals.

We’re actively refining RoM to ensure it remains a practical, defensible, and actionable framework for security investment justification. If you’d like to test the RoM calculator and provide feedback on how we can improve it, contact us (or message me on LinkedIn)—we’d love your insights.

To learn more, you can read the full white paper and join HackerOne’s webinar, “Quantify the Financial Impact of Cybersecurity with Return on Mitigation,” on March 12, 2025. In this webinar, we’ll discuss real-world applications of RoM and how you can use it in your organization!
