ROI was never designed to measure preparedness against compounding business loss. Ransomware has evolved into a constant, tangible threat, yet many organizations still rely on ROI frameworks that work well for efficiency gains but were never intended to assess catastrophic business disruption. In this context, the metric leaves critical risk entirely unmeasured. During a serious breach, what starts as a containment effort can quickly escalate far beyond the initial incident. A ransom demand may only be the beginning: ransomware can trigger regulatory scrutiny, mandatory public disclosure, customer churn, operational downtime and a prolonged financial tail. In the middle of an unfolding incident, there is no meaningful “return” to calculate. ROI remains valuable for evaluating operational efficiency, but it was never built to model asymmetric, compounding loss during a crisis—cyber resilience requires an entirely different lens.
Recovery time is important, but it cannot be treated as the primary indicator of preparedness. Systems may return to service quickly while reputational, financial and regulatory consequences continue to unfold. This limitation highlights why traditional ROI frameworks are insufficient for evaluating resilience.
This is where Return on Risk as a response enters the conversation as a more relevant decision-making framework. ROI asks “What do we gain from this investment?” Return on Risk asks “What do we avoid losing, and with what level of confidence?” Return on Risk reframes and prioritizes cybersecurity as a function of preparedness and impact reduction instead of simply as a function of productivity. Rather than asking how security investments improve efficiency, Return on Risk asks how effectively they reduce blast radius, limit financial loss and preserve enterprise value when an attack occurs.
The need for this shift is urgent, as ransomware has become more prevalent, more covert and more costly. Attack methods have evolved from opportunistic encryption events to coordinated, multi-stage campaigns that involve data exfiltration, corrupted backups and extortion. Threat actors increasingly target backup repositories, driving massive downtime and recovery costs in the millions. At the same time, new SEC disclosure rules and expanding regulatory oversight are raising the stakes by requiring faster and more transparent reporting of breaches and attacks. With this increased accountability, organizations are judged not just by the fact of an attack but by how effectively they respond.
The power of Return on Risk becomes clear when recovery capability is verified. Organizations with verified recovery capabilities are better positioned to resist ransom demands and negotiate from a position of strength. Instead of asking if the organization can afford to pay, it can evaluate whether payment is necessary at all. When clean, recoverable data can be validated quickly, uncertainty decreases and executive teams can make decisions based on evidence rather than fear. Over time, this capability also reinforces confidence among regulators, insurers, and boards. This is Return on Risk in action: resilience measured by leverage denied, exposure contained, and confidence preserved.
At its core, Return on Risk moves the conversation from the cost of investment to the cost of exposure. Instead of centering the conversation on investment levels or efficiency gains, it directs attention to exposure, containment capability and decision-making confidence during a crisis. By grounding cybersecurity in measurable risk reduction rather than operational performance alone, organizations elevate resilience from a technical function to a core business safeguard.
About the Author
Jim McGann is CMO of Index Engines. Jim is a globally experienced marketing and business development executive instrumental in developing key relationships and brand development at Index Engines. Jim is experienced with both large established software firms and emerging startups and is a frequent writer and speaker in the areas of ransomware recovery, cyber resilience and unstructured data management.
Jim can be reached through the company website at https://indexengines.com/

