1 Introduction

Users connect to the internet because of the rapid development of internet technology. Unfortunately, cyber-attacks directly target both public and private entities [1]. Cyberattacks are growing exponentially as internet-connected devices like mobile phones and laptops become essential to daily life. While a single attack may have little to no impact, repeated attacks can cause financial loss to an organization. Data breaches exceeded 17% in September 2021, the same as the previous year, according to ITRC data [2]. Data loss in 2021 includes Comcast 1.5 billion, Facebook 533 billion, LinkedIn 500 billion, and Bykea 400 billion [3]. 83 security incidents affecting 5,127,241 records were officially disclosed in February 2022 [4]. By 2025, cybercrime will reach 10.5 trillion annually [5]. To minimize losses, business organizations need proactive approaches to security measures.

The proliferation and sophistication of cyber-breaches render preventive efforts ineffective [6]. Cyber threat protection techniques by themselves cannot identify threats. Consequently, cyber events present two critical questions to private and public sector enterprises: what kind of cyber investment is the best, and how much money should be devoted to safeguarding corporate entities? These questions link well to public education research [7,8,9]. The value of detection and containment procedures is jeopardized by the reluctance of many organizations to discuss their exposures. For instance, an email is the first step in 75% of targeted attacks; in 86% of organizations, users try to link to fraudulent websites, and 86% of attacks aim to bring in money [10]. Further, some businesses spend six months longer than necessary to discover a data breach [11].

The network architecture of a business may appeal to dishonest competitors. There have been known cyber-attacks on these systems, which have disrupted customer service and cost the corporation money [12]. A corporate network can be attacked for several reasons, from employees’ careless online behaviour to a delay in patching vulnerabilities [13]. The under-investment and lifetime management of cyber security investments present additional challenges for enterprises. Before making a financial choice, senior management wants to justify the investment in terms of its returns. What they are worried about is the effect of security breaches across the entire organization, not the security apparatus. Educating the board about the effects on crucial network infrastructures is a massive task for the security manager. Funding security does not equate to financial advantages but can significantly reduce corporate losses [14].

Different ROSI techniques support decision making; however, cyber security still has challenges [14]. Existing frameworks do not estimate the likelihood of a specific exposure. The estimate of an attack is determined by employee exposure and experience instead of attack probability. Since businesses frequently get mixed results under the same circumstances, it is difficult to accurately estimate risk using the same methods [15]. Further, conventional methods only enable the professionals concerned to approximate the budget advantages for a particular situation.

Investments in network security can either directly or indirectly shield essential assets from various threats. Maintaining a complete view of the network security budget is crucial for defence against various attacks. Several studies have been conducted on calculating ROSI, but only a few on computing RONSI. We developed a framework to compute ROSI in network systems and calculate the impact of an attack on essential network resources throughout the enterprise. With great certainty, the likelihood of a cyberattack on network resources is estimated using the Bayesian theorem [16]. The significant contributions of the work are as follows.

  1. Instead of the approximation and user experience on which the traditional approach to computing return on investment relies, the proposed Return on Network Security Investment (RONSI) is based on Bayes’ theorem.

  2. To validate the proposed RONSI framework, the CVSS dataset, two scenarios, and a comparison to prior work are utilized.

  3. The findings demonstrate that the yearly loss without applying a security plan is relatively significant ($7548). The loss is decreased to $1887 using the analytical technique to calculate the RONSI.

  4. An organization can persuasively explain investments in network-related infrastructure using the proposed RONSI framework, which promotes confidence, trust, and reputation.

The remaining paper is formulated as follows. The related works and the current ROSI methodologies are discussed in Sect. 2. A proposed technique for RONSI computation is illustrated in Sect. 3, which facilitates senior management to justify investment decisions for network systems. The evaluation of the framework and the comparison with existing studies are conferred in Sect. 4. The discussion and the limitations of the work are presented in Sect. 5. Finally, the paper is concluded in Sect. 6 with the future research direction.

2 Related works

In this section, the existing ROSI frameworks are studied, compared, and analyzed to identify the most valuable techniques for developing an enhanced ROSI framework [17]. The NIST article [18] described the evaluation process for the ROI of initiatives, and the ENISA study [19] designed a ROSI metric using risk elements. Despite this, there are some restrictions in the report: since the computation is based on static data, the impact of a particular threat on assets is not captured. Attack maps and Bayesian networks are combined in the study to show how cyber threats can be misunderstood [20]. Bistarelli et al. [21] evaluated the information technology security budget, employed defense trees, and placed countermeasures on each leaf. They determined the defenders’ return on investment, security benefit, and single and annual loss probabilities. To evaluate attack strategies and preventive security techniques, Roy et al. [22] provided trees of defense in depth. Attack-countermeasure trees and prevention techniques, such as detection and mitigation, are included on each node.

Ji et al. [23] proposed trees of defence countermeasures, like identification and mitigation, on each node. The graphical security models evaluate network-based protection in terms of success or failure. A list of countermeasures can be used to prioritize security measures. Shawn [27] presented a security attribute-based technique that weighs potential investments against one another to choose the best investment. The model produces quantitative cost estimates but only calculates annual losses. Pontes et al. [28] proposed a model for calculating ROSI based on the Fibonacci sequence. It is possible to acquire security-related notifications, but they do not address the likelihood of the events they concern. Aguiar et al. [29] presented a survey technique that underlined the importance of analysis using ROSI and estimations despite the lack of mathematical processes. Huang et al. [30] discussed the relationship between security spending and hazards while disseminating health information based on economic studies. The research employed a network-based methodology to analyze the financial considerations when investing. The proposed model uses the prior matching returns on security investment ideas. Using game theory, Yonge et al. [31] calculated security investments for carefully planned affiliate invasions. According to the findings, the amount spent on security should rise in direct correlation with the probability of lost gains, and collective investments can boost security while reducing expenses. Sonnenreich et al. [32] proposed a method for assessing return on investment based on past knowledge, interviews, and assumptions.

Fielder et al. [33] suggested a choice of three paths, and a combination of game theory and combinatorial optimization determines their viability in the investment decision. Yaqoob et al. [34] presented a framework that security-focused organizations can use to calculate Bayesian ROSI. Despite providing a thorough mathematical analysis to calculate ROI and annual loss, the authors of this paper place a disproportionate amount of emphasis on the recovered CVSS dataset while mostly ignoring the penetration test findings. Skoufis et al. [44] proposed a techno-economic model to assess the project’s cost viability via the prism of three possible migration routes.

Mamane et al. [45] presented a multi-criteria scheduler for 5G enhanced Mobile Broad Band (eMBB) communications transmission in a busy metropolitan environment. The method combines perceptron weight management with the weighted sum multi-objective optimization employed in neural networks. Eswaran et al. [46] covered private 5G networks, deployment scenarios, spectrum considerations, and security issues. Vajanapoom et al. [47] presented a risk-based method for designing resilient networks. The fundamental design challenge is allocating funds for implementing a survivability approach in various network segments based on risk management, given a functioning network and a fixed budget. Kliks et al. [48] summarised discussions between scientific researchers and network device builders to determine a model’s most likely effective operation in such a complex network environment. These suggestions were created in cooperation with a skilled network architect. Gardikis et al. [49] examined how Software Defined Networking (SDN) and Network Functions Virtualisation (NFV) technologies might be applied to satcom platforms and identified the difficulties of integrating satellite infrastructures into future software-based networks. Zghaibeh et al. [50] proposed a lottery-based pricing system to improve the degree of sharing in peer-to-peer (P2P) networks and aid in the spread of more objects. A comparison of the existing ROSI frameworks is illustrated in Table 1. This study further aids in developing an enhanced RONSI framework by covering the gaps in the existing studies.

Table 1 Study of existing approaches

3 The proposed framework of return on network security investment

This section proposes a redesigned ROSI framework, return on network security investment (RONSI), based on conventional ROSI methodologies to encourage monetary investments in network security. It is assumed that an organization’s network would regularly receive patches from a cybersecurity vendor. Our framework and method for estimating investment in network systems identify the best options with justification. Figure 1 depicts the eight crucial phases of the proposed framework.

Fig. 1 Proposed RONSI framework

Identification of assets is the first phase. In an organization, there may be thousands of networks and related resources. Identification of assets and preparation of the network inventory is thus a crucial process. The classification of network assets is the next phase. The worth of an asset is determined by its criticality, which also identifies all of the organization’s critical network assets. The third phase of the framework includes a vulnerability scan to look for weaknesses. The framework’s fourth phase, internal and external penetration testing, produces a listing of vulnerabilities found by internal and external experts using tools and their subject-matter expertise. Bayes’ statistical theorem determines the probability of a connected threat in the fifth phase [20]. An intrusion’s probability is determined using datasets derived from actual cases [35]. Besides, if the vulnerability is exploited, the annual loss is calculated. By mapping the defects, the sixth phase documents potential defences to reduce the risks. It maps the significance of preventative countermeasures to align with the organization’s business objectives and priorities. In the next phase, the cost–benefit analysis is determined. The final phase offers practical RONSI recommendations. The RONSI methodology predicts the likelihood of an attack on all critical network resources within an organization using a vulnerability scan report as input, validating the model. The model’s practical importance can only be widely applied with a validation procedure. Using a dataset comprised of CVSS results from a vulnerability assessment and threat modelling, the proposed method can predict the frequency of attacks on an organization’s critical network assets. To fully comprehend the phases of the proposed framework, this study combines methods for conducting threat investigations and attack mitigation strategies described in [36].

A hypothetical penetration testing scenario has been used as the test case in Fig. 2 to illustrate the phases of the proposed framework. A secure web application running over the internet is available. Firewalls, routers, switches, and intrusion detection systems verify user credentials before granting them access to restricted resources. Various intruders and attackers flood the network with traffic, implant malware, and monitor user activities like successful and unsuccessful logins to gather information on the system’s operation. This process investigated significant assets, accompanying exposures, and related hazards. The countermeasures are examined, and RONSI is calculated using this analysis. The components of each phase are illustrated in the sections that follow.

Fig. 2 The context for the penetration testing case

3.1 Phase 1: asset identification

This phase identifies connected vital assets that could significantly impact the business if compromised. Identifying networks and other related assets used in operating the business is crucial at this point. The ISO 27001 Framework is applied [38]. Table 2 illustrates the asset identification step of our method.

Table 2 Asset recognition

3.2 Phase 2: asset categorization

This step determines the criticality of assets in terms of confidentiality (C), integrity (I), and availability (A) using Eq. 1.

$$ {\text{Criticality}} = C + I + A $$
(1)

C, I, and A each have a value ranging from 1 to 5. A higher criticality value denotes the asset’s need for critical protection. We have labeled the router, firewall, IDS, and database server as critical assets in the diagram, as shown in Table 1. The monetary cost of assets can be calculated using Eq. 2.

$$ {\text{Monetary}}\;{\text{ value}} = {\text{Critical}}\;{\text{ value}} \times {\text{Physical}}\;{\text{ cost}}\;{\text{ of}}\;{\text{ asset}} $$
(2)

3.3 Phase 3: vulnerability scanning

This stage locates user privacy occurrences, also known as vulnerabilities [39]. It can be accomplished using protection technologies, readily available resources, skilled security professionals, and advisory services. Figure 3 displays how traffic flooding, scanning, and the injection of malicious software in the given context might cause DDoS and information theft attacks. The attack targets are man-in-the-middle, phishing, and gaining access. The three methods used are user action, injection, and input verification.

Fig. 3 Example scenario of penetration testing

This step outlines all flaws in operational and security procedures and in system configuration that could lead to successful security violations, as shown in scenario 1. In the hypothetical situation, DDoS assaults are simulated, and systems are tested by being inundated with network traffic. Attackers looking to steal information probe numerous systems, including servers, routers, firewalls, and intrusion detection systems, as well as user behaviour, to uncover gaps in the infrastructure. The attacker gathers relevant data. Table 3 illustrates the target, tactics, and attack simulation details.

Table 3 Simulation of attack

3.4 Phase 4: penetration testing

Vulnerability scanning warns organizations of their code’s pre-existing defects. Penetration tests exploit a system’s exposures to determine whether unauthorized entry or other adversary action is achievable and which weaknesses jeopardize the application. Penetration testing is carried out both internally and externally at this phase. Internal penetration testing is carried out inside a company while considering the surroundings. External penetration testing, on the other hand, is carried out by a different organization. Figure 3 represents the goal: to identify open ports that should not be utilized, active apps that can be attacked, and the status of software that brings with it several updates and threats to the program and systems.

Figure 3 depicts attack modelling using a quantitative design analysis method to identify pertinent weaknesses early in the design process. Such techniques offer comprehensive information on how a specific application or system could be attacked by identifying critical data flows, vulnerabilities, and access points, as illustrated in the figure; a penetration testing report is exhibited in Table 4.

Table 4 Report on penetration testing

Input verification contributes up to 65% of attacks, according to vulnerability and penetration scanning, which reveal unnecessary open network ports and running services and that new patches are not deployed. According to the scan, user activity and the introduction of malware account for 25% and 10% of online application vulnerabilities, respectively. The scan shows that, because of unintentionally open ports in networks, attackers can delay network activity and consume large amounts of bandwidth. If realized, these events could result in severe financial and identity loss.

3.5 Phase 5: impact analysis

This phase estimates the likelihood and consequences of an effective violation concerning the asset’s severity. The limitation of the current approaches is that since they rely on the employee’s knowledge, assessments of the chance that a threat will materialize cannot make an objective claim. As a result, different values will be obtained using the same methodology when RONSI is calculated under identical conditions. The proposed methodology overcomes these constraints by including a robust statistical prediction model based on the Bayesian theorem to systematically analyze the likelihood of assaults on network systems [34]. The dataset includes the following components of the fictitious scenario that assisted in foreseeing the threat’s appearance.

  • For specific servers, the number of unpatched and known vulnerabilities.

  • Criticality of devices in terms of ratings.

  • The vulnerabilities disclosure rate.

Bayes’ theorem explains how to calculate the probability of a hypothesis about the general population from the evidence in a sample. There are many advantages to applying mathematical procedures and uncertainty estimates correctly. The Bayesian probability is calculated using Eq. 3.

$$ P\left( {A\left| B \right.} \right) = \frac{{P\left( A \right) *P\left( {A\left| B \right.} \right)}}{{P\left( B \right) + P\left( {A^{\sim } \left| B \right.} \right)*P\left( {A^{\sim } } \right)}} $$
(3)

A and B are events.

P(A|B) gives the probability that A will happen given B.

P(B) demonstrates the probability that event B will take place.

P(A˜) shows the probability that event A would not happen.

P(A˜|B) denotes the conditional probability that event A does not happen given B.

The likelihood in the given scenarios is estimated with the support of some prior statistics. The Bayesian approach is practical and responds only to a few individual estimates. Uncertainty in the predictions is logically accounted for by a trustworthy predictive measure [41]. In the sample, a web server that displays all the files in a requested directory when the default base file is missing is used to gain access, introduce malware, or provoke attacks such as a DDoS assault. Attack data shows that the input verification method accounts for 35% of events. Malware injection allows unauthorized access to 45% of systems, which are then attacked by opening unauthorized network ports, while user login-related problems account for attacks on 20% of systems.

In contrast, for attacks that steal information, 40% of systems are hacked because of problems with input validation, 50% because of problems getting access through malware injection, and 10% because of human activity. According to the findings of the network scans, which were previously detailed in Sect. 2, there is a 65%, 25%, and 10% likelihood, respectively, that an asset will be vulnerable through input verification, malware insertion, and user activity in penetration testing. How likely are DDoS and data theft attempts to hit our system due to these flaws? The likelihood of a DDoS attack and the likelihood of data theft are calculated using Eq. 4.

P(A) = possibility that input verification was not thorough enough.

P(B) = Possibility of introducing malware.

P(C) = Potential for user activity.

P(A|D) = likelihood of a DDoS attack because of inadequate input verification.

P(D|B) = DDoS likelihood in the event that the input verification phase is skipped.

P(D|P) = likelihood of DDoS should problems with user activity continue.

$$\begin{aligned} {\text{P}}\left( {{\text{A}}\left| {\text{D}} \right.} \right)& = \frac{{{\text{P}}\left( {\text{A}} \right){\text{ * P}}\left( {{\text{D}}\left| {\text{A}} \right.} \right)}}{{{\text{P}}\left( {\text{A}} \right){\text{*P}}\left( {{\text{D}}\left| {\text{A}} \right.} \right) + {\text{P}}\left( {\text{B}} \right){\text{*P}}\left( {{\text{D}}\left| {\text{B}} \right.} \right){ } + {\text{ P}}\left( {\text{C}} \right){\text{ * P}}\left( {{\text{D}}\left| {\text{C}} \right.} \right){ } + {\text{ P}}\left( {{\text{D}}^{\sim } \left| {\text{A}} \right.} \right){\text{*P}}\left( {{\text{A}}^{\sim } } \right)}} \\ &= \frac{{0.35{*}0.65}}{{0.35{*}0.65 + 0.50{*}0.25{ } + 0.10{*}0.10 + { }0.35{*}0.60}} = 0.{398} \end{aligned}$$
(4)

Similar estimates are made for the likelihood that inserting malicious code will result in a DDoS attack using Eq. 5.

P(A) = Probability of insufficiency of input verification.

P(B) = likelihood of introducing malware.

P(C) = likelihood of user activity.

P(A|D) = likelihood of a DDoS attack due to inadequate input verification.

P(D|B) = DDoS likelihood in the event that the input verification phase is skipped.

P(D|P) = likelihood of DDoS should problems with user activity continue.

$$ \begin{aligned} P\left( {A\left| D \right.} \right) &= \frac{{P\left( A \right) * P\left( {D\left| A \right.} \right)}}{{P\left( A \right)*P\left( {D\left| A \right.} \right) + P\left( B \right)*P\left( {D\left| B \right.} \right) + P\left( C \right) * P\left( {D\left| C \right.} \right) + P\left( {D^{\sim } \left| A \right.} \right)*P\left( {A^{\sim } } \right)}}\\ &= \frac{0.50*0.25}{{0.50*0.25 + 0.40*0.65 + 0.10*0.10 + 0.50*0.75}} = \, 0.162 \end{aligned}$$
(5)

Similarly, Eq. 5 determines the likelihood that a DDoS attack would occur due to a code execution vulnerability. The same method is then used to evaluate the risk that a DDoS attack may happen due to user behaviour.

P(A) = likelihood of inadequate input verification.

P(B) = likelihood of introducing malware.

P(C) = likelihood of user activity.

P(A|D) = likelihood of a DDoS attack due to inadequate input verification.

P(D|B) = likelihood of a DDoS attack should the input validation process go unchecked.

P(D|P) = likelihood of DDoS should problems with user activity continue.

$$ \begin{aligned} &= \frac{0.10*0.10}{{0.10*0.10 + 0.40*0.65 + 0.50 * 0.10 + 0.90*0.90}}\\& = 0.0085\end{aligned} $$

By adding up specific vulnerabilities aimed at the successful attack realization, the chance of an information theft assault can be estimated.

$$ {\text{Probability }}\;{\text{of}}\;{\text{ attack }} = \, 0.{398} + 0.{162} + 0.00{85} = 0.{568} $$

Next, we estimate the probability of information theft resulting from inadequate input verification.

P(A) = likelihood of inadequate input verification.

P(B) = likelihood of introducing malware.

P(C) = likelihood of user activity.

P(A|D) = likelihood of information theft owing to inadequate input verification.

P(D|B) = likelihood of information theft in the case that the input verification process is disregarded.

P(D|U) = Probability of information theft in the event of malware injection.

P(D|P) = Probability of information theft in the event that user activity problems continue.

$$ \begin{aligned}&= \frac{0.40*0.65}{{0.40*0.65 + 0.25*0.50 + 0.10*0.10 + 0.60*0.60}}\\ &= 0.344\end{aligned} $$

Calculations are made to determine how likely it is that information will be stolen as a result of malware injection.

P(A) = likelihood of inadequate input verification.

P(B) = likelihood of introducing malware.

P(C) = likelihood of user activity.

P(A|D) = likelihood of information theft owing to inadequate input verification.

P(D|B) = likelihood of information theft owing to inadequate input verification.

P(D|U) = likelihood of information theft in the event of malware injection.

P(D|P) = likelihood of information theft should user activity issues persist.

$$ \begin{aligned}&= \frac{0.10*0.10}{{0.10*0.10 + 0.40*0.65 + 0.25*0.40 + 0.90*0.90}} \\ &= 0.0084\end{aligned} $$

The likelihood of an information theft attack by user behaviour is calculated using the earlier method.

P(A) = likelihood of inadequate input verification.

P(B) = likelihood of introducing malware.

P(C) = likelihood of user activity.

P(A|D) = likelihood of information theft owing to inadequate input verification.

P(D|B) = likelihood of information theft in the case that the input verification process is disregarded.

P(D|U) = Probability of information theft in the event of malware injection.

P(D|P) = Probability of information theft in the event that user activity problems continue.

$$\begin{aligned} &= \frac{0.25*0.40}{{0.25*0.40 + 0.40*0.65 + 0.10*0.10 + 0.75*0.90}} \\ &= 0.0956\end{aligned} $$

It is feasible to calculate the probability of information theft or intrusion by compiling all of the vulnerabilities that led to assault realization.

$$ Attack\; \, probability \, = 0.344 \, + 0.0084 \, + 0.0956 \, = \, 0.448 $$
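To make the six calculations above reproducible, the following is an added worked example in Python; it is not code from the paper. It implements the posterior in exactly the layout of Eq. 4, including the paper’s trailing P(D˜|X)·P(X˜) denominator term, and feeds it the factors exactly as they appear in each equation. The cause labels follow the 65%, 25%, and 10% scan shares stated for input verification, malware insertion, and user activity; the individual results agree with the figures in the text to within rounding (for Eq. 4 the arithmetic gives 0.397 against the reported 0.398), and the summed attack probabilities land within rounding of the reported 0.568 and 0.448.

```python
"""Attack-likelihood estimation in the layout of the paper's Eqs. 4 and 5.

Added worked example, not code from the paper. Each posterior is computed
exactly as the paper lays it out:

    P(X|D) = P(X) P(D|X) / [ P(X) P(D|X) + sum_k P(k) P(D|k) + P(D~|X) P(X~) ]

The sum over k covers the competing causes of the same attack D; the trailing
P(D~|X) P(X~) product is the paper's own extra denominator term.  Every factor
below is copied from the corresponding equation in the text, so the results can
be checked against the reported figures.
"""
from __future__ import annotations

Term = tuple[float, float]  # the two factors of one product term, e.g. (P(X), P(D|X))


def _joint(term: Term) -> float:
    """Product of the two factors of a term."""
    return term[0] * term[1]


def posterior(target: Term, competing: list[Term], extra: Term) -> float:
    """Share of attack D attributed to the target cause, in the paper's Eq. 4 form.

    target    -- (P(X), P(D|X)) for the cause of interest
    competing -- (P(k), P(D|k)) for every other cause of the same attack
    extra     -- the two factors of the paper's trailing term P(D~|X) * P(X~)
    """
    numerator = _joint(target)
    denominator = numerator + sum(_joint(t) for t in competing) + _joint(extra)
    return numerator / denominator


def attack_probability(cases: list[tuple]) -> float:
    """Phase 5 aggregation: the paper adds the per-cause posteriors together."""
    return sum(posterior(target, competing, extra) for _, target, competing, extra in cases)


# Cause labels follow the scan shares stated in the text (prior 0.65 = input
# verification, 0.25 = malware insertion, 0.10 = user activity).  Each entry is
# (label, target term, competing terms, extra term), factors exactly as in the paper.
DDOS_CASES = [
    ("input verification", (0.65, 0.35), [(0.25, 0.50), (0.10, 0.10)], (0.35, 0.60)),  # Eq. 4, paper: 0.398
    ("malware injection",  (0.25, 0.50), [(0.65, 0.40), (0.10, 0.10)], (0.50, 0.75)),  # Eq. 5, paper: 0.162
    ("user activity",      (0.10, 0.10), [(0.65, 0.40), (0.10, 0.50)], (0.90, 0.90)),  # paper: 0.0085
]

THEFT_CASES = [
    ("input verification", (0.65, 0.40), [(0.25, 0.50), (0.10, 0.10)], (0.60, 0.60)),  # paper: 0.344
    ("user activity",      (0.10, 0.10), [(0.65, 0.40), (0.25, 0.40)], (0.90, 0.90)),  # paper: 0.0084
    ("malware injection",  (0.25, 0.40), [(0.65, 0.40), (0.10, 0.10)], (0.75, 0.90)),  # paper: 0.0956
]


def report(title: str, cases: list[tuple]) -> None:
    """Print each posterior and the summed attack probability for one attack type."""
    print(title)
    for label, target, competing, extra in cases:
        print(f"  {label:<20} {posterior(target, competing, extra):.4f}")
    print(f"  {'attack probability':<20} {attack_probability(cases):.3f}")


if __name__ == "__main__":
    report("DDoS (paper: 0.568)", DDOS_CASES)
    report("Information theft (paper: 0.448)", THEFT_CASES)
```

Run the file directly to print the six posteriors and the two sums. `posterior` accepts any number of competing causes, so the same function serves an inventory with more exposure classes than the three used in this scenario.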

According to the information in Table 5, three key assets, a router, a firewall, and a database server, make up the presented scenario’s total DDoS attack losses ($). The following calculation can be used in the impact analysis [32] to determine the likely loss resulting from the realization of significant asset risks, using Eq. 6.

$$ \begin{aligned} {\text{Impact}}& = \sum\limits_{a = 1}^{n} {\text{expose factor}}_{a} *{\text{value of asset}}_{a} \\ &\quad + {\text{recovery cost}}_{a} \end{aligned}$$
(6)

where a = 1, …, n indexes the assets and \(recovery\;{cost}_{a}\) is the price of recovery to restore an asset to its initial condition.

$$ \begin{aligned} {\text{Impact}}& = \sum\limits_{a = 1}^{3} \left( {25/100*2500 + 375 } \right) \\ &+ \left( {25/100*3750 + 560} \right) + \left( {65/100*4000 + 628} \right) \\ & = \$ 1000 + \$ 1498 + \$ 3228 = \$ 5726 \\ \end{aligned} $$

Table 5 The DDoS attack’s effects

The economic loss ($) in the scenario being presented is calculated using the information in Table 6 [34]; there are six essential resources: a firewall, router, web server, database server, and application server.

$$ \begin{aligned} {\text{Impact}} = & \mathop \sum \limits_{a = 1}^{6} \left( {40/100*2500 + 375 } \right) \\ &+ \left( {40/100*3750 + 560} \right) \\&+ \left( {40/100*3125 + 500} \right) \\ & + \left( {50/100*1250 + 125} \right) \\&+ \left( {50/100*4000 + 625} \right) \\&+ \left( {50/100*1560 + 250} \right) \\ & = \$ 1375 + \$ 2060 + \$ 1750 + \$ 750 \\&+ \$ 2625 + \$ 1030 = \$ 9590 \\ \end{aligned} $$

Table 6 Impact information on the information theft attack

Equation 7 can be used to compute annual loss.

$$ {\text{Annual}}\;{\text{loss}} = {\text{Impact}} \times {\text{likelihood}} $$
(7)

The annual loss due to DDoS attacks ($) is

$$ {\text{Annual }}\;{\text{loss}} = 5726 \times 0.568 = \$ 3252 $$

The annual loss due to theft of information attacks ($) is

$$ {\text{Annual}}\;{\text{ loss}} = 9590*0.448 = \$ 4296 $$

The total annual loss ($) can be calculated using Eq. 8.

$$\begin{aligned} {\text{Total }}\;{\text{annual }}\;{\text{loss}} &= AL {\text{due}}\;{\text{ to }}DDoS{\text{ attack}} \\ &+ AL {\text{due }}\;{\text{to }}\;{\text{theft }}\;{\text{of }}\;{\text{information}}\;{\text{ attack}}\end{aligned} $$
(8)

$$ {\text{Total }}\;{\text{annual}}\;{\text{ loss}} = \$ 3252 + \$ 4296 = \$ 7548 $$

The prevailing annual loss, given that exploitable intrusions are realized on our system, is estimated using Eq. 9.

$$ {\text{Annual}}\;{\text{ loss}} = a_{0} + \mathop \sum \limits_{t = 1}^{n} {\text{loss}}_{t} \times {\text{likelihood}}_{t} $$
(9)

where t = 1, …, n indexes the threats, \({loss}_{t}\) is the loss of assets due to threat t, and \({likelihood}_{t}\) is the likelihood of occurrence of threat t.

3.6 Phase 6: information mapping and business priority alignment

This phase involves identifying credible threats and connecting them to relevant information. The threats are aligned with the company’s processes, goals, and priorities. This facilitates business owners’ understanding of organizational threat scenarios.

3.7 Phase 7: cost–benefit analysis, RONSI

Since it estimates the annual loss before and after protective measures are implemented, the cost–benefit analysis aids in determining the significance of the countermeasures. The case studies presented show a difference between the two annual losses. The loss is barely noticeable after the countermeasure.

We examine every factor affecting the estimation; cost and budget justification are crucial. We evaluate gaps and the effects of investments on a company’s core business function rather than utilizing traditional methodologies. Discussions with industry experts and a panel of subject matter experts have taken place to take other considerations into account when calculating the total investment cost. Based on the interviews, critical parameters are included in this study: cost of implementation, advisory charges, installation, annual maintenance charges, and training. These five parameters are considered in this study while calculating the total cost of investment using Eq. 10.

$$ \begin{aligned} {\text{Total}}\;{\text{ cost}}\;{\text{ of}}\;{\text{ investment}} &= \mathop \sum \limits_{c = 1}^{n} {\text{Cost }}\;{\text{of }}\;{\text{implementation}}\;\\ &\quad { + }\;{\text{Cost}}\;{\text{ of}}\;{\text{ advisory}}\;{\text{ charges}} \\ & \quad + \;{\text{Cost }}\;{\text{of}}\;{\text{ installation}}\; \\ & \quad+ \;{\text{Cost }}\;{\text{of }}\;{\text{annual}}\;{\text{ maintenance}}\;{\text{ charges}} \\ & \quad+ \;{\text{Cost}}\;{\text{ of}}\;{\text{ training}} \\ \end{aligned} $$
(10)

j denotes the number of treatments to handle the occurrence of the event.

$$ \begin{aligned}{\text{Total}}\;{\text{ cost }}\;{\text{of }}\;{\text{investment}} &= \$ 3750 + \$ 30 + \$ 125 \\ & \quad + \$ 60 + \$ 30 \left( {20} \right) = \$ 3995 \end{aligned}$$

The RONSI calculation based on cost–benefit analysis is our concern here. Preventative actions were covered earlier. The likelihood of risk realization should be lower after the preventative measures in the plan are put into practice. The likelihood of risk realization drops to 0.25 [42], demonstrating the benefit of preventative action for the organization. The cost–benefit analysis is essential in measuring the impact of preventative measures because it compares the annual loss before and after the deployment of preventative measures. A noticeable difference between the two annual losses can be seen in the figure. After precautions, the loss is reduced from $7548, a rather significant loss, to $7548*0.25 = $1887.

3.8 Phase 8: justification procedure

The organizational loss can be computed using Eq. 11, and RONSI offers senior management a convincing defence of the purchase and its value.

$$ RONSI = \sum_{n = 1}^{\infty} 100 \cdot \frac{ALE_{i,j} - mALE_{i,j}(j) - \text{cost of solution}}{\text{cost of solution}} $$
(11)

RONSI identifies the value of a potential investment. A positive return supports the financing decision; otherwise, the investment is not worthwhile. A zero return marks the break-even point between loss avoided and cost incurred.
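The following is an added worked example, not code from the paper, that carries the figures of Eqs. 10 and 11 through in Python: the five cost parameters of the worked cost example, the $7548 annual loss, and the 0.25 residual likelihood from Phase 7. The `Treatment` class, `modified_ale` helper and the fund/break-even/reject rule are this example's own constructions.

```python
from dataclasses import dataclass


@dataclass
class Treatment:
    """One security treatment with the five cost parameters of Eq. 10 (USD)."""
    name: str
    implementation: float
    advisory: float
    installation: float
    annual_maintenance: float
    training: float

    def total_cost(self) -> float:
        return (self.implementation + self.advisory + self.installation
                + self.annual_maintenance + self.training)


def total_cost_of_investment(treatments) -> float:
    """Eq. 10: the five cost parameters summed over all treatments."""
    return sum(t.total_cost() for t in treatments)


def modified_ale(ale: float, residual_likelihood: float) -> float:
    """mALE (hypothetical helper): annual loss expectancy after treatment,
    i.e. the ALE scaled by the residual likelihood of risk realization."""
    return ale * residual_likelihood


def ronsi(ale: float, male: float, cost_of_solution: float) -> float:
    """Eq. 11 for one treatment, as a percentage of the solution cost."""
    if cost_of_solution <= 0:
        raise ValueError("cost of solution must be positive")
    return 100.0 * (ale - male - cost_of_solution) / cost_of_solution


def justified(ronsi_pct: float) -> str:
    """Phase 8 decision rule: positive return funds the investment,
    zero is break-even, negative means it is not worthwhile."""
    if ronsi_pct > 0:
        return "fund"
    return "break-even" if ronsi_pct == 0 else "reject"


# Figures taken from the paper's worked example (Eq. 10) and Phase 7.
PLAN = [Treatment("preventive plan", 3750, 30, 125, 60, 30)]
ALE_BEFORE = 7548.0          # annual loss with no security plan
RESIDUAL_LIKELIHOOD = 0.25   # likelihood after preventative measures

if __name__ == "__main__":
    cost = total_cost_of_investment(PLAN)                 # 3995
    male = modified_ale(ALE_BEFORE, RESIDUAL_LIKELIHOOD)  # 1887
    r = ronsi(ALE_BEFORE, male, cost)                     # about 41.7
    print(f"cost={cost:.0f} mALE={male:.0f} RONSI={r:.1f}% -> {justified(r)}")
```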

4 Evaluation

Comparing the proposed method to the existing ones shows that it provides better accuracy. Unlike conventional techniques, which mostly rely on hypotheses, we evaluate the possibility of an intrusion using CVSS datasets and the expertise of subject matter experts. Traditional ROSI frameworks rely on prior information, contributor data, and the examination of false inferences. The suggested framework offers a mathematically based way of computing a single loss, in contrast to the conventional methodology. The annual loss is bounded using Bayes' technique, whereas traditional frameworks compute loss based on beliefs obtained from employees' experiences, comprehension, and consequences. This fills a gap in existing methodologies, which are unable to analyze the impact of network infrastructure expenditure. The study's findings show that the annual loss without a security plan is quite significant, at $7548, and that the proposed RONSI model reduces it to $1887. Table 6 summarizes the comparison between the standard and suggested procedures.

The proposed RONSI method is evaluated by comparing its results with those of existing methods. This model's performance in calculating network security investment shows that the suggested methodology is effective and efficient compared to other methods and approaches like Return on Network Security Investment (RONSI). It is compared to the existing methods Security Attribute Evaluation Method (SAEM), Return on Security Investment (ROSI), and Volatile Transaction Authentication Insurance Method (VTAIM). The figures show the accuracy (%), false rate, and complexity of the recommended approach. The process of choosing the most beneficial features based on the outputs of models and forecasts is known as feature engineering. Table 7 summarizes the comparison between the standard and proposed procedures.

Table 7 Analytical framework

The accuracy is calculated using Eq. 12, as the number of correct predictions divided by the total number of predictions. Figure 4 illustrates the accuracy of the proposed system alongside the accuracy of the existing systems. SAEM has attained 52%, ROSI has acquired 73%, VTAIM has reached 89%, and the proposed system has attained 98% accuracy. The proposed approach is more effective, as illustrated in Table 8.

$$ \text{Accuracy} = \frac{\text{Correct predictions}}{\text{Total number of predictions}} $$
(12)
Fig. 4 Accuracy

Table 8 Accuracy

The false rate technique computes the false detection rate and analyses transaction information to build volatile insurance and safety features at various time intervals and to prevent false results. Figure 5 portrays the false rate of the proposed system. SAEM has achieved 92%, ROSI has acquired 72%, VTAIM has attained 63%, and the proposed system attained a 43% false rate. This shows that the proposed method performs better than the current work, as presented in Table 9.

Fig. 5 False rate

Table 9 False rate

Complexity risk mitigation in the final product depends on user transaction interest verification for volatile insurance authenticity, which does not make suggestions through transaction features. Session time and transaction support are based on complexity analysis in online banking services. Figure 6 shows the complexity of the proposed system. SAEM has attained 71%, ROSI has acquired 62%, VTAIM has reached 81%, and the proposed system has attained 52% complexity. This demonstrates that the proposed approach is more practical, as shown in Table 10.

Fig. 6 Complexity

Table 10 Complexity

Mathematical modeling of the optimal amount demonstrates the relationship between vulnerability and the ideal degree of information security investment. The optimal amount spent on information security will always be at most 37% of the anticipated harm brought on by the security incident. Besides, investing in the files with the most significant risks is very costly, as shown in Fig. 7.

Fig. 7 The optimal value of security investments as a function of vulnerability

5 Discussion

Without quantitative estimations and models, the chance of an attack is only estimated from documented data or personal experience, which results in an erroneous assessment. The platform includes exact asset classifications, threat models, and methods to study the impact. The proposed system employs Eqs. 1 and 2 to calculate and prioritize assets. Additionally, it draws on ISO 27001 techniques for asset lists. These are reasonable first steps to determine which assets risk significant losses. Identification of the assets on which the manifestation of a threat could inflict considerable damage depends on asset classification and priority. The suggested method calculates the statistical likelihood of a danger materializing using the potent Bayesian theorem (Eq. 3). The CVSS attack dataset, vulnerability scan, internal and external penetration test reports, and threat modeling results are used as input to calculate the likelihood of threat scenarios in an organization. The proposed RONSI framework employs a practical, forward-looking Bayesian methodology to reduce the likelihood of danger. As shown in Tables 4 and 5, traditional methods frequently do not offer a way to estimate exposure and pertinent dangers. Traditional ROSI frameworks rely on conjecture, historical data, employee knowledge, and estimation.

In contrast to existing approaches, the proposed approach includes a mathematical formula to compute single losses. Equations 7 and 8, based on vulnerabilities and attacks in the provided framework, determine the likelihood of the annual loss and the overall investment cost in network systems. This makes it more manageable to investigate how network security investments affect the overall infrastructure, which more traditional approaches do not address.

In SAEM's quantitative risk and benefit evaluation, an analyst or investigator conducts structured interviews with I.T. and security managers to gather the initial data [27]. The return on security investment (ROSI) calculation method was developed as a variation of the well-known accounting statistic used to compare investments, ROI (Return on Investment). ROSI measures the value an organization receives for each dollar spent [34]. The Volatile Transaction Authentication Insurance Method (VTAIM), applied to banking services, aims to increase the security of the online banking platform for its customers by lowering the false rate and failures on the transaction server [51]. Table 7 emphasizes the comparison between the proposed method and the existing approaches. A comparative study in terms of accuracy, false rate, and complexity is presented in Tables 8, 9 and 10, respectively.

5.1 Threats to validity

The primary concern is the categorization of cyber security threats by data set and the selection of patterns. The first significant step combines attack statistics, vulnerability scan results, and penetration test reports. The possibility of new attacks could change over time, affecting priority setting and impact evaluations.

5.2 Limitation of the study

The study is considered using a specific attack dataset, a vulnerability and penetration testing report, and the proposed RONSI methodology. The study does not assess other losses, including reputational damage and potential legal action due to data loss. Further analysis of diverse network attack datasets is needed to support investment choices.

6 Conclusion and future work

The proposed network-based investment framework (RONSI) is presented to justify the investment in adequate network security controls and related systems. The paper extends current frameworks and compares and analyses the various ROSI models. Several ROSI-related approaches are presented. The complexity of attacks, however, makes it challenging to predict how investment affects multiple aspects of an organization. Likewise, the current understanding of attack occurrences is riddled with uncertainty, which considerable effort is required to overcome.

The relationships between the critical components and the methods for determining the RONSI are demonstrated. Different approaches are provided for calculating the likelihood and consequences of a network attack. The proposed framework is validated using CVSS datasets and compared with existing studies. The results demonstrate that, after implementing the security strategy plan and using the suggested analytical model to compute RONSI, the annual loss has been reduced by 75%. The evaluation's findings show that the proposed method effectively accounts for uncertainty. Automating a thorough exploratory analysis of the suggested RONSI approach in various organizational scenarios is paramount for future work.