RONSI: a framework for calculating return on network security investment

This competitive environment is rapidly driving technological modernization. Sophisticated cyber security attacks are expanding exponentially, inflicting reputation damage and financial and economic loss. Since security investments may take time to generate revenues, organizations need more time to convince top management to support them. Even though several ROSI techniques have been put forward, they still do not address network-related infrastructure. By addressing gaps in existing techniques, this study delivers a comprehensive framework for calculating Return on Network Security Investment (RONSI). The proposed framework uses a statistical prediction model based on Bayes' theorem to calculate the RONSI. It is validated with Common Vulnerability Security Systems (CVSS) datasets and compared to existing studies. The results demonstrate that the annual loss is reduced to 75% with the proposed RONSI model after implementing a security strategy. An organization can thereby effectively justify investments in network-related infrastructure while enhancing its credibility and dependability in the cutthroat marketplace.


Introduction
Users connect to the internet because of the rapid development of internet technology. Unfortunately, cyber-attacks directly target both public and private entities [1]. Cyberattacks are growing exponentially as internet-connected devices like mobile phones and laptops become essential to daily life. While a single attack may have little to no impact, repeated attacks can cause financial loss to an organization. Data breaches exceeded 17% in September 2021, the same as the previous year, according to ITRC data [2]. Data loss in 2021 includes Comcast 1.5 billion, Facebook 533 billion, LinkedIn 500 billion, and Bykea 400 billion [3]. 83 security incidents affecting 5,127,241 records were officially disclosed in February 2022 [4]. By 2025, cybercrime will reach 10.5 trillion annually [5]. To minimize losses, business organizations need proactive approaches to security measures.
The proliferation and sophistication of cyber-breaches render preventive efforts ineffective [6]. Cyber threat protection techniques by themselves cannot identify threats. Consequently, cyber events present two critical questions to private and public sector enterprises: What kind of cyber investment is the best, and how much money should be devoted to safeguarding corporate entities? These questions link well to public education research [7][8][9]. The value of detection and containment procedures is jeopardized by the reluctance of many organizations to discuss their exposures. For instance, an email is the first step in 75% of targeted attacks; in 86% of organizations, users try to link to fraudulent websites, and 86% of attacks aim to bring in money [10]. Further, some businesses spend six months longer than necessary to discover a data breach [11].
The network architecture of a business may appeal to dishonest competitors. There have been known cyber-attacks on these systems, which have disrupted customer service and cost the corporation money [12]. A corporate network can be attacked for several reasons, from employees' careless online behaviour to a delay in patching vulnerabilities [13]. The under-investment and lifetime management of cyber security investments present additional challenges for enterprises. Before making a financial choice, senior management wants to see the investment justified in terms of returns. What they worry about is the effect of security breaches across the entire organization, not the security apparatus itself. Educating the board about the effects on crucial network infrastructures is a considerable task for the security manager. Funding security does not equate to financial advantages but can significantly reduce corporate losses [14].
Different ROSI techniques support decision making; however, cyber security still has challenges [14]. Existing frameworks do not estimate the likelihood of a specific exposure. Employee exposure and experience, instead of attack probability, determine the estimate of an attack. Since businesses frequently get mixed results under the same circumstances, it is difficult to accurately estimate risk using the same methods [15]. Further, conventional methods only enable the professionals concerned to approximate budget advantages for a particular situation.
Investments in network security can either directly or indirectly shield essential assets from various threats. Maintaining a complete view of the network security budget is crucial for defence against various attacks. Several studies have been conducted on calculating ROSI, but only a few on computing RONSI. We developed a framework to compute ROSI in network systems and calculate the impact of an attack on essential network resources throughout the enterprise. With great certainty, the likelihood of a cyberattack on network resources is estimated using the Bayesian theorem [16]. The significant contributions of the work are as follows.
1. Instead of the approximation and user experience of the traditional approach to computing return on investment, the proposed Return on Network Security Investment (RONSI) is based on the Bayesian theorem.
2. To validate the proposed RONSI framework, the CVSS dataset, two scenarios, and a comparison to prior work are utilized.
3. The findings demonstrate that the yearly loss without applying a security plan is relatively significant ($7548). The loss is decreased to $1887 using the analytical technique to calculate the RONSI.
4. An organization can persuasively explain investments in network-related infrastructure using the proposed RONSI framework, which promotes confidence, trust, and reputation.
The remainder of the paper is organized as follows. The related works and the current ROSI methodologies are discussed in Sect. 2. The proposed technique for RONSI computation, which helps senior management justify investment decisions for network systems, is illustrated in Sect. 3. The evaluation of the framework and the comparison with existing studies are presented in Sect. 4. The discussion and the limitations of the work are presented in Sect. 5. Finally, the paper is concluded in Sect. 6 with future research directions.

Related works
In this section, the existing ROSI frameworks are studied, evaluated, and analyzed to identify the most valuable techniques for developing an enhanced ROSI framework [17]. The NIST article [18] described the evaluation process for initiatives' ROI, and the ENSA study [19] designed a ROSI metric using risk elements. Despite this, there are some restrictions in the report. Since the computation is based on static data, a particular threat may impact assets. Attack maps and Bayesian networks are combined in the study to show how cyber threats can be misunderstood [20]. Bistarelli et al. [21] evaluated the information technology security budget, employed defense trees, and placed countermeasures on each leaf. They determine the defenders' return on investment, security benefit, and single and annual loss probabilities. To evaluate attack strategies and preventive security techniques, Roy et al. [22] provided trees of defense in depth. Attack-countermeasure trees and prevention techniques, such as detection and mitigation, are included on each node.
Ji et al. [23] proposed trees of defence countermeasures, like identification and mitigation, on each node. The graphical security models evaluate network-based protection in terms of success or failure. A list of countermeasures can be used to prioritize security measures. Shawn [27] presented a security attribute-based technique that weighs potential investments against one another to choose the best investment. The model produces quantitative cost estimates but only calculates annual losses. Pontes et al. [28] proposed a model for calculating ROSI based on the Fibonacci sequence. It is possible to acquire security-related notifications, but they do not address the likelihood of the events they concern.
Aguiar et al. [29] presented a survey technique that underlined the importance of analysis using ROSI and estimations, despite the lack of mathematical processes. Huang et al. [30] discussed the relationship between security spending and hazards while disseminating health information based on economic studies. The research employed a network-based methodology to analyze the financial considerations when investing. The proposed model uses the prior matching returns on security investment ideas. Using game theory, Yonge et al. [31] calculated security investments for carefully planned affiliate invasions. According to the findings, the amount spent on security should rise in direct correlation with the probability of lost gains, and collective investments can boost security while reducing expenses. Sonnenreich et al. [32] proposed a method for assessing return on investment based on past knowledge, interviews, and assumptions.
Fielder et al. [33] suggested a choice of three paths, and a combination of game theory and combinatorial optimization determines their viability in the investment decision. Yaqoob et al. [34] presented a framework that security-focused organizations can use to calculate Bayesian ROSI. Despite providing a thorough mathematical analysis to calculate ROI and annual loss, the authors of this paper place a disproportionate amount of emphasis on the recovered CVVS dataset while mostly ignoring the penetration test findings. Skoufis et al. [44] proposed a techno-economic model to assess the project's cost viability through the prism of three possible migration routes.
Mamane et al. [45] presented a multi-criteria scheduler for 5G enhanced Mobile Broad Band (eMBB) communications transmission in a busy metropolitan environment. The method combines perceptron weight management with the weighted sum multi-objective optimization employed in neural networks. Eswaran et al. [46] covered private 5G networks, deployment scenarios, spectrum considerations, and security issues. Vajanapoom et al. [47] presented a risk-based method for designing resilient networks. The fundamental design challenge is allocating funds for implementing a survivability approach in various network segments based on risk management, given a functioning network and a fixed budget. Kliks et al. [48] summarised discussions between scientific researchers and network device builders to determine a model's most likely effective operation in such a complex network environment. These suggestions were created in cooperation with a skilled network architect. Gardikis et al. [49] examined how Software Defined Networking (SDN) as well as Network Functions Virtualisation (NFV) technologies might be applied to satcom platforms, and identified the difficulties of integrating satellite infrastructures into future software-based networks. Zghaibeh et al. [50] proposed a lottery-based pricing system to improve the degree of sharing in peer-to-peer (P2P) networks and aid in the spread of more objects. A comparison of the existing ROSI frameworks is illustrated in Table 1. This study further aids in developing an enhanced RONSI framework by covering the gaps in the existing studies.

The proposed framework of return on network security investment
This section proposes a redesigned ROSI framework, return on network security investment (RONSI), based on conventional ROSI methodologies to encourage monetary investments in network security. It is assumed that an organization's network regularly receives patches from a cybersecurity vendor. Our framework and method for estimating investment in network systems selects the best methods, with justification. Figure 1 depicts the eight crucial phases of the proposed framework. Identification of assets is the first phase. In an organization, there may be thousands of networks and related resources, so identifying assets and preparing a network inventory is a crucial process. The classification of network assets is the second phase. The worth of an asset is determined by its criticality, which also identifies all of the organization's critical network assets. The third phase of the framework includes a vulnerability scan to look for weaknesses. The fourth phase, internal and external penetration testing, produces a list of vulnerabilities found by internal and external experts using tools and their subject-matter expertise. In the fifth phase, Bayes' theorem determines the probability of a connected threat [20]. The probability of an intrusion is determined using datasets derived from actual cases [35], and the annual loss is calculated for the case where the vulnerability is exploited. By mapping the defects, the sixth phase documents potential defences to reduce the risks; it maps the significance of preventative countermeasures to align with the organization's business objectives and priorities. In the seventh phase, the cost-benefit analysis is determined. The final phase offers practical RONSI recommendations. The RONSI methodology predicts the likelihood of an attack on all critical network resources within an organization using a vulnerability scan report as input, which validates the model. The model's practical importance can only be widely applied with a validation procedure. Using a dataset comprised of CVSS results from a vulnerability assessment and threat modelling, the proposed method can predict the frequency of attacks on an organization's critical network assets. To fully comprehend the phases of the proposed framework, this study combines methods for conducting threat investigations and attack mitigation strategies described in [36].

Table 1 A comparison of the existing ROSI frameworks

Study | Technique | Limitation | Remarks
(study name not present in the extracted text) | Defence trees | The method disregards computer problem instances | Because of organizations' general reluctance to share attack information with the public, owing to the potential harm to their image, it may be difficult to quantify the impact of an attack
The optimal security investment [22] | Attack trees | Impact analysis and vulnerability analysis results are not considered in the study | Addresses dynamic intrusion response, but not model scalability difficulties
The cybersecurity analysis for cyber-physical systems [23] | Attack defense trees | The study did not consider asset identification based on practical implementation or vulnerability assessment; it emphasized calculating attack costs, ROI, and impact | Defenders should focus on concerns related to potential assaults that hackers can use maliciously to undermine network security while discovering system vulnerabilities
The security investment analysis [25] | T-HARM | This approach dealt with patterns while utilizing data | If the network is dynamic, it is challenging to analyze such investments
Cost-benefit evaluation based on security [27] | Cost-benefit study | Financial information and cost estimations are not evaluated in the study | Assessing security technology without considering an organization's information system environment is difficult
The ROSI calculation framework using risk management [28] | Fibonacci sequence | This study does not consider the risk management framework | Many traders have difficulty understanding the findings due to the intricacy of the data
The optimal security investment in healthcare [30] | Economic analysis | Instead of using actual data, the study makes use of mathematical models that are based on hypotheses | It is predicated on the notion that rational economic actors and only economic equilibrium exist
Using decision support systems, invest in cybersecurity [32] | Game theory, combinatorial optimization, and hybrid approach | Practicing the techniques suggested in this study in organizations is challenging | It cannot explain why we could enter a Nash equilibrium in certain circumstances
Framework for calculating ROSI [33] | Bayesian approach | The study focused on annual loss estimation using CVVS data, ROI calculation, and vulnerability assessment as inputs, but lacked live data and penetration test report specifics | There is no way to build a network from widely acknowledged data

Fig. 1 Proposed RONSI framework

Fig. 2 The context for the penetration testing case

A hypothetical penetration testing scenario has been used as the test case in Fig. 2 to illustrate the phases of the proposed framework. A secure web application running over the internet is available. Firewalls, routers, switches, and intrusion detection systems verify user credentials before granting them access to restricted resources. The various invaders and attackers flood the network with traffic, implant malware, and monitor user activities like successful and unsuccessful logins to gather information on the system's operation. This process investigated significant assets, accompanying exposures, and related hazards. The countermeasures are examined, and RONSI is calculated using this analysis. The following sections illustrate the components of each phase.

Phase 1: asset identification
This phase identifies connected vital assets that could significantly impact the business if compromised. Identifying the networks and other related assets used in operating the business is crucial at this point. The ISO 27001 framework is applied [38]. Table 2 illustrates the asset identification step of our method.

Phase 2: asset categorization
This step determines the criticality of assets in terms of confidentiality (C), integrity (I), and availability (A) using Eq. 1.
C, I, and A each have a value ranging from 1 to 5. A higher critical value denotes the asset's need for critical protection. We have labeled the router, firewall, IDS, and database server as critical assets in the diagram, as shown in Table 1. The monetary cost of assets can be calculated using Eq. 2.

Monetary value = Critical value × Physical cost of asset   (2)

Phase 3: vulnerability scanning
This stage locates user privacy occurrences, also known as vulnerabilities [39]. It can be accomplished using protection technologies, readily available resources, skilled security professionals, and advisory services. Figure 3 displays how traffic flooding, scanning, and the injection of malicious software in the given context might cause DDoS and information theft attacks. Man in the middle, phishing, and gaining access are the attack targets. The three methods used are user action, injection, and input verification. This step outlines all operational and security procedures and system configuration flaws that could lead to successful security violations, as shown in scenario 1. In the hypothetical situation, DDoS assaults are simulated, and systems are tested by being inundated with network traffic. Attackers looking to steal information probe numerous systems, including servers, routers, firewalls, intrusion detection systems, and user behaviour, to uncover gaps in the infrastructure. The attacker gathers relevant data. Table 3 illustrates the target, tactics, and attack simulation details.

Phase 4: penetration testing
Vulnerability scanning warns organizations of their code's pre-existing defects. Penetration tests exploit a system's exposures to determine whether unauthorized entry or other adversary action is achievable and which weaknesses jeopardize the application. Penetration testing is carried out both internally and externally at this phase. Internal penetration testing is carried out inside a company while considering the surroundings. External penetration testing, on the other hand, is carried out by a different organization. Figure 3 represents the goal: to identify open ports that should not be utilized, active apps that can be attacked, and the status of updates, each of which brings with it several changes and threats to the program and systems. Figure 3 also depicts attack modelling using a quantitative design analysis method to identify pertinent weaknesses early in the design process. Such techniques offer comprehensive information on how a specific application or system can be attacked by identifying critical data flows, vulnerabilities, and access points, as illustrated in the figure, and a penetration testing report is exhibited in Table 4.
Input verification contributes to up to 65% of attacks, according to vulnerability and penetration scanning, which reveals that unnecessary network ports and operating services are present and new patches are not deployed. According to the scan, user activity and the introduction of malware account for 25% and 10% of online application vulnerabilities, respectively. The scan shows that because of unintentionally open ports in networks, attackers can delay network activity and consume large amounts of bandwidth. These events could result in severe financial and identity loss if realized.

Phase 5: impact analysis
This phase estimates the likelihood and consequences of an effective violation with respect to the asset's severity. The limitation of the current approaches is that, since they rely on the employee's knowledge, assessments of the chance that a threat will materialize cannot make an objective claim. As a result, different values will be obtained using the same methodology when RONSI is calculated under identical conditions. The proposed methodology overcomes these constraints by including a robust statistical prediction model based on the Bayesian theorem to systematically analyze the likelihood of assaults on network systems [34]. The dataset includes the following components of the fictitious scenario that assisted in foreseeing the threat's appearance.
• For specific servers, the number of unpatched and known vulnerabilities.
• Criticality of devices in terms of ratings.
• The vulnerability disclosure rate.
The Bayesian theorem explains how to calculate the odds that the general population will test and accept a sample's hypotheses. There are many advantages to applying mathematical procedures and uncertainty estimates correctly. The Bayesian probability is calculated using Eq. 3.

P(A|B) = \frac{P(A)\,P(B|A)}{P(B)} = \frac{P(A)\,P(B|A)}{P(A)\,P(B|A) + P(\tilde{A})\,P(B|\tilde{A})}   (3)

A and B are events. P(A|B) gives the probability that A will happen given B, and P(B|A) the probability of B given A. P(B) is the probability that event B will take place, expanded in the denominator over A and its complement.
P(\tilde{A}) shows the probability that event A would not happen.
P(B|\tilde{A}) denotes the conditional probability of event B in the absence of event A.
The likelihood in the given scenarios is estimated with the support of some prior statistics. The Bayesian approach is practical and does not rely on individual estimates alone; uncertainty in the predictions is logically constrained by a trustworthy predictive measure [41]. In the sample, a web server is used to launch a DDoS assault that displays all the files in a requested directory but leaves out the default base file, in order to gain access, introduce malware, or provoke attacks. Attack data shows that the input verification method accounts for 35% of events. Malware injection allows unauthorized access to 45% of systems, which are then attacked by opening unauthorized network ports, while user login-related problems account for attacks on 20% of systems.
In contrast, for attacks that steal information, 40% of systems are hacked because of problems with input validation, 50% because of access gained through malware injection, and 10% because of human activity. According to the findings of the network scans, which were previously detailed in Sect. 2, there is a 65%, 25%, and 10% likelihood, as established by penetration testing, that an asset will be vulnerable through input verification, malware insertion, and user activity, respectively. How likely are DDoS and data theft attempts to hit our system due to these flaws? The likelihood of a DDoS attack and the likelihood of data theft are calculated using Eq. 4. According to the information in Table 5, three key assets (a router, a firewall, and a database server) make up the presented scenario's total DDoS attack losses ($). The following calculation can be used in the impact analysis [32] to determine the likely loss resulting from the realization of significant asset risks, using Eq. 6.
\text{Impact} = \sum_{a=1}^{n} \left( \text{exposure factor}_a \times \text{value of asset}_a + \text{recovery cost}_a \right)   (6)

where n is the number of assets and recovery cost_a is the price of recovery to restore an asset to its initial condition. This economic loss ($) in the scenario being presented is calculated using the information in Table 6 [34]; there are six essential resources: a firewall, router, web server, database server, and application server. The annual loss is calculated using Eq. 7.

\text{Annual loss} = \text{Impact} \times \text{likelihood}   (7)

The annual loss due to DDoS attacks ($) is

\text{Annual loss} = 5726 \times 0.568 = \$3252

The annual loss due to theft of information attacks ($) is

\text{Annual loss} = 9590 \times 0.448 = \$4296

The total annual loss ($) can be calculated using Eq. 8.

\text{Total annual loss} = \text{AL due to DDoS attack} + \text{AL due to theft of information attack}   (8)

\text{Total annual loss} = \$3252 + \$4296 = \$7548

Because our system is subject to usable invasions, we estimate the prevalent annual loss using Eq. 9.

\text{Annual loss} = a_0 + \sum_{t=1}^{n} \text{loss}_t \times \text{likelihood}_t   (9)

where t indexes the threats (n is their number), loss_t is the loss of assets due to threat t, and likelihood_t is the probability of occurrence of threat t.

Phase 6: information mapping and business priority alignment
This phase involves identifying credible threats and connecting them to relevant information. The threats are aligned with the company's processes, goals, and priorities. This helps business owners understand the organization's threat scenarios.

Phase 7: cost-benefit analysis, RONSI
Since it estimates the annual loss before and after protective measures are implemented, the cost-benefit analysis aids in determining the significance of the countermeasures. The case studies presented show a difference between the two annual losses; the loss is barely noticeable after the countermeasure. We examine every factor affecting the estimation, and cost and budget justification are crucial. Rather than utilizing traditional methodologies, we evaluate gaps and the effects of investments on a company's core business function. Discussions with industry experts and a panel of subject matter experts have taken place to take other considerations into account when calculating the total investment cost. Based on the interviews, five critical parameters are included in this study: cost of implementation, advisory charges, installation, annual maintenance charges, and training. These five parameters are considered while calculating the total cost of investment using Eq. 10. The RONSI calculation based on cost-benefit analysis is our concern here; preventative actions were covered earlier.

Total cost of investment
The likelihood of risk realization should be lower after the preventative measures in the plan are put into practice. The likelihood of risk realization drops to 0.25 [42], demonstrating the benefit of preventative action for the organization. The cost-benefit analysis is essential in measuring the impact of preventative measures because it compares the annual loss before and after the deployment of preventative measures. A noticeable difference between the two annual losses can be seen in the figure. After precautions, the loss is reduced from $7548, a rather significant loss, to $7548 × 0.25 = $1887.

Phase 8: justification procedure
The organizational loss can be computed using Eq. 11, and RONSI offers senior management a convincing defence of the purchase and its value.

RONSI   (11)
RONSI identifies the value of a potential investment. A positive yield supports the financing decision; otherwise, the investment is not worthwhile. A zero return, however, shows that the justification is the most useful one.
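The Phase 5, 7 and 8 calculations above (Eqs. 2, 3, 6 to 9 and the 0.25 post-countermeasure likelihood) carried through in Python, as an added example that is not code from the paper. The impact values 5726 and 9590 and the likelihoods 0.568 and 0.448 are the paper's own figures; the asset list and the investment cost are constructed placeholders, and the RONSI formula is the conventional ROSI form (loss reduction minus cost, over cost), assumed here because the paper does not print Eq. 11.

```python
"""RONSI worked example (added; not the paper's code).

Assumed: Eq. 11 takes the conventional ROSI form, and the asset list and
investment cost below are constructed placeholders.
"""
from dataclasses import dataclass


def bayes_posterior(prior_a: float, p_b_given_a: float, p_b_given_not_a: float) -> float:
    """Eq. 3: P(A|B) = P(A)P(B|A) / (P(A)P(B|A) + P(~A)P(B|~A))."""
    for p in (prior_a, p_b_given_a, p_b_given_not_a):
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    evidence = prior_a * p_b_given_a + (1.0 - prior_a) * p_b_given_not_a
    if evidence == 0.0:
        raise ValueError("P(B) is zero, so P(A|B) is undefined")
    return prior_a * p_b_given_a / evidence


@dataclass(frozen=True)
class Asset:
    """One network asset as classified in Phase 2 (constructed values)."""
    name: str
    critical_value: int      # 1..5, derived from the C/I/A rating
    physical_cost: float     # purchase/replacement cost in $
    exposure_factor: float   # fraction of the asset's value lost when exploited
    recovery_cost: float     # cost to restore the asset to its initial state

    def monetary_value(self) -> float:
        """Eq. 2: Monetary value = Critical value x Physical cost of asset."""
        if not 1 <= self.critical_value <= 5:
            raise ValueError(f"{self.name}: critical value must be 1..5")
        return self.critical_value * self.physical_cost


def impact(assets) -> float:
    """Eq. 6: sum over assets of exposure factor x asset value + recovery cost."""
    return sum(a.exposure_factor * a.monetary_value() + a.recovery_cost for a in assets)


def annual_loss(impact_value: float, likelihood: float) -> int:
    """Eq. 7: Annual loss = Impact x likelihood, rounded to whole dollars as in the paper."""
    return round(impact_value * likelihood)


def total_annual_loss(threats, fixed_loss: float = 0.0) -> int:
    """Eqs. 8 and 9: a0 + sum over threats of loss_t x likelihood_t."""
    return round(fixed_loss + sum(annual_loss(loss, p) for loss, p in threats))


def loss_after_countermeasures(loss_before: int, residual_likelihood: float = 0.25) -> int:
    """Phase 7: the paper scales the annual loss by the post-countermeasure likelihood (0.25)."""
    return round(loss_before * residual_likelihood)


def ronsi(loss_before: float, loss_after: float, investment_cost: float) -> float:
    """Assumed form of Eq. 11: (loss reduction - investment cost) / investment cost."""
    if investment_cost <= 0:
        raise ValueError("investment cost must be positive")
    return (loss_before - loss_after - investment_cost) / investment_cost


# Constructed asset list (not the paper's Table 6) to exercise Eqs. 2 and 6.
SAMPLE_ASSETS = (
    Asset("router", 5, 2000.0, 0.5, 300.0),
    Asset("firewall", 5, 3000.0, 0.4, 500.0),
    Asset("database server", 4, 5000.0, 0.6, 1000.0),
)


def paper_scenario(investment_cost: float = 3000.0) -> dict:
    """Reproduce the paper's Phase 5/7 figures from its impacts and likelihoods."""
    ddos = annual_loss(5726, 0.568)             # $3252
    theft = annual_loss(9590, 0.448)            # $4296
    before = ddos + theft                       # $7548 (Eq. 8)
    after = loss_after_countermeasures(before)  # $1887
    return {
        "ddos": ddos,
        "theft": theft,
        "before": before,
        "after": after,
        # investment_cost is a placeholder; the paper does not state Eq. 10's value
        "ronsi": ronsi(before, after, investment_cost),
    }


if __name__ == "__main__":
    print("sample impact (Eq. 6):", impact(SAMPLE_ASSETS))
    for key, value in paper_scenario().items():
        print(f"{key}: {value}")
```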

Evaluation
Comparing the proposed method to the existing ones shows better accuracy. Unlike conventional techniques, which mostly rely on hypotheses, we evaluate the possibility of an invasion using CVSS datasets and the expertise of subject matter experts. Traditional ROSI frameworks rely on prior information, contributor data, and the examination of false inferences. The suggested framework offers a mathematically based way of computing a single loss, in contrast to the conventional methodology. The annual loss is constrained using Bayes' technique, whereas traditional frameworks compute loss based on beliefs obtained from employees' experience, comprehension, and consequences. This fills a gap in existing methodologies, which cannot analyze the impact of network infrastructure expenditure. The study's findings show that the annual loss without a security plan is quite significant, at $7548, and that the proposed RONSI model reduces it to $1887. Table 6 summarizes the comparison between the standard and suggested procedures.

Table 7 (column headings): Specification | Proposed approach | ROSI for security organization [34] | Cost-benefit analysis [27] | Practical model [32]
Table 7 (first row): The methodical approach of identifying the likelihood

The proposed RONSI method is evaluated by comparison and evaluation of the results. This model's performance in calculating network security investment shows that the suggested methodology is effective and efficient compared to other methods and approaches. It is compared to the existing methods Security Attribute Evaluation Method (SAEM), Return on Security Investment (ROSI), and Volatile Transaction Authentication Insurance Method (VTAIM). The figures exhibit the accuracy (%) rate of the recommended approach together with its false rate and complexity. The process of choosing the most beneficial features based on the outputs of models and forecasts is known as feature engineering. Table 7 summarizes the comparison between the standard and proposed procedures.
The accuracy is calculated using Eq. 12, the number of correct predictions divided by the total number of predictions. Figure 4 illustrates the accuracy of the proposed system. The prediction accuracy of existing systems and the proposed system is shown. SAEM has attained 52%, ROSI has acquired 73%, VTAIM has reached 89%, and the proposed system has attained 98% accuracy. The proposed approach is more effective, as illustrated in Table 8.

\text{Accuracy} = \frac{\text{Correct predictions}}{\text{Total number of predictions}}   (12)

The false rate technique computes the false rate detection and transaction information analysis to build volatile insurance and safety features at various time intervals and prevent false rates. Figure 5 portrays the false rate of the proposed system. SAEM has achieved 92%, ROSI has acquired 72%, VTAIM has attained 63%, and the proposed system attained a 43% false rate. It shows that the proposed method compares favourably with the current work, as presented in Table 9. Complexity risk mitigation in the final product depends on user transaction interest verification for volatile insurance authenticity, which does not make suggestions through transaction features. Session time and transaction support are based on complexity analysis in online banking services. Figure 6 shows the complexity of the proposed system. SAEM has attained 71%, ROSI has acquired 62%, VTAIM has reached 81%, and the proposed system has attained 52% complexity. It demonstrates that the proposed approach is more practical, as shown in Table 10.
Mathematical modeling of the optimal amount demonstrated the relationship between vulnerability and the ideal degree of information security investment. The optimal amount spent on information security will always be at most 37% of the anticipated harm brought on by the security incident. Besides, investing in the files with the most significant risks is very costly, as shown in Fig. 7.

Discussion
Without quantitative estimations and models, the chance of an assault is only estimated based on documented data or personal experience, which results in an erroneous assessment. The platform includes exact asset classifications, threat models, and methods to study the impact. The proposed system employs Eqs. 1 and 2 to calculate and prioritize assets. Additionally, it adopts ISO 27001 techniques for asset lists. These are reasonable first steps to determine which assets risk significant losses. Identification of the assets on which the manifestation of a threat could inflict considerable damage depends on asset classification and priority. The suggested method calculates the statistical likelihood of a danger materializing using the potent Bayesian theorem (Eq. 3).
The CVSS attack dataset, vulnerability scan, internal and external penetration test reports, and threat modeling results are used as input to calculate the likelihood of threat scenarios in an organization. The proposed RONSI framework employs a practical, forward-looking Bayesian methodology to reduce the likelihood of danger. As shown in Tables 4 and 5, traditional methods frequently lack a way to estimate exposure and the pertinent dangers. Traditional ROSI frameworks rely on conjecture, historical data, employee knowledge, and estimation.
In contrast to existing approaches, the proposed approach includes a mathematical formula to compute single losses. Equations 7 and 8, based on the vulnerabilities and attacks in the provided framework, determine the likelihood of the annual loss and the overall investment cost in network systems. This makes it more manageable to investigate how network security investments affect the overall infrastructure, something more traditional approaches leave unaddressed.
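The chain the discussion describes, a Bayesian likelihood of a threat materializing feeding an annual-loss and investment-cost comparison, can be illustrated end to end. This is an added example and not the paper's code: the paper's Eqs. 1-3, 7 and 8 are not reproduced on this page, so it uses the textbook Bayes update, the standard ALE = SLE × ARO definition, and the usual return-on-investment ratio; the control is modelled as reducing the exposure factor, and every number is constructed.

```python
"""Bayesian threat likelihood feeding an ALE / RONSI estimate (added example).

ASSUMPTIONS (the page does not give the paper's formulas): textbook Bayes update,
ALE = asset_value * exposure_factor * P(attack per year), and
RONSI = (ALE_before - ALE_after - control_cost) / control_cost.
"""
from dataclasses import dataclass


@dataclass
class ThreatEvidence:
    prior: float           # P(attack) from the historical attack dataset
    p_ev_attack: float     # P(evidence | attack): scan finds an exploitable flaw
    p_ev_no_attack: float  # P(evidence | no attack): scan's false-positive rate


def posterior_attack_probability(e: ThreatEvidence) -> float:
    """Bayes: P(attack | evidence) = P(ev | attack) P(attack) / P(ev)."""
    p_ev = e.p_ev_attack * e.prior + e.p_ev_no_attack * (1.0 - e.prior)
    return e.p_ev_attack * e.prior / p_ev


def annual_loss_expectancy(asset_value: float, exposure_factor: float,
                           p_attack_per_year: float) -> float:
    """ALE = SLE * ARO, with SLE = asset value * exposure factor."""
    return asset_value * exposure_factor * p_attack_per_year


def ronsi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Return on network security investment over one year."""
    return (ale_before - ale_after - control_cost) / control_cost


def evaluate_control(asset_value: float, exposure_before: float,
                     exposure_after: float, evidence: ThreatEvidence,
                     control_cost: float) -> dict:
    """Posterior likelihood, ALE before/after the control, and the RONSI."""
    p = posterior_attack_probability(evidence)
    before = annual_loss_expectancy(asset_value, exposure_before, p)
    after = annual_loss_expectancy(asset_value, exposure_after, p)
    return {"p_attack": p, "ale_before": before, "ale_after": after,
            "ronsi": ronsi(before, after, control_cost)}


if __name__ == "__main__":
    # Constructed inputs: 5% yearly attack rate in the dataset, a scan that
    # flags 90% of attacked hosts and 20% of clean ones, a 2M asset whose
    # exposure a 50k control cuts from 40% to 10%.
    ev = ThreatEvidence(prior=0.05, p_ev_attack=0.9, p_ev_no_attack=0.2)
    result = evaluate_control(2_000_000.0, 0.4, 0.1, ev, 50_000.0)
    for k, val in result.items():
        print(f"{k:>10}: {val:,.4f}")
```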
An analyst or investigator conducts structured interviews with I.T. and security managers for the initial data as part of SAEM's quantitative risk and benefit evaluation [27]. The return on security investment (ROSI) calculation method was developed as a variation of the well-known accounting statistic used to compare investments, ROI (Return on Investment). ROSI measures the value an organization receives for each dollar spent [34]. The Volatile Transaction Authentication Insurance Method (VTAIM), employing banking services, aims to increase security services in the online banking platform for available customers by lowering the false rate and failures based on the transaction server [51]. Table 7 emphasizes the comparison between the proposed method and the existing approach. A comparative study in terms of accuracy, false rate, and complexity is presented in Tables 8, 9 and 10, respectively.

Fig. 7 The optimal value of security investments as a function of vulnerability

Threats to validity
The primary concern, categorizing cyber security threats by data sets and selecting patterns, is evaluated. The first significant step combines attack statistics, vulnerability scan results, and penetration test reports. The possibility of new attacks could change, affecting priority setting and effect evaluations.

Limitation of the study
The study is conducted using a specific attack dataset, a vulnerability and penetration testing report, and the proposed RONSI methodology. The study does not assess other losses, including reputational damage and potential legal action due to data loss. Further analysis of diverse network attack datasets is needed to support investment choices.

Conclusion and future work
The proposed network-based investment framework (RONSI) is presented for adequate network security controls and related systems to justify the investment. The paper extends current frameworks and compares and analyses the various ROSI models. Several ROSI-related approaches are presented. The complexity of attacks, however, makes it challenging to predict how investment affects multiple aspects of an organization. Similarly, the current understanding of attack occurrences is rife with uncertainty, which considerably needs to be overcome.
The relationships between the critical components and methods for determining RONSI are demonstrated. Different approaches are provided for calculating the likelihood and consequences of a network attack. The proposed framework is validated using CVSS datasets and compared with existing studies. The results demonstrate that, after implementing the security strategy plan and using the suggested analytical model to compute RONSI, the annual loss has been reduced by 75%. The evaluation's findings show that the proposed method effectively accounts for uncertainty. Automating a thorough exploratory analysis of the suggested RONSI approach in various organizational scenarios is paramount.

Fig. 3 Example scenario of penetration testing

Table 1 Study of existing approaches

Table 3 Simulation of attack

Table 4 Report on penetration testing

Table 5 The DDoS attack's effects

Table 6 Impact information on the information theft attack

Table 7 Analytical framework

Table 9 False rate