🤖 AI Summary
Cyber threat intelligence (CTI) investments face justification challenges within conventional cost-benefit frameworks due to the “negative evidence problem”—the difficulty of quantifying value derived from prevented, rather than observed, incidents.
Method: This paper proposes a data-driven CTI return-on-investment (ROI) quantification framework that integrates an extended Gordon-Loeb model with the Factor Analysis of Information Risk (FAIR) methodology. It introduces the Threat Intelligence Effectiveness Index (TIEI)—a weighted geometric mean of quality, enrichment level, integration maturity, and operational impact—thereby systematically transforming negative evidence into interpretable ROI metrics. The framework further incorporates empirical parameters—including mean time to detect (MTTD), mean time to respond (MTTR), and attacker dwell time—to enable multidimensional assessment across financial loss reduction, adversary coverage, and business enablement.
Results: Validated across financial services, healthcare, and retail sectors, the framework supports CTI’s strategic repositioning from a cost center to a value-generating investment, demonstrating cross-industry replicability and capacity for continuous refinement.
📝 Abstract
The valuation of Cyber Threat Intelligence (CTI) remains a persistent challenge due to the problem of negative evidence: successful threat prevention results in non-events that generate minimal observable financial impact, making CTI expenditures difficult to justify within traditional cost-benefit frameworks. This study introduces a data-driven methodology for quantifying the return on investment (ROI) of CTI, thereby reframing it as a measurable contributor to risk mitigation. The proposed framework extends established models in security economics, including the Gordon-Loeb and FAIR models, to account for CTI's complex influence on both the probability of security breaches and the severity of associated losses. The framework is operationalized through empirically grounded performance indicators, such as reductions in mean time to detect (MTTD), mean time to respond (MTTR), and adversary dwell time, supported by three sector-specific case studies in finance, healthcare, and retail. To address limitations in conventional linear assessment methodologies, the Threat Intelligence Effectiveness Index (TIEI) is introduced as a composite metric based on a weighted geometric mean. TIEI penalizes underperformance across critical dimensions: quality, enrichment, integration, and operational impact; thereby capturing bottleneck effect where the least effective component limits overall performance. By integrating financial quantification, adversarial coverage, and qualitative assessments of business enablement, the proposed hybrid model converts negative evidence into a justifiable ROI explanation. This approach offers a replicable means of repositioning CTI from an expense to a strategic investment, enabling informed decision-making and continuous optimization across diverse organizational contexts.