Quantifying Business Risk Reduction and ROI

Justifying Threat Emulation By The Numbers

Today, businesses face the daunting task of not only defending against a myriad of cyber threats but also justifying investments in their cybersecurity programs. SCYTHE, a cutting-edge cyber attack simulation platform, offers a unique solution by enabling organizations to quantify the overall reduction in business risk and the return on investment (ROI) through comprehensive threat insight. 




This blog delves into how SCYTHE can be used to shorten timelines necessary to understand and mitigate vulnerabilities throughout the cyber kill chain, provide deep insights into threat exposure, and ultimately demonstrate the tangible value of cybersecurity initiatives.





Understanding the Cyber Kill Chain

Cyber kill chain models, such as Lockheed Martin’s 7-stage Cyber Kill Chain (reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives) or SCYTHE’s 3-stage BAM model (reconnaissance, initial access, and post-access actions), are critical frameworks in cybersecurity. These frameworks outline the stages of a cyber attack from the initial reconnaissance to the final actions on objectives. By understanding each stage, security teams can better identify and disrupt cyber attacks.


SCYTHE allows teams to simulate attacks at each stage of the kill chain, giving a unique vantage point into an attacker's possible pathways and techniques. This not only helps identify vulnerabilities at each stage but also aids in deploying specific countermeasures effectively.

Emulating Attacks for Greater Insight

One of the core features of SCYTHE is its ability to emulate a wide range of realistic cyber attacks based on real-world tactics, techniques, and procedures (TTPs). By emulating these attacks within a controlled environment, organizations can:

  • Identify exposures: Before an attacker exploits weaknesses, SCYTHE helps organizations emulate attacks, driving identification and understanding of the possible attack paths an adversary might take.
  • Test defenses: Regular testing of security controls against emulated attacks ensures that defensive measures are both effective and optimized for the most likely threat scenarios.
  • Train teams: Through continuous exercises, security teams can improve their skills and response strategies, ensuring preparedness against actual attack scenarios.

Measuring Exposure and Mitigating Risks

SCYTHE’s platform facilitates a granular analysis of an organization’s threat exposure at each stage of the kill chain. This analysis provides valuable insights into potential and actual security gaps that could be exploited by adversaries. 

By utilizing SCYTHE, organizations can:

  • Map current security posture: By emulating attacks, companies can get a clear picture of their existing security posture and how it might hold up against different types of cyber threats.
  • Prioritize risks: Not all threats are created equal. SCYTHE helps prioritize which threats to address first based on their potential impact on business operations.
  • Optimize security investments: By understanding which defenses are most effective against emulated attacks, businesses can allocate resources more efficiently, ensuring that spending is directed towards measures with the highest impact.

Calculating Threat Emulation ROI

The return on investment in cybersecurity can be challenging to quantify due to the preventive nature of the field. However, using SCYTHE’s threat emulation, organizations can approach ROI calculation in several ways:

  • Reduction in Incident Costs: By preventing attacks through better preparedness and response strategies, SCYTHE helps reduce the potential costs associated with data breaches, such as system downtime, lost revenue, and regulatory fines.
  • Efficiency Gains: SCYTHE streamlines the cybersecurity process by identifying the most critical security gaps and optimizing defensive strategies, leading to significant efficiency gains in security operations.
  • Improved Compliance Posture: Many industries have stringent compliance requirements regarding cybersecurity. By ensuring that security measures are effective and up-to-date, SCYTHE helps avoid penalties associated with non-compliance.
  • Improved Telemetry Time: Reducing the mean time to detect within each stage is also a key metric most new regulations track. Longer dwell time and/or activity correlates directly with impact, so less time is always better.

Cyber Threat Scorecard KPIs with SCYTHE

To fully understand the impact and efficacy of cybersecurity investments, organizations need to develop comprehensive metrics that go beyond anecdotal evidence of security improvements. A well-structured cyber scorecard with key performance indicators (KPIs) provides a quantifiable method to assess the benefits of using tools like SCYTHE. In this section of our blog, we'll discuss specific KPIs and calculations that can be integrated into an organization's cyber scorecard to measure the benefits derived from SCYTHE threat emulations.

Key Performance Indicators (KPIs) for Cybersecurity

Integrating the following KPIs into your cyber scorecard will help in quantitatively assessing the effectiveness of SCYTHE in your cybersecurity framework:

1. Threat Exposure Identification Rate (EIR):
Measures the rate at which exposures are identified as a result of simulated attacks.


EIR = Number of simulations conducted / Number of exposures identified

2. Incident Response Time Reduction (IRTR):

Tracks the reduction in average time it takes for the cybersecurity team to respond to incidents after training with SCYTHE.

IRTR = (Average response time before SCYTHE − Average response time after SCYTHE) / Average response time before SCYTHE


3. Threat Detection Improvement (TDI):

Measures improvement in the ability to detect threats after implementing SCYTHE, covering improvements in visibility (logged, alerted, blocked) and time (dwell).


TDI = ((Number of threats detected after SCYTHE − Number of threats detected before SCYTHE) / Number of threats detected before SCYTHE)
    + ((Visibility after SCYTHE − Visibility before SCYTHE) / Visibility before SCYTHE)
    + ((Time to Detect after SCYTHE − Time to Detect before SCYTHE) / Time to Detect before SCYTHE)


4. Risk Reduction Percentage (RRP):

Quantifies the percentage reduction in overall cybersecurity risk due to mitigations applied from insights gained through SCYTHE simulations.


RRP = ((Risk score before SCYTHE − Risk score after SCYTHE) / Risk score before SCYTHE) × 100%


5. Return on Security Investment (ROSI):

Calculates the financial return on investing in SCYTHE by comparing cost savings from avoided security incidents against the cost of the tool (and tool stack).


ROSI = ((Cost savings from avoided incidents − Cost of SCYTHE) / Cost of SCYTHE) × 100%


Step-by-Step Calculation of Cyber Threat Preparedness Index (CTPI)

1. Define Weighting for Each Metric: 

Assign a weight to each metric (EIR, IRTR, TDI, RRP, ROSI) based on its relative importance to the organization’s cybersecurity goals. For instance, a business more concerned with response capabilities may assign higher weights to IRTR and TDI.

2. Standardize Metrics: 

Convert each metric into a standardized score (e.g., on a scale from 0 to 1) to ensure uniformity in comparison. This can be achieved by setting benchmarks or targets for each metric. For example:

  1. EIR: Target could be identifying 95% of potential exposures through simulations.
  2. IRTR: Aim to reduce response time by 50% compared to baseline.
  3. TDI: Target a 50% improvement in the detection rate.
  4. RRP: Aim for a 40% reduction in overall risk.

3. Calculate Adjusted Scores: 

Multiply each standardized score by its respective weight. For instance, if IRTR is weighted at 30% and the organization achieves 60% of the target reduction, the adjusted score would be 0.18 (0.6 * 0.3).

4. Sum Adjusted Scores to Create Index:

Add all the adjusted scores together to form the Cyber Threat Preparedness Index. This index provides a comprehensive measure of the organization's cybersecurity improvements, influenced by how well it identifies vulnerabilities, responds to incidents, detects threats, reduces risks, and achieves a financial return on security investments.

5. Monitor and Update:

Continuously monitor these metrics and update the index periodically (e.g., quarterly or annually). This allows the organization to track improvements over time and adjust strategies as needed.

Example Calculation: Assuming an organization sets the following weights based on their strategic priorities:

- EIR: 20%
- IRTR: 25%
- TDI: 30%
- RRP: 25%

And achieves the following standardized scores, based on SCYTHE customers following our comprehensive cyber fitness strategy:

  • EIR: 0.90 (90% of exposures identified)
  • IRTR: 0.70 (70% of target response time reduction achieved)
  • TDI: 0.85 (85% of threat detection improvement target achieved)
  • RRP: 0.80 (80% of risk reduction target achieved)

The calculation for the CTPI would be: 

= 0.90×0.20 + 0.70×0.25 + 0.85×0.30 + 0.80×0.25 

= 0.18 + 0.175 + 0.255 + 0.2 

= 0.81


Thus, the CTPI is 0.81, indicating a strong overall cybersecurity posture. This index helps the organization visualize the effectiveness of its cybersecurity investments and guides future decisions to maintain or enhance its cyber fitness.

Calculating Cyber Attack Savings Using the CTPI

The CTPI not only measures an organization's readiness and overall cybersecurity posture but can also be used to estimate potential savings from averting cyber incidents. Given the high costs associated with cyberattacks, understanding these savings is crucial for justifying cybersecurity investments. This section will detail how organizations can use their CTPI to calculate potential savings based on current average costs of cyber incidents in 2023.

Understanding the Costs of Cyber Incidents

As of 2023, the financial impact of cyber incidents can vary significantly depending on the nature and severity of the attack. Costs include direct expenses such as forensic investigations, legal fees, and regulatory fines, as well as indirect expenses like reputational damage and lost business. For the sake of this calculation, let's use a generalized average cost of a significant cyber incident, which is often cited in industry reports (e.g., Cost of Data Breach 2023) as approximately $4.45 million.

Steps to Calculate Potential Cyber Attack Savings:

1. Determine the Baseline Incident Cost:

Establish the average cost of cyber incidents relevant to the organization's industry and size. For example, use $4.45 million as a baseline for a significant cyber incident.

2. Assess Risk Reduction from CTPI:

The CTPI quantifies how much risk is mitigated through improved cybersecurity measures. For example, if an index of 0.81 implies an 81% effectiveness in cybersecurity readiness, then the residual risk could be considered as 19%.

3. Calculate Expected Incident Cost with Improved Cybersecurity:

Multiply the residual risk percentage by the baseline incident cost to estimate the expected cost of a cyber incident after improving cybersecurity measures.


Expected Incident Cost = Baseline Incident Cost × Residual Risk

= $4.45M × 19%

= $845,500


4. Calculate Potential Savings:

Subtract the expected incident cost from the baseline incident cost to determine the potential savings.


Potential Savings = Baseline Incident Cost − Expected Incident Cost

= $4.45M − $845,500

= $3.6M



Compare the cost of the recommended SCYTHE platform and advisory services to the potential savings.


Potential SCYTHE ROI = Potential Savings / SCYTHE Cost

= $3.6M / $250K

= 14.4X
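
The CTPI and savings steps above, carried through in code as an added example (not from the article or SCYTHE): it standardizes raw before/after measurements against targets, validates the weights, and reproduces the 0.81 index and the savings and ROI figures. The function names, the raw response-time and risk-score inputs, and the rule of clamping scores to the 0 to 1 range are assumptions made for illustration.

```python
# Added example (not SCYTHE code). Clamping to [0, 1] is an assumed rule.

def relative_change(before, after):
    """(before - after) / before, the form used by IRTR and RRP."""
    if before <= 0:
        raise ValueError("baseline must be positive")
    return (before - after) / before

def standardize(achieved, target):
    """Fraction of the target achieved, clamped to the 0..1 scale."""
    if target <= 0:
        raise ValueError("target must be positive")
    return max(0.0, min(1.0, achieved / target))

def ctpi(scores, weights):
    """Weighted sum of standardized scores; weights must sum to 1."""
    if set(scores) != set(weights):
        raise ValueError("scores and weights must cover the same metrics")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return sum(scores[m] * weights[m] for m in scores)

def savings_and_roi(index, baseline_cost, tool_cost):
    """Article's model: residual risk = 1 - CTPI."""
    expected = baseline_cost * (1.0 - index)
    savings = baseline_cost - expected
    return expected, savings, savings / tool_cost

def article_example():
    weights = {"EIR": 0.20, "IRTR": 0.25, "TDI": 0.30, "RRP": 0.25}
    scores = {
        "EIR": 0.90,   # standardized score taken directly from the article
        "TDI": 0.85,   # standardized score taken directly from the article
        # Constructed raw data: response time 10.0 h -> 6.5 h, target 50%
        "IRTR": standardize(relative_change(10.0, 6.5), 0.50),
        # Constructed raw data: risk score 50 -> 34, target 40%
        "RRP": standardize(relative_change(50.0, 34.0), 0.40),
    }
    index = ctpi(scores, weights)
    return index, savings_and_roi(index, 4_450_000, 250_000)

if __name__ == "__main__":
    index, (expected, savings, roi) = article_example()
    print(f"CTPI={index:.2f} expected=${expected:,.0f} "
          f"savings=${savings:,.0f} ROI={roi:.1f}x")
```

The ROI here is computed from the unrounded savings of $3,604,500, so it differs in the second decimal from a figure derived from the rounded $3.6M.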


Using Potential Savings to Drive Strategy and Investment:

Budget Allocation 

The calculated potential savings can guide how much should be invested in cybersecurity without exceeding the benefits. If saving nearly $3 million per incident is possible, investing up to a fraction of this amount in preventative measures can be economically justified.

Strategic Decisions

By understanding the economic impact of improved cybersecurity, organizations can make more informed decisions regarding technology upgrades, staffing, and training.

Stakeholder Communication

Quantifying potential savings in financial terms is a powerful tool for communicating the value of cybersecurity investments to stakeholders and securing the necessary funding and support.

The CTPI provides not only a snapshot of an organization's security effectiveness but also a robust tool for forecasting the financial implications of cyber incidents. By calculating the potential savings from averting such incidents, organizations can more clearly articulate the value of their cybersecurity initiatives, ensuring alignment with their overall business objectives and financial planning. This proactive approach to budgeting and risk management supports a stronger, more resilient cybersecurity posture in an era of ever-increasing cyber threats.

Long-term Value of SCYTHE

Beyond immediate ROI, SCYTHE provides long-term value by enhancing an organization’s cybersecurity maturity. The continuous insights gained from attack simulations enable ongoing improvements and adaptation to new threats. This proactive approach not only reduces the likelihood of successful attacks but also builds a robust security culture that can adapt and evolve with the threat landscape.

Benefits of Using SCYTHE Visualized in a Cyber Scorecard:

  • Data-Driven Decisions: Using quantifiable data from the scorecard, decision-makers can justify cybersecurity spending and optimize their investments based on areas showing the greatest improvement or need.

  • Strategy Optimization: Continuous feedback from the scorecard helps refine and adjust cybersecurity strategies to focus on areas where SCYTHE shows significant risk reduction or improvement in incident response capabilities.

  • Stakeholder Communication: Clear metrics and understandable KPIs facilitate communication with non-technical stakeholders, showing tangible outcomes from cybersecurity investments, which is crucial for continued support and funding.

  • Optimized (and reduced) Labor: Using pre-packaged threat content, combined with modules, will dramatically speed up red/blue/purple teaming as teams will not be forced to operationalize CTI themselves. Additionally, less experienced teams will be able to perform more advanced testing.


Cyber threats continue to create severe implications for business continuity and reputation. Investing in advanced simulation tools like SCYTHE offers a strategic advantage. By enabling organizations to test, measure, and enhance their security postures, SCYTHE plays a crucial role in reducing business risk and providing measurable ROI on cybersecurity investments. With its ability to provide comprehensive threat insights and facilitate a deeper understanding of security vulnerabilities throughout the cyber kill chain, SCYTHE is an invaluable tool for any organization serious about enhancing its cybersecurity efforts.

Author Attribution: 

Written by Marc Brown (@marc_r_brown), SCYTHE’s VP Product & Sales, dynamic leader with diverse executive roles, startup enthusiast, lover of technology, innovation, and all things ‘nerdy’ cool. 

Contributions By: 

* Bryson Bort, SCYTHE Founder/CEO

* Trey Bilbrey, SCYTHE Labs