ICCK Journal of Software Engineering | Volume 2, Issue 2: 121-137, 2026 | DOI: 10.62762/JSE.2026.472228
Abstract
The concept of Return on Security Investment (RoSI) has evolved from a mere financial indicator into a comprehensive system for informed decision-making. Software-intensive organisations face mounting pressure to justify security expenditure in financially rigorous terms. Existing RoSI models rely on deterministic approximations that ignore probability distributions over threats, the temporal decay of vulnerability windows, and intangible cost categories. This paper presents a probabilistic RoSI framework grounded in the FAIR taxonomy that integrates: (i) expected-loss differentials with Bayesian updating; (ii) shift-left cost amplification across the software dev...
Graphical Abstract