"Calculating ROI is wrong; it should be NPV. If you are not using NPV then you're out of court, because so much of security investment is future-oriented."
— ROI: security people counting with fingers? Iang, Financial Cryptography, July 20, 2007

Iang's entry also says that we can't even really do Net Present Value (NPV), because we have no way to calculate or predict actual costs with any accuracy. He also says that security people need to learn about business, which I've also been harping on. I bet that if many security people knew what NPV was, they'd be claiming they had it as much as they're claiming they have ROI.
My point remains that this whole emphasis on calculation is part of the problem. Security people tend to be engineers, whose whole orientation is to be able to build, fix, and calculate to do so. To quote PricewaterhouseCoopers again:
"But what about those areas, like reputational risk, that are both harder to measure and more sudden and severe in their impact?"

Banks and financial institutions that have been dealing with financial risk for centuries are still having some trouble admitting that some risks can't be prevented, fixed, or even accurately predicted: only mitigated. Increased measurement and better detailed calculation will shift which risks can be handled which way, but there will always be risks that are uncertain, big, and sudden. Both security people and business executives need to get used to dealing with them. Those who don't, well, their companies will be like U.S. automakers trying to catch up and produce hybrid cars, or like most airlines trying to catch up to Southwest, which spent money to hedge its fuel prices even though it couldn't predict exactly how much that would save or when.
Risk management isn't just about calculation. It's not just about tactics. It's also about strategy.