Rather than trying to derive the ROI of security investments, a much better strategy is to work on the related issues of deriving an optimal (or at least desirable) level of information security investments and the best way to allocate such investments. This strategy is the focus of the Gordon-Loeb Model (for a brief summary of the focus of this model, and a link to the actual paper, go to:
— Email from Dr. Lawrence Gordon: Security ROI possible but not optimal, use other metrics, Posted by Kenneth F. Belva, bloginfosec.com, 18 July 2007

Belva reads the recommended paper and finds it to say:
The Gordon-Loeb Model also shows that, for a given level of potential loss, the optimal amount to spend to protect an information set does not always increase with increases in the information set's vulnerability. In other words, organizations may derive a higher return on their security activities by investing in cyber/information security activities that are directed at improving the security of information sets with a medium level of vulnerability.

From which Belva concludes that "we do understand Information Security to have a return." Well, yes.
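To see the non-monotonicity the paper describes in numbers, here is an added worked example (mine, not code from Belva's post, the original page, or Gordon and Loeb). It uses the second of the two example breach-probability functions from Gordon and Loeb's 2002 paper, S(z, v) = v^(αz+1), where v is the vulnerability (probability of a breach with no security investment), z is the investment, and α > 0 measures how productive that investment is; the expected net benefit of investing z against a loss L is (v − S(z, v))·L − z. The loss of $1,000,000 and α = 10⁻⁵ are constructed values chosen so that z comes out in dollars, and the grid search is only a cross-check of the closed form.

```python
"""Optimal security investment under the Gordon-Loeb model (added example).

Breach-probability function (Gordon & Loeb 2002, their second example):
    S(z, v) = v ** (alpha * z + 1)
Expected net benefit of investing z against a single-breach loss L:
    ENBIS(z) = (v - S(z, v)) * L - z
"""
import math


def breach_probability(z, v, alpha):
    """Probability of a breach after investing z, for vulnerability v."""
    return v ** (alpha * z + 1)


def enbis(z, v, loss, alpha):
    """Expected net benefit from information security investment z."""
    return (v - breach_probability(z, v, alpha)) * loss - z


def optimal_investment(v, loss, alpha):
    """Closed-form optimum z*, including the corner solution z* = 0.

    dENBIS/dz = -alpha * ln(v) * v**(alpha*z + 1) * L - 1; for 0 < v < 1 the
    first term is positive and strictly decreasing in z, so the optimum is at
    z = 0 if the marginal benefit there is already below 1, and otherwise at
    the unique z solving v**(alpha*z + 1) = -1 / (alpha * L * ln v).
    """
    if not 0.0 < v < 1.0:
        return 0.0  # v = 0: nothing to protect; v = 1: investment has no effect
    ln_v = math.log(v)  # negative for 0 < v < 1
    marginal_benefit_at_zero = -alpha * ln_v * v * loss
    if marginal_benefit_at_zero <= 1.0:
        return 0.0  # each first dollar returns less than a dollar: invest nothing
    target = -1.0 / (alpha * loss * ln_v)
    return (math.log(target) / ln_v - 1.0) / alpha


def brute_force_optimum(v, loss, alpha, step):
    """Grid search over 0 <= z <= v*L to cross-check the closed form."""
    best_z, best_val = 0.0, enbis(0.0, v, loss, alpha)
    z = step
    while z <= v * loss:
        val = enbis(z, v, loss, alpha)
        if val > best_val:
            best_z, best_val = z, val
        z += step
    return best_z


def investment_curve(loss, alpha, vulnerabilities):
    """List of (v, z*) pairs, one per vulnerability level."""
    return [(v, optimal_investment(v, loss, alpha)) for v in vulnerabilities]


def most_worth_protecting(loss, alpha, vulnerabilities):
    """Vulnerability level at which the optimal investment is largest."""
    return max(investment_curve(loss, alpha, vulnerabilities), key=lambda pair: pair[1])[0]


if __name__ == "__main__":
    LOSS, ALPHA = 1_000_000.0, 1e-5  # constructed: $1M loss, alpha so z is in dollars
    for v, z in investment_curve(LOSS, ALPHA, [i / 20 for i in range(1, 20)]):
        print(f"v={v:.2f}  z*=${z:>10,.0f}  z*/(vL)={z / (v * LOSS):.3f}")
```

Running it prints a hump: z* rises from a few tens of thousands of dollars at v = 0.05, peaks in the neighbourhood of v ≈ 0.75, and drops to exactly zero for v ≥ 0.9, which is the "medium level of vulnerability" effect quoted above. The last column never exceeds 1/e ≈ 0.368, the paper's bound on optimal investment as a fraction of expected loss vL.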
But it seems to me the main point is that trying to emulate a common CFO practice of justifying expenditures by ROI isn't appropriate for information security, which isn't about directly producing income or directly saving money. Information security is (or should be) a form of risk management.
Also, while the cited paper is no doubt correct that investing in protecting medium vulnerabilities may produce a higher rate of return in the near term, because more of those will be exploited, it would nonetheless be prudent to do something about unlikely yet high-risk-of-loss vulnerabilities. And that something is probably not just applying traditional technical security measures, which won't stop fires, hurricanes, floods, or a net-wide zero-day exploit. The even more traditional measure of insurance would be appropriate, plus other methods of pooling risk, along with software and hardware diversity. These things also have a return on investment, but it's rather indirect, in terms such as ability to list on big stock exchanges (now London, soon New York), customer comfort, and greater agility and resilience of the technical workforce.
PS: Seen on Emergent Chaos.