Thanks,
Ken

http://taosecurity.blogspot.com/2007/07/no-roi-no-problem.html

If you still believe what you posted you should check back in with a business class.

Ken,

The “nerve” is my utter dismay when I see terms hijacked and distorted to serve an agenda, or to speak the language of a manager who doesn’t understand the scope of his job.

I would be happy to be quiet when the term ROI is never associated with security again.

Why security ROI touches a nerve with some InfoSec professionals is beyond me.

Perhaps such a discussion is worthy of a bulletin board or wiki of some type for those truly zealous in one direction or the other in regards to InfoSec ROI.

If so, I’d be more than happy to let them come to a consensus for our field that we can all standardize on.

Until then I do not plan to spend too much time on InfoSec ROI as I have other projects to which I must attend.

If you spend money on a security project, those flows will include the cost of the project and the expected benefits it brings by reducing other costs. Calculate the NPV of the flows under the “do the project” and the “don’t do it” scenarios, and whichever is higher is the one you go with.

Clearly, calculating the cash flow out to five decimal places is preposterous, just like calculating the bump in sales an advertising campaign will bring is. However, nearly every firm in the country (even GE, I hear :^)) makes decisions about spending ad money.

What is the big deal here?

In it the ISACA author(s) write: “Downtime assessment can provide an important postmortem analysis of lost productivity during a security incident. Productivity loss must also be considered in calculating the ROI of security solutions.”

So according to ISACA, security solutions have an ROI. They ALSO have a ROSI. The next sentence after the one quoted above is:

“IS auditors should be aware that there are number of ways in which lost productivity can provide meaningful estimate of risk exposure, any of which could be used to calculate ROSI.”

I’ll continue to use ROI in the manner described above when is it appropriate to help facilitate and communicate information security decisions. When it no longer becomes appropriate to use ROI in terms of savings I’ll stop. It’s a pragmatic choice: it shows the ability to communicate effectively in the same language that is being used by others; and it shows open mindedness.

Do you recognize that the so-called “definition” you cited is from here

http://technology.findlaw.com/law-technology-dictionary/roi.html

and that is a “law” site? Try looking at ALL of the other definitions — none of the others mention loss prevention as ROI.

Next you’re going to tell me that these “finance” people think they “save” $10 when they buy a $100 shirt for $90. Keep following that plan and they’ll be millionaires no doubt!

Finance people usually discuss ROI in this way:

“Acronym for return on investment. ROI refers to the amount of profits or savings a business will realize from any given use of money.”

See:
http://www.google.com/search?hl=en&q=define%3AROI&btnG=Google+Search

ROI does not necessarily mean revenue derived from a particular activity (see definition above). Loss prevention has an ROI: investing $10 to prevent a loss of $100 has an ROI of $90.

Thanks for your thoughts. Here’s a brief response.

1. That is a good clarification — but again I contend that assumptions matter here.

2. Apparently your friend doesn’t understand ROI either. Please ask him to describe why preserving integrity is NOT loss prevention.

3. See point 1.

Your unnumbered points are good too.

I’m blending just fine, thanks. And no one I’ve encountered in security here believe ROI for security exists either.