Email from Dr. Lawrence Gordon: Security ROI possible but not optimal, use other metrics

Due to the discussions produced over the last few days, I took the time to ask Dr. Lawrence Gordon and Dr. Martin Loeb their opinion on the security ROI issue. For those of you who do not know, Gordon and Loeb wrote the book Managing Cyber Security Resources: A Cost-Benefit Analysis. I’d like to thank Dr. Gordon for his reply.

Here is the email of Dr. Gordon in full:

Dear Ken:

Thanks for your e-mail message concerning the question: Does Information Security have an ROI? It is important to realize that there is a very large body of academic and practitioner oriented literature in accounting and economics (going back to at least the early 1900s) that addresses the more fundamental issues of: (1) ROI vs. a real economic rate of return (usually called the IRR), and (2) maximizing the ROI (or IRR) is, in general, not an appropriate economic objective. The above noted, it is conceptually possible to compute the ROI for information security investments, but there are significant measurement problems with such a metric. Accordingly, those who argue that you can compute an ROI for information security investments are technically correct. However, those who argue that an ROI for information security investments has significant measurement problems and therefore should not be computed, certainly raise a valid concern.

Rather than trying to derive the ROI of security investments, a much better strategy is to work on the related issues of deriving an optimal (or at least desirable) level of information security investments and the best way to allocate such investments. This strategy is the focus of the Gordon-Loeb Model (for a brief summary of the focus of this model, and a link to the actual paper, go to: (



Following the link in Dr. Gordon’s email we find part of the Gordon-Loeb model described as such:

The Gordon-Loeb Model also shows that, for a given level of potential loss, the optimal amount to spend to protect an information set does not always increase with increases in the information set’s vulnerability. In other words, organizations may derive a higher return on their security activities by investing in cyber/information security activities that are directed at improving the security of information sets with a medium level of vulnerability.

From the description above, we do understand Information Security to have a return.
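The claim in the quoted passage, that the optimal spend does not always rise with vulnerability, can be reproduced numerically with the model's own breach-probability function. The script below is an added example, not code from this post or from Gordon and Loeb; it uses the "Class II" function S(z, v) = v^(αz+1) from their 2002 paper, while the potential loss L, the productivity parameter α and the vulnerability values v are constructed here purely for illustration.

```python
import math

# Gordon-Loeb "Class II" breach-probability function from their 2002 paper:
# S(z, v) = v ** (alpha * z + 1), where v is the vulnerability of the
# information set before any investment and z is the amount invested.
# The parameter values used in __main__ (L, alpha, the list of v) are
# constructed for this example and do not come from the post.


def breach_probability(z, v, alpha):
    """Probability of a breach after investing z (Class II function)."""
    return v ** (alpha * z + 1)


def enbis(z, v, loss, alpha):
    """Expected net benefit of investing z: expected loss avoided minus z."""
    return (v - breach_probability(z, v, alpha)) * loss - z


def optimal_investment(v, loss, alpha):
    """Investment z* that maximises enbis().

    enbis() is concave in z, so if the marginal benefit of the first unit
    of investment does not exceed its marginal cost (1), the optimum is
    z* = 0.  Otherwise d/dz enbis(z) = 0 has the closed-form solution
    returned below.
    """
    if not 0.0 < v < 1.0:
        raise ValueError("v must be strictly between 0 and 1")
    ln_v = math.log(v)
    marginal_benefit_at_zero = -alpha * loss * v * ln_v
    if marginal_benefit_at_zero <= 1.0:
        return 0.0
    return (math.log(-1.0 / (alpha * loss * ln_v)) - ln_v) / (alpha * ln_v)


def investment_schedule(vs, loss, alpha):
    """(v, z*) pairs for a range of vulnerabilities at fixed loss and alpha."""
    return [(v, optimal_investment(v, loss, alpha)) for v in vs]


if __name__ == "__main__":
    LOSS = 1_000_000.0   # constructed potential loss L
    ALPHA = 1e-5         # constructed productivity parameter
    for v, z in investment_schedule([0.1, 0.2, 0.5, 0.7, 0.8, 0.9], LOSS, ALPHA):
        ratio = z / (v * LOSS)
        print(f"v={v:.1f}  expected loss={v * LOSS:>10,.0f}  "
              f"z*={z:>10,.0f}  z*/(vL)={ratio:.3f}")
```

With these constructed parameters z* grows from v = 0.1 up to roughly v = 0.8 and then falls to zero at v = 0.9: the most vulnerable information set is the one the model says not to protect, because every marginal unit of investment buys too little reduction in breach probability to pay for itself. The last column shows the ratio of optimal spend to expected loss, which for this function never reaches 1/e, the upper bound Gordon and Loeb derive in the paper.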

At this point, I thank everyone for their security ROI comments: debate makes the blogosphere healthy. That said, I plan not to debate the security ROI issue in the future. Simply put: I’ll leave it to others who are more knowledgeable in this particular area of information security.

(I also hope that all those who participated in the Security ROI debate link to this page! Yes, this means you, you, you, you, and even you!)


  1. Cutaway Jul 23, 2007 at 12:27 pm

    Don’t worry. I linked to you as well. 🙂

    Go forth and do good things,

  2. Richard Bejtlich Aug 8, 2007 at 11:59 pm

    I’m reading the Loeb/Gordon book now, and they define “return” throughout the book as “cost savings” and “avoiding loss.” I will have more to say on this when I post my review.

  3. Gary Hinson Aug 27, 2007 at 7:45 pm

    Of all the fascinating topics in information security, the ROI (or ROSI) debate seems to ruffle the most feathers, more even than the feasibility of “assessing” risks.

    Part of the problem, I believe, is the vocabulary and mindset. Most infosec pros are well versed in infosec terms but some get well out of depth when speaking or writing on finances and economics. It reminds me of the misunderstandings that occur when journalists interview scientists: when the latter say that such-and-such “could happen”, the former report it as forgone conclusion that such-and-such *will* happen. The issue of ‘return’ meaning ‘profit’ to some and ‘lower net costs’ to others is a classic example.

    I’m a bit puzzled at your paper on “virtual trust”. The concept of security as a business enabler (giving management the confidence to run with business processes that would otherwise be too risky) has been around for ages, and I see no need to give it a shiny new name – or am I missing something?

    Anyway, thanks for contributing to the debate. We’ve been discussing ROI on CISSPforum for a couple of weeks, again, and we’re still no nearer a genuine consensus. Give it a few months and the living corpse of another undead discussion will return to haunt us.

    Kind regards,
