Posted by:
admin
17 years, 1 month ago
I was fixing to post on some of the ROI posts floating around, with my usual dainty prose. But Anton Chuvakin did a much better job than I could, though it appears he has a ringer on his team.
My favorite quote:
The phrase "return in the form of savings," that I saw on some blog, caused my "in-house economist" to utter a completely unprintable word and then follow up with: "what an idiot! it is either return or savings!"
His close is a bit weak, though:
At the same time, I think this debate will be resolved thus: there is rate of return (definition from economics) and there is "ROI/rate of return" (hijacked definition that developed its own life and started to mean simply "usefulness" or "value proposition") There is "ROI" of security and there is no ROI of security...
You can analyze or estimate the value of a security investment. One way is to separate out the different security investment possibilities and to build scenarios from them. I did a simple comparison of a VPN with and without two-factor authentication: the savings come from the overall project, and then I subtract the AALE from those savings. You could run different scenarios to see which security investment is "optimal".
Estimating AALE might be problematic, but the exercise would still be beneficial.
ROI is a crappy measure because it does not include an interest rate. While estimating AALE might be difficult, getting your company's weighted-average cost of capital is very simple. (Hint: ask your CFO.)
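To make the scenario comparison concrete, here is an added worked example (my code, not from the post or from Anton Chuvakin) that runs the VPN versus VPN-plus-two-factor comparison as a net-present-value calculation discounted at the company's weighted-average cost of capital. It assumes AALE means the annualized loss expectancy that remains once a scenario's controls are in place; all dollar figures, the 10% WACC and the five-year horizon are constructed for illustration. It also computes the plain ROI ratio alongside NPV so you can see the two measures rank the same scenarios differently.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    """One security investment option. All amounts are constructed sample values."""
    name: str
    upfront_cost: float    # one-time spend in year 0
    annual_savings: float  # gross annual savings from the overall project
    annual_aale: float     # annualized loss expectancy remaining with this control set (assumed meaning)
    annual_opex: float     # recurring cost of running the control (tokens, support, licences)


def scenario_cashflows(s: Scenario, years: int) -> list[float]:
    """Year 0 is the upfront cost; years 1..N are savings minus residual loss minus opex."""
    net_per_year = s.annual_savings - s.annual_aale - s.annual_opex
    return [-s.upfront_cost] + [net_per_year] * years


def npv(cashflows: list[float], rate: float) -> float:
    """Net present value: discount each year's cash flow back to year 0 at `rate`."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cashflows))


def naive_roi(s: Scenario, years: int) -> float:
    """The interest-rate-free ROI ratio: (total net benefit - cost) / cost."""
    total_net = sum(scenario_cashflows(s, years)[1:])
    return (total_net - s.upfront_cost) / s.upfront_cost


def compare(scenarios: list[Scenario], wacc: float, years: int) -> dict[str, tuple[float, float]]:
    """Return {scenario name: (NPV at WACC, naive ROI)} for every scenario."""
    return {
        s.name: (npv(scenario_cashflows(s, years), wacc), naive_roi(s, years))
        for s in scenarios
    }


def best_by_npv(scenarios: list[Scenario], wacc: float, years: int) -> str:
    """Pick the scenario with the highest NPV; this is the one the CFO's discount rate favours."""
    results = compare(scenarios, wacc, years)
    return max(results, key=lambda name: results[name][0])


# Constructed sample scenarios: same overall project savings, different residual loss and cost.
VPN_ONLY = Scenario("VPN only", upfront_cost=50_000, annual_savings=120_000,
                    annual_aale=40_000, annual_opex=5_000)
VPN_2FA = Scenario("VPN + 2FA", upfront_cost=80_000, annual_savings=120_000,
                   annual_aale=10_000, annual_opex=15_000)
SCENARIOS = [VPN_ONLY, VPN_2FA]
WACC = 0.10   # assumed weighted-average cost of capital
YEARS = 5     # assumed planning horizon


if __name__ == "__main__":
    for name, (value, roi) in compare(SCENARIOS, WACC, YEARS).items():
        print(f"{name:10s} NPV@{WACC:.0%} = {value:>12,.2f}   naive ROI = {roi:.2f}")
    print("Best by NPV:", best_by_npv(SCENARIOS, WACC, YEARS))
```

With these constructed numbers the naive ROI ratio ranks the cheaper VPN-only option first (6.50 versus 4.94), while the discounted NPV ranks VPN plus two-factor first (about $280k versus $234k). The ratio hides both the time value of money and the absolute size of the benefit, which is the post's point: once you have the WACC, use it, and treat the AALE estimate as the input you vary across scenarios.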