Another good Schneier post - Security ROI
Another good ‘essay’ from Bruce - the general idea of using ROI as a measure for judging good vs. bad investments doesn’t fly perfectly when it comes to security, since so much is based on potential risk rather than solid numbers.
This is a post that CFOs need to read (and, more importantly, understand), as I often run into IT or IS personnel who are fighting with finance to fund projects and programs that they can’t ‘guarantee’ are going to save the company money - they are mitigating risk…
This is another example of understanding, philosophically, how to look at security - it’s not a cut-and-dried situation, it is a risk-management situation, and that requires that finance executives understand how to evaluate these investments in the manner appropriate to the type of investment.
Schneier on Security: Security ROI.