Comments on: Can you “prove a negative” to demonstrate Return on Security Investment (ROSI)? http://spiresecurity.com/?p=283 Risk and Cybersecurity Analysis Wed, 21 Aug 2013 23:28:51 +0000 hourly 1 http://wordpress.org/?v=3.5.1 By: Pete http://spiresecurity.com/?p=283&cpage=1#comment-388 Pete Thu, 13 Sep 2007 14:31:45 +0000 http://spiresecurity.com/blog/?p=283#comment-388 Hi, Gustavo -

They don’t talk about ROSI directly, since the topic is not information security, but they are essentially performing the same calculations that ROSI requires.

The challenge with ROSI is that it is difficult to say how much risk was reduced. With the LoJack scenario, they quantified the risk savings – this is the “prove a negative” problem we have.

The broader point is that you can prove a negative if you have two or more groups to compare – one with the control measure and one without.

Hope this helps.

Pete

]]> By: Gustavo Bittencourt http://spiresecurity.com/?p=283&cpage=1#comment-387 Gustavo Bittencourt Thu, 13 Sep 2007 13:55:48 +0000 http://spiresecurity.com/blog/?p=283#comment-387 Hi

I read the paper and I couldn’t find any reference about ROI (or ROSI) on it.

]]> By: Dan Weber http://spiresecurity.com/?p=283&cpage=1#comment-386 Dan Weber Wed, 12 Sep 2007 19:18:46 +0000 http://spiresecurity.com/blog/?p=283#comment-386 Kristof gives more numbers here, for those who can’t get through the paywall but want more specifics:

http://www.nytimes.com/2005/06/28/opinion/28kristof.html?ex=1277611200&en=54885fd31890c085&ei=5090&partner=rssuserland&emc=rss

]]>