Comments on: Ten Points about Security ROI and ROSI http://spiresecurity.com/?p=296 Risk and Cybersecurity Analysis Wed, 21 Aug 2013 23:28:51 +0000 hourly 1 http://wordpress.org/?v=3.5.1 By: Rob http://spiresecurity.com/?p=296&cpage=1#comment-416 Rob Tue, 24 Jul 2007 15:47:57 +0000 http://spiresecurity.com/blog/?p=296#comment-416 The point I tried to make earlier was that there is a portion of operating budget under security that is regarded as a mimimum cost that comes from using inherently flawed IT systems. One does have the choice of spending nothing, but I suppose the time until you were owned, your data was tampered with or not available, your IP stolen and your customer’s trust was stolen might be measureable in hours, if not days.

If you really don’t have an option to opt-out, is it not really a sunk cost, no matter where it appears on the financial statment?

]]> By: Richard Bejtlich http://spiresecurity.com/?p=296&cpage=1#comment-415 Richard Bejtlich Sat, 21 Jul 2007 18:52:15 +0000 http://spiresecurity.com/blog/?p=296#comment-415 Hi Pete,

In an earlier post you said “if you don’t want to call it ROI, that is fine – you can perform the same calculations to get to cost/benefit comparisons and TCO differences.”

Given that caveat I think I agree with everything you’ve written in those earlier posts and this one too.

]]>