Multi-factor Authentication for Online Banking: Security or Snake Oil?DCT, MPack developerThe Nduja Job: Into The World Of XSS WormsLessons Learned From the Deployment of a Smartphone-Based Access-Control SystemMeasuring Privacy Loss and the Impact of Pri

I think that people forget that we have an immediate sunk-cost associated with using IT models that have inherent design flaws. An enterprise must automatically spend 4-12% of their IT budget on security on a sliding scale depending on what they are trying to protect and the protection profile required.

If they have determined that they are required to spend 8% of their budget to attain a tolerable risk level, and a new technology can reduce that spending level to 5 or 6% for the same risk level, then that is a return on investment due to the fact that you become more efficient in your overall productivity by reducing costs of operation.

It seems to me that a reduction in sunk costs is the same as extra revenue on the bottom line.

- I have no doubt that I have my own personal biases. Everyone does – do you recognize it in yourself?

- unless you happen to *be* the person in Anton’s house, or a good friend of that person, or Anton, why on earth would you magically agree with his “expert”?

- financial managers, not economists, are better sources of information on ROI. I recommend googling “DuPont ROI” if you are really interested in the sorted past and current uses.

- Put ten financial managers, economists, or what have you in a room and they will all disagree to some extent as to how a term like ROI is used.

- I am not a Humpty Dumpty expert, so not sure how a question about ROI belief makes anyone a master.

- The money under your mattress is (currently, anyway) depleting its wealth. Ask Anton’s economics expert how this can be true. (I suspect you already know this but were trying to make a point?)

* Idiot CEO’s demand everything gets explained to them in terms of ROI.
* Security people cannot answer this question.
* Security gets screwed.

And so people like Richard come up with a solution: (http://taosecurity.blogspot.com/2007/07/no-roi-no-problem.html )

* Don’t use ROI for security.
* If anyone does, belittle them.

It might help long-term, because CEO’s will get it through their little pinheads that they shouldn’t make one number the answer to everything.

But in the short-term, it hurts CSO’s who can make legitimate claims about “spending this $2000 will mean our company will have $5000 more at the end of the year.”

And, yes, some problems don’t fit into the ROI category, such as merely protecting assets. In that case, go figure out how the physical plant group justifies their fire insurance, and then use that model to get your security budget approved.

Pete, I absolutely agree with you, and I find it terribly amusing that you manage to do your ad hominem attacks indirectly, by impugning unflattering motives to anyone who disagrees with you (they’re afraid, they’re threatened, they’re lazy …).

Nobody’s “threatened” by the misuse of a financial term. If you want to make the words “return on investment” mean whatever you want them to mean, more power to you. As Humpty Dumpty said, it’s a question of who’s to be the master, that’s all. But I’ll certainly bow to Anton’s in-house economics expert if I want to use the words correctly.

Meanwhile, I’ll go take a look at the money under my mattress to see whether it’s currently creating or depleting.