There is nothing magical or mysterious about ROI; there are no GAAP standards for calculating it; there isn’t even a standard definition of it. I don’t understand why security folks feel compelled to pigeonhole the value of security, but so be it. On the other hand, any Finance major (like me ) can walk you through the calculations.

The ROI attainment is a function of how you frame the investment you are making. ROI calculations can be applied to individual purchases, projects, and even companies. It is almost always calculated against "net" profit/loss.

There are a handful of pitfalls in attaining security ROI:

1. You don’t believe security is a "core" requirement for the project being evaluated. If you think of security as optional, then you shouldn’t really be calculating an ROI for it.
2. You don’t believe cost reduction should be included in the calculation. I don’t know why, since the dollars are recognized the same at the bottom line. (This has a nice aside of suggesting that any cost center – HR, Accounting, Legal, Admin, etc.. – can’t get ROI either.)
3. You aren’t spending any money on security, and you aren’t losing anything. Very lucky.

The easiest places to get security ROI are:

1. Automating password resets.
2. Replacing leased lines with Internet VPNs.
3. Automating patch management.

It isn’t really that hard. Still feel uncomfortable? Then just call your ROI "lower TCO" or "higher benefit, lower cost" or whatever. Don’t get caught up in semantics. In the end, the only opinions that matter are those of the management team using the information.