Setting the Record Straight on ROI in Security

Trust me, I have no interest in bringing this up, but since someone else did, I feel compelled to respond to set the record straight. I had been casually following the Securosis work on business justification of data security and saw their paper pop up in the SANS reading room. As I was perusing the table of contents, I came across the item "Why there is no ROI in Data Security."

Trust me, I have been there and done that with the whole ROI in security thing. And I honestly thought I would read the section that said you can't get ROI because security doesn't generate revenue (I don't think that matters), along with the "and another thing" that ROI isn't even a very good model to use anyway.

Instead, I found this (my comments in between italicized excerpts):

Return On Investment (ROI): Repeat after me: There is no ROI for security spending. Anyone who tells you otherwise is wrong. Here’s why: When applying ROI to data security, you attempt to quantify loss, and then substitute loss as revenue.

No. You don't quantify loss; you quantify your costs and hold revenue constant, so the return in an ROI calculation comes from reduced costs. Losses typically don't enter the calculation at all, though high-frequency recurring events are predictable enough that they can be treated as just another operating cost.


Besides always producing a negative result, this model is a fundamentally flawed way to approach security spending for a couple of reasons.

The "always producing a negative result" claim doesn't hold when you apply the model the way it is meant to be applied: to two alternatives, your current state and the modified state. If the cost reduction over the evaluation period is smaller than the investment needed to reach the modified state, the result is negative; if it is larger, the result is positive. Nothing about security forces the first case.


The first is that security precautions do not create a return or generate revenue, so by definition they cannot be used to calculate revenue.

This is the standard 'no-revenue' objection, which I disagree with but understand. The slip at the end of the sentence perhaps explains the faulty reasoning: you aren't calculating revenue, you are calculating a return, which is the net of revenue (held constant) and costs. With revenue constant, a reduction in costs is a return.


The equation is abused by substituting potential losses that cannot be reasonably quantified for ‘Return’, in place of quantifiable financial gains.

This is incorrect. Nothing in the ROI equation requires substituting potential losses for the return; the return is the cost reduction, which is as quantifiable as any other operating expense.


Further, expenses such as disaster recovery, legal costs, and regulatory costs can be estimated with a fair degree of accuracy; but indirect costs such as “loss of reputation”, brand impairment, and loss of future business cannot be accurately be [sic] assigned dollar amounts.

ROI generally comes from increased productivity: the gain from substituting computing for human labor over a period of time, which is the goal of essentially all IT. The items discussed above are again losses. They can be quantified too, but that is where ROSI (Return on Security Investment) comes in, not ROI.
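To make the distinction concrete, here is an added example (not code from the original post or from the Securosis paper) that computes ROI between two alternatives with revenue held constant, where the return is the cost reduction, beside a ROSI calculation where the return is reduced expected loss. All of the dollar figures, the three-year horizon, the undiscounted arithmetic and the use of the commonly cited Sonnenreich-style ROSI formula are assumptions for illustration, not anything stated in the post.

```python
# Added example, not from the original post or from Securosis: a worked
# comparison of ROI (cost reduction, revenue held constant) against ROSI
# (loss reduction). All figures, the three-year horizon and the use of
# simple undiscounted sums are constructed assumptions for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class State:
    """One alternative being evaluated: the current way of doing things,
    or the modified state after an investment."""
    name: str
    annual_revenue: float         # held constant across alternatives
    annual_operating_cost: float  # recurring cost (e.g. labor) of this state
    one_time_cost: float = 0.0    # capital needed to reach this state


def net_value(state: State, years: int) -> float:
    """Undiscounted net value of running `state` for `years`."""
    return years * (state.annual_revenue - state.annual_operating_cost) - state.one_time_cost


def roi(current: State, proposed: State, years: int) -> float:
    """ROI of moving from `current` to `proposed`.

    Return = net_value(proposed) - net_value(current). Revenue cancels out
    when it is held constant, so the return is the cost reduction over the
    period minus the investment, divided by the investment.
    """
    investment = proposed.one_time_cost - current.one_time_cost
    if investment <= 0:
        raise ValueError("proposed state must require an incremental investment")
    gain = net_value(proposed, years) - net_value(current, years)
    return gain / investment


def rosi(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """ROSI in the Sonnenreich-style form: (ALE reduction - cost) / cost, per year.

    ALE (annualized loss expectancy) = single loss expectancy * annualized
    rate of occurrence. Expected losses belong here; roi() never uses them.
    """
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost


# Constructed scenario (assumption): quarterly access reviews done by hand
# versus an automated entitlement-review workflow.
MANUAL = State("manual access reviews", annual_revenue=5_000_000,
               annual_operating_cost=120_000)
AUTOMATED = State("automated access reviews", annual_revenue=5_000_000,
                  annual_operating_cost=30_000, one_time_cost=150_000)


def example_roi(years: int = 3) -> float:
    """ROI of automating the reviews over `years`; sign depends on the horizon."""
    return roi(MANUAL, AUTOMATED, years)


def example_rosi() -> float:
    """Constructed: ALE of excess-privilege incidents falls from 200k to 80k
    with a control costing 50k per year."""
    return rosi(200_000, 80_000, 50_000)


def revenue_independent(years: int = 3) -> bool:
    """Scaling revenue in both states leaves the ROI unchanged, because with
    revenue held constant the return is pure cost reduction."""
    rich_manual = State(MANUAL.name, MANUAL.annual_revenue * 10,
                        MANUAL.annual_operating_cost)
    rich_auto = State(AUTOMATED.name, AUTOMATED.annual_revenue * 10,
                      AUTOMATED.annual_operating_cost, AUTOMATED.one_time_cost)
    return abs(roi(rich_manual, rich_auto, years) - roi(MANUAL, AUTOMATED, years)) < 1e-9


if __name__ == "__main__":
    for yrs in (1, 3):
        print(f"{yrs}-year ROI of automating: {example_roi(yrs):.0%}")
    print(f"Annual ROSI of the control: {example_rosi():.0%}")
    print(f"ROI unchanged when revenue scales: {revenue_independent()}")
```

Run it and the one-year ROI is negative while the three-year ROI is positive, which is the point about comparing two states over a period: the sign is decided by the horizon and the costs, not by the absence of revenue. The revenue figure can be scaled by any factor in both states without moving the ROI, while the expected-loss figures appear only in the ROSI calculation.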


ROI is a well understood and commonly used financial equation, but it does not account for many of the relevant variables effecting [sic] revenue, or the non-linear costs for multi-incident breaches. The calculation is fine for controlled academic problems, but in context of losses due to data breach, it is a case of garbage in, garbage out.

I certainly agree with garbage in, garbage out.

Further reading:

Can you get ROI from reduced costs?

Ten Points about Security ROI and ROSI

What is threatening about ROI in security?

ROI is about value

Return on Security Investment (and a little ROI)