Chapter 5
66 Pages

Measuring Return on Investment (ROI) in Physical, Personnel, IT, and Operational Security Controls

If the IT industry has been wandering in the desert for years when it comes to IT security resilience metrics, it has been meandering in a fog for an equivalent amount of time concerning security ROI (return on investment) metrics. A few feeble attempts have been made to dispel the haze, but they proved a temporary mirage. Historically, security ROI metrics, like security metrics in general, have been considered “too hard.” The old paradigm was that “you had to implement security and it had to be as good as possible.”