ABSTRACT
With certain notable exceptions, there are fundamental differences in perception between information security practitioners and senior executives. For example, how can information security professionals provide the kind of cost justification or return-on-investment (ROI) figures that executives expect, given the limited types of tools currently available? A risk analysis or similar approach to estimating risks, vulnerabilities, exposures, countermeasures, etc. is simply not sufficient to convince a senior manager to accept large allocations of resources.