ABSTRACT
It is easy to get security money after you are attacked, but
the problem is trying to get the money before that happens.
How do you quantify what security gets you? If you spend
an additional $3,000,000 this year on security, how do you
justify it? What is the return on that investment? As a
security professional, you see different vulnerabilities and
attacks on a daily basis and it may be very clear to you that
your enterprise needs to be more secure. But from a business
perspective, it is not always that clear. Executives
realize that threats are a reality, but they want some way
to quantify these threats and know what the cost is for
implementing a security measure or the financial
consequences if they do not.