ABSTRACT
It is curious that so little has been said on what we feel is such an extremely important topic. Sure, there are some rather academic reasons why the accountants might prefer net present value over payback period when assessing the projected value of security investments, but in practical terms and in some situations, payback period may have redeeming qualities that make it the more valuable security metric. Other security metrics books belabor the differences between ordinal and cardinal numbers or metrics, measurements, and measures, but few information security practitioners truly understand or even care much about such arcane details, valid as they are. We simply need relevant, useful information in order to manage and deliver adequate information security while our managers and other stakeholders are clamoring for assurance that we have things under control.
