Return on Investment (ROI) is a touchy topic for many information security professionals. It was well-covered in the Great Blogging Debates the early 21st century, and it continues to touch a nerve. Let's see why that might be.
People often use the word "investment" to describe a worthwhile expense that offers some benefits to the spender. As the result, the term Return on Investment (ROI) in the security context—also sometimes called Return on Security Investment (ROSI)—is sometimes used to justify any security expense from which the organization might benefit.
The problem is that ROI in the financial industry—where the term originates—has a more specific meaning that focuses on income, rather than cost savings. Though several variations on the term exist, ROI is usually considered a relative metric for comparing courses of action to find the one with the highest likely rate of return. According to Gale Encyclopedia of Small Business:
ROI "compares the amount of income derived from an investment with the cost of the investment. ROI is known as a profitability ratio, because it provides information about management's performance in using" the available resources to generate income.
Infosec purists, such as Bruce Schneier, pointed out that:
"Security is not an investment that provides a return, like a new factory or a financial instrument. It's an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings."
Richard Bejtlich clarified that those who advocate using ROI in the context of security "equate savings with return. The key principle to understand is that wealth preservation (saving) is not the same as wealth creation (return)."
In other words, avoiding a loss is different from generating income. However, many people in the security community don't care about the distinction. This is irritating to some.
The point of tension often occurs when security vendors adopt the term ROI to explain why their products or services effectively pay for themselves and are, therefore, a worthwhile "investment." They do this to use business speak as a way of explaining that the purchaser will save money as the result of the purchase. To an ROI purist, they incorrectly imply that the product or service will generate returns for the purchaser.
Another issue stems from the way in which ROSI calculations determine the likely savings by attempting to estimate the amount of potential financial loss from a security incident. The New School of Information Security points out that:
The loss is "typically calculated using annualized loss expected (ALE), which is the probability of a loss event multiplied by the expected cost of the event… The problem today is that the probability of the loss event is very hard to predict, as is (to a lesser extent) the event's expected impact."
Security professionals need metrics to justify expenses and must speak the language of business executives if they hope to participate in high-level strategic discussions within their organizations. The challenge is how to use the terminology and which metrics to compute to facilitate fruitful discussions. Using ROI can help get the conversation going, but might not hold up to closer scrutiny.
This note is part of my 3-post series on the subjects that tend to rattle security folks. Other posts look at Advanced Persistent Threat (APT) and insider threat.