Everything new is old again – ROSI
December 8th, 2008 by p1, Filed under: Commentary, Corporate Security, Culture
Return On Investment. (In security.)
Return On Security Investment.
It doesn’t exist. But it keeps on coming back from the grave, no matter how many times we try to kill it.
OK, we can say that spending money on security keeps you from losing more money somewhere down the road. But “investing” in security isn’t going to bring in revenue. (Well, unless you want to try to estimate the extra business you got from being a “safe” company to do business with.)
We can also try to do quantitative risk assessment or analysis, and therefore be able to do something of a cost/benefit analysis of individual controls. (Of course, a lot of people have done a “quick and dirty” qualitative cost/benefit analysis, and figured out that the cost of doing a quantitative risk analysis outweighs any possible benefit in terms of the greater accuracy of your cost/benefit analysis.)
Undeterred, and now that we are in an economic quagmire, the media has started to spin ROSI as the way to ensure that you get the most out of your security investment.
Columnists love fairy tales …



