information security: RoSI: R.I.P.
There's an interesting link over at Axel Eble's blog to a report that, hopefully, people are geting round to the throught that security is not something that you calculate the R.O.I on, more that you view it like insurance or fire control system, as loss avoidance.
The problem with calculating ROSI has always been quantification, and it's always struck me that people that suggest it as a good way of justifying security spend, come up very short on specifics when asked, how it would actually be implemented.....
