I don’t read Schneier’s blogs. Why? Because everything cool he says will get linked or sent over by other people I read. So it was with Schneier’s latest essay on security ROI. An excellent article, although it echoes what others in the industry (including myself) have really kinda known for a few years now. But he concisely brings up the issues we have when trying to value threats, risks, and countermeasures in formulating ROI.

Before I get into the details, there’s one point I have to make. “ROI” as used in a security context is inaccurate. Security is not an investment that provides a return, like a new factory or a financial instrument. It’s an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn’t make sense in this context.

In the end, this is just all so much guesswork and the only things you can count on are using such measures as a general guideline and trying to be as consistent as possible when measuring and using them.

As usual for Bruce’s blog, the comments are many and fairly well-informed. Skimming through them reveals just how difficult the idea of security ROI or security cost really is, and possibly how non-universal every “answer” is.

So, we harp about FUD, but isn’t that what you have to do in the face of a lack of ROI? Is that how insurance sells itself, whether spoken or just subtly implied?