Wednesday, 18 July 2007

Information Security & ROI debate

Three days ago I read what Richard Bejtlich wrote on his blog. Before that post I rejected his idea and posted my reply with a little explanation. But, really, I became confused. Richard said it is wealth saving instead of wealth return. But what is the difference, as long as this keeps your initial investment and your revenue secure? I mean, you may earn £500 by investing £1000, but you could lose this revenue if you didn't secure it. The other point is that Information Technology as a whole increases ROI by reducing (saving) operations cost. I may agree that regulatory certifications aren't ROSI, because they are mandatory by law and we should consider them part of the operations cost.
Now, here is what I got. Kenneth F. Belva wrote to Dr. Lawrence Gordon and Dr. Martin Loeb asking their opinion, and here is what they sent to him: ' Dear Ken:
Thanks for your e-mail message concerning the question: Does Information Security have an ROI? It is important to realize that there is a very large body of academic and practitioner-oriented literature in accounting and economics (going back to at least the early 1900s) that addresses the more fundamental issues of:
(1) ROI vs. a real economic rate of return (usually called the IRR), and (2) maximizing the ROI (or IRR) is, in general, not an appropriate economic objective.
The above noted, it is conceptually possible to compute the ROI for information security investments, but there are significant measurement problems with such a metric. Accordingly, those who argue that you can compute an ROI for information security investments are technically correct. However, those who argue that an ROI for information security investments has significant measurement problems and therefore should not be computed, certainly raise a valid concern.
Rather than trying to derive the ROI of security investments, a much better strategy is to work on the related issues of deriving an optimal (or at least desirable) level of information security investments and the best way to allocate such investments. This strategy is the focus of the Gordon-Loeb Model (for a brief summary of the focus of this model, and a link to the actual paper, go to http://www.rhsmith.umd.edu/faculty/lgordon/Gordon%20Loeb%20Model%20cybersecurity.htm).
Sincerely, Larry '
I think this answer will close this debate.
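The Gordon-Loeb model that Larry points to can be worked through numerically, and doing so also shows why point (2) of his letter holds. The Python below is an added example, not code from this post or from Gordon and Loeb. It uses one of the two breach-probability function classes in their 2002 paper, S(z, v) = v^(αz+1), where v is the probability of a breach with no extra security spend, L the loss a breach would cause, z the spend and α the productivity of that spend. The figures for v, L and α are constructed for illustration and are assumptions, not data from the page. Net benefit (expected loss avoided minus spend) peaks at a closed-form z*, which the paper shows never exceeds 1/e of the expected loss vL, while the ROI ratio is highest at a tiny spend: maximizing ROI would tell you to spend almost nothing.

```python
import math

# Added example of the Gordon-Loeb (2002) investment model. The three input
# figures are constructed for illustration (assumptions, not from the post).
V = 0.5              # vulnerability: breach probability with no extra spend
LOSS = 1_000_000.0   # potential loss from a breach, in currency units
ALPHA = 1e-4         # productivity of security spend


def breach_probability(z, v=V, alpha=ALPHA):
    """Class II breach-probability function from the paper: S(z, v) = v^(alpha*z + 1).
    Equals v at z = 0 and falls toward 0 as the spend z grows."""
    return v ** (alpha * z + 1.0)


def enbis(z, v=V, loss=LOSS, alpha=ALPHA):
    """Expected net benefit of information security:
    expected loss avoided, (v - S(z, v)) * L, minus the spend z."""
    return (v - breach_probability(z, v, alpha)) * loss - z


def roi(z, v=V, loss=LOSS, alpha=ALPHA):
    """Return on the spend as a ratio: net benefit divided by cost."""
    if z <= 0:
        raise ValueError("ROI is undefined at zero spend")
    return enbis(z, v, loss, alpha) / z


def optimal_investment(v=V, loss=LOSS, alpha=ALPHA):
    """Closed-form z* maximizing ENBIS for the class II function.
    dENBIS/dz = -alpha * ln(v) * L * v^(alpha*z + 1) - 1 = 0
      => v^(alpha*z* + 1) = -1 / (alpha * L * ln v)
      => z* = (ln(-1 / (alpha * L * ln v)) / ln v - 1) / alpha
    If even the first unit of spend returns less than it costs, z* = 0."""
    if not 0.0 < v < 1.0:
        raise ValueError("v must be a probability strictly between 0 and 1")
    target = -1.0 / (alpha * loss * math.log(v))
    if target >= v:
        return 0.0
    return (math.log(target) / math.log(v) - 1.0) / alpha


def grid_optimum(v=V, loss=LOSS, alpha=ALPHA, step=100.0):
    """Brute-force cross-check of z*: scan spend from 0 up to the expected loss v*L."""
    best_z, best_val = 0.0, enbis(0.0, v, loss, alpha)
    z = step
    while z <= v * loss:
        val = enbis(z, v, loss, alpha)
        if val > best_val:
            best_z, best_val = z, val
        z += step
    return best_z


if __name__ == "__main__":
    z_star = optimal_investment()
    small = 1_000.0
    print(f"expected loss vL   = {V * LOSS:,.0f}")
    print(f"optimal spend z*   = {z_star:,.0f} "
          f"({z_star / (V * LOSS):.1%} of vL; paper's bound 1/e = {1 / math.e:.1%})")
    print(f"at z*:             net benefit {enbis(z_star):,.0f}, ROI {roi(z_star):.1f}x")
    print(f"at z = {small:,.0f}:      net benefit {enbis(small):,.0f}, ROI {roi(small):.1f}x")
```

With these inputs the expected loss is 500,000, the optimum spend is about 51,000 (roughly 10% of vL, inside the 1/e bound), and the ROI ratio at a spend of 1,000 is about four times higher than at z* even though the net benefit there is a small fraction of the optimum. Dropping α to 1e-6 makes the model return z* = 0: when spend barely moves the breach probability, accepting the risk beats buying controls.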