Tuesday, July 24, 2007

ROI, ROSI, RROI and Harry Potter Tales

OK, let's step back a bit and review what was said in the latest installment of the Great ROI Saga ...

In response to Richard's post, I thought and said that: "So, let's see whether you can compute (and thus "have") a rate of return on buying a security product. Sorry, the economics answer will be a solid 'no.'"

Ken Belva then argued (using Dr Gordon as an information source) that: "those who argue that you can compute an ROI for information security investments are technically correct." However, he mentioned some minor "measurement problems."

Pete Lindsrom first opined that: "I really don't understand why people are so threatened by the notion of ROI in security. Why on earth should they care whether someone can leverage the concept in support of their security goals? [...] I would suggest that since you can reduce recurring costs with, say, a patch management solution, you are contributing to higher net income and therefore can get ROI." and then added a few fun pointers in his piece called "Ten Points about Security ROI and ROSI": "ROI in security typically comes by reducing your existing, known cost basis such that the net profit (in the broadest sense, of your organization) is higher. These are real costs that show up, or will show up in the case of anticipated ROI, in an organization's financial statements." He then adds his own firewood ....eh ... term to the fire: ROSI.

Iang on FC blog stated that: "The issue here is a simple one of negative numbers and the distinctions between absolute and relative calculations. [A.C. - huh?] [...] Calculating ROI is wrong, it should be NPV. If you are not using NPV then you're out of court, because so much of security investment is future-oriented. [...] Predicting the "savings" from a security investment is hard." Hopefully, somebody got that ...

Mike Murray first said that he hates ROI, mentioned a spherical horse on a vacuum :-) and then added: "How much does my business increase its net profit because I have purchased this technology/implemented this process/bought more toilet paper/hired this person/etc.? - Ask that question, and the debate about whether you call it ROI, IRR, Rate of Return, Cost Reduction, or any number of other things goes away."

Chris Hoff chimed in with a sensible: "It seems that the unofficial scoring has the majority of contributors to the debate suggesting that Security ROI does not exist...sort of. The qualification of the word "return" really seems to be the important lynchpin here as contribution (margin, profit, etc.) versus cost avoidance really is what sends people off the deep end." Also, he issues a pacifying line: "If they want ROI, then fine...define the "R" appropriately and move on." He then piles his own firewood ....eh ... term to the fire: RROI.

Richard then summarized with: "I am only concerned with the Truth as well as we humans can perceive [A.C. - italic is mine here and above] it." But nobody else seemed to :-)

In other words, the above "discussion" tells me that one can use whatever term to call whatever thing nowadays: it is indeed a free enough country (nobody will stop you, no matter how stupid you will look while doing it!)

Overall, if you want to call an apple "an orange," I am not the one to stop you. If you insist on calling security savings or other financial benefits from security "ROI", I am not the one to stop you. Still, I would prefer (and will use ;-)) the term "fake ROI" since it is certainly not what the finance and economics books (and people) call Return on Investment...

Now, some of you may be wondering, what the title of the post has to do with its content. Alas, this is left as an exercise for the readers :-)

Technorati tags: ,

2 comments:

Anonymous said...

If what we do is risk management...


and if risk is a probability function...

*then*

maybe we just cannot make state of nature statement (ROI) based around what, is essentially, a belief statement (state of knowledge).

Anton Chuvakin said...

>a belief statement

Yup, that is the story.

Well, remember, no ROI - no problem! There are plenty of other tools to justify security to your business, which are less flaky than ROI...

Dr Anton Chuvakin