ROI in Security... Still Not Buying It
One of the lead articles in the December issue of CSO Magazine states, "ROI for security is difficult. But it's also the key to selling your budget." (Source: Calculated Risk: Return on Security Investment.) Yes, ROSI (Return On Security Investment) is difficult: nearly impossible to calculate, highly subjective, somewhat arbitrary, and so on. ROSI is supposed to let you make decisions based on the numbers (i.e., facts), yet the article concludes, "ROSI is empirical, but in many ways it's emotional, believe it or not." What? If I am a CEO or CFO, I am not going to buy into a security budget based on the fuzzy math that goes into these ROSI calculations.

More on point is a statement in a second article in the same issue, titled The Art of Uncertainty. In an interview, Frank Barnhard of Omni Consulting Group states that security should be considered "not as an ROI problem but as an economic value discussion." "I don't think people have a hard time understanding that security is something we have to offer because, if we don't, we're open to liability. That's a secondary outcome. And if we're open to liability, we may get sued. So we want to do those things that are obvious within man's control. That's the litmus test: that it's within a reasonable person's control to mitigate risk and ensure that they're not liable... What results are you trying to achieve and, in this case, what risks are you willing to mitigate, to bring it back to a cost basis?"