Corporate clients have
a high level of demand when it comes to ROI version which could denote that a
specific security provides the ideal return on investment. Also, dealers push
ROI for security because they have to convince the customer in order to part
with their capital (purely for business purpose).
When security requires
funding their projects, business wants the idea of what they will gain in
return. According to me, this could be a fitting design as an abstract, but
practically it ends up as a bunk.
Security cannot be
looked upon as an investment and the organizations should not be expecting to
yield a profit out of it. Security should be completely focused on prevention of loss and not about gaining
returns. In cybersecurity world, risks exist because of hackers. Mostly risk
models depend upon figuring out what hackers might be doing to break the
security factors. (Not only what hackers could do to hack in the current
situation, but also for a longer run.) For security engineering, the need for
firewalls and encryptions is a known factor even without particular
calculations being performed. Also, the need for session and authentication to
pass the security sockets layer. It is always better if these are set as the
main focus for which the risks need to be analyzed (which is required beyond
the security sockets).
Also, each time a
business is looking for an investment to improve the cybersecurity model, and
then the company is likely to have other potential need areas where that benefitted
amount could be spent. In this case, instead of expecting a return from the
investment on security, the organization can always invest in stocks (or any
other kind of investment) so that they can collect the interest.
Instead of following
the ROI models for security purpose, it would be better if the risk analysis is
being performed. If the risk analysis, to begin with, is lacking, then
performing ROI computation becomes valueless. Also, security is not to be
considered as revenue producing investment but the one which prevents