Thanks to a tip-off from Gideon Rasmussen on the insider threat email reflector, I've come across a series of information security podcasts by CERT aimed at 'business leaders'. The podcast on security Return On Investment (ROI) contains an interesting comment relating to research by "a couple of economists at the University of Maryland named Lawrence Gordon and Martin Loeb", who are said to have determined that a security control investment should only go ahead if the cost is no more than 37% of the expected return. I find this a very curious statement: from a purely economic point of view, almost any net positive return is financially worthwhile provided that (a) there is sufficient funding available for the investment (i.e. it is not outranked by other, higher-return investments) and (b) the projected costs and returns are realistic, which is perhaps the issue here. Security projects in the main create returns by reducing risks and hence reducing projected future losses compared to the do-nothing option. The economists seem to be saying that security and risk professionals are seriously overestimating the projected savings. They may have a point.
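To make the two positions in the paragraph concrete, here is an added worked example (my own code, not from the podcast or from Gordon and Loeb's paper). It screens a set of candidate controls two ways: the plain ROI view (fund anything with a positive net return, best ROI first, until the budget runs out) and the "cost no more than 37% of expected return" rule as the podcast states it. It also applies a haircut to the projected savings to show what the 37% rule buys you when estimates are inflated. All control names, costs and loss figures are constructed for illustration; "expected return" is taken to mean the projected reduction in annual loss versus doing nothing.

```python
"""Screening security controls: plain ROI versus the 37%-of-return rule.

Added example, not the podcast's or the economists' own code. All figures
below are constructed; 'expected return' is assumed to mean the reduction in
projected annual loss compared with the do-nothing option.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Control:
    name: str
    cost: int          # annual cost of operating the control
    loss_before: int   # projected annual loss with no control in place
    loss_after: int    # projected annual loss once the control is in place

    @property
    def expected_return(self) -> float:
        """Projected savings: loss avoided relative to doing nothing."""
        return self.loss_before - self.loss_after

    @property
    def net_benefit(self) -> float:
        return self.expected_return - self.cost

    @property
    def rosi(self) -> float:
        """Return on security investment: net benefit per unit of cost."""
        return self.net_benefit / self.cost


# Constructed candidate controls (hypothetical numbers, not from the post).
CONTROLS = [
    Control("mfa", cost=20_000, loss_before=100_000, loss_after=30_000),
    Control("siem", cost=50_000, loss_before=200_000, loss_after=120_000),
    Control("training", cost=10_000, loss_before=40_000, loss_after=25_000),
    Control("dlp", cost=30_000, loss_before=50_000, loss_after=30_000),
]


def passes_37pct_rule(c: Control, ratio: float = 0.37) -> bool:
    """The rule as the podcast states it: cost <= 37% of expected return."""
    return c.cost <= ratio * c.expected_return


def plan(controls: List[Control], budget: int,
         apply_rule: bool = False, ratio: float = 0.37) -> Tuple[List[str], int]:
    """Pick controls with positive net benefit (optionally also meeting the
    37% rule), highest ROSI first, while they fit the budget.
    Returns (selected control names, unspent budget)."""
    eligible = [c for c in controls if c.net_benefit > 0
                and (not apply_rule or passes_37pct_rule(c, ratio))]
    chosen, remaining = [], budget
    for c in sorted(eligible, key=lambda c: c.rosi, reverse=True):
        if c.cost <= remaining:
            chosen.append(c.name)
            remaining -= c.cost
    return chosen, remaining


def survivors_if_overestimated(controls: List[Control], factor: float) -> List[str]:
    """Which controls still show a positive net benefit if every projected
    saving was overestimated by `factor` (true return = projected / factor)?
    Because cost <= 0.37 * return is the same as return >= ~2.7 * cost, a
    control that meets the 37% rule survives an overestimate of up to ~2.7x."""
    out = []
    for c in controls:
        true_return = c.expected_return / factor
        if true_return - c.cost > 0:
            out.append(c.name)
    return out


if __name__ == "__main__":
    print("plain ROI, budget 60k:", plan(CONTROLS, 60_000))
    print("37% rule, budget 60k: ", plan(CONTROLS, 60_000, apply_rule=True))
    print("survive 2.7x overestimate:", survivors_if_overestimated(CONTROLS, 2.7))
```

With a 60,000 budget the plain ROI screen funds "mfa" and "training"; the 37% rule funds only "mfa". If every projected saving turns out to be inflated by a factor of 2.7, "mfa" is also the only control that still pays for itself, which is the sense in which the rule acts as a margin against the overestimation the economists seem to be worried about.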