This is a simple model. No doubt CSOs, consultants and vendors withtheir own ideas will hue and cry that we've presented ROSI in thisparticular, facile way. But we're only trying to provide a guidingprimer. To attempt more in this space would be a fool's errand. (Forexample, we didn't even approach the concept of Net Present Value,which takes into account costs and benefits over time as if all themoney were here now. Ask your CFO.)

Don't take this as a final "how to" but rather as a starting point todevelop your own ROSI. But don't forget: The most important message isto do the homework. Collect as much data as possible so that there'splenty to crunch.

ROSI is empirical, but in many ways it's emotional, believe it or not.It is about coming up with numbers, but those numbers are only usefulin the context of how executives feel about them. ROSI is riskeconomics that paints a picture of your organization's attitude towardsecurity. What level of risk is the enterprise comfortable with? Howdoes the company prioritize its limited resources? Is technology orawareness more valuable as a tool? Suddenly you're answering businessquestions based on the security numbers.

"The numbers right now show patch management automation doesn'tprovide a positive return for this organization," Nigriny says. "Sowhy would I do it? It just doesn't make sense." Just by coincidence,it seems, ROSI has aligned Nigriny with the business.