PRECISION IS NOT THE GOAL. One of the reasons that ROSI might feellike an endless path comes from the fact that there has been a naturaltendency in the tech sector toward approaching problems with theprecision a software engineer would expect. The "hard numbers" Mogullassumes are required.

"This is a classic problem that technologists have," says Kevin SooHoo, a researcher at security consultancy @Stake doing ROSI studies,and who at Stanford University wrote his thesis, dense with economictheory, on the subject. "They don't understand that you can make roughguesses to work out a problem. We dive into an ROSI study, and theengineers are focused on the minutiae and want to argue for dayswhether some variable should be .6 or .55. It doesn't matter," Soo Hoosays emphatically, as if he's been through this more than a few times."Choose one!"

With ROSI, like all risk assessment, the goal instead needs to beaccuracy, which isn't at all the same thing as precision. Notice thatthe ASSE study suggested about $3 for every $1. There was no attempthere to delineate the exact return, because that's not the point. Thepoint is to provide a set of guiding principles from which you, yourCEO and CFO can make good decisions about what's acceptable. In otherwords, the CEO doesn't (or shouldn't) care if a return is precisely$3.13 for every $1 spent or $2.97. He cares that it's accurate tosuggest about a 3-to-1 return, and not a 1-to-1 return or, worse, a1-to-3 return.

THE DOGMATIC I.T. MIND-SET MUST BE ELIMINATED. It's obvious why ITtends to approach problems with binary thinking. It is, after all, thelanguage of the trade. But an on-off, "either we've been hacked or wehaven't" view of the problem will make ROSI an impossible task. (Somebelieve it helps to eliminate binary terms from their discussions sothat security becomes risk management and threats aren't eliminated,they're mitigated and so forth.)

Back to the fire extinguishers. A binary thinker might suggest that,since there was no fire last year, there was no ROSI. If that is theattitude at your company, it's time to initiate some awareness andeducation because that's not how risk mitigation works. Think of itthis way: If you wear your seat belt but don't get in a car accident,does that mean you ought not invest in a seat belt because there wasno return?