• Gordon, Lawrence A. and Martin P. Loeb, “Return on Information Security Investments: Myths vs. Reality,” Strategic Finance, November 2002, pp. 26-31.

Although measures of return on investment have gained increased attention as a financial tool to evaluate information security projects, conceptual and practical problems of these measures have been largely ignored. This paper highlights several of these problems. The paper shows that the common accounting measure of return on investment is different from the economic measure of return on investment, and that the accounting measure is inappropriate for both the ex ante and ex post evaluation of information security projects. The paper also recommends focusing on selecting a profit maximizing level of information security investment as opposed to the investment level that maximizes a measure of return on investment.