Martin P. Loeb
ˇ@
Deloitte & Touche Faculty Fellow
Van Munching Hall 3351
Robert H. Smith School of Business
The University of Maryland
College Park, MD 20742, USA
Phone: (301) 405-2209

ˇ@

Book

Managing Cybersecurity Resources: A Cost-Benefit Analysis

RETURN ON SECURITY INVESTMENT

Although measures of return on investment have gained increased attention as a financial tool to evaluate information security projects, conceptual and practical problems of these measures have been largely ignored. This paper highlights several of these problems. The paper shows that the common accounting measure of return on investment is different from the economic measure of return on investment, and that the accounting measure is inappropriate for both the ex ante and ex post evaluation of information security projects. The paper also recommends focusing on selecting a profit maximizing level of information security investment as opposed to the investment level that maximizes a measure of return on investment.

ˇ@

ˇ@

ˇ@