Reading my colleague Stuart King’s blog posting on the financial impact of security incidents reminded me of the continuing obsession that many parts of industry and academia still seem to have with achieving the Holy Grail of perfect ROI measurement. Many of them miss the point. The problem we face is not proving that each investment in security has a positive NPV, but demonstrating that such spending is a sensible idea. In large organisations, it’s about making a business case that passes the investment appraisal criteria. In the case of small businesses or home users, it’s about putting together a convincing argument. You don’t have to, and you can’t always, present hard evidence that guarantees a payback within a particular time period. There are other criteria for justifying investments: regulatory compliance requirements, for instance, or the fact that your business will collapse under viruses and spam if you don’t take preventative action. Many things in life are simply not knowable or not measurable, especially in the shadowy and fast-changing world of security.