“ROI (or bang for the buck) can’t be applied perfectly to information security because often the return on information security purchases and deployments is intangible. Security is a way to deal with risk, which is the probability of loss. Donald Trump does not receive any return on the investment he makes in bodyguards. Those who perform network security monitoring are more aware of these threats than the average CISO. NSM operators possess network awareness, thanks to the sorts of information they collect. Security is an art with opaque threats; we have trouble choosing the appropriate level of security for our networks.”
Source: https://taosecurity.blogspot.com/2004/04/calculating-security-roi-is-waste-of.html