Return on Investment(ROI) is a reliable business metric in most industries. The simplest description of ROI is the ratio of an investment’s return less its cost less its return to the cost of the investment. Bruce Schneier revealed some of the flaws that cast doubt on the quality of infosec ROI metrics. Schneier: Cybersecurity [ROI] is considerably harder, because there just isn’t enough good data. A cogent value statement combined with a best-effort ROI can enhance both the bottom line and the security posture.”]
Source: https://www.csoonline.com/article/2137082/infosec-value-statement-vs-roi.html