Security vendors have long been criticized for making grandiose claims about the efficacy of their wares. Bruce Schneier argues that calculating a specific product’s potential ROI “is mostly bunk in practice.” The value of information should be determined at the highest levels of the organization, Schneier says. Schneier also makes well-reasoned cases for the use of ALE, or Annualized Loss Expectancy, a risk view of security budgeting. The greater the time it takes to detect and react to the event, the greater the risk.
Source: https://www.csoonline.com/article/2123283/security-can-be-measured.html

