Conclusion
Giving an accurate and satisfactory answer is never easy. A customer should be made to understand his organisation's view of risk as this in turn will determine how much he should spend on information security.
Quantifying ROI is not an easy task; however, it is every information security professional's responsibility to indicate to the management the risks facing his business.
For a risk-averse organisation, the issue of ROI is often relatively unimportant. For an organisation willing to take the risk, the ROI will be an important criterion in the decisionmaking.
…
