Threat, Vulnerability and Consequence: A Framework for Managing Security

The Conference Board uses cookies to improve our website, enhance your experience, and deliver relevant messages and offers about our products. Detailed information on the use of cookies on this site is provided in our cookie policy. For more information on how The Conference Board collects and uses personal data, please visit our privacy policy. By continuing to use this Site or by clicking "OK", you consent to the use of cookies.

Sign in
Forgot Your Password?

Keep me signed in on this computer

Create an account

Members of The Conference Board get exclusive access to the full range of products and services that deliver Insights for What's Ahead^TM including webcasts, publications, data and analysis, plus discounts to conferences and events.

If you are not a Member yet, we invite you to explore a variety of our products and services, as our guest.

Become a member

Explore how membership in The Conference Board can benefit you and your organization.

Visit our Preference Center

Tell us what you are interested in and we'll send you related content.

Tags

Full Listing

Threat, Vulnerability and Consequence: A Framework for Managing Security

Authors:
Thomas E. Cavanagh
Publication Date:
June 2006

It is difficult to evaluate security expenditures using traditional ROI calculations because the return on security “investments” are not based on tangibles such as profits or incomes. Instead, returns on security investments come in the form of events that do not happen. Companies should use the Security Risk Equation, which defines security risk by three variables: threat, vulnerability, and consequence, as well as the risk-based return on investment (RROI) equation. RROI can be used to evaluate competing proposals for security initiatives.