Soon I will begin a research project into quantifying and expressing return on security investment. From conversations I've had with many conference attendees, there's a need for developing a basic understanding of how to measure ROSI so that budget money for security magically becomes unlocked. I plan to assemble a presentation on this for 2006's events.
If any of you have personal thoughts on ROSI, or some tips that work for you, please comment here or email me (firstname.lastname@example.org). I'd love to include your ideas. Thanks!