You can't spell "Really pointless flamefest" without R-O-I
Rich Bejtlich, with whom I do not want to argue about definitions unless I have a much thicker dictionary than he, has taken aim at the (mis?)use of ROI by security people.
EC readers may be interested in a blog post by Ken Belva [link to http://www.bloginfosec.com/2007/07/18/email-from-dr-lawrence-gordon-security-roi-possible-but-not-optimal-use-other-metrics/ no longer works], in which the guy who literally (co)wrote the book on establishing a methodologically sound and empirically defensible business case for information security spending — Lawrence Gordon — weighs in via email.
Hopefully, Gordon is a sufficiently authoritative source to put this question to bed for a while.
This is just confusing models of comparison with definitions. The savings that are talked about are not savings in economic terms (cash at bank earning interest) but are sunk costs, which means he doesn't have them at all, and his revenues are simply shrunk by that amount. The "savings" don't exist, but in accounting terms they are quite happily increased revenues if you ever see them come back.
More on FC.