Ted Ritter, an information security and telecom veteran, has recently written a very informative article on how to make intelligent decisions about cybersecurity spending.
His research analyzes the various approaches organizations have adopted so far, and explains why current ROI models are flawed and need to be replaced with methodologies that are better suited for cybersecurity such as:
You can read the full article here.