Why is it so hard?

• Public ROI much broader than traditional ROI

• Differing methods & cultures of assessment:
  accounting v. evaluation v. social science

• Public returns are far from the IT in time & space

• Security is a complex and dynamic domain

• Looking back is much easier than looking forward

• Little consistency among existing models