Return on investment, while not completely overt in a security architecture, is a meaningful success indicator for a security solution. ROI can mean saving a company from costly hack attempts/successful intrusions, expensive downtime due to compromised equipment, and loss of credibility due to leaked information. While all of these may not exactly have a monetary value, protecting them can be more valuable than any tangible bit of company property or earned income. As Professer D stated before, KFC's secret recipe may not have a value in itself, but protecting that recipe protects the company from a devaluation as a whole.

ROI results allow the company to pin point the highest priorities, identify top-level security risks, establish a comprehensive security baseline, and also help shape the INFOSEC framework using business critical security elements. INFOSEC offers ROI features to increase safe, secure operations of it systems.

I agree with Andre to an extent, we cannot place and exact dollar amount on every aspect of the data a security system has to protect; so it becomes an issue of quantitative vs. qualitative information. A bean counter in most cases won't sign off on the purchase of a $1million system, because it could protect data worth "a lot of money". Sometime we have to assign a value of intangible assets by estimating the amount of money that is cost to develop, the amount of time, or even the amount of profit it has brought to the company over an X period of time. This information might not be 100% accurate, but some decision makers need to see a number.