This chapter expands upon standard methods of calculating the return on security investment (ROSI) in several ways. First, it accounts for the dynamic nature of threats, vulnerabilities, and defenses as they apply to the finance sector. Second, it takes a more holistic view of security investments using a portfolio method. The protection of information assets can be viewed in two ways. One is the hierarchical view of security measures, such as avoidance, deterrence, and prevention. The other is defense in depth, wherein various security tools and processes, such as firewalls, identity and access management, and intrusion detection and prevention products, are combined for greater overall protection. The reader will gain a deeper understanding of the factors that affect the risks and returns of investments in security measures, tools, and processes and will find that using the portfolio approach leads to more cost-effective security.