Stephen Pao, Vice President of Product Management at Barracuda Networks (, says:

How do you know you’re making the right security investments? Absent a more formal ROI process, there are some common sense guidelines around ensuring basic protection where threat vectors are most prolific. For example, with over 95% of email connection attempts on the Internet being associated with spam or viruses, most organizations recognize that email security to prevent spam and email-borne viruses is generally regarded as a best practice.
Other security investments at this level involve other common Internet threat vectors, including protecting your organization’s Web site, your users’ Web browsing activities, remote access to corporate networks and filtering IM traffic.