The second issue that appears constantly on the minds of CIOs is how to measure return on investment (ROI). After a major catastrophe, measures can be made, but all IT staffs are dealing with how to measure ROI for security. Tina LaCroix, chief of information security at Aon Cor, indicated that "This elusive packaging of the ROI formula to validate our existence is one that may take us down an endless path." (4)