Much is said about the importance of investing in information security [5, 10], but little is known about the extent and effectiveness of such security programmes [4]. A model that analyses the mechanics of an information security programme is presented. The model attempts to put an upper bound on information security expenditure. The concepts of “viability of security expenditure,” “successfulness of attack” and “motivation to attack” are introduced. The Return on Information Security Investment (ROISI) model is tested in a real-life organisation to determine the viability of an anti-spam solution in a conventional setting and is later adapted to a wireless environment.