Not a surprise that more than a quarter of executives see security as a negative ROI. I think the simple answer is they are not measuring it correctly. Not faulting them, as ROSI (Return on Security Investment) is a very difficult beast to corner and quantify with any accuracy. Traditional ROI methods and tools are not as effective for cybersecurity as they are for other traditional project management use cases, where the value and costs can easily be quantified.
But here is the kicker: even though they could not quantify the ROI to determine the value, they likely still went forward with instituting some security. This is a good first step, because it is unrealistic to apply the same decision-criteria methodology when the ROSI can't be determined. We must think outside the box and, if necessary, use qualitative measures and metrics to move closer to the optimal level of security that balances risks, costs, and usability.