Skip to content

The Pros and Cons of a Cost-Benefit Analysis Approach to Cyber Security

5 min read

The cost-benefit analysis approach to cyber security is perhaps the most popular in helping prove ROI and put a figure on cyber security expenses vs costs. But should it be the number one way to assess the value of cyber security?

We discuss the pros and cons of cost-benefit analysis and suggest the reasons why some teams might choose to supplement this strategy for a more holistic view of their investment.

 

The Pros: Putting a Price on Cyber Security

Cost-benefit analysis of any kind always yields hard figures and facts — an essential element of any investment. Without performing a cost-benefit comparison, companies can only talk about cyber security in conceptual terms, ignoring that cyber security solutions often require a significant investment to implement.

 

Pro #1: Provides Quantitative Evidence

The primary pro of a cost-benefit approach is it’s a strategy that spits out a figure at the end. As with any mathematical equation, the cost-benefit analysis gives us a clear ‘yes’ or ‘no’ as to whether something is worth it. 

Suppose you have some money left over after subtracting all the possible expenses from the hypothetical cost of an attack. In that case, there’s a return to be made in cyber security support and it’s worth shelling out for. 

It might be looking at the problem in its most basic form, but cost-benefit analysis gives clarity to cyber security teams. 

 

Pro #2: Helps Sell Cyber Security to the Board

With facts and figures comes buy-in. This is hard evidence for boards whether cyber security solutions, support and insurance should use up space in next year’s budget.

Imagine coming to a board meeting without some maths to back up your argument. It likely wouldn’t go down very well. Showing the potential of cyber security investment in monetary terms immediately communicates its value and speaks to seniors in their language. 

After all, decision-makers are always concerned about their bottom line. Cost-benefit analysis allows them to consider cyber security in the context of their biggest problem. 

Ultimate accountability for IT and information governance rests with the board. It is the governing body of the organisation that must oversee that the responsibilities for IT are managed, appropriately resourced and sufficiently defined. ROI provides a mechanism to demonstrate the protection of information technology against cyber-attacks and the impact it may have on organisations is a board consideration.

In summary, cyber security risks are integrated into organisation-wide risk management and mitigation of the risks associated with a loss of confidentiality, integrity and availability of technology and information are considered a required investment.

 

Pro #3: Forces CISOs to Keep In-the-Know

Taking a cost-benefit analysis approach to cyber security forces CISOs to research the costs of a cyber-attack, which changes year on year. It helps the right people stay in the know and understand cyber security on a granular level.

Looking at data breach statistics from 2021, we can see that medium-large businesses in the UK fared the worst. While charities had the lowest costs to pay, they surprisingly didn’t fall short of small companies, on average. 

Knowing this makes your cost-benefit analysis more accurate as you can create comparisons with context, considering the size of your organisation, its industry and infrastructure to come up with the correct figure. 

 

Pro #4: Lists Expenses in Their Entirety

Engaging in a cost-benefit analysis activity prompts us to define the expenses we’re fighting for. CISOs and their teams might know they want more budget to play with to build better digital defences, but the specific solutions, software or other forms of support might still be a question mark in their mind.

Totalling costs in this equation, therefore, is useful in understanding what you need.

Worldwide security and risk management spending is predicted to exceed $150 billion this year worldwide. But how much of that global spend will you fork out and in which areas? Is application security high up on your agenda? Or does identity access management feel like it should be more of a priority?

Performing cost-benefit analysis gets the cogs turning in CISOs’ minds to start thinking about the answers.

 

Pro #5: Requires Less Market Research

So, the cost-benefit analysis gets us thinking about what’s going on externally and what we should do about it internally. Before you know it, you’ve spent time doing a boatload of market research that will save you resources down the line. 

Directors don’t have to send you back to get more information. Instead, you can come into budget negotiations armed with all the right knowledge, as well as a clear picture of what you’d like to see implemented shortly.

 

The Cons: Only a Piece of the Puzzle

While cost-benefit analysis is undoubtedly helpful in building a business case and getting to grips with the basics of cyber security, it fails to show the entire picture, overlooking some crucial pieces of the puzzle.

 

Con #1: Creates an Overly Simplistic Argument

The cost-benefit analysis approach to cyber security is popular because it’s so simple to generate an argument for spending more on cyber support. But in doing so, you’re choosing logic that only goes so far, with nothing else up your sleeve to impress.

With cost-benefit analysis alone, the presentation is short. It’s a quick equation you did on your lunch break with a hypothetical figure to push forward. It doesn’t necessarily feel compelling or driven by carefully considered thought. The investment into cyber security doesn’t feel inspiring or linked to initiatives on board members’ minds. 

They won’t think about it because it’s relevant to the digital transformation topic they’re tossing and turning over at night. They’ll only recall a speedy sum — that’s if they remember it at all.  

 

Con #2: Downplays Cyber Security ROI

No matter how big or small it sounds, a figure downplays the gravity of cyber security ROI. It doesn’t communicate major operational overhauls, avalanches of brand affinity and sensitive data spills, all of which describe the fallout of a data breach.

Instead, it just positions cyber security as something nice to have in that it could save us some money...at some point.

Other approaches, such as giving examples of cyber security disasters and playing each organisational outcome out to increase awareness, do a better job of creating an emotional, long-lasting response.

 

Con #3: Overlooks Important Elements

Something that feels criminal about the cost-benefit analysis approach is its complete inability to include intangible benefits into the mix. Benefits such as driving digital transformation projects and freeing up employee time make cyber security worthwhile, even without its primary pro of keeping your environment safe. 

Plus, it overlooks some of the bad stuff too. Many hidden costs of a cyber-attack often aren’t all calculated in a cost-benefit analysis. Looking at things like insurance premiums and the devaluation of a company can impact the outlook of not investing in cyber security.

To get the entire picture, you need to go beyond the certainties of cyber-attacks and look at the what-ifs.

 

Con #4: Shows the State of Cyber Security Right Now

The results of cost-benefit analysis age as the costs of a cyber-attack increase. Year on year, as more intelligent infiltration is introduced and more sensitive data is stored, attacks become more costly. The figure produced a year or even six months ago might be ten-fold if your business grows or if a new wave of cyber-attacks emerge. 

So, while it yields some sort of figure, the cost-benefit analysis only shows us the state of cyber security right now — an issue for something so volatile. 

Taking a cost-benefit analysis approach means reiterating that approach repeatedly to keep its answer up to date. Really, you need more inclusive ways of predicting ROI to forecast for the future and validate cyber security investments in the present. 

 

Con #5: Risks Dismissal From Decision Makers

You might give your boss a reason to protect their bottom line with clear-cut cost-benefit analysis, but the argument just as well might fall flat without robust reasoning. While cost-benefit analysis is a popular take on proving ROI, it isn’t a foolproof plan for the fact that it doesn’t show the complete picture. 

Read our more in-depth guide, The Information Security Investment Guide, to see how you should supplement your cost-benefit analysis strategy. 

 

Build a Strong Business Case With Our Guide

This resource will help you include everything cyber security solves to form the most failsafe and evergreen argument for investment. What’s more, we show you exactly how to build a business case, so no matter which sector or size of organisation you work in, you can get the whole business behind your initiative. 

Download now by clicking on the link below.

Information Security Investment

Latest Blogs

Visit the blog

Overcoming the Most Pressing Challenges CISOs Face Today

It’s no secret that CISOs have some of the toughest roles in any organisation, especially with the...

Read More

How to Calculate a Return on Investment (ROI) of Cyber Security

Cyber security is a minefield for many, not just in terms of its intricacies and ever-changing...

Read More

6 Ways Cyber Security Can Be Improved at Your Company

We know the old ways of working, well, don’t work — and they call for innovative, forward-thinking...

Read More

7 Business Growth Benefits of Cyber Security You Should Know

All organisations understand that cyber security is now an essential expense, helping companies cut...

Read More

The Pros and Cons of a Cost-Benefit Analysis Approach to Cyber Security

The cost-benefit analysis approach to cyber security is perhaps the most popular in helping prove...

Read More

Let's Talk

Get on a first-name basis with the Bridgeway team. Let’s chat about your organisational objectives and any critical cyber security concerns you need to cover.

Let's talk

default-image