Bringing 'Opportunity Cost' to Cybersecurity Investment

August 20, 2020  Brett Kourey

It's a common concept in business – the loss of a potential gain by choosing one investment opportunity over another. Now, for security programs where the ultimate goal is to reduce risk or financial loss exposure, the concept of opportunity cost can be applied to cybersecurity investments as well, using the capabilities of the RiskLens platform and the FAIR™ model to compare risk reduction strategies.

With so many organizations today looking for creative new ways to prioritize and justify spending in the face of shrinking budgets, this is a tactic worth considering for CISOs. But many CISOs today face this problem: the qualitative methods they have used give them no financial visibility to rank risks effectively. In fact, qualitative risk assessments often give too much weight to individual variables such as likelihood, frequency or magnitude because they are not based on a model that identifies loss exposure in financial terms.

Brett Kourey is an Enterprise Account Executive for RiskLens.

As a result, an organization may choose to invest in reducing a $250K risk rather than a $1M risk, creating a risk reduction opportunity cost of $750K.

Even worse, this opportunity cost would be compounded should an unnecessary loss event occur as a result of mis-prioritizing and not investing in reducing the $1M risk.

The ripple effect across dozens of investment decisions each year begins to tie up more and more budget in areas that don’t represent the highest risk or financial loss exposure, compromising the primary goal of the security program: to invest and receive a return represented as risk reduction.

Applying Opportunity Cost Analysis to Cybersecurity

Let’s say a CISO has a (reduced) budget to invest in three of the top eight end-of-life software risks. Running the Rapid Risk Assessment capability on the RiskLens platform can show how the eight risks would stack up by probable loss exposure. In many cases, the risks will turn out to be more or less serious than qualitative ratings had claimed.

Loss exposure in dollar terms makes the opportunity cost implications clear. For instance, mis-prioritizing and investing in risks E, F, and G ($1.8M average annual loss exposure [ALE]) versus A, B, and C ($5.5M Avg ALE) would represent an opportunity cost of $3.7 million.






While this is a simple demonstration of the power of FAIR quantitative analysis on the RiskLens platform, there’s a bigger point: Rendering cyber risk into financial terms opens the way for cybersecurity analysis to be included in the standard techniques of enterprise risk management.