Never spend more than 37% — the golden rule of security spending

Darrell Jones III
Two-Factor Everything
3 min read · Nov 17, 2016


Knowing how much to spend on security products is hard. Sales reps play up the fear of a breach, solutions promise supposed savings instead of revenue, and the probabilities of an actual loss seem minuscule. Faced with opaque costs and benefits, most people end up avoiding this decision entirely.

Thankfully, some economists came up with an economic framework to help us estimate how much we should shell out. It’s called the Gordon-Loeb model, and it’s awesome.

The fundamental principle starts out simple enough: the benefits of any investment should be greater than the costs. The framework takes three variables into consideration:

  1. Potential loss of value from a cybersecurity breach
  2. Probability of a breach
  3. How cybersecurity investments reduce probability of breach

With those variables in place, the framework offers 4 steps to help us arrive at an optimal level of security spending.

  • Segment information sets and estimate the value, or potential loss (L), for each information set.
  • Estimate the probability that an information set will be breached and assign each set a vulnerability score.
  • Taking the steps above, develop a grid ranging from low value/low vulnerability to high value/high vulnerability information sets. Each grid cell maps to the expected loss absent any additional investment in cybersecurity. That expected loss represents the potential benefit (the cost savings) from security spending.
  • Put your cybersecurity dollars where they’ll be most productive in terms of reducing expected losses. Keep in mind that benefits from investments increase at a decreasing rate.

Working through this framework helps impose some semblance of order in an otherwise obscure situation. There are 2 big findings to bear in mind regardless of what amount you arrive at.

  1. Spending should not exceed 1/3 or roughly 37% of the total expected losses
  2. The optimal amount to spend to protect information does not always increase with an information set’s vulnerability

Be frugal! More spending doesn’t equate to more value!
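As an added example (not part of the original post), here is the model's arithmetic in Python, covering the four steps above and both findings. It uses the "class II" breach-probability function from the original Gordon-Loeb paper; the productivity parameter alpha, the information-set names and the (v, L) values are constructed assumptions.

```python
import math

# Gordon-Loeb "class II" breach-probability function from the original paper:
# after investing z, the breach probability falls from v to v**(alpha*z + 1).
# alpha (how productive each security dollar is) is an assumed parameter.
def breach_probability(z, v, alpha=1.0):
    return v ** (alpha * z + 1)

def expected_net_benefit(z, v, loss, alpha=1.0):
    # Reduction in expected loss bought by spending z, minus the spend itself.
    return (v - breach_probability(z, v, alpha)) * loss - z

def spending_cap(v, loss):
    # Finding 1: never spend more than 1/e (roughly 37%) of expected loss v*L.
    return v * loss / math.e

def optimal_investment(v, loss, alpha=1.0):
    """Maximise expected_net_benefit over z >= 0 for the class II function.

    First-order condition: alpha * L * (-ln v) * v**(alpha*z+1) = 1, so
    z* = (ln(k) / ln(v) - 1) / alpha with k = -1 / (alpha * L * ln v).
    If the first dollar buys less than a dollar of expected-loss reduction,
    the optimum is to spend nothing (this is what makes finding 2 happen).
    """
    if not 0.0 < v < 1.0:
        raise ValueError("vulnerability v must be strictly between 0 and 1")
    ln_v = math.log(v)
    if -alpha * loss * v * ln_v <= 1.0:
        return 0.0
    k = -1.0 / (alpha * loss * ln_v)
    return (math.log(k) / ln_v - 1.0) / alpha

def plan(information_sets, alpha=1.0):
    """Steps 1-4: per information set (name -> (v, L)), the expected loss,
    the optimal spend, and whether it respects the 37% cap."""
    rows = {}
    for name, (v, loss) in information_sets.items():
        z = optimal_investment(v, loss, alpha)
        rows[name] = {"expected_loss": v * loss, "optimal_spend": z,
                      "cap_37pct": spending_cap(v, loss),
                      "within_cap": z <= spending_cap(v, loss)}
    return rows

if __name__ == "__main__":
    # Constructed sample (vulnerability, potential loss in $k); not real data.
    sets = {"customer PII": (0.5, 100.0), "public site": (0.9, 50.0),
            "legacy file share": (0.98, 100.0), "near-certain loss": (0.99, 100.0)}
    for name, r in plan(sets).items():
        print(f"{name:18s} expected loss {r['expected_loss']:6.1f}  "
              f"spend {r['optimal_spend']:5.1f}  cap {r['cap_37pct']:5.1f}")
```

Note how the last two sets illustrate finding 2: raising vulnerability from 0.98 to 0.99 drops the optimal spend to zero, because spending no longer moves the breach probability enough to pay for itself.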

Hope this is helpful! You can explore the full paper here and example applications here. If you use any other methodologies for determining how much to spend on security, I’d love to hear about them!

Darrell leads business development at Clef. If two-factor authentication has been in your backlog for months, but still hasn’t gotten prioritized, check out Clef’s new product Instant2FA.com — it’s two-factor authentication that takes minutes to integrate instead of weeks.
