Tips & best practices

Cost-benefit analysis of cybersecurity spending


Cost-benefit analysis of cybersecurity spending w3b 1400x800

As new data breaches are making the headlines, cybersecurity is becoming one of the most critical elements of a long-term business strategy. To protect their sensitive data and mitigate potential risks, businesses are actively looking for ways to move into the 21st century regarding their infrastructure. However, as many soon discover, cybersecurity integration within an existing business is rarely a one-click solution.

Even putting all the technical questions aside, cybersecurity raises many questions regarding return on investment. This article will provide a broad overview of how to approach cybersecurity spending. We'll briefly cover what makes up cybersecurity costs, what factors could affect them, the financial impacts of cyberattacks, potential benefits, and some guidelines on approaching cybersecurity estimates in your company.

Costs of cybersecurity

Cybersecurity spending can mean several things. The exact route will depend on the business case and the risks the company is trying to mitigate. Still, no matter which options your company is considering, this is something where budget constraints will have to become a consideration.

1 cybersecurity costs breakdown

Let's look at the costs from different cybersecurity ecosystem components: solutions, services, personnel, and training.

Solutions

One of the go-to routes for organizations looking to shield themselves against cyberattacks is purchasing cybersecurity hardware or software solutions. This allows companies to integrate them into the infrastructure flexibly, strengthening the areas needing attention.

As such, businesses have numerous options available. Cybersecurity hardware and software provide easy access to firewalls, antivirus, access control mechanisms, intrusion detection and prevention systems. When used collectively, these technologies work together to halt cyberattacks or mitigate their impact if they do occur.

While it's also true that their costs depend on various factors (which we will address later on), let's look at the average industry costs associated with multiple cybersecurity solutions. Please note that the distinction between solutions and services isn't set in stone as it used to be due to modern service delivery models (like SaaS) and the popularity of cloud computing.

Firewalls

If an organization relies on a network, a firewall is a must as it monitors and controls network traffic. Acting as a barrier between the internet, other untrusted networks, and your private network, it's the first defense against malicious connections based on predefined rules.

The tricky part for the comparison is that they can be implemented at different levels of the network stack, i.e., from the network layer (filtering packets) to the application layer (proxy servers). Finally, they can be hardware- or software-based, affecting the final price tag.

Therefore, an average firewall configuration can range between $450 and $2,500 (as a one-off investment, not factoring in its maintenance, which costs extra). That doesn't consider setup or maintenance costs, so the final cost can be higher.

Antivirus software

Antiviruses are still staples to protect computer systems from malware, viruses, and other security threats. As an essential component of comprehensive cybersecurity strategy, they can be used as the last line of defense. Usually, in business settings, they're across an organization to protect all connected devices.

It's often the case that antiviruses also include additional features like firewalls, intrusion prevention systems, and email filtering to provide further protection against cyber threats. This also makes our comparison more difficult.

Still, if we're low for rough estimates, which is what we're dowe'reere, basic antivirus usually costs between $3 to $5 per user and $5 to $8 per server monthly. While the final price tag will entirely depend on your organization, the estimate could be at least $30 monthly if you have around five users.

Spam filters

Business communication primarily still takes place over emails. This is something that hackers are exploiting in phishing attacks. For this reason, having spam filters is essential to identify and block harmful emails before they end up in employees' inboxes. Spam filters rely on various technologies to analyze the content and metadata of incoming messages to determine whether they are legitimate.

Some email providers offer spam filters already integrated into their suite. Meanwhile, for other cases, it's required to set up a spam filter on top of it. It's estimated that the price ranges between $3 – $6 per user per month.

Services

What makes cybersecurity services different from cybersecurity solutions is that they rely on a third-party provider, who may offer the service on a subscription basis. While a cybersecurity service may include various cybersecurity solutions, the two concepts are not interchangeable. Cybersecurity service, by definition, encompasses ongoing protection against cybersecurity threats.

Frequently, this also means that cybersecurity services can help against threats of greater sophistication. This makes them a good pick for organizations looking into securing their digital assets and preventing unauthorized access, theft, and exploitation of sensitive information.

VPN

With plenty of employees working remotely, businesses need a secure way for their employees to access company resources. VPN encryption seals the sensitive data in a secure tunnel, enabling secure exchanges with the company. This additional protection layer also helps mitigate cyber threats by masking the user's Iuser'sess.

Yet, as with most cybersecurity components, there are multiple routes to consider here. A VPN could be a hardware stack with ongoing third-party maintenance fees or a software-only solution. This is something that can skew the price.

While the software-only is cheaper and can be up to $10 per user, the hardware setup can range up to $3,500 per device. That's a prominent gap between them, while both options provide similar functionality. The particular business case will be a deciding factor.

Consulting and testing

Cybersecurity consulting and testing service providers have a high level of expertise in identifying and mitigating security risks. This is something that few companies can manage to achieve out of their resources. Specialized cybersecurity professionals perform various checks to properly evaluate the effectiveness of the cybersecurity measures and outline the most critical areas.

Due to the nature of their services, this can be a pretty expensive endeavor. A vulnerability assessment for a network with up to three servers would cost $1,500 to $6,000. It goes without saying that if the scope of investigations needs to be broader, this will only add up to the final price tag.

Endpoint detection and response

Businesses turn to endpoint detection and response (EDR) services because they provide high protection against cyber threats by monitoring and detecting potential security breaches. This allows businesses to detect and respond to cyber threats quickly and before they cause significant damage to the organization's reputation and financial standing. EDR solutions typically operate through a combination of software agents and cloud-based systems.

Endpoint detection and response solutions cost around $5 to $10 per month per device. Yet, as with most subscription-based services, there are discounts: with more devices, EDR usually becomes cheaper per single device. Still, EDR solutions come in different depths and feature sets so that the final cost can be higher.

Personnel

Personnel is one of the most critical cybersecurity assets at any company. These specialists will protect your data from various cyberattacks and ensure minimal risks. Whatever cybersecurity solutions or services you have, the IT personnel will set up and maintain those tools.

Cybersecurity isn't an integral part of an organization by purchasing some subscriptions. It needs to be cultivated. One way to ensure this is sustainable is to develop security policies and protocols — exactly what cybersecurity personnel will do.

Network administrators

Network administrators are responsible for setting up and maintaining the organizaorganization's infrastructure. They must ensure the network is secure from unauthorized access and that all transmitted data is protected from interception and other potential threats. The administrators will configure and manage firewalls, block specific ports, manage user permissions, monitor the network, and patch system components.

As for their cost, you can look at conflicting data sources depending on the region, experience, market saturation, and other factors. Still, if we're looking for a broad view based on data from Payscale, this should be within $63,244 per year.

Compliance officers

Compliance officers are specialists who ensure an organization's cybersecurity by implementing policies and procedures to align compliance with regulations and industry standards. They identify risks, monitor security measures, and provide employees with security protocols. These key people outline how an organization should handle sensitive data, access controls, and incident response.

Based on publicly available data, a compliance officer's salary is $73,255 a year. Compliance is one of the trickiest landscapes to navigate, so these specialists must periodically refresh their knowledge to stay updated with the latest policy changes.

Security analysts

Security analysts identify potential threats to an organization's network, systems, and data. They're using various tools and techniques to detect and prevent cyberattacks before they can cause damage. Security analysts identify vulnerabilities in an organization's systems and infrastructure by conducting risk assessments.

Security analysts are crucial in protecting an organization's assets and cyber threats. Based on Glassdoor data, their salaries, on average, are around $90,283 a year. Due to the increased frequency and complexity, professional cyber security analysts are in high demand, which can further increase their salaries.

Training

The cybersecurity landscape is constantly changing. Therefore, employees' skills and knowledge need to be periodically refreshed. This is where cybersecurity training and certifications ensure that employees know the best practices for protecting this information and can identify potential threats. These trainings can be expensive, and organizations must ensure they are effective.

Courses

Cybersecurity courses can be an invaluable resource in helping to understand the importance of protecting company data from cyberattacks. By teaching employees how to identify potential security threats and how to take preventative measures, companies can reduce the risk of data breaches and protect their sensitive information. Nowadays, there are plenty of resources, ranging from in-person training to online lectures.

For this reason, cybersecurity training costs vary significantly and can range from freely available online resources to $5,000 or more. Mind you, the price is affected by factors like depth and competencies. Courses intended for niche specializations will always cost more than a basic introduction.

Certifications

Cybersecurity certifications provide credibility to professionals working in the field, demonstrating that they have met rigorous standards and have the necessary knowledge and skills to protect against cyber threats. Using certification as a standardized measure allows for aligning the team and ensuring that best practices are applied when making organization-level cybersecurity improvements.

There are several popular cybersecurity certifications widely recognized in the industry. For example, the Certified Information Systems Security Professional (CISSP) exam costs around $699. Certified Ethical Hacker (CEH), another critical pick for cybersecurity professionals, costs around $1199. Along with GIAC Security Essentials (GSEC) certification and exam, it is priced around $1699, which makes it one of the more expensive courses.

Factors that affect cybersecurity

It's essential to note that the cybersecurity costs provided in the previous section are only rough estimates. The final price will depend on numerous factors, including the critical differentials from business to business when calculating cybersecurity costs. Let's look at some of them to see how they factor into the final price tag.

Size

The size of an organization is one of the most critical factors that can drastically alter cybersecurity costs. As larger companies have more complex IT infrastructures, more employees to train, and a higher risk of cyber attacks due to their visibility and financial resources — their security naturally costs more. When compared to smaller organizations, the difference might be night and day.

Keep in mind that, in some cases, some cybersecurity tools will need to be adjusted. They cannot operate that well when used in corporate settings, which are within a completely different pricing category. However, numerous reports confirm that small businesses are three times more likely to be targeted by cybercriminals than larger companies. So, while the risks remain high, not all companies are as well equipped to tackle the potential dangers.

Industry

The industry in which an organization operates and any regulatory requirements it must comply with can impact its cybersecurity costs. Organizations in highly regulated industries like healthcare and finance will have higher cybersecurity costs because more regulations apply to the data they hold.

As a side note, the industry determines an organization's risk tolerance. Different sectors can have very different thresholds for acceptable risk levels. This means that the scope of security will have to be aligned, which will also, in turn, affect cybersecurity costs. In addition, businesses in specific industries seem to fall victim to more cyberattacks than others, which is also a factor.

Financial impact of cyber attacks

While up until this point, you got the impression that cybersecurity is expensive, let's move on to an overview of the financial impact of cyber attacks. Depending on what business operations are targeted, the attack scope and the kinds of data leaking to the public all constitute significant financial losses. Let's look at revenue losses, legal fees, and reputational damage.

Revenue

Cyberattacks can disrupt average organizations' day-to-day operations and compromise sensitive data. This can easily make an organization's systems and networks inaccessible or unusable. The downtime when the IT team is trying to patch together a solution and get the operations back up and running costs time, which also translates into lost revenue.

2 financial impact of cyberattacks

The recovery costs can also be factored in as damaged equipment needs to be replaced, and systems need to be restored from the backups. It is not a coincidence that a quarter of companies that have experienced a cyber attack have lost between $50,000 and $99,999 in revenue. These are steep numbers and don't factor in the costs of getting the operations back up and running.

Legal fees

After data breach remediation and operations restoration, the trouble isn't over. Especially in cases of a significant data breach, companies need to hire legal counsel, forensic experts, and other professionals to help manage the aftermath. There is the precedent of estimation and cleaning up.

3 post-breach legal fees breakdown

Additionally, depending on the severity of the data breach, the company may also be held responsible for the damage suffered by affected customers or clients. If there are lawsuits, this can quickly mount legal fees, including settlement costs. For smaller companies, that is an instant endgame as they often just aren't equipped to handle such expenses. For instance, it's estimated that legal costs range from $50,000-$148 million, with a median of $1.6 million and a mean of $13 million.

Reputational damage

A data breach leaves a permanent black mark on a company's reputation. Companies will need to spend a lot of resources to repair their image and reassure the customers that they have learned from their mistakes and won't happen again. This lengthy process involves public statements and social media management and should be an aspect of long-term customer trust remediation.

4 cybersecurity reputational costs

According to various reports, the proportion of the total costs attributed to reputational costs like abnormal customer turnover and loss of goodwill was around $1.57 million. This affects companies for a long time, even if a company recovers from a data breach.

Benefits of cybersecurity spending

Cybersecurity spending can minimize various risks associated with revenue, reputation, or legal fees. While this is a solid argument advocating for cybersecurity solutions, this is far from the only benefit. A functioning infrastructure with a cybersecurity-focused mindset generates a positive outcome for organizations. Let's look at some of the indirect benefits of cybersecurity spending.

Better compliance alignment

Many compliance regulations, like the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA), require organizations to implement specific security measures to protect sensitive data. Therefore, investments in cybersecurity help to achieve two goals simultaneously:

  • The risk profile is contained, and the organization is more resistant to cyberattacks.
  • The organization ensures it has all the necessary technologies and policies to meet compliance requirements.

Reports confirm that achieving substantial compliance goals requires holistic and integrated security solutions, ensuring that every aspect of an organization is covered. For this alone, cybersecurity investments should be at the top of the manager's list.

Increased productivity

Cybersecurity matters can often be a catalyst for workplace modernization. While this may not always be a seamless transition, the change usually allows the work to be performed more efficiently and securely. An excellent example is the remote and hybrid work trend, which became very popular after the global pandemic.

Securing identities and endpoint devices enables users to work quickly and securely from anywhere. Nowadays, there are many ways of working, and cybersecurity can be an excellent contributor to breaking the cycle of outdated tech and enabling all ways of working.

How to apply cost-benefit analysis for your organization

Our rough estimates demonstrate that data breach costs outweigh cybersecurity expenses. While this is a valid statement, it doesn't provide clear guidelines on what actionable steps should be taken when considering cybersecurity spending. Businesses have finite resources, and cybersecurity is just one area that needs to be addressed. Thankfully, there are some models that we can use as a basis to evaluate cybersecurity costs and benefits.

Let's start by looking at one of the most widely used schemes: the National Institute of Standards and Technology (NIST) Cybersecurity Framework. This is a helpful document consisting of standards, guidelines, and best practices to manage cybersecurity risks. It's beneficial because it applies to companies from all industries.

The problem is that while it recognizes that the management of cybersecurity risks is always organization-specific, which will also shape how the final cost-benefit evaluation will look, it doesn't outline how the cost-benefit analysis should be provided. For this reason, some researchers suggest integrating mathematical models Lawrence A. Gordon and Martin P. Loeb developed into the NIST Cybersecurity Framework. The model calculates an optimal investment in cybersecurity based on the cost of an attack, the expected probability, and the effectiveness of the security measures put in place.

The basic premise of the Gordon-Loeb model is that there is a tradeoff between the cost of an attack and the cost of investing in cybersecurity. Organizations want to minimize the total price, including the cost of an attack and the security investment. The model assumes that the cost of an attack is proportional to the value of the information assets that could be compromised.

The model also considers the probability of an attack occurring, which is a function of the number of potential attackers, the likelihood that they will attempt an attack, and the effectiveness of the security measures. The effectiveness of security measures is assumed to be proportional to the level of investment in cybersecurity.

To calculate the optimal investment in cybersecurity, a balance must be found between the level of investment and the expected total cost. This relies on the relation between the expected cost of an attack and the cost of the security investment. This leaves us with a four-step approach:

  1. The value of protected information should be estimated as it represents the potential loss (L)
  2. The probability of the data being breached should be calculated (v)
  3. These first two values should be combined to derive the expected loss (vL)
  4. Cybersecurity investments should be allocated to the information based on the productivity and cost of the investments, so an optimal investment level (z)

Putting this data in the graph gives us some perspective on the diminishing returns. Suppose the values of v and L are small, for instance, when v equals 0.1 and L equals $1M. In that case, extensive investments in cybersecurity aren't optimal, as the expenses are higher than the benefits.

However, as the values of v and L increase, the optimal investment amount (z) and the expected loss resulting from a cybersecurity breach (vL) increase in this scenario.

5 graph showing optimal cybersecurity spending

In other words, the more valuable data an organization has, the more it has to lose. Once that threshold is met, not investing in cybersecurity is sitting on a powder keg. It's a simple exercise to evaluate your organization's cybersecurity standing. As a rule of thumb, the study's authors suggest that organizations should generally invest less than 37% of the expected loss from a cybersecurity breach. The actual number must be individually calculated based on your organization's specifics.

Improve your cybersecurity with NordLayer

Investing in cybersecurity is not just about protecting against potential threats in today's digital business landscape. It's also about building a robust enterprise cybersecurity framework. The cost-benefit analysis of cybersecurity spending demonstrates that while the costs are significant, the potential losses from cyberattacks are considerably higher. 

By investing in the proper cybersecurity measures, businesses do more than just safeguard their data and systems. They strengthen their overall enterprise security posture. This commitment to security is essential in a world where cyber threats constantly evolve and become more sophisticated.

Understanding the factors influencing cybersecurity costs, such as industry size and type, is essential in this context. Most cyber-attacks are financially motivated, targeting companies with sensitive data. However, it's crucial to recognize that no organization, regardless of industry or size, is immune to digital threats. 

That is why organizations need modern cybersecurity solutions that adapt to the changing complexities of today's working environments. Every organization has valuable information that needs protecting, making all communication channels potential targets for hackers.

With NordLayer's solutions, organizations can secure access to sensitive information and prevent reputational, legal, and financial damage. No matter what industry, NordLayer can be your reliable ally in staying secure.


Senior Creative Copywriter


Share this post

Stay in the know

Subscribe to our blog updates for in-depth perspectives on cybersecurity.