Security and risk are clearly related; the more at-risk a system or data set is, the more security is desirable to protect it. Discuss how prices for security products may be tied to the degree of risk. That is, will people or organizations be willing to pay more if the risk is higher?
Absolutely, maybe, hmmm, what a complex world we live in. There is seemingly a direct correlation between the value of assets, reputation, etc., the risk associated with a potential vulnerability and a successful exploit, and what an organization is willing to pay to protect itself. Some market segments make the decision to spend on security products clearer by imposing regulatory requirements whose cost of non-compliance is steep enough to compel compliance.
For example:
Processing credit card transactions? You are subject to PCI DSS.
Do something regulated by the FDA? You are subject to Title 21 of the Code of Federal Regulations, Part 11 (21 CFR Part 11), Electronic Records; Electronic Signatures.
Do pretty much anything in health care? You are probably subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), which means you had better keep that patient data secure.
These regulations and others make the decision to invest in security products seem straightforward, but not everything is what it seems. Major breaches like Target's, which had 40 million credit and debit card records and 70 million customer records (including addresses and phone numbers) lifted from its systems, netted a loss of only 0.1% of its 2014 sales. The same is true of Home Depot, which in 2014 had 56 million credit and debit card numbers and 53 million email addresses lifted from its systems, a loss of only 0.01% of its 2014 sales. These and many other firms carry cyber liability insurance to mitigate their losses; between insurance payments and tax write-offs the losses diminish, and so does the incentive to invest in security products.
When we look at sites like http://map.norsecorp.com/#/ that depict the velocity of attacks, and think about the attack surface of an online entity, the idea of "if there is a breach" probably should be replaced with "when there is a breach". I would say there is some hedging occurring in the enterprise, where a balance is struck between security investment and the projected losses from a breach. No investment makes you hack-proof, and if and when you are hacked, having invested millions in technology to protect against it earns no reputation points. So being smart about your security posture without over-investing, and rolling the dice (it's happening regardless), may be a prudent business decision. Stuxnet proved that even a facility that is off the grid (air-gapped) is vulnerable to attack.
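The hedging described above can be made concrete with the standard annualized loss expectancy (ALE = SLE x ARO) model: the most a rational buyer will pay for a security product is the expected loss it removes, and once insurance absorbs part of each breach, that ceiling drops. The following is an added illustration, not code from the original post; every dollar figure (a $20M breach, a 5% annual chance, a $600k/yr control that halves the breach rate, a policy with a $1M deductible, 80% coverage and a $10M cap) is an assumption chosen to make the arithmetic clear, not Target's or Home Depot's real numbers, and tax effects are not modelled.

```python
"""Expected-loss model behind the 'hedging' argument.

Added example; all figures below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class BreachRisk:
    """ALE inputs: single loss expectancy (cost of one breach) times
    annual rate of occurrence (expected breaches per year)."""
    sle: float
    aro: float

    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A security product: what it costs per year and what fraction of
    breaches it is assumed to prevent (0..1)."""
    annual_cost: float
    aro_reduction: float


@dataclass(frozen=True)
class CyberPolicy:
    """Cyber liability insurance: premium, per-incident deductible,
    fraction of the loss above the deductible that is reimbursed,
    and the maximum payout per incident."""
    premium: float
    deductible: float
    coverage: float
    cap: float


def retained_loss(loss: float, policy: Optional[CyberPolicy]) -> float:
    """Loss the firm still bears for one breach after the insurer pays."""
    if policy is None:
        return loss
    payout = min(policy.coverage * max(loss - policy.deductible, 0.0), policy.cap)
    return loss - payout


def annual_cost(risk: BreachRisk, control: Optional[Control] = None,
                policy: Optional[CyberPolicy] = None) -> float:
    """Total expected yearly spend: control cost + premium + retained
    expected loss (ARO scaled down by whatever the control prevents)."""
    aro = risk.aro * (1.0 - (control.aro_reduction if control else 0.0))
    expected_loss = retained_loss(risk.sle, policy) * aro
    spend = control.annual_cost if control else 0.0
    spend += policy.premium if policy else 0.0
    return expected_loss + spend


def max_worth_paying(risk: BreachRisk, aro_reduction: float,
                     policy: Optional[CyberPolicy] = None) -> float:
    """Ceiling on a control's price: the expected (retained) loss it removes.
    With insurance in place the firm retains less per breach, so the
    ceiling falls even though the threat is unchanged."""
    return retained_loss(risk.sle, policy) * risk.aro * aro_reduction


def cheapest_option(risk: BreachRisk, control: Control,
                    policy: CyberPolicy) -> Tuple[str, Dict[str, float]]:
    """Compare accept / control / insure / both and pick the lowest
    expected annual cost."""
    options = {
        "accept": annual_cost(risk),
        "control": annual_cost(risk, control),
        "insure": annual_cost(risk, policy=policy),
        "control+insure": annual_cost(risk, control, policy),
    }
    return min(options, key=options.get), options


# Constructed scenario (assumptions, not real breach figures).
EXAMPLE_RISK = BreachRisk(sle=20_000_000.0, aro=0.05)          # ALE = $1.0M/yr
EXAMPLE_CONTROL = Control(annual_cost=600_000.0, aro_reduction=0.5)
EXAMPLE_POLICY = CyberPolicy(premium=150_000.0, deductible=1_000_000.0,
                             coverage=0.8, cap=10_000_000.0)

if __name__ == "__main__":
    best, table = cheapest_option(EXAMPLE_RISK, EXAMPLE_CONTROL, EXAMPLE_POLICY)
    for name, cost in table.items():
        print(f"{name:15s} ${cost:,.0f}/yr")
    print("cheapest:", best)
    print("control worth up to (uninsured): $%.0f"
          % max_worth_paying(EXAMPLE_RISK, 0.5))
    print("control worth up to (insured):   $%.0f"
          % max_worth_paying(EXAMPLE_RISK, 0.5, EXAMPLE_POLICY))
```

Under these assumptions the $600k control costs more than the $500k of expected loss it removes, so "accept" beats "control"; the policy retains $10M of a $20M breach, making "insure" the cheapest option at $650k/yr; and the most the insured firm would rationally pay for the same control halves from $500k to $250k. That is the incentive gap the post describes: insurance lowers the price a buyer will bear for the product without changing the underlying risk.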
References
The Hartford. (n.d.). Data breach & cyber liability insurance. Retrieved April 19, 2017, from https://www.thehartford.com/data-breach-insurance
Kassner, M. (2015, April 9). Data breaches may cost less than the security to prevent them. TechRepublic. Retrieved April 19, 2017, from http://www.techrepublic.com/article/data-breaches-may-cost-less-than-the-security-to-prevent-them/
CSO staff. (2012, December 19). The security laws, regulations and guidelines directory. CSO Online. Retrieved April 19, 2017, from http://www.csoonline.com/article/2126072/compliance/compliance-the-security-laws-regulations-and-guidelines-directory.html#Electronic-Fund-Transfer
Zetter, K. (2014, November 3). An unprecedented look at Stuxnet, the world's first digital weapon. Wired. Retrieved April 19, 2017, from https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/