How much should you spend on information security?

The balance between money spent and security achieved is one of the most important aspects of information security. If a company had unlimited funds, it could pour them into security and become “unhackable”. A good example of this approach in the physical world is the protection of heads of state. However, most organizations have limited funds and have to find a reasonable balance. Where is this balance? How much do you need to spend on information security?

Let’s look at what cybercrime spends. How much does it cost to take control of 1,000 computers? There is a whole underground industry providing services for this. A buyer would need:

  • An exploit pack that targets recently discovered vulnerabilities in browsers and their plugins – $200-2,000, assuming an infection ratio of 10-20%;
  • An abuse-resistant hosting service for the acquired exploit pack – $300/month;
  • Traffic to the host serving the exploits – $500-1,000. The cost depends on the target countries; e.g. according to Fyodor Yarochkin, prices per 1,000 unique visitors are: AU – $300-550, UK – $220-300, IT – $200-250, NZ – $200-250, ES/DE/FR – $170-250, US – $100-150.

The total is $1,000-3,300 per thousand computers, or $1-3.30 per infected computer.


Obviously the defense costs more, as it requires regular updates of all installed software, hardening of browser settings, user education and so forth. After all that, the systems are still vulnerable to zero-day attacks for which no patches exist. Moreover, this addresses only one threat: malware attacks. By statistics, malware is responsible for only 1% of data leaks; the other 99% belong to targeted attacks (a.k.a. APT), malicious insiders, inadvertent insiders, and device loss and theft.


So, what is the right amount? The typical approach to this question is to calculate ROI. For IT security, ROI is usually calculated from an assumed probability of an incident and the cost of the resulting damage. The problem is that there is not enough statistical data to properly estimate the incident probability, nor to estimate immaterial damages such as harm to brand reputation. Some call ROI for IT security a statistical alchemy.
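To make the "statistical alchemy" concrete, here is an added example (not from the original post) of the usual security-ROI calculation: annual loss expectancy times the fraction of loss a control prevents, minus the control's cost. All figures are constructed, and the sweep shows how a modest change in the assumed incident probability flips the answer from "worth it" to "not worth it".

```python
"""Return-on-security-investment (ROSI) with a sensitivity sweep.

Added example, not BeyondTrust's code. Uses the common formula
ROSI = (loss avoided - control cost) / control cost. All inputs are
constructed assumptions; real estimates are the hard part."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    incident_probability: float  # assumed annual probability of the incident
    incident_cost: float         # assumed damage per incident, currency units
    mitigation_effect: float     # fraction of the loss the control prevents
    control_cost: float          # annual cost of the control


def annual_loss_expectancy(probability: float, cost: float) -> float:
    """ALE: expected loss per year without the control."""
    return probability * cost


def rosi(s: Scenario) -> float:
    """ROSI as a fraction; negative means the control costs more than it saves."""
    ale = annual_loss_expectancy(s.incident_probability, s.incident_cost)
    avoided = ale * s.mitigation_effect
    return (avoided - s.control_cost) / s.control_cost


def break_even_probability(s: Scenario) -> float:
    """Incident probability at which the control exactly pays for itself."""
    return s.control_cost / (s.incident_cost * s.mitigation_effect)


def rosi_sensitivity(s: Scenario, probabilities) -> dict:
    """Recompute ROSI for each assumed probability, everything else fixed."""
    return {p: rosi(replace(s, incident_probability=p)) for p in probabilities}


if __name__ == "__main__":
    # Constructed scenario: 10%/year breach, $500k damage, control stops 80%.
    base = Scenario(0.1, 500_000.0, 0.8, 30_000.0)
    print(f"ROSI at p=0.10: {rosi(base):+.2f}")
    print(f"break-even probability: {break_even_probability(base):.3f}")
    for p, r in rosi_sensitivity(base, [0.02, 0.05, 0.075, 0.1, 0.2]).items():
        print(f"  p={p:<6} ROSI={r:+.2f}")
```

Halving the assumed probability from 0.10 to 0.05 turns a +33% return into a -33% loss, so without real incident statistics the sign of the result is set by the assumption, not by the data.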


The truth is that there is no right answer to this question at the moment, so each company arrives at its own figure by trial and error, developing its own security metrics. At BeyondTrust we have developed a unique set of metrics for evaluating data leak threats. Using these metrics, PowerBroker DLP identifies anomalies and prioritizes them according to the risk they pose. Beyond data loss prevention, our metrics provide valuable measures for assessing various IT security policies. With these measures you can see the effect of your security policies for firewall, access control, malware, web and email security.