After completing a cyber risk assessment, you come away with a list of recommendations. Some may be little to no cost, while others could mean an investment that was not budgeted. How can you determine how much is reasonable to spend to defend your organization?
Computing costs of risks can be challenging. For cyber risk, you need to include the costs of downtime, investigation (with possible digital forensics), remediation to get back up and running, notifications and possible fines if data is exposed, and potential litigation. Fortunately there are cyber breach risk calculators to help you put some real numbers in place based on the type(s) and amount of sensitive data you maintain.
Next you can determine the costs of prevention and protection. Some investments could be offset by other benefits. For example, adding 24/7/365 monitoring of your network may decrease cost for cyber insurance, or give you a competitive edge when targeting new clients who are concerned about cyber security and will only do business with those who have similar protections in place.
In the end, you should have a matrix of possible exposures and the costs to protect against them. If the potential losses far outweigh the cost of avoidance, this helps you make the business case for a proactive approach. If the cost of avoidance is much higher than the potential losses, and you are not under a compliance mandate to take preventive measures, you may choose to accept the risk.
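To make the matrix described above concrete, here is an added example (not from the original article or any real assessment) that scores each exposure from the loss components the article lists, nets the protection cost against its offsets, and applies the decision rule. All figures are constructed, and the per-year likelihood of each incident is an assumption supplied by the risk assessment, not something the article itself quantifies.

```python
"""Exposure-vs-protection decision matrix. Added example with constructed figures."""
from dataclasses import dataclass


@dataclass
class Exposure:
    name: str
    # Loss components named in the article, per incident, in currency units
    downtime: float
    investigation: float          # includes digital forensics
    remediation: float
    notification_and_fines: float
    litigation: float
    # Assumption: expected number of occurrences per year from the risk assessment
    annual_likelihood: float
    # The preventive measure under consideration
    control_name: str
    control_cost: float           # annual cost of the control
    control_offsets: float = 0.0  # e.g. cyber insurance premium reduction
    compliance_mandated: bool = False

    def loss_per_incident(self) -> float:
        return (self.downtime + self.investigation + self.remediation
                + self.notification_and_fines + self.litigation)

    def expected_annual_loss(self) -> float:
        return self.loss_per_incident() * self.annual_likelihood

    def net_control_cost(self) -> float:
        # Offsets reduce the effective cost but never make it negative
        return max(self.control_cost - self.control_offsets, 0.0)


def decide(e: Exposure) -> str:
    """Apply the article's rule: a compliance mandate forces mitigation; otherwise
    mitigate when the expected loss is at least the net cost of avoiding it."""
    if e.compliance_mandated:
        return "mitigate (compliance mandate)"
    if e.expected_annual_loss() >= e.net_control_cost():
        return "mitigate"
    return "accept"


def build_matrix(exposures: list[Exposure]) -> list[dict]:
    return [
        {
            "exposure": e.name,
            "control": e.control_name,
            "expected_annual_loss": round(e.expected_annual_loss(), 2),
            "net_control_cost": round(e.net_control_cost(), 2),
            "decision": decide(e),
        }
        for e in exposures
    ]


# Constructed sample exposures (hypothetical organisation, hypothetical numbers)
SAMPLE_EXPOSURES = [
    Exposure("Ransomware on file server", 120_000, 40_000, 60_000, 0, 0,
             annual_likelihood=0.25, control_name="24/7/365 monitoring",
             control_cost=48_000, control_offsets=6_000),
    Exposure("Lost laptop with customer PII", 0, 15_000, 5_000, 80_000, 50_000,
             annual_likelihood=0.10, control_name="Full-disk encryption",
             control_cost=12_000, compliance_mandated=True),
    Exposure("Legacy app outage", 20_000, 5_000, 10_000, 0, 0,
             annual_likelihood=0.05, control_name="Replatform application",
             control_cost=90_000),
]


if __name__ == "__main__":
    for row in build_matrix(SAMPLE_EXPOSURES):
        print(f"{row['exposure']:<32} loss/yr {row['expected_annual_loss']:>10,.0f}"
              f"  control/yr {row['net_control_cost']:>10,.0f}  -> {row['decision']}")
```

The matrix makes the trade-off visible row by row: the ransomware scenario justifies monitoring once the insurance offset is counted, the laptop scenario is mitigated regardless of cost because of the mandate, and the rarely triggered legacy outage is accepted because the replatforming cost dwarfs the expected loss.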