At times, it is hard to justify since organizations do not envision the risk right. So ROI is of course an issue, but also in general, if nothing bad happens, what is the motivation (this is psychological). Then if there is an incident and a service is cut for sometimes, or reputation is lost, the damage can be assessed and suddenly one sees increase in spending. In short, organizations do not do risk analysis right so they have to learn the hard way. Even if they do they try to save since until an attack the organization does not grasp its problems.

My past experience is that it can be difficult to show the return on investment (ROI) of security spending.   If you spend $1 million of your organizations money on security and you prevent problems from happening, how do you show the value of that, vs spending $2 million or $500,000?  I don't know if there are any better models of security loss now, say comparable to a credit card companies fraud models, that are good for calculating ROI.  There are some absolute baselines, though - you don't want to spend more money protecting an asset than the asset is worth.

At times, it is hard to justify since organizations do not envision the risk right. So ROI is of course an issue, but also in general, if nothing bad happens, what is the motivation (this is psychological). Then if there is an incident and a service is cut for sometimes, or reputation is lost, the damage can be assessed and suddenly one sees increase in spending. In short, organizations do not do risk analysis right so they have to learn the hard way. Even if they do they try to save since until an attack the organization does not grasp its problems.

I agree with Moti, humans are not good at handling low probability/high damage scenarios. In 99.99% of the cases nothing bad happens anyways (that you can take notice of), so managers feel smart that they saved unnecessary expenses. In 0.01% of the cases all your customers' credit card data is stolen, your vital database wiped, or all your computer systems are basically remote-controlled without your knowledge, leading to huge losses.

It's similar to nuclear power plants, you always feel quite sure that they will blow up somewhere else first.

Dear Prof. Jalali,

                             I feel inclined to answer your question partly beacuse it falls under the new field of Econophysics I am trying to develop especially String Theoretically which I have shown has considerable implications in terms of development of the Econophysics field theory (which the European Physical Society has been kind enough to mention in my membership citation which has made me a Fellow of the Society indirectly as i am a foreign member) by analysing with Profs. Krichel and Novarese, please see our joint paper on Econophysics analysis of Digital Libraries listed on my RG page which has been published in the journal of DAM and which has been subsequently developed by me into String Theoretic Econophysical Stock Market Physics by using research field driven market potential forces and their kinematics as the relevant quantum mechanical systems theory. Of course the original introduction to this financial engineering of Arrow-Debreu type market potentials, which forms the state-preference theory of capital asset pricing, was shown to work with infinity calculation by using circuit breakers in stock exchanges which solves the problem of infinite variability of stock prices and short sales, in my PhD dissertation at NYU Economics Dept. in 1993. Hence, if the econophysical engineering contained in the circuit breakers which now is used by most bourses is a type of cybersecurity device, preventing internal manipulations of stock exchanges by wash sales for e.g., it becomes only necessary for the type of genetic string theoretic quantum mechanical machines that stock exchanges are which operate in time and space of clock time and financial instruments which operate in conditional  Hilbert Spaces of Energy and Information to make stock market econophysical trading potentials possible. You can take a look at my String Theoretic Econophysics Haag's Theorem paper on my RG page to see what the prototype of the New Stock Markets look like when embedded in particular historical and geographical geophysical environments. Therefore the reasons for using cybersecurity measures are specific to systems and geophysics, because the value of G matters for profits for e.g. which affects Stock Market Returns and therefore the effectiveness of cybersecurity which ensures systems closure. Earl Prof. (Sir Ashutosh Mukherjee University Institute Chair Professor) Dr. (D.Phil.) SKM QC EPS Fellow (Indirect) MES MRES MAICTE

“You don't want to spend more money protecting an asset than the asset is worth”    Jeff said the key words. Beside the evaluation of the asset, I would think trust and reputation of the enterprise are also important factors to be considered (difficult to quantify those factors though).

These articles may interest you and assist you to build a baseline:

http://www.securityweek.com/calculating-cyber-security-roi-enterprises

https://zeltser.com/touchy-security-topics-roi/

I would like to share a remark from a security product supplier, he says, “My best customers are those who got hacked”. It is not the managers are not taking security seriously, they are just following the priority. 

Dear Mohammad S. Jalali 

Greetings,

Please find the attached file bout your topic may be useful for you,  very related for  What you need to know about cyber security.

Best Regards

Your question is absolutely correct if you look at the results of a recent study by EY. For more than half of the companies, cyber security is not an integral part of their IT strategy and business plans. Obviously, many companies play for time. Without a specific negative security incident, 63 percent tend not to want to increase their spending. Many companies are also unsure whether they can successfully identify attacks and incidents. Sometimes they feel they are in a false sense of security and are not aware of the consequences at all. I believe that such inability is also a very important reason for explanation.

Here is the link to the study:

https://www.ey.com/Publication/vwLUAssets/ey-global-information-security-survey-2018-19/$FILE/ey-global-information-security-survey-2018-19.pdf

One more note about your model for cyber-security capability development: COBIT 2019 can/will also be used for the management of cybersecurity and includes a capability model that is based on CMMI V2.0. This could be helpful for your work.

The reasons are many for the organizations relaxed approach to cybersecurity. The reasons include organizations inability to keep pace with ever evolving cyber threats, cybersecurity is not a priority but growth and profitability, insider threats, negligence in detection and remediation of systems downtime, non-compliance with set regulations, inherent system faults, and so on.