We need to articulate the economics angle whenever we buy or sell security. This should enable us to make rational (economics-based, rather than fear-based) decisions when it comes to security. Let’s not allow fear or the latest technological fad to cloud our judgment. We can and should place economic value on security measures, be they technology, people or processes. If we adopt an economic approach, we can demystify Information Security and make it a friend of the organization. This should benefit both the ‘buy’ and the ‘sell’ side of the market.
Next time you turn on your system at work and it asks you to change your password, you know you’re facing an economic decision. It is always cheaper to comply than to clean up after a security incident. The economic benefit of complying with the security policy will accrue to both you and your organization. Then, you can concentrate on doing what you do best, knowing you’ve done “your bit” to keep your information safe. You know it makes (economic) sense.