The information that must be protected at any Olympic Games is so valuable that it justifies all efforts to guard it. However, in companies, where the scale of the IT structure is not usually on the level of the Olympic Games, financial investment in security is not always enough to protect information. On the one hand, it is possible that security investment is insufficient, and therefore inefficient. On the other hand, it is just as absurd to leave a system unprotected, as it is to overprotect it, as, in this case, money invested becomes money wasted.
When you evaluate the expenditure to be made on an IT security structure, there are three aspects that must be taken into account. First, you must know the value of the data or systems to be protected. This is probably some of the information most difficult to obtain in a company. How much is a company's know how? Or even more difficult, what is the current value of the project of a new product that is still at the development stage? The number of variables to be considered is endless, and in many cases, impossible to quantify objectively. The best way to obtain this data is through indirect calculation, that is, by measuring not total losses, but financial loss caused by loss of information.
Just imagine, for example, the cost of having your company's network halted for an hour. If you divide your annual turnover by the number of working hours, you will see the cost of having your servers at a standstill for an hour.
The second aspect to be considered is the investment to be made on security systems. Under no circumstance should you have a budget that exceeds the value of the information to be protected. This would be like keeping an old stained rag in a safe, as the cost of the safe is greater than the cloth. A security system like this would be redundant. (Unless of course the rag was stained by Leonardo da Vinci, and called the Mona Lisa, then maybe some additional expenditure on extra security measures might be in order).
Finally, you have to calculate how much it would cost for an attacker to breach security measures and access protected information. This should be very high, that is, to obtain certain information must be far more costly than the information itself. In this way, you are setting up an intangible barrier that is very difficult to get over, since, if it is not worth breaking into a system, almost nobody will try to do it. At least, most attackers will be dissuaded from doing it.
As usually happens when you try to assess a security risk, establishing the right measuring standards is rather complicated, as there is no perfect metric and, even if there was, it needs to be capable of adapting to every business alternative. In fact, a parameter which is valid for a certain business vision is completely different for another, irrespective of how similar businesses might be.
Luckily enough, you can be helped by computer security experts with the necessary experience and knowledge to draw up a close approximation of your IT security needs and the investments to be made. On the contrary, to establish an investment policy based on the opinions of unknowledgeable people can lead to highly undesirable effects.
To sum up, leave computer security to experts that are up-to-date with this area and know the issues involved. This is the best way to ensure that you are investing just what you need in security systems, no more, no less.