The Very Hungry Defender: Metamorphosing Security Decision-Making by Incorporating Opportunity Cost

Information security is often seen as a drain on the organization and defenders struggle to prove the value of their decisions to the rest of the organization. Security teams usually consider the narrow benefits of implementing a defensive measure for their own goals while ignoring the variegated costs they impose on the organization, its employees, its users, and even society. Therefore, information security is in continual danger of suboptimal outcomes and missed opportunities.

Opportunity cost can help transform information security programs from an organizational drag to an uplifting force by considering the foregone benefits of alternative options. This talk explores the importance of opportunity cost in security decision making and why defenders must incorporate different forms of cost in every decision. Drawing on cross-disciplinary research on opportunity cost in complex system domains, we will examine the tangible and intangible costs and effects that practitioners must take into account when evaluating defensive options. Through this lens, we’ll discuss negative externalities beget by security investments and how “cost” is far more than just money. To make these concepts more concrete, we’ll close with practical examples from the realm of application security to demonstrate why opportunity cost – and an appreciation of the kaleidoscopic nature of "cost" – is essential when making defensive decisions.