Diminishing Returns in Cybersecurity Spending
One of the most important concepts in cybersecurity economics is diminishing returns. Each additional dollar spent on security reduces less risk than the previous one. Understanding this principle is essential for optimal budget allocation.
How Diminishing Returns Work
Consider phishing risk. MFA might reduce phishing-related losses by 45%. An email security gateway adds another 45% reduction — but 45% of the remaining 55%, not of the original total. The actual additional reduction is therefore about 25% of the original risk. Adding security training on top provides another layer, but again it only reduces the already-diminished residual risk.
Mathematically, residual risk after multiple controls equals the product of (1 − effectiveness) for each control. Three controls each rated at 40% effectiveness do not provide 120% reduction — they provide approximately 78% combined reduction.
Strategic Implications
- Breadth over depth: Spreading investment across multiple risk scenarios often delivers better total risk reduction than concentrating on one area
- Marginal analysis: Always evaluate the next control based on its marginal benefit given existing controls, not its standalone effectiveness
- Optimal stopping point: At some point, additional controls cost more than the residual risk they reduce. This is the economically optimal security posture
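The arithmetic from the earlier section and the stopping rule above, worked through as an added example that is not part of the original article. Control names, effectiveness figures, annual costs and the annual loss are constructed inputs, and the greedy "best marginal benefit per dollar" selection is one simple way (an assumption here, not a method the article prescribes) to find the point where the next control costs more than the risk it removes.

```python
from typing import List, Sequence, Tuple

# Constructed sample inputs (not figures from the article):
# name, standalone effectiveness, annual cost in dollars.
CONTROLS: List[Tuple[str, float, float]] = [
    ("MFA", 0.45, 30_000),
    ("Email gateway", 0.45, 60_000),
    ("Security training", 0.35, 40_000),
    ("Phishing simulation", 0.20, 50_000),
]


def residual_fraction(effectiveness: Sequence[float]) -> float:
    """Fraction of the original risk left after independent controls: product of (1 - e)."""
    residual = 1.0
    for e in effectiveness:
        residual *= 1.0 - e
    return residual


def combined_reduction(effectiveness: Sequence[float]) -> float:
    """Total reduction as a fraction of the original risk (1 - residual)."""
    return 1.0 - residual_fraction(effectiveness)


def marginal_reduction(existing: Sequence[float], candidate: float) -> float:
    """Extra reduction (fraction of the original risk) gained by adding one more control."""
    return residual_fraction(existing) - residual_fraction(list(existing) + [candidate])


def greedy_plan(annual_loss: float, controls=CONTROLS) -> List[Tuple[str, float, float]]:
    """Choose controls by marginal benefit per dollar given those already in place.

    annual_loss is the expected yearly loss with no controls. Selection stops at the
    economically optimal point: when the best remaining control's marginal risk
    reduction (in dollars) no longer exceeds its annual cost.
    Returns (name, marginal_benefit_dollars, annual_cost) per chosen control.
    """
    chosen: List[Tuple[str, float, float]] = []
    in_place: List[float] = []
    remaining = list(controls)
    while remaining:
        # Marginal dollar benefit of each candidate, given the controls already chosen.
        scored = [(name, marginal_reduction(in_place, eff) * annual_loss, cost, eff)
                  for name, eff, cost in remaining]
        name, benefit, cost, eff = max(scored, key=lambda s: s[1] / s[2])
        if benefit <= cost:
            break  # the next control would cost more than the residual risk it removes
        chosen.append((name, benefit, cost))
        in_place.append(eff)
        remaining = [c for c in remaining if c[0] != name]
    return chosen
```

With these inputs the email gateway is still worth adding third only because its marginal benefit ($64,350) narrowly beats its $60,000 cost, while phishing simulation never clears the bar; halve the annual loss and MFA alone is the stopping point.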
Practical Application
When presenting to the board, show the diminishing returns curve. It demonstrates that you are not asking for an unlimited budget: you have identified the point up to which investment delivers meaningful returns, and beyond which additional spending stops making financial sense.