Estimates range from amounts per employee to percentages of expected loss in absence of security.
Estimates range from amounts per employee to percentages of expected loss in absence of security.

It's no secret that calculating an individual's or company's risk is not easy task as the economic benefits of cybersecurity are quite confusing and uncertain, but there are a few yardsticks that can be used to determine how much to spend to obtain a proper security level.

The methodology on how much to spend range from using a set amount per employee to percentages of expected loss in absence of security. But before spending a dime on cybersecurity products experts advise firms to consider simple things such as training employees on best security practices and ensuring all products and services are patched and up to date are low cost measures that go a long way.

However, cybercriminals are always looking for the upper hand. Whether targeting low hanging fruit within organizations with poor security measures or using spearphishing attacks to target valuable safely guarded information, companies need to purchase security products as a precaution to combat these and similar threats.  

One of the issues when deciding what level of cybersecurity to bring on board is ensuring a balance between protecting an organization's sensitive assets, employee productivity and business continuity, Bufferzone Chief Executive Office Israel Levy told SC Media.

“When creating a cybersecurity budget, companies must make sure they invest in technologies that will make the most business sense and should especially look at allowing for a strong perimeter defense as well as frictionless employee productivity,” Levy said. “We believe prevention-based technology is the strongest perimeter defense there is. For every $1000 spent in prevention, this is worth hundreds of thousands in detection.” 

Agencies should also consider the number of employees involved when budgeting for cyber spending.

“The amount a company should spend should also be related to the number of users in an organization not specifically based on a percentage of the company's budget,” Votiro Chief Executive Officer Itay Glick, “It should also relate to the number of people who are working in tech departments in each organization.”  

He went on to say that $200 per user per year seems about right to spend on security. 

Knowledge of the expected threat landscape should also factor into the cybersecurity budget.

Source Defense Co-founder Avital Grushcovski told SC Media that instead of trying to set an amount, and stick with it, first map out your vulnerability points and the damage each of them might cost you; and from there, creating a budget should be easier

“Buying cyber products is a lot like buying insurance, nobody wants to think about it -- it might feel like throwing money down the drain,” Grushcovski said. “A lot of organizations will spend the minimum required of them and leave it at that; They think, " what's the worst thing that could happen?"