Monday, November 4, 2013

This week's lesson involved more of the business and financial aspects of information security. Companies want to be protected but they also want to know exactly how much that protection will cost.  Why?

Because the cost of securing them could be greater than the cost of the threat itself. Strange? Possibly, but it could be true.

Now, there are different layers to be considered when we talk about information security protections: 


  1. How much would a single incident cost the company?
  2. How many times a year is this incident expected to occur?
  3. How much money would this incident cost the business?
  4. How much does an annual solution cost?


Information security professionals have to be well rounded not only in areas of security but also in the financial impacts that a business leader must pay for. That may be the MOST unpleasant part of the conversation, but it is obviously one of the MOST important parts.

Being able to articulate a detailed cost-benefit analysis is another skill we need.

This article gives some helpful insight on analyzing costs and why they are important for information security. 

http://www.notablesoftware.com/Papers/SecCost.html
