Financial and insurance industries have built an entire discipline around predicting the chance of an injury or loss, protecting against it and reaping the benefits if bad things never happen. Information security is a whole new game in which the economic goal is clear: Spend the smallest amount of money necessary to protect the enterprise. Companies are starting to calculate a return on security investment based on cost of security, cost of breach and probability that it will happen. Legal precedents and emerging standards will make it easier to quantify exactly when companies have done enough.
Source: https://www.csoonline.com/article/2113099/risk–information-security–and-economics.html