[jnorthrop]

> These companies can afford good cybersecurity but don't want to spend more money than the damages they would incur from a successful attack.

A bit off your "real" point: No company should ever spend more mitigating a risk than the potential cost they could incur from the risk. That is just good business, but the reality is that companies generally won't spend more on cybersecurity than their peers (either as a percentage of revenue or percentage of IT spend). Whether that is the proper balance for a risk/spend calculation is the real topic.

The problem is that we can't accurately calculate the probability of a cyber event and the cost impact of that event. So the company is stuck waiting for an attack on themselves or one of their cohorts so they can adjust.

[jacquesm]

> No company should ever spend more mitigating a risk than the potential cost they could incur from the risk

Funny, after the fact they are usually out a lot of money and they decide that they now do want to mitigate that risk.

[hluska]

It’s genuinely interesting how poorly companies perform when you gauge their ability to cost out a successful attack. Pre-attack, many seem to make an economic decision not to mitigate it. Post attack, the fifth CISO in four years gets fired, the CEO vows to do better and the cycle repeats all over…

[LogonType10]

>No company should ever spend more mitigating a risk than the potential cost they could incur from the risk.

I've heard hospital administrators make this argument after I've warned them about their security infrastructure being vulnerable to ransomware. I'm not convinced.

[trhway]

>No company should ever spend more mitigating a risk than the potential cost they could incur from the risk.

basically you summed up the opening scene from the FightClub. The human life cost H millions, so until it is going to kill N such that N * H >= cost of the fix ...