[ryandrake]

Doesn’t the existence of a ransom “out” put a cap on how much money/seriousness a company willingly puts into infosec? Why would a company invest $22M into security if they can just pay criminals when they get owned?

If ransom was off the table, maybe they’d be motivated to actually secure their data? I don’t know—I’m not in infosec. It’s probably not that simple.

[toomuchtodo]

Correct. You calibrate your budget to your risk appetite (board/C-level tolerance, industry specific compliance requirements, civil considerations, etc). Every company puts a budget on how much they're willing to spend, as resources are finite. Even the US DoD has a budget, there are limits. We risk accept what we deem within our risk tolerance, or too expensive to derisk.

I think on HN, there is this belief that you can use incentives to force organizations to have perfect security, which does not exist. Employees are human, people make mistakes, budgets constrain staffing as well as control implementations and operations; there are simply limits to what you can do. You can use policy and incentives to encourage good/best behavior, but failures will still occur. The goal is attempts at desired outcomes, measuring those outcomes, and iterating; not 100% success (as that is impossible).

[hiatus]

> how much money/seriousness a company willingly puts into infosec? Why would a company invest $22M into security if they can just pay criminals when they get owned?

Because it's not a one-time cost. If attackers know you have weak security and deep pockets they will persist.