A Cost-Benefit Analysis Approach to Cyber Security (Updated for 2026)

What is Cost-Benefit Analysis in Cyber?

Cost-benefit analysis (CBA) is a method used to evaluate a project by comparing its losses and gains — essentially a quantified and qualified list of pros and cons. CBA is a useful way to assess business projects because it reduces the evaluation complexity to a single price figure. As you can imagine, this makes CBA an invaluable tool when it comes to explaining the intricacies and selling the value of a robust cyber security strategy to key stakeholders.

Pro tip: Today’s executives report being more open to new cyber security strategies than ever before. In 2025, a Gartner survey found that 85% of CEOs said that cyber security is critical for business growth. Use this as an opportunity to build foundations that will help create a sustainable and safe future. 

Pay Now or Pay Later — The Cyber Security Dilemma

One of the most important things to emphasise in your CBA is the inherent trade-off between paying to prevent a mess versus paying to clean up a mess. In 2025, cybercrime was forecast to cost governments and businesses a whopping $10.5 trillion. In the UK, the average cost of a significant cyber-attack for an individual business is almost £195,000. While UK insurers offer cover for ransomware demands — relieving some of the financial pressure on businesses — the ‘hidden’ costs of an attack can still have a devastating effect on operations and a company’s bottom line. For instance, in 2025:

• Jaguar Land Rover (JLR) lost an estimated £50 million per week as a result of a cyber-attack.
• Marks & Spencer’s profits were almost wiped out as a cyber-attack cost them an estimated £136 million.
• Co-op said a cyber-attack cost it £206m in lost sales.

Of course, investing in preventative cyber security measures also comes at a cost. Worldwide end-user spending on information security is projected to reach $240 billion in 2026.

With that said, there is no reliable way to measure a ‘typical’ cyber security budget, as spending varies from business to business and industry to industry. Cyber security spend isn’t necessarily a strong indicator of cyber security maturity, however, as we cover in our newly published Business Resilience Index 2026. 

Despite this, though, one thing remains crystal clear: for most businesses, the cost of prevention pales in comparison to the cost of a breach. 

Getting Started with a Risk Assessment

If you’re serious about proving the value of investing in a strong, agile cyber security system to stakeholders, the best place to begin is with a cyber security assessment. The NIST Cyber Security Framework 2.0 is an updated, voluntary framework that helps organisations manage and reduce cyber security risks. By taking a NIST Cyber Security Framework 2.0 Assessment you can better understand your cyber security posture and minimise the risks you face.

The assessment helps you understand your security efficacy at a strategic level:

• Establish cyber security best practices. Establish a systematic approach to implementing best practices at an operational level.
• Cyber security risk management. Achieve effective information and cyber security risk management and governance.
• Mitigate risks. Comprehensively manage and mitigate information and cyber security risks.

Applying a Cost-Benefit Analysis to Your Risk Management Profile

Remember, applying a CBA to your risk management profile is all about determining the risks you are willing to accept and comparing the costs of those risks against the benefits. This involves thinking about the direct and indirect risks you face, as well as the direct and indirect costs that could arise as a result of taking these risks. Examples of each include:

• Direct costs: Ransom payments, or expenditure associated with identifying, mitigating and quarantining a threat. 
• Indirect costs: Downtime, operational disruption, reputational damage, time and internal resources, and legal and non-compliance fees. 

It’s helpful to think about both direct and indirect factors when applying a CBA to your risk management strategy. For instance, you might compare:

• The cost of business income disruption (direct) and lost productivity (indirect) due to a ransomware attack vs the cost of preventing a data breach by investing in an endpoint security system.
• The cost of operational disruption (direct) and a decrease in future revenues (indirect) vs the cost of preventing an attack by investing in building an in-house team.

Much of a CBA involves coming up with options that you could undertake to achieve your project’s objectives — so you’ll want to keep breaking things down and playing with various risks, costs and outcomes. For instance, you might look at the costs vs benefits of factors like:

• Varying timescales for executing the strategy, or different components of the strategy.
• Various budgets for the project. The NIST Cyber Security Framework 2.0 can be helpful here; the framework focuses on six core functions: Govern, Identify, Protect, Detect, Respond, and Recover.
• The costs of outsourcing cyber security services vs achieving them in-house.
• The potential costs of protecting individual data assets and vulnerabilities vs the cost of these assets being breached.

Strategising effectively is all about placing risk within the context of your own business and its unique appetite for risk. However, you’ll probably start to see a pattern emerge: preventative cyber security measures usually more than pay for themselves — particularly if approached in a cost-effective way. 

Pro tip: To really highlight a cyber security strategy’s value to stakeholders, you might also find it helpful to include a ‘do nothing’ or ‘do minimum’ option.

Doing More with Less

At the end of the day, you should always be looking for the most effective way to deliver the outcomes you need. There is generally a cost/benefit trade-off between investment and risk. However, not all investments are equally costly.

For example, managed detection response (MDR) services, such as those we offer at Six Degrees, are a great solution that delivers increased security and agility at an optimal cost.

To learn more, read What is MDR?

Simply put, upfront investment with strategic partners delivers more robust security outcomes than the alternatives. One of the greatest benefits of forming a strategic partnership with a managed service provider is that they provide access to economies of scale, allowing you to sidestep the cyber security skills shortage. 

In addition to delivering on-demand talent, working with a service provider enables you to:

• Develop a more flexible, iterative and future-proof approach to cyber security.
• Gain access to insider threat intelligence and risk insights.
• Stay focused on core business competencies.

Pro tip: Full protection is never guaranteed. In the unfortunate event of an attack or failure, savvy management and effective response can significantly reduce the impact on your business — another instance of the benefit outweighing the cost. 

Preventative Action Can Be Cheaper  

Risk management is all about managing uncertainties. When it comes to preventing costly attacks, there’s significant value to be found in investing upfront in order to avoid paying a higher price later. 

Ultimately, cyber security is a journey, not a destination. Any investment you make should be agile and flexible enough to meet both current and future demands. Six Degrees offers the capabilities and expertise you need to ensure business resilience in 2026 and beyond. 

Ready to learn more about how we can keep your business secure? Get in touch today!