The script is always the same: first, an estimation of the expected loss from an intrusion or attack is provided; then, a proposal of countermeasures that are some orders of magnitude cheaper than the expected loss is suggested; in conclusion, the solution being offered features such a high ROI that only a fool would discard it, so runs the argument. Repeat for every antivirus, IDS, firewall or whatever security product is being sold.
This myth is based on a loaded use of language that equates the notion of spending on security with that of an investment, a misleading and self-serving broken framework of economics that fails to take into consideration other variables like opportunity and hidden costs. As in the parable of the broken window, disregarding the ideal world in which nothing gets broken and the resources could be put to better use for other, much more productive purposes leads to very misguided conclusions. That is, security is not an investment, and insecure programs don’t carry debts.
Computer security is a tax.
Different operating systems carry different levels of taxes: desktop Windows carries a higher level of computer security taxes due to malware. Programming languages also differ: the tax bracket for ColdFusion is higher than the one for C, which is higher than the one for Java/C#.
And since software vendors aren’t liable for their insecure products, they have no incentive to internalize the hidden costs of security breaches, and instead transfer them to customers, who must spend resources to protect their real assets, much like the taxes citizens pay to governments to provide for security services.