e-Crime Germany: It's all about risk
Compliance and security budgets follow the risks. Operational risks are hard to measure, but companies have their own historical data on losses, and can build probability models from it to estimate future expected losses for given risks. In this way, they can compare the expected losses across their risk portfolio and allocate budget appropriately. Information sharing would improve this, but it's not happening. Cybersecurity teams have long resisted this type of analysis, portraying cyber risk as 'different', 'existential', and therefore not subject to normal risk pricing.