Rethinking Cybersecurity as Capital Allocation
This research paper by Dr. Ana Zavgorodnia argues that cybersecurity spending should be managed through the same capital allocation discipline used in other major business domains. Although tools for quantifying risk exist, many boards currently approve security budgets based on compliance or technical narratives rather than financial materiality. To bridge this gap, the author introduces a framework featuring Exposure-Adjusted Estimation to identify risk concentrations and a Risk Efficiency Ratio to prioritize investments based on their marginal return. The model also categorizes spending into four functional domains to help leadership maintain a balanced security portfolio. By aligning with 2023 SEC disclosure rules, this approach transforms the CISO’s role into one focused on economics and risk-adjusted decision-making. Overall, the text provides a structured mechanism for boards to exercise substantive oversight by treating cyber defense as a strategic financial priority.