The Million-Dollar Question: Are You Spending Too Much on Risk Prevention?

Why the smartest risk investment might be knowing when to stop spending.

A Question That Keeps Business Leaders Awake

You are the CISO of your organization, sitting in a boardroom, and someone asks you the ultimate business riddle: "So, how much should we spend to prevent a million-dollar loss?"

Wanting to be helpful, your first instinct might be to say, "Well, whatever it takes!" There is a better answer. Mathematics has a surprisingly definitive one that might shock you: never spend more than 37% of your expected loss (probability times impact, not the worst case) on preventing that loss. I know what you're thinking. "Wait. 37%? That seems oddly specific…" And you're right: it is specific, and there's fascinating science behind it.

The bottom line is that, whether you're a business leader trying to make smart security investments or a cybersecurity professional helping your organization allocate resources wisely, applying this principle will change how you think about risk.

A Universal Concept

In reality, this conversation extends beyond cybersecurity and is relevant to any decision-maker who needs to evaluate how to tackle risk: from supply chain disruptions to workplace safety, the math is the same.

In our specific case, understanding this principle will help you craft compelling business cases and avoid the trap of "security at any cost" thinking, which can damage both your credibility and that of your organization.

If you're still with me, let me explain why this 37% rule isn't just an academic theory and why this piece of practical wisdom may save your organization millions.

Thinking Like Insurance Companies

Insurers have been mastering risk evaluation for centuries. How do they do it? They don't try to prevent every possible loss; instead, they calculate the optimal amount to spend on prevention versus the cost of paying claims. If you like the analogy, they act like professional gamblers who are good at math.

Developed in 2002 by Lawrence Gordon and Martin Loeb, the Gordon-Loeb model formalized what insurance companies had known intuitively: risk mitigation investments follow the law of diminishing returns. The way it works can be summarized this way: your first dollar spent on security is like buying a deadbolt for your front door; it has a huge impact. Your thousandth dollar might be like adding a motion sensor to monitor your mailbox: technically more secure, but probably not worth the cost!

Here's a practical example:

Consider data worth €1,000,000, with a 15% probability of attack and an 80% chance that an attack succeeds. The expected loss is €1,000,000 × 0.15 × 0.8 = €120,000. Based on the Gordon-Loeb model, the company's security investment should not exceed €120,000 × 0.368 ≈ €44,000.

(Source: Wikipedia)

This 37% ceiling emerges from the shape of the breach-probability function in the model: each additional dollar of security investment lowers the probability of a breach, but by less than the dollar before it. Gordon and Loeb proved the 1/e bound for two broad families of such functions. It's the same principle of diminishing returns that explains why:

  • The first slice of pizza is terrific, the fourth slice is okay, and the eighth slice makes you feel terrible

  • The first employee you hire transforms your business, but employee number 100 has much less individual impact

  • The first security control you implement blocks most attacks, but the 20th control might only catch a few more

The math shows that the optimal investment never exceeds 1/e of the expected loss (approximately 0.368, or, in short, 37%). Note the direction of that statement: 37% is a ceiling on the optimum, not the optimum itself. For many parameter values the point where the next dollar stops paying for itself sits well below the ceiling, and sometimes it is close to zero.
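To make the ceiling concrete, here is an added worked example in Python. It is not code from the article or from Gordon and Loeb; it takes the €1,000,000 / 15% / 80% figures above, applies the "class I" breach-probability function from the 2002 paper, S(z) = v / (αz + 1)^β, and locates the actual optimum rather than the ceiling. The shape parameters α = 0.0001 and β = 1 are assumed for illustration; nothing in the article fixes them.

```python
"""Gordon-Loeb worked example (added illustration, not from the original article).

Uses the class I security breach probability function from Gordon & Loeb (2002),
S(z) = v / (alpha*z + 1)**beta: v is the breach probability with zero spend, z is
the spend. alpha and beta are ASSUMED shape parameters chosen for illustration.
"""
import math

E_INV = 1 / math.e  # ~0.368, the "37%" of the article


def expected_loss(loss_if_breached: float, p_attack: float, p_success: float) -> float:
    """Expected loss: value at risk x P(attack) x P(attack succeeds)."""
    return loss_if_breached * p_attack * p_success


def gordon_loeb_cap(exp_loss: float) -> float:
    """Upper bound on the *optimal* investment: never more than 1/e of expected loss."""
    return exp_loss * E_INV


def breach_probability(z: float, v: float, alpha: float, beta: float) -> float:
    """Class I breach function: vulnerability v at z=0, falling as spend z grows."""
    return v / (alpha * z + 1) ** beta


def marginal_loss_reduction(z: float, v: float, loss: float, alpha: float, beta: float) -> float:
    """Euros of expected loss removed by the NEXT euro spent at spend level z
    (this is -dS/dz * loss). The rational stopping point is where it falls to 1.0."""
    return v * alpha * beta * loss / (alpha * z + 1) ** (beta + 1)


def optimal_investment(v: float, loss: float, alpha: float, beta: float) -> float:
    """Closed-form optimum z* for the class I function: solve marginal_loss_reduction == 1.
    If even the first euro returns less than a euro, the optimum is zero."""
    y = (v * alpha * beta * loss) ** (1 / (beta + 1))  # equals alpha*z* + 1
    return max(0.0, (y - 1) / alpha)


def expected_net_benefit(z: float, v: float, loss: float, alpha: float, beta: float) -> float:
    """ENBIS(z): expected loss avoided by spending z, minus z itself."""
    return (v - breach_probability(z, v, alpha, beta)) * loss - z


def bound_holds(v: float, loss: float, alphas, betas) -> bool:
    """Check that z* never exceeds 1/e of the expected loss across a parameter sweep."""
    return all(
        optimal_investment(v, loss, a, b) <= gordon_loeb_cap(v * loss) + 1e-9
        for a in alphas
        for b in betas
    )


if __name__ == "__main__":
    # The article's figures: EUR 1,000,000 at risk, 15% attack chance, 80% success.
    v, loss = 0.15 * 0.8, 1_000_000
    el = expected_loss(loss, 0.15, 0.8)
    print(f"expected loss       = {el:,.0f}")
    print(f"Gordon-Loeb ceiling = {gordon_loeb_cap(el):,.0f}")
    alpha, beta = 1e-4, 1.0  # assumed shape of the breach function
    z_star = optimal_investment(v, loss, alpha, beta)
    print(f"optimal spend       = {z_star:,.0f}  ({z_star / el:.1%} of expected loss)")
    for z in (0.0, z_star, gordon_loeb_cap(el)):
        gain = marginal_loss_reduction(z, v, loss, alpha, beta)
        net = expected_net_benefit(z, v, loss, alpha, beta)
        print(f"  at z={z:>9,.0f}: next euro removes {gain:.2f} EUR of expected loss, net benefit {net:,.0f}")
```

Running it prints an expected loss of €120,000, a ceiling of about €44,146, and an optimum of about €24,641, roughly 21% of the expected loss. At zero spend the next euro removes €12 of expected loss; at the optimum it removes exactly €1; at the ceiling it removes only about €0.41, which is why spending all the way up to the ceiling leaves you worse off than stopping at the optimum. The `bound_holds` sweep confirms that, for this function family, the optimum stays under 1/e of the expected loss whatever α and β you pick.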

As mentioned at the outset, what makes this principle so powerful is that it applies to every type of risk, not just cyber threats. Here are some examples, with each figure read as an expected loss (probability times impact), not as a worst case:

  • Supply Chain Resilience: Facing a $10 million expected disruption loss? Don't spend more than $3.7 million on backup suppliers and redundancy.

  • Workplace Safety: Preventing accidents with an expected cost of $5 million? Cap your safety investments at $1.85 million.

  • Natural Disaster Preparedness: Building flood barriers where the expected flood loss is $50 million? Maximum rational investment: $18.5 million.

  • Quality Control: Preventing defects with an expected recall cost of $2 million? Optimal ceiling: $740,000.

The list could go on and on. Think of it like having a universal translator for risk decisions across your entire business.

A Practical Framework

So, the next time you are asked that question, think of this 37% rule. Are we trying to mitigate a risk whose expected loss is 1M? It is not wise to spend more than 370K, and the true optimum may be lower still. You could depict this as a traffic light system for risk spending, with one caveat: the model gives a ceiling, so sitting below it is not by itself proof that you are under-investing. The test at any spend level is whether the next dollar still removes more than a dollar of expected loss.

🟡 Yellow Light (Below 37%): You may be under-investing, or you may already be at the optimum. Check the marginal return: if additional expenditure still removes more expected loss than it costs, it's like finding money on the ground – pick it up!
🟢 Green Light (Around 37%): You're at the theoretical ceiling. The model's optimum is here or below it, so you are unlikely to be under-spending.
🔴 Red Light (Above 37%): Time to pump the brakes. Those dollars might deliver better value elsewhere.

Now, a word of caution: the real world is messier than mathematical models. You can't always quantify expected losses precisely (though you should try). The 1/e ceiling was proved for the two families of breach-probability functions that Gordon and Loeb studied; later research showed that other shapes can justify spending more, so treat 37% as a rule of thumb rather than a theorem about your environment. Sometimes regulations force you to spend more than the math would suggest. Also, some investments protect against multiple risks simultaneously, which complicates the calculation.

However, the beauty of the Gordon-Loeb framework is that it imposes mathematical discipline on emotional decisions. Instead of making risk investments based on fear ("What if we get hacked?") or gut feeling ("This feels like enough"), you have an economic foundation for rational decision-making.

Concluding

More than 20 years after its publication, the Gordon-Loeb model remains relevant because it addresses a fundamental business challenge: how to allocate limited resources in the face of unlimited uncertainty.

The 37% rule isn't a rigid spending cap, but rather a mathematical guardrail that helps you think systematically about risk and investment. It's like having a GPS for risk decisions that keeps you from driving off the financial cliff.

Whether you're managing cyber threats, supply chain vulnerabilities, safety hazards, or regulatory risks, the math provides the same guidance: diminishing returns are real, and they kick in sooner than most leaders expect.

How does your organization's risk spending align with the 37% principle? Are you spending smart money on smart risks, or are you paying premium prices for diminishing returns? More importantly, what challenges do you face in quantifying and optimizing risk investments? The math is straightforward, but the implementation is where the real work begins. Remember: the goal isn't perfect security – it's optimal security, and optimal security is as much about knowing when to stop spending as about knowing when to start.


A variation of this article appeared first on my LinkedIn Newsletter 'My CISO Adventure' on June 25, 2025.
