Elevate Risk Management Reporting
Every executive must justify their organization and its expenditures; the CISO role is no exception.
A central challenge in demonstrating the value of a security organization is that its primary objective is to reduce the financial impact of adverse events that may or may not occur. A common approach is to estimate an annual likelihood (for example, 10%) and multiply it by the loss incurred if the event occurs (for example, $100,000), giving an annualized expected loss of $10,000. Under this model, if the issue can be addressed for less than $10,000 per year, the investment appears justified.
However, a single point estimate does not reflect the full range of potential outcomes. Compromised credentials belonging to the CEO do not carry the same impact as those of an intern, yet both count as the same event in the arithmetic above. It is also difficult to assert that a risk has been fully eliminated, and a partial reduction in likelihood or impact is not easily demonstrated with a single multiplication.
Representing likelihood and loss as probability distributions rather than point estimates provides a more flexible framework for capturing these dynamics. In the diagram, we illustrate two curves: one representing the current state, and one representing the state after implementing additional security controls. The risk threshold defines an agreed-upon level of acceptable risk exposure, expressed in financial terms, so the reporting question becomes how much of each curve lies beyond that line before and after the investment.
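The two-curve comparison described above, worked through as an added example (this is not code from the original page): a Monte Carlo model treats each scenario as a yearly event probability plus a lognormal single-event loss, simulates many years, and reports a loss exceedance curve (for each dollar amount, the probability that a year's total loss exceeds it) for the current state and for the state after a control. The parameter values, the assumption of at most one event per year, the lognormal loss shape, and the $250,000 risk threshold are all assumptions chosen for illustration.

```python
"""Monte Carlo loss-exceedance curves for a 'current' and an 'after controls'
state. Added example: every parameter value below is constructed for
illustration and is not taken from the original text."""
import math
import random
from dataclasses import dataclass

Z90 = 1.2815515655446004  # standard-normal 90th percentile


@dataclass(frozen=True)
class Scenario:
    """A loss scenario: probability the event occurs in a year (assumed to
    happen at most once per year) plus a lognormal single-event loss given
    by its median and 90th percentile. Lognormal is assumed because losses
    are heavy-tailed: the CEO's credentials cost far more than an intern's."""
    name: str
    p_event: float      # annual probability of the event
    loss_median: float  # dollars
    loss_p90: float     # dollars, must be >= loss_median

    def lognormal_params(self):
        """Convert (median, p90) into (mu, sigma) of the underlying normal."""
        mu = math.log(self.loss_median)
        sigma = math.log(self.loss_p90 / self.loss_median) / Z90
        return mu, sigma

    def expected_annual_loss(self):
        """Closed form: p * E[loss], with E[lognormal] = exp(mu + sigma^2 / 2).
        With sigma = 0 (no spread) this collapses to the single-point
        arithmetic the text starts from: 10% x $100,000 = $10,000."""
        mu, sigma = self.lognormal_params()
        return self.p_event * math.exp(mu + sigma * sigma / 2)

    def simulate(self, years, seed=0):
        """Return one simulated annual loss per year (0.0 when no event)."""
        rng = random.Random(seed)  # fixed seed so a report is reproducible
        mu, sigma = self.lognormal_params()
        return [rng.lognormvariate(mu, sigma) if rng.random() < self.p_event else 0.0
                for _ in range(years)]


def exceedance_probability(losses, threshold):
    """Fraction of simulated years whose loss strictly exceeds threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def exceedance_curve(losses, thresholds):
    """Points (threshold, P(annual loss > threshold)) that define the curve."""
    return [(t, exceedance_probability(losses, t)) for t in thresholds]


def compare_at_threshold(current, proposed, risk_threshold, years=20_000):
    """Summarise both states against the agreed risk threshold."""
    cur = current.simulate(years, seed=1)
    new = proposed.simulate(years, seed=2)
    return {
        "expected_loss_current": current.expected_annual_loss(),
        "expected_loss_proposed": proposed.expected_annual_loss(),
        "p_exceed_current": exceedance_probability(cur, risk_threshold),
        "p_exceed_proposed": exceedance_probability(new, risk_threshold),
    }


# Constructed scenarios (assumed numbers, for illustration only).
CURRENT = Scenario("current", p_event=0.10, loss_median=100_000, loss_p90=500_000)
AFTER_CONTROLS = Scenario("after controls", p_event=0.04, loss_median=50_000, loss_p90=250_000)
RISK_THRESHOLD = 250_000  # assumed agreed acceptable annual loss

if __name__ == "__main__":
    thresholds = [0, 50_000, 100_000, 250_000, 500_000, 1_000_000]
    for s in (CURRENT, AFTER_CONTROLS):
        losses = s.simulate(20_000, seed=1)
        print(f"{s.name}: expected annual loss ${s.expected_annual_loss():,.0f}")
        for t, p in exceedance_curve(losses, thresholds):
            print(f"  P(loss > ${t:>9,}) = {p:.3f}")
    r = compare_at_threshold(CURRENT, AFTER_CONTROLS, RISK_THRESHOLD)
    print(f"P(loss > threshold): {r['p_exceed_current']:.3f} -> {r['p_exceed_proposed']:.3f}")
```

Two things the single-multiplication model hides show up immediately. With the assumed heavy tail, the expected annual loss of the current state is about $22,000, not the $10,000 that likelihood times median would suggest, because rare large losses pull the mean up. And the control's value can be stated against the threshold the business actually agreed to: the probability of a year exceeding $250,000 drops from roughly 2.3% to under 0.5%, which is a statement about tail exposure that no point estimate can make.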