The Intersection Myth: Where Security Optimization Really Happens
Why the "sweet spot" isn't where Cost equals Risk—and how to find the real optimization point.
Picture this: You want to implement a new security tool that costs $500K annually and will reduce breach probability by 15%. Meanwhile, your CFO is evaluating a new product line using standard NPV calculations that completely ignore security risks.
Both of you are making suboptimal decisions. You are solving for safety, they are solving for profit, and because neither model connects to the other, you are both missing the crucial piece of the puzzle.
The Problem: Isolated Decision Making
Most organizations make two types of decisions in isolation:
Financial decisions use the familiar formula: $$Profit = Revenue - Cost$$
Risk decisions happen separately, often focused on minimizing threats regardless of cost.
This separation leads to expensive over-protection in some areas and dangerous under-protection in others.
The Solution: The Three R Framework
Every business decision actually involves three interconnected factors:
- Revenue (what we gain)
- Resources (what we spend)
- Risk (what we might lose)
Think of these as three forces pulling against each other:
- To increase revenue, you might need more resources or accept more risk
- To reduce risk, you might need more resources or accept lower revenue
- To save resources, you might accept more risk or lower revenue
The key insight? You can't optimize one without considering the other two.
Why "Minimize Risk" is Wrong
Here's where most security professionals go astray: the goal isn't to minimize risk—it's to optimize it.
Why? Because risk reduction follows a curve of diminishing returns. Going from 90% protection to 95% might cost as much as going from 0% to 90%. At some point, the cost of additional protection exceeds the value of the risk you're reducing.
Common Misconception: Where the Curves Cross
Warning: A lot of articles get this wrong. You'll often see claims that the "sweet spot" is where your cost curve intersects your risk curve, where the money you're spending equals the risk value remaining.
This is mathematically incorrect.
The optimal point isn't where cost equals risk. It's where the rate of change of cost equals the rate of change of risk reduction. In other words, you want the point where spending one more dollar reduces risk by exactly one dollar, not where your total spending equals your total remaining risk.
Think about it: if you have $10M in risk exposure and you've spent $10M on security (the intersection point), you might still be able to reduce risk by $2 for every additional $1 spent. That's obviously worth doing: you haven't reached the optimal point yet.
The correct approach is marginal analysis, not intersection analysis.
The Math (Simplified)
The key insight most people miss is that it's not about comparing total costs to total risk reduction. It's about marginal analysis—what happens when you spend one more dollar.
The optimal security spending is where the next dollar spent reduces risk by exactly one dollar.
- If spending $1 more reduces risk by more than $1 → spend it
- If spending $1 more reduces risk by exactly $1 → you've found the sweet spot
- If spending $1 more reduces risk by less than $1 → accept the risk
This is why "minimize all risk" is wrong. As you add more security controls, each additional dollar typically yields less risk reduction than the previous dollar. Eventually, you hit a point where additional spending isn't worth it.
For example, your first $100K in security might eliminate $500K in risk exposure. But your second $100K might only eliminate another $150K in risk. The third $100K might only eliminate $75K in risk. You keep going until the next $100K would only eliminate $100K in risk—that's your optimal point.
Why Uncertainty Matters (And Why Risk Assessment Quality is Critical)
Here's where it gets more nuanced: risk isn't a fixed number—it's uncertain. This uncertainty means your optimal point isn't a single spot, but a range.
The width of this range depends on how accurate your risk assessment is:
- Poor risk assessment = high uncertainty = wide optimal range
- Better risk assessment (based on actual system dependencies, not guesses) = lower uncertainty = narrow optimal range
This is why investing in better risk assessment capabilities isn't just academic, it directly improves your decision-making by narrowing the "sweet spot" range where optimal security spending should fall.
Your organization's risk appetite should be positioned somewhere within this optimal range. If your risk appetite falls outside the range, you're either under-spending (accepting too much risk) or over-spending (wasting resources on diminishing returns).
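The marginal rule, the "curves cross" rule it replaces, and the way assessment uncertainty widens the optimum into a range, worked through in code. This is an added example, not part of the original article: the first three tranche values ($500K, $150K, $75K per $100K spent) are the article's own, while the halving tail, the $1.5M exposure and the uncertainty percentages are constructed for the demonstration.

```python
"""Marginal analysis of security spend, following the article's worked numbers.

Added example (not from the original article). The first three tranche values
are the article's; the geometric tail and the exposure figure are constructed.
"""

TRANCHE = 100_000  # spend step used in the article's worked example
# Risk removed by each successive $100K tranche: the article's three values plus
# a constructed tail that keeps halving (diminishing returns).
MARGINALS = [500_000, 150_000, 75_000] + [75_000 * 0.5 ** k for k in range(1, 10)]


def marginal_optimum(marginals, tranche=TRANCHE):
    """Spend while the next tranche removes at least its own cost.

    Returns (total_spend, total_risk_reduction). The break-even tranche
    (reduction exactly equal to cost) is the article's sweet spot and is
    included; the first tranche that removes less than it costs is declined.
    """
    spend = reduction = 0
    for m in marginals:
        if m < tranche:
            break
        spend += tranche
        reduction += m
    return spend, reduction


def intersection_point(marginals, exposure, tranche=TRANCHE):
    """The 'curves cross' rule the article calls incorrect: keep spending until
    cumulative spend equals or exceeds the remaining exposure."""
    spend, remaining = 0, exposure
    for m in marginals:
        spend += tranche
        remaining -= m
        if spend >= remaining:
            return spend
    return None  # the curves never cross within the modelled tranches


def optimal_range(marginals, uncertainty, tranche=TRANCHE):
    """A +/- fraction of uncertainty on every risk estimate turns the single
    optimum into a range: recompute it at the pessimistic and optimistic ends."""
    low = marginal_optimum([m * (1 - uncertainty) for m in marginals], tranche)[0]
    high = marginal_optimum([m * (1 + uncertainty) for m in marginals], tranche)[0]
    return low, high


if __name__ == "__main__":
    print("marginal optimum:", marginal_optimum(MARGINALS))            # (200000, 650000)
    print("intersection rule:", intersection_point(MARGINALS, 1_500_000))  # 800000
    for u in (0.1, 0.4):  # better assessment = narrower range
        print(f"optimal range at +/-{u:.0%}:", optimal_range(MARGINALS, u))
```

With the article's numbers the marginal rule stops at $200K of spend, while the intersection rule on a constructed $1.5M exposure keeps spending to $800K; tightening the estimates from +/-40% to +/-10% collapses the optimal range from $100K..$300K to a single point.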
Practical Implementation
To apply this framework effectively, you need two things: the right mindset and the right tools.
The Tools You Need: Most organizations struggle with this approach because they lack the analytical capabilities to perform accurate risk assessments. Traditional risk matrices and gut-feeling approaches create such wide uncertainty ranges that you can't tell if you're in the optimal zone or not.
Graph-native threat analysis tools can help by mapping the exact blast radius of a threat. This replaces the 'high/medium/low' guessing game with concrete data, collapsing the uncertainty range and making the marginal analysis calculation precise. They do this by:
- Providing more accurate risk quantification
- Reducing the uncertainty range around your optimal spending point
- Enabling scenario analysis to test different security investment levels
- Making the marginal analysis calculations practical and repeatable
Platforms specifically designed for this kind of risk analysis help organizations move beyond subjective risk assessments to quantitative, data-driven security investment decisions.
For CISOs and Security Teams:
- Stop presenting security as "priceless"—quantify the risk reduction value
- Consider business impact when prioritizing controls
- Look for the point where additional spending yields diminishing returns
- Invest in analytical tools that enable accurate risk quantification
For Business Leaders:
- Include risk calculations in financial decisions
- Understand that some security spending actually improves ROI
- Don't treat all security as pure cost
- Support investments in better risk assessment capabilities
For Everyone:
- Make decisions considering all three Rs together
- Focus on optimizing rather than minimizing risk
- Remember: "no risk, no reward" applies to security too
- Recognize that assessment quality directly impacts decision quality
The Bottom Line
Security isn't about eliminating all possible risks—it's about finding the optimal balance between protection, cost, and business objectives to maximize the results. When you integrate risk thinking into financial decisions (and financial thinking into risk decisions), you get better outcomes for everyone.
The best security programs aren't the most comprehensive - they're the most intelligently balanced.
The framework described here isn't just theoretical - it's implementable today with the right analytical tools. Organizations that move beyond traditional risk matrices to quantitative threat analysis can start making these sophisticated optimization decisions immediately, often discovering they can reduce both costs and risks simultaneously.
-- This article was originally published on Medium.