I regularly participate in discussions about the "right" amount of money to spend on security. I know two correct answers to the security budget question. First, don't spend all your money on security. Second, spend some money on security. The problem is the middle part, finding that magic number where your systems are secure but you're maximizing dollars to spend on business functionality.
The most common rule of thumb I hear is that 5-10% of the development budget for a new system should be allocated to security controls. For example, if a system is allocated $250,000 in development money, the project should be spending about $18,000 on security controls. This might include a firewall, software development to integrate with an auditing system, or paying for third-party security services like penetration testing.
However, the 5-10% guidance doesn't take into account the sensitivity of the system, the nature of the business, the complexity of the system, etc. In other words, there are a lot of variables to consider.
One of the other methods used to estimate security budgets is to predict the cost of a security incident. For example, recently a report was published by the Ponemon Institute (http://www.encryptionreports.com/index.html) that concluded that the cost of a data breach could be as high as $204 per record. This is a bit of a stretch (they include a lot of indirect costs to reach $204) but it's worthwhile to note that there are a lot of costs associated with a data breach. I prefer another number they cite, about $60/record in direct costs. Using that number, you can extrapolate to the maximum security budget. In other words, it's not worth spending more than ($60 * (number of records)) because at that point you're better off paying the cost of the breach than fixing the problems ahead of time.
This is a pretty classic approach to risk management and it has downsides, namely incredible backlash when the public realizes an organization deliberately chose to create a security problem in order to save money. We've seen issues like this in the car industry where it was cheaper to pay the lawsuit costs than to fix all the vehicles on the road.
In the end it's simply a question of using these available rules of thumb, risk management tools, and experience to make a guess about the budget.
My intuition usually suggests that a new system will have several thousand dollars in security costs regardless of its size; those are simply fixed costs associated with running a modern information system. Moving into the enterprise environment, costs can escalate into the hundreds of thousands and millions of dollars very quickly as things become mission critical and require 99.999% uptime, encryption of data in transit and at rest, access by millions of clients, etc. Just think for a second about how much money travels across these Internet connections we all use. It's staggering and an incredible target for thieves, militaries, and competitors.
Reference: 2009 Annual Study: Cost of a Data Breach; Understanding Financial Impact, Customer Turnover, and Preventive Solutions; Ponemon Institute, LLC; January 2010; URL: http://www.encryptionreports.com/costofdatabreach.html, last visited on January 26, 2010.
