A frustration for many people is calculating the expected benefit of a given choice. What is the value in spending four hours reading a new book rather than practicing the violin? Considering alternatives is not a default human tendency, but these are not impossible questions to answer, even absent absolute dollar values.
Cost is usually associated with monetary value. Financial resources spent on one opportunity are not spent on something else. Businesses calculate the financial cost of various components, including licensing, capital expenses, and the fully loaded cost of labor. The monetary cost and benefit of a specific choice are often considered in isolation, rather than taking into account its externalities—the cost and benefit imposed on other entities by the choice.12 A classic example of a negative externality is pollution. A company can perform a cost-benefit analysis to calculate its optimal production rate, but this will consider only the cost incurred to make a widget and the benefit the company receives by selling the widget. It will not consider the costs imposed on the local community by lowering the quality of drinking water, nor the costs imposed on society through carbon emissions. In cybersecurity, implementation of an application security tool may present a positive ROI for the security team but may also result in a negative externality of slower or fewer software releases, imposing a cost on the software engineering team(s), the organization, and its customers. The costs and benefits are likely to be quite different from the perspective of a security team, the organization and other teams within it, the users and customers, and the society around them. A benefit for one stakeholder may beget a cost for another. Tables 1 and 2 untangle this complexity by illustrating the costs and effects of opportunity cost in cybersecurity. They distinguish tangible from intangible costs/benefits and highlight that these apply to several key groups: employees, organizations, and society.
Time is an important component of opportunity cost but is often neglected in practice. It takes time to answer help-desk tickets and to develop new security policies. The investment of time also has second-order impacts, such as on employee satisfaction, burnout, and turnover. Emotional experience, such as anxiety, frustration, and confusion, is often overlooked as a cost when evaluating options, despite its well-documented salience during human decision-making.10 The stress of time pressure can exacerbate users’ frustrations with a security tool’s lack of usability, making-