Educause Security Discussion mailing list archives

Cost/benefit of new security?


From: "Bridges, Robert A." <bridgesra () ORNL GOV>
Date: Tue, 1 May 2018 22:44:15 +0000

Hi, we’re interested in how organizations make decisions on what security practices, tools, postures, to enact, buy, change. Specifically,

Does your organization do a cost-benefit analysis of mitigations to try to quantify the cost vs. savings of security? If so, how do you quantify risk, cost of potential breaches, operators’ time to use new tools, etc.?

Are new security measures driven by policy/law, reactions to previous attacks, forward-looking predictions, or something else?

Regardless of the techniques used to drive decisions, are the underlying inputs to the process more based on intuition or systematic deduction?

Thanks,
Bobby

--
Robert A. Bridges, PhD, Research Mathematician, Cyber & Information Science Research Group, Oak Ridge National Laboratory
