B < P x L

What does the formula B < P x L, also known as the “calculus of negligence”, have to do with cybersecurity? It is a test of whether the cost of prevention is less than the cost of the damage it prevents.

This algebraic expression was made famous by Judge Learned Hand in the 1947 case United States v. Carroll Towing Co. In that case, a barge loaded with United States flour broke loose from its mooring in New York Harbor, hit a tanker and sank. The barge operator was found negligent. The judge ruled that the barge owner's duty of care was a function of three variables:

1. The probability that the barge will break away;

2. The gravity of the resulting injury, if she does;

3. The burden of adequate precautions.

If the cost or burden (B) of implementing precautions is less than the risk [probability (P) times loss (L)] of the event, then the duty-of-care test is met: the precaution is owed and should be taken.

On the other hand, if the cost of implementing the precaution outweighs the damage it is meant to prevent, then the test is not met and the precaution is not owed.

In cybersecurity we face this duty-of-care test all the time. For example, imagine Company X suffers a data breach and the attackers steal customer data. Company X is sued for failing to protect the data. Company X loses in court because the plaintiffs successfully argue that the cost of preventing this high-risk event (e.g. implementing MFA and patching systems) was less than the damage it caused (e.g. system recovery and credit monitoring for customers).

So when your organization is faced with evaluating the costs of mitigating high risks, make this calculation part of your duty-of-care analysis; otherwise a judge might do the analysis for you.
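A worked version of that calculation, added here as an example and not part of the original post: it applies the Hand test to the breach scenario above in its incremental form, comparing each control's burden B with the expected loss (P x L) it actually removes, since a control lowers P rather than eliminating it. All dollar figures and probabilities are constructed, illustrative assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    burden: float     # B: annual cost of the precaution
    p_without: float  # P: probability of the breach if the control is absent
    p_with: float     # residual probability once the control is in place (assumed)


def expected_loss(p: float, loss: float) -> float:
    """P x L: the risk term of the Hand formula."""
    return p * loss


def precaution_owed(control: Control, loss: float) -> bool:
    """Hand test in incremental form: a control is owed when its burden is
    less than the expected loss it removes, B < (P_without - P_with) x L."""
    return control.burden < expected_loss(control.p_without - control.p_with, loss)


def duty_of_care_review(controls: list[Control], loss: float) -> list[dict]:
    """Score every candidate control and order them by net benefit, so the
    review shows which precautions the test says are owed and which are not."""
    rows = []
    for c in controls:
        avoided = expected_loss(c.p_without - c.p_with, loss)
        rows.append({"control": c.name, "burden": c.burden, "avoided_loss": avoided,
                     "owed": c.burden < avoided, "net_benefit": avoided - c.burden})
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


# Constructed figures for the post's scenario: L is system recovery plus credit
# monitoring for customers; the probabilities are illustrative assumptions.
BREACH_LOSS = 2_000_000.0
CANDIDATE_CONTROLS = [
    Control("MFA on all accounts", burden=60_000.0, p_without=0.30, p_with=0.10),
    Control("Patch within 14 days", burden=120_000.0, p_without=0.30, p_with=0.15),
    Control("Rewrite every application", burden=5_000_000.0, p_without=0.30, p_with=0.02),
]

if __name__ == "__main__":
    for row in duty_of_care_review(CANDIDATE_CONTROLS, BREACH_LOSS):
        verdict = "owed" if row["owed"] else "not owed"
        print(f'{row["control"]:28} B={row["burden"]:>12,.0f} '
              f'avoided P x L={row["avoided_loss"]:>12,.0f} -> {verdict}')
```

With these inputs MFA and patching are owed (each costs far less than the expected loss it removes), while the rewrite is not, even though it reduces P the most.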

https://law.justia.com/cases/federal/appellate-courts/F2/159/169/1565896/
