After a few conversations, and having seen (part of) Russell Cameron Thomas’ post on the topic, I am beginning to realize that people are making a common mistake about Lindstrom’s Razor, which states:
The digital assets in question must be worth at least as much as you pay for them.
It is important to recognize that these costs are NOT associated with security spending to protect the assets; they are the amount spent on the asset itself. This is pure digital asset value as opposed to ALE (annual loss expectancy). So if I spend $5 million on a new manufacturing application, that application is worth the $5 million to the enterprise.
ALE is risk adjusted and factors in costs related to losses that aren’t related to value. One of the other confounding factors in all this is that digital asset value is not the only component, and may be only indirectly related to consequences/impact/losses.