In 1994, Tengs et al. published the research paper “Five-Hundred Life-Saving Interventions and Their Cost-Effectiveness.” The research reviewed 587 different interventions and calculated the “cost per life-year saved” as a normalized metric across over 200 different studies on economic costs.
So, for example, using available data they calculated that automatic fire extinguishers in airplane lavatory trash receptacles cost $16,000 per life-year saved. (This was in 1993 – maybe smoking was still allowed then?)
Interestingly, these costs ranged from “those that save more resources than they consume to those costing more than 10 billion dollars per year of life saved.” The median cost per life-year saved was $42,000. The paper also breaks down amounts by type of intervention and prevention stage, and even provides some data on proposed government regulations by regulatory agency (FAA median $23,000; EPA median $7,600,000).
As a quick aside, the existence of this data helps one understand that even in circumstances where “success means nothing happened” (in this case, death didn’t happen), there is still plenty of opportunity to assess the benefit of some particular intervention.
These types of “revealed preference” study results can be eye-opening to those who suggest we should spend “whatever it takes” to address some particular concern. Given the large variance in costs, perhaps that isn’t the best course of action. It is nice to think we have unlimited resources, but at some point they run out. When they do, not only does that impact overall effectiveness, but opportunity costs come into play.
What does this mean for cybersecurity? Though it is no longer fair to say there is no data available to our profession, it certainly is difficult to leverage the data coming out in ways that are helpful to an organization. However, we can start thinking in terms of estimates and measures that make sense. In particular, we can evaluate and compare the costs of various controls against each other and factor in some notion of anticipated risk reduction.
We can learn a lot from studies like these.