Cost-benefit analysis as a tool to strengthen organisational cyber resilience

Abstract

Organisations face a wide range of cyber threats with significant operational, financial and reputational impacts. Strengthening resilience therefore requires not only technical and organisational measures, but also clear economic justification. Cost–Benefit Analysis (CBA) is a well-established method that compares the costs of security measures with their benefits, such as reducing the likelihood of incidents, limiting their impact or shortening recovery times. In line with NIS2 and ISO/IEC 27001:2022 and ISO/IEC 27005:2023, CBA supports proportionate, risk-based and cost-effective security. This paper outlines the methodology, its role in decision-making, and a practical example of its application in enhancing cyber resilience and trust.