Determining the appropriate level of investment in an enterprise cybersecurity program is not
straightforward. This is due to the fact that the ROI (return on investment) for cybersecurity can be
difficult to calculate, as published loss data is difficult to source, verify and relate to current enterprise conditions. It can, in some cases, be less expensive to invest in cybersecurity defences than to pay for the aftermath of a hack, which can include the costs of data restoration, malware mitigation, etc.

Read the full recommendation here.