Blog

The invisible cost of interest: why 'security expenses' are an economic myth

I've written a new blog post about "The invisible cost of interest", explaining why the claim "security costs money" is often an economic myth and a truth with qualifications.

We readily calculate licences, consultants and incidents. But we almost always overlook what actually becomes the most expensive: lost business when trust falters, internal friction when structures break down, and an innovation brake when risk frameworks are unclear. That cost doesn't show up in the budget line, but it accumulates every day.

The point is simple: it's not security that costs — it's insecurity. And when we start measuring outcomes (time, tests, capability) rather than PDF volume, security suddenly becomes the lubricant for faster decisions, better collaboration and stronger competitiveness.
Robert Willborg

Co-founder and Chief Security Officer at OneMore Secure.

I've often heard the phrase "security costs money". It sounds reasonable. Tools cost money. Consultants cost money. Incidents cost money. But every time I review the calculations, I see the same blind spot: we almost only count what is visible and miss the invisible cost of interest. That cost is disorder, low trust and hesitation.

The real cost is not security but insecurity.

We only account for what is visible

When we talk money in security, we tend to focus on licences, hours and incident-related expenses. These are tangible. They fit in the budget. But we rarely account for the large, silent effects: deals that fall through because the counterpart lacks trust, extra overhead caused by weak structures, and an innovation brake when the risk framework is unclear. The World Economic Forum puts it plainly: cyber risk has become business risk, and trust has become a market factor influencing speed, capital and partnerships (World Economic Forum, 2024). The OECD expresses the same with a different voice: digital security must be managed as an economic risk within core business, not as a side project (OECD, 2022).

The invisible cost of interest in everyday life

In practice, I see three recurring patterns ticking away in the background, even when everything seems "calm" on the surface.

The cost of trust

A potential customer hesitates when due diligence reveals weak governance or inconsistent routines. Discussions drag out. Sometimes the deal quietly falls through. This cost doesn't appear in a security line in the budget, but it shows up in lost revenue. Trust is built when the counterpart sees traceability and capability that hold firm even under pressure, which is also part of why cyber resilience is increasingly linked to growth and investment (World Economic Forum, 2024).

The cost of friction

When structure is lacking, micro-delays accumulate during the working day. More manual steps. More exceptions. More stops and restarts. This consumes time and energy that never appear in licence costs. The EU's occupational safety agency highlights how digital work with many small decisions increases psychological strain and can reduce quality over time (EU-OSHA, 2023/2024).

The innovation brake

When the risk framework is unclear, new ideas come to a halt at the last moment. Not because the idea was bad, but because uncertainty was high. The OECD emphasises that clear risk frameworks encourage organisations to act faster: without a framework, security becomes a roadblock; with one, it can become an accelerator (OECD, 2022).

Add to this what European situation reports indicate: attacks often come through people and supply chains. More gadgets won't help if climate and structure are missing. Then both quality and trust suffer (ENISA, 2023).

Why we tend to avoid this

It's easier to say "security costs money" than to admit that insecurity is expensive and that our decision models sometimes price security negatively. Numbers on licences and hours are easy to question. Numbers on lost business, slower pace and lower engagement are harder. But just because they're hard doesn't mean they're small. When risk is seen as a core management issue, the gap between what we measure and what we actually need shrinks: faster decisions, fewer surprises and more robust relationships (OECD, 2022; World Economic Forum, 2024).

Final note: security as a lubricant

I don't see security as an extra cost. I see it as the lubricant in the engine. Without lubricant, things run fast for a while. Then they overheat, seize up, and everything that seemed cheap becomes expensive. With proper lubrication, the machine runs faster over time. Decisions become clearer. Partnerships become easier. Energy lasts longer.

When we can show that security enables faster decisions, better partnerships and less internal friction, we can also compete on trust. Then the question isn't "what does security cost?", but "how much interest do we save when insecurity decreases?" and the answer is usually: more than we think (World Economic Forum, 2024; OECD, 2022; ENISA, 2023; EU-OSHA, 2023/2024).

References

· ENISA. (2023). ENISA Threat Landscape 2023. European Union Agency for Cybersecurity.

· European Agency for Safety and Health at Work (EU-OSHA). (2023/2024). Digitalisation and workers' wellbeing: psychosocial risks & evidence base.

· OECD. (2022). Recommendation of the Council on Digital Security Risk Management. Organisation for Economic Co-operation and Development.

· World Economic Forum. (2024). Global Cybersecurity Outlook 2024.

Robert Willborg

What digital sovereignty really means

Sovereignty isn't geographical. It's control.

Robert Willborg

From an economy of insecurity to trust

A story about an industry that lost its way.

Robert Willborg

Airworthiness for the digital society

NIS2 wants us to fly safely, not just fill in paperwork.

Robert Willborg

EU Data Act

When the EU builds "emergency exits" in your data corridors (and no one's read the signs yet).
Go to blog page