In an ideal world, it may be true, but the reason for this misconception is actually the fact that managers need to justify their expenses and tend to put a price shield on everything.
How much would cost you if
– your website gets hacked?
– your network gets infected?
– Confidential data lands in the hand of hackers?
– user/customer information gets stolen?
Easy to make guess, but they are just wild guesses.
Best is to create a risk analysis and try to put tags on these risks like:
Probability to happen: High/Medium/Low
Cost to repair: <can be money, time>
Impact: <can be quantified in downtime, in hours of work in which people can’t work, reputation loss, etc.>
This is much better than to put a simple amount of money. It actually shows the exact impact on the company.All these and many more topics are in the free eBook "Improve your security" available here: www.improve-your-security.org.