Economists make the distinction between “stated” and “revealed” preferences—loosely defined as what we say versus what we do—when analyzing decisions and looking for utility. Luckily, in technology risk management the “what we do” part is readily available. It makes itself known in all our resource allocation decisions. When we determine a mix of activities to perform, we spend people money. When we make purchasing decisions, we spend service or capital investment money. All of these decisions reveal something about the perceived value of the activity relative to other actions.
Everyone who goes to their boss lobbying for more budget believes they have an honest reason for doing so. But they don’t. It’s like how everyone believes they are an above average driver. The source of this belief cannot be an honest appreciation of the facts. Therefore, it must be a dishonest belief in one’s own worth. Cybersecurity have this in spades. They’ve raised their profession into some sort of quasi-religion. Cybersecurity has become some sort of moral duty rather than a rational cost/benefit or threat analysis.
The competition would try to get software developers to think about security as they were writing software and other applications, said John Colley from the ISC Squared security certification organisation. "It costs 100 times more to retro-fit security to an application than it does to do it from the start," he said. No wonder (ISC)2 is getting a bad reputation, if they’re making such stupid and unsubstantiated claims. BBC News - UK seeks software writers with Cyber Security Challenge