Confessions of an Ex-MBA Professor: You Can't Spend Your Way to a Secure Network (Any More Than You Can Tax Yourself Into Prosperity)
Anyone? Anyone?
Class, let's dive into expected value—the beating heart of finance and decision-making. In the unemployment capital of America, I'd watch MBA students mortgage their futures with six-figure debt, utterly convinced the law of large numbers would smooth their path to prosperity: more classes, more networking, averaged success. I'd pull up live manager-level job listings—zero—and let the silence hit. "You've financed delusion," I'd say. No sugarcoating. Truth is the only professor that never lies.
We modeled their Plan B hustles too: mobile car washes chasing a million in profit. Crunch the NPV—equipment, fuel, insurance, marketing, 200,000 cars washed at razor margins. Twenty years of life evaporated, trading finite time for capped returns. Wages have ceilings; profits scale. But diminishing marginal returns? Relentless. Past the inflection point, extra effort yields negative ROI fast.
Anyone? Anyone spotting the exact parallel in internal network defense?
Small businesses treat security the same way: pile on tools, subscriptions, and "layers," praying the law of large numbers averages out the risk. More spend must mean more safety, right? Wrong. Insurers live the law of large numbers: they pool thousands of independent risks into a predictable average and price premiums profitably against it. A single dairy, corner shop, or clinic holds one risk, not a pool. Its one breach isn't averaged away; it's catastrophic ruin. You can't subscribe your way into an insurer's portfolio.
The Gordon-Loeb model (Gordon and Loeb, 2002), still the standard reference two decades on, puts a ceiling on it: for the breach-probability functions the model covers, optimal cybersecurity investment never exceeds 1/e, roughly 37%, of the expected annual loss (expected loss = probability × impact), and the true optimum usually sits well below that. Treat 37% as the cap, not the target. Past the optimum every extra dollar buys less than a dollar of avoided loss, and in practice the return goes negative as complexity spawns new attack surface, alert fatigue, and maintenance drag. That is frivolous spending, pure economic waste.
Recent data (IBM Cost of a Data Breach 2024; Verizon DBIR 2025, which analyzed 22,052 incidents and 12,195 confirmed breaches) hammers the point:
88% of breaches at small and medium businesses in the DBIR 2025 sample involved ransomware. Attackers feast on low-hanging fruit, and there is no law of large numbers to save you.
Global average breach cost: $4.88 million in IBM's 2024 report (up from $4.45 million in 2023). For a small operation even a "small" hit cascades into an existential threat.
Real cases, no hypotheticals, no averages. These are operations just like the dairies and farms you visit. For each one I treat the realized loss as if it were the expected annual loss (a simplification that, if anything, overstates the cap) and apply the 1/e ceiling:
A family-owned mom-and-pop retail store: POS malware, planted after an initial compromise, quietly exfiltrated customer card data. Realized loss: $50,000 in fraud investigations, reimbursements, and legal fees. The 1/e ceiling on sensible spend: roughly $18,500. Anything more is theater.
Westend Dental (Indianapolis): a 2020 ransomware attack encrypted the practice's systems after initial access, with alleged delayed reporting and cover-up attempts afterward. Settlement: $350,000 with the Indiana Attorney General. The 1/e ceiling: about $129,500. Whatever spread happened between the first foothold and the encryption went unseen; more tools would not have changed that, only added blind spots.
First Choice Dental (Wisconsin): a 2023 ransomware breach exposed the data of roughly 159,000 patients and drew a class action. Settlement: up to $1.225 million. The 1/e ceiling: about $453,000. Past that you are paying for complexity that still fails when lateral movement goes unseen.
A US farm (unnamed in the FBI IC3 notification): a January 2021 ransomware attack temporarily shut down farming operations. No ransom paid, still roughly $9 million in production losses. The 1/e ceiling: around $3.33 million, and for most family farms the same principle scales brutally down.
These businesses almost certainly had the basics: strong passwords, antivirus, backups. It didn't matter. The attacker breached once (phishing, exposed RDP with weak credentials, unpatched software), then moved east-west through the network unseen: admin shares and remote execution over SMB, RDP hops on harvested credentials, quiet exfil over an allowed outbound channel, until the ransom note or the lawyers arrived. Backups let you wipe and restore (tell them to fuck off and rebuild), but they do nothing about the days or weeks the intruder spent inside: zero visibility into the darkness where the real damage brews.
Class question from the floor: a conservative annual breach probability for a small operation sits at 20 to 30% (consistent with DBIR patterns). Expected loss on a realistic $200,000 impact event: $40,000 to $60,000 per year. Gordon-Loeb ceiling: $15,000 to $22,000 a year of efficient spend, with the true optimum below it. Spend that on high-ROI controls and your expected loss falls by far more than you pay. Overspend into diminishing returns and you're trading life for illusion, just like those car-wash dreams.
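The arithmetic above, carried through the actual Gordon-Loeb model rather than just the 37% rule of thumb. This is an added example, not code from the original post: it uses the page's 25% probability and $200,000 impact, but the breach-function parameters alpha and beta are assumed for illustration (they describe how quickly spend reduces the breach probability, and a real shop would have to estimate them), and the class I breach function is one of the two forms from the 2002 paper.

```python
import math


def expected_annual_loss(prob, impact):
    """Expected annual loss = probability of a breach this year x loss if it happens."""
    return prob * impact


def gordon_loeb_ceiling(eal):
    """Gordon-Loeb upper bound: optimal spend never exceeds (1/e) ~ 37% of expected annual loss."""
    return eal / math.e


def breach_prob(z, v, alpha, beta):
    """Gordon-Loeb class I breach function: probability of a breach after investing z,
    starting from baseline vulnerability v. alpha > 0 and beta >= 1 set how fast spend buys safety
    (both assumed here for illustration)."""
    return v / (alpha * z + 1) ** beta


def net_benefit(z, v, loss, alpha, beta):
    """ENBIS: expected loss avoided by investing z, minus z itself."""
    return (v - breach_prob(z, v, alpha, beta)) * loss - z


def marginal_return(z, v, loss, alpha, beta):
    """Avoided loss per extra dollar at spend level z (derivative of the avoided-loss term).
    Above 1.0 the next dollar pays for itself; below 1.0 it is waste."""
    return loss * v * alpha * beta / (alpha * z + 1) ** (beta + 1)


def optimal_investment(v, loss, alpha, beta):
    """Closed-form maximiser of net_benefit for the class I function:
    set marginal_return == 1 and solve for z, floored at zero (no spend beats any spend)."""
    z = ((alpha * beta * v * loss) ** (1 / (beta + 1)) - 1) / alpha
    return max(z, 0.0)


def worked_case(v=0.25, loss=200_000, alpha=1e-4, beta=1.0):
    """The page's numbers: 25% annual probability, $200k impact. alpha/beta are assumed."""
    eal = expected_annual_loss(v, loss)
    ceiling = gordon_loeb_ceiling(eal)
    z_star = optimal_investment(v, loss, alpha, beta)
    return {
        "expected_annual_loss": eal,
        "ceiling_37pct": round(ceiling),
        "optimal_spend": round(z_star),
        "residual_prob_at_optimum": round(breach_prob(z_star, v, alpha, beta), 4),
        "marginal_return_at_optimum": round(marginal_return(z_star, v, loss, alpha, beta), 3),
        "marginal_return_at_ceiling": round(marginal_return(ceiling, v, loss, alpha, beta), 3),
        "net_benefit_at_optimum": round(net_benefit(z_star, v, loss, alpha, beta)),
        "net_benefit_at_ceiling": round(net_benefit(ceiling, v, loss, alpha, beta)),
    }


if __name__ == "__main__":
    for name, value in worked_case().items():
        print(f"{name:>28}: {value}")
```

With these assumed parameters the optimum lands near $12,400, under the $18,400 ceiling: at the optimum the next dollar returns exactly one dollar of avoided loss, while at the ceiling it returns about 62 cents. Spending up to the cap is already waste; the 37% figure is where optimal spend can never go, not where it should sit.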
So now what, professor? Minimum Viable Security—maximum expected value.
A targeted Blackbox NDR deployment is the finance-approved play. Fed from a SPAN/mirror port or a network TAP, it passively watches the ports and protocols attackers ride for east-west movement and exfiltration (SMB, RDP, WinRM, and the less obvious remote-execution and backdoor channels), filters out the multicast and SSDP discovery chatter that buries real signal, and hands you clean, timestamped evidence of internal scans, spread, or data theft early, while there is still time to cut a host off before encryption, lawsuits, or shutdowns. Passive means no new attack surface on the network it watches and no agents to maintain. No stack of subscriptions bleeding cash. The one caveat a practitioner will raise: a passive sensor only sees the segments mirrored to it, so put the mirror where the workstation, file-server, and domain-controller traffic actually meets. Do that and you get the visibility that lets you stop the hit, keeps you inside the 37% ceiling, and frees your hours for living.
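What the detection side of that looks like in code, covering the attack path described earlier (one foothold, then SMB/RDP fan-out across the LAN, then a large push out to the internet) and the noise filtering just mentioned. This is an added example, not Blackbox's code or any code from the original post: it runs over constructed flow records (timestamp, source, destination, destination port, bytes out), and the port list, the five-target fan-out threshold, the five-minute window, the 100 MiB exfil threshold and the internal address ranges are all assumptions a real deployment would tune.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Ports attackers ride for east-west movement; the value is the name used in the alert.
LATERAL_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM/HTTPS", 135: "MSRPC"}
# Discovery chatter that buries real signal on a flat LAN; dropped before anything is counted.
NOISE_PORTS = {1900, 5353, 137, 138}          # SSDP, mDNS, NetBIOS name/datagram
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
# Monitored internal ranges are listed explicitly (assumed RFC 1918) rather than using
# is_private(), which also treats documentation ranges such as 203.0.113.0/24 as non-global.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FAN_OUT_THRESHOLD = 5            # distinct internal targets on one lateral port ...
WINDOW = timedelta(minutes=5)    # ... inside this sliding window looks like a scan or spread
EXFIL_BYTES = 100 * 1024 * 1024  # one internal host pushing >= 100 MiB out in a single flow


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def parse_flow(line):
    """One constructed flow record: 'ISO-timestamp,src,dst,dport,bytes_out'."""
    ts, src, dst, dport, out = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "bytes": int(out)}


def is_noise(f):
    return f["dst"] in MULTICAST or f["dport"] in NOISE_PORTS


def detect(lines):
    """Return fan-out (internal scan/spread) and exfil alerts, in time order."""
    alerts, fired = [], set()
    recent = defaultdict(list)   # (src, dport) -> [(ts, dst), ...] still inside WINDOW
    for f in sorted(map(parse_flow, lines), key=lambda f: f["ts"]):
        if is_noise(f):
            continue
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            # Outbound from the LAN: only the volume matters here.
            if f["bytes"] >= EXFIL_BYTES:
                alerts.append({"type": "exfil", "src": str(f["src"]), "dst": str(f["dst"]),
                               "bytes": f["bytes"], "ts": f["ts"].isoformat()})
            continue
        if f["dport"] not in LATERAL_PORTS or not is_internal(f["dst"]):
            continue
        key = (f["src"], f["dport"])
        # Slide the window: keep only hits newer than WINDOW, then add this one.
        recent[key] = [(t, d) for t, d in recent[key] if f["ts"] - t <= WINDOW] + [(f["ts"], f["dst"])]
        targets = {d for _, d in recent[key]}
        if len(targets) >= FAN_OUT_THRESHOLD and key not in fired:
            fired.add(key)   # one alert per (host, service), not one per packet
            alerts.append({"type": "fan_out", "src": str(f["src"]), "service": LATERAL_PORTS[f["dport"]],
                           "targets": sorted(str(d) for d in targets),
                           "first_seen": recent[key][0][0].isoformat(), "last_seen": f["ts"].isoformat()})
    return alerts


# Constructed sample: SSDP/mDNS noise, normal file-server traffic from two workstations,
# one workstation sweeping six neighbours on SMB, an RDP hop, then a 700 MiB push out.
SAMPLE_FLOWS = """\
2025-03-03T09:00:00,10.0.0.50,239.255.255.250,1900,300
2025-03-03T09:00:01,10.0.0.51,224.0.0.251,5353,120
2025-03-03T09:00:05,10.0.0.21,10.0.0.10,445,20480
2025-03-03T09:00:07,10.0.0.22,10.0.0.10,445,40960
2025-03-03T09:01:00,10.0.0.50,10.0.0.51,445,1200
2025-03-03T09:01:02,10.0.0.50,10.0.0.52,445,1200
2025-03-03T09:01:04,10.0.0.50,10.0.0.53,445,1200
2025-03-03T09:01:06,10.0.0.50,10.0.0.54,445,1200
2025-03-03T09:01:08,10.0.0.50,10.0.0.55,445,1200
2025-03-03T09:01:10,10.0.0.50,10.0.0.56,445,1200
2025-03-03T09:03:00,10.0.0.50,10.0.0.60,3389,98000
2025-03-03T09:40:00,10.0.0.60,203.0.113.7,443,734003200
"""


def run_sample():
    return detect(SAMPLE_FLOWS.strip().splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample this fires twice: an SMB fan-out from 10.0.0.50 at 09:01:08, the moment it reaches its fifth distinct target, and an exfil alert for 10.0.0.60 at 09:40. The single RDP hop in between does not trip the fan-out rule on its own, which is the point of keeping timestamps on everything: the evidence chain from sweep to hop to upload is what tells you which host to pull, and the fan-out alert arrives nearly forty minutes before the data leaves.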
Because finance is unforgiving: you can't spend your way to security any more than you can tax your way to prosperity. Build the efficient, minimalist system once. Protect real expected value. Thrive.
Questions from the floor?
Class dismissed. -PC (Professor Chell)
References
SKADI Cyber Defense. "Case Study: Payment breach at a local mom-and-pop shop." https://skadicyber.com/payment-breach-at-a-local-mom-and-pop-shop/
HIPAA Journal. "Indiana AG Agrees to $350,000 Penalty to Resolve Egregious HIPAA Violations at Westend Dental." https://www.hipaajournal.com/indiana-ag-westend-dental-hipaa-violations/
First Choice Dental Data Settlement, official settlement site. https://www.fcdgdatasettlement.com/ (and related HIPAA Journal coverage)
FBI Internet Crime Complaint Center (IC3). "Private Industry Notification: Cyber Criminal Actors Targeting the Food and Agriculture Sector with Ransomware Attacks." September 2021. https://www.ic3.gov/CSA/2021/210907.pdf
Gordon, L. A., and M. P. Loeb. "The Economics of Information Security Investment." ACM Transactions on Information and System Security 5(4), 2002, 438-457.
Verizon. "2025 Data Breach Investigations Report." https://www.verizon.com/business/resources/reports/dbir/
IBM. "Cost of a Data Breach Report 2024." https://www.ibm.com/reports/data-breach