Recently, Anup Ghosh wrote an excellent post around optimizing security investments against the kill chain. However, there was one line that stood out for me that I think requires a deeper look.
Anup writes "the incident response dollar... is equivalent to one million times an equivalent prevention dollar."
I would argue that this statement is a stretch based on risk math. The equation for risk (from a Bayesian perspective) is often referred to as: