In one sense, you’re right, it is obviously correct. *Iff* you can actually do the calculation well, honestly, and convincingly, that is.
In practice, it’s really hard to do that in a way that is consistent and principled. Most who try end up succumbing to various forms of motivated reasoning. And even when you do manage it, you have to make a lot of assumptions and extrapolations that get you really wide error bars, and a result that no one is going to believe unless they already want to believe your conclusion.
The other problem is you can’t assume the analysis still holds if any of all those assumptions change. Two people, each with credible proposals to reduce the risk and cost of cybercrime in that sense, they can both make similar cost and benefit claims, but clearly effects are not additive; your estimate defines a max not a sum. This is always strictly the case, but if you use a narrower analysis than you can often treat them as approximately independent. If you want to make real-world decisions, you should include a sensitivity analysis as well.
In one sense, you’re right, it is obviously correct. *Iff* you can actually do the calculation well, honestly, and convincingly, that is.
In practice, it’s really hard to do that in a way that is consistent and principled. Most who try end up succumbing to various forms of motivated reasoning. And even when you do manage it, you have to make a lot of assumptions and extrapolations that get you really wide error bars, and a result that no one is going to believe unless they already want to believe your conclusion.
The other problem is you can’t assume the analysis still holds if any of all those assumptions change. Two people, each with credible proposals to reduce the risk and cost of cybercrime in that sense, they can both make similar cost and benefit claims, but clearly effects are not additive; your estimate defines a max not a sum. This is always strictly the case, but if you use a narrower analysis than you can often treat them as approximately independent. If you want to make real-world decisions, you should include a sensitivity analysis as well.