Every enterprise has a minimum viable security posture. Fall below it, and you’re not just vulnerable — you’re indefensible. Here’s what the line is, what sets it, and how it’s computed.
The Cybersecurity Poverty Line is the minimum annual security investment and control posture below which an organization cannot maintain a defensible position against its actual threat environment — a floor determined not by industry averages or framework checklists, but by the organization's own threats, regulatory obligations, business model, data sensitivity, capacity, and risk tolerance. Below the line, breach is a matter of when. The line is different for every organization, and it can be computed.
The term has a lineage worth knowing. Security strategist Wendy Nather coined the "security poverty line" in 2011 to name a condition the industry preferred not to see: a large class of organizations — small businesses, schools, local governments, low-margin enterprises — structurally unable to afford a baseline security posture, no matter how many best-practice guides they were handed. It was, and remains, one of the most clarifying diagnoses in security. What it never had was an instrument. The poverty line existed as a metaphor; nobody could tell a specific organization where theirs was. That's the part we built. The Cyber Poverty Line® in Foundations is the operationalized version of Nather's insight: not "some organizations are below a line," but "your line is $1.8M and you're $340K under it."
The cybersecurity industry has a measurement problem. We've convinced ourselves that security is binary: you're either "secure" or you're not. But that's not how risk works.
In economics, the poverty line represents the minimum income required to meet basic needs. Fall below it, and you can't survive. Exceed it by 10x, and you're comfortable — but there's a point of diminishing returns. Cybersecurity works the same way. Every enterprise has a poverty line: the minimum security posture required to survive in its threat environment, given its risk profile, industry, regulatory obligations, and organizational capacity.
"The problem isn't that we're spending too little on security. The problem is we have no idea what 'enough' looks like for OUR organization." — CISO, Fortune 500 financial services firm
Traditional approaches can't tell you where your poverty line is. They sell you best practices that might be overkill for a regional manufacturer or catastrophically insufficient for a critical infrastructure provider. They tell you to "adopt zero trust" without asking whether your organization can actually implement and sustain it.
A regional manufacturing company and a multinational bank have fundamentally different threat profiles, regulatory requirements, and risk tolerances — yet most security frameworks recommend the same controls for both. The fix isn't a better generic baseline. It's a context-aware one: a minimum posture calculated from your specific threat environment, regulations, business model, data sensitivity, and capacity to sustain controls.
Six factors define your minimum viable security posture:

1. Threat environment: Who's targeting you? Nation-states, ransomware gangs, opportunistic attackers? Your adversaries determine your minimum defensive posture.
2. Regulatory obligations: HIPAA, PCI-DSS, CMMC, GDPR, state privacy laws. Regulatory obligations create non-negotiable minimums.
3. Business model: SaaS company? E-commerce? Critical infrastructure? Your revenue model and customer commitments define risk exposure.
4. Data sensitivity: What data do you hold? PHI, financial records, trade secrets, or public information? Data value determines attack motivation.
5. Organizational capacity: Team size, budget, technical debt, and culture. You can't implement what you can't sustain.
6. Risk tolerance: Board appetite for risk, insurance coverage, incident history, and business resilience capabilities.
| Below your poverty line | Above your poverty line |
|---|---|
| Breach is a matter of when, not if | Risk reduced to acceptable, quantified levels |
| Regulatory penalties likely exceed the cost of fixes | Compliance requirements demonstrably met |
| Insurance claims may be denied for failure to maintain controls | Insurance position strengthened at renewal |
| Business continuity at serious risk | Board can justify security investment with numbers |
And one consequence that extends beyond your own walls: organizations below the line aren't just exposed — they're the soft entry point into everyone they connect to. Supply-chain attacks consistently route through the least-resourced link, which is why primes interrogate subcontractors, enterprises interrogate vendors, and insurers interrogate everyone. Your poverty line is increasingly other people's business.
This is the difference between the metaphor and the instrument — a poverty line finding in the form Foundations delivers it (illustrative):
Your line: $1.8M/year minimum viable posture. Current spend: $1.46M — $340K below the line, with the deficit concentrated in detection & response and incident readiness. Closing the gap reduces modeled annual loss by an estimated $2.7M — a 7.9× return on the deficit spend.
The real Cyber Poverty Line® is computed from your assessment data — the methodology below. But a directional estimate is better than no number at all, so: five inputs, public benchmark patterns, an indicative range. Treat it as a conversation starter, not a budget.
Directional estimate derived from public spending-benchmark patterns. This is not the Cyber Poverty Line® calculation — the real line is computed in Foundations from your threat environment, regulatory obligations, architecture, and organizational capacity, and routinely lands outside ranges like these for organization-specific reasons. That difference is the point.
Privacy & disclaimer: This estimator runs entirely in your browser. Nothing you enter is collected, transmitted, stored, or shared — no analytics, no tracking, no data leaves this page. Results are provided for informational and educational purposes only and do not constitute security, financial, legal, or professional advice; do not rely on them for budgeting, compliance, insurance, or investment decisions. Risk Aperture makes no representations or warranties regarding the accuracy or applicability of these estimates to any specific organization.
Methodology built on 20+ years of DoD and Fortune 500 experience:

1. We analyze your industry, geographic presence, business model, and digital footprint to identify likely threat actors and attack vectors. This isn't speculation — it's grounded in threat intelligence and a decade of incident response experience.
2. Every applicable regulation, standard, and contractual obligation is mapped to specific control requirements using OSCAL frameworks. These create your non-negotiable baseline.
3. What are your crown jewels? Which systems, if compromised, would cause existential harm? We quantify business impact across confidentiality, integrity, and availability.
4. Team capabilities, technical debt, budget constraints, cultural factors. Your poverty line must be achievable — we factor in what you can actually implement and sustain.
5. Combining all factors, we calculate the minimum control set required to keep your residual risk within acceptable bounds — and price it. This is YOUR poverty line: contextualized, quantified, and defensible.
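The arithmetic behind a finding like the illustrative one above (the line, the deficit, where it concentrates, and the return on closing it), as an added example that is not Foundations code; the domain names, floor costs, current spend and modeled-loss figures are all constructed to reproduce the article's illustrative numbers:

```python
# Added illustration of the poverty-line arithmetic: price the minimum control
# set per required domain, compare it to current spend, and report the gap.
# Not Foundations code; every figure here is constructed, not assessment data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Domain:
    name: str
    mandated: bool         # True if a regulatory/contractual obligation requires it
    floor_cost: float      # annual cost of the minimum control set for this domain
    current_spend: float   # what the organization spends on the domain today
    loss_avoided: float    # modeled annual loss removed by closing this domain's gap

# Constructed example: required domains after mapping threats and obligations.
EXAMPLE_DOMAINS = (
    Domain("identity & access",        True,  420_000, 420_000,   300_000),
    Domain("detection & response",     False, 560_000, 330_000, 1_900_000),
    Domain("incident readiness",       True,  260_000, 150_000,   800_000),
    Domain("vulnerability management", False, 300_000, 300_000,   100_000),
    Domain("governance & compliance",  True,  260_000, 260_000,   100_000),
)

def poverty_line(domains):
    """The line: price of the minimum control set across every required domain."""
    return sum(d.floor_cost for d in domains)

def current_spend(domains):
    return sum(d.current_spend for d in domains)

def deficits(domains):
    """Per-domain shortfall below the floor, largest first; a surplus elsewhere never offsets a gap."""
    gaps = {d.name: d.floor_cost - d.current_spend for d in domains if d.current_spend < d.floor_cost}
    return dict(sorted(gaps.items(), key=lambda kv: kv[1], reverse=True))

def finding(domains):
    """Board-level summary: line, position against it, and return on closing the gap."""
    line, spend = poverty_line(domains), current_spend(domains)
    gaps = deficits(domains)
    deficit = sum(gaps.values())
    avoided = sum(d.loss_avoided for d in domains if d.name in gaps)
    return {
        "line": line,
        "current_spend": spend,
        "deficit": deficit,
        "deficit_concentrated_in": list(gaps)[:2],
        "unfunded_mandates": [d.name for d in domains if d.mandated and d.name in gaps],
        "modeled_loss_avoided": avoided,
        "return_on_deficit": round(avoided / deficit, 1) if deficit else None,
    }
```

`unfunded_mandates` flags gapped domains that a regulation or contract requires, the part of the deficit that is non-negotiable rather than risk-tolerance driven.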
Foundations doesn't just locate your poverty line — it shows the gap between where you are and where you need to be, prioritizes investments by impact, and tracks progress over time. Board-ready dashboards, executive summaries, and detailed technical roadmaps, personalized to your organization.
A benchmark tells you what peers spend — an average of other organizations' accounting. Your poverty line is computed from your threats, obligations, and capacity. Two companies with identical revenue can have poverty lines that differ by multiples, and a benchmark will never show either of them that. (For the full argument about why benchmarks can't answer spending questions, see How Much Should You Spend on Cybersecurity?)
Absolutely — they're different failure modes. The poverty line is a floor: below it, you're structurally indefensible. Above it, allocation quality takes over: overlapping vendors, over-armored domains, blind spots. The ceiling question — where additional spend stops buying meaningful risk reduction — is the optimal investment point, and the healthy region between floor and ceiling is what we call the Goldilocks Zone. Foundations computes both ends.
The opposite, if anything. Nather's original insight was about the under-resourced: small and mid-sized businesses, healthcare providers, schools, local agencies, low-margin companies. Those are precisely the organizations that can't afford to guess — and that now face poverty-line questions from the outside, as enterprise customers, primes, and cyber insurers demand evidence of a defensible posture before signing. A computed line is how a 60-person company answers a 400-question security questionnaire with a straight face.
Constantly. New regulations raise the regulatory floor, threat actors reprice industries (ask manufacturing about ransomware), your own growth changes your exposure, and acquisitions change everything at once. That's why the poverty line in Foundations is a tracked metric with quarter-over-quarter trending, not a one-time consulting artifact.
Beginning with our next publication cycle, Risk Aperture will publish anonymized, aggregated benchmark data from Foundations assessments: where the poverty line sits by organization size and vertical, what share of assessed organizations fall below it, and where the deficits concentrate. The poverty line has been a metaphor since 2011. We intend to give the industry its first recurring measurement of it.
Stop guessing. Stop overspending. Stop underspending. Foundations computes your minimum viable security posture — contextualized, quantified, and defensible.