I'm a student and fairly new to the IT security field. Most articles and books say you should only patch a vulnerability if the costs of a breach are higher than the costs of patching the vulnerability. However, I can't find any explanation that can give me at least some basic knowledge and skills about this issue.
As a security professional, it is often best to 'outsource' this calculation to the business. For example, if you identify a vulnerability which you can demonstrate is easy for an unskilled attacker to exploit to destroy the customer database, and the operations team estimate bringing it back from backups will take 4 hours, including checks, ask the business owner what that will mean to them in terms of cost or impact.
The business should have a view on indirect costs created by customers avoiding the company, and an advertisement complain to restore confidence.
Once they have told you the cost, your side - helping to define protection - is much easier, as @growse said.
The equation usually does not work on a one-to-one though. You'd think if cost of breach is higher than cost to fix then carry out work to fix, but more commonly we see it being more like if cost of breach is more than 10x cost to fix then remediate.
I think that to answer this question, you need to have a solid understanding of the value of the assets you are trying to protect. If we think of information security as providing confidentiality, integrity, and availability (CIA), we can also try to determine the cost to the organization if these assurances are undermined.
C: Given the value of some proprietary information, use that to estimate the cost if this data is disclosed.
I: Given the value of some operational data, use that to estimate the potential loss or disruption of operations if this data is maliciously (or accidentally) modified without detection for some time.
A: Given the revenue produced by a service (e.g., e-commerce website), or the productivity enabled by a system (e.g., internal email system), use that to estimate what financial loss would occur if the service or system was to go down for a given period of time. It helps if you have an idea of how long a service disruption is likely to last before being identified and corrected.
As others have mentioned, I would recommend involving the data and service owners in your business to help calculate better value estimates. Not only will your results be more accurate and have more meaning, but you will also increase buy-in from management in the process.
In short, it's not easy.
Pretty much all IT security decisions should be made in context of what the "business" is trying to do (when I say "business", I mean "people paying for the system and making money from it" - usually a business).
To estimate the cost of an incident, you have to weigh in all related costs related to recovering the system back to business as usual. If your entire customer database is stolen, and then deleted, there may be significant costs in downtime, regulatory fines (if your government doesn't think you were protecting the data properly), loss of business through customer reputation etc. Obviously, costs for different incidents may vary wildly.
The cost of mitigating a vulnerability is usually easier to work out, it's just the amount of stuff you have to buy + the amount of time it takes you to enforce the control and run the process. If you need to hire an extra full-time person to work a particular control (e.g. IDS), that's a fairly significant cost and may not be worth the expense compared with the likely incident that may happen if you didn't implement the control.
Hopefully that makes some sort of sense.
As previous questions have peripherally touched on, there are lots of formal frameworks for risk management, which cost estimation is an important part of. Fundamentally, though, a security breach is going to be a business cost more than an IT cost. The owner(s) of the data that gets destroyed, compromised, or rendered temporarily inaccessible will have to have a lot of input into your cost estimate. That part of the cost will usually dwarf the "reinstall the server OS, patch the hole they got in through" part.
