Information security is most reliably done with a layered model, and thinking about that fact leads to a couple of interesting economic points.
The basic idea behind the layered model is that several successive security measures must be bypassed before data can be accessed. The outer layers protect large sets of data, like firewalls at the boundary of a corporate network, while middle layers protect sets of machines, like the traffic isolation provided by switched wired networking and VLANs. Inner layers protect smaller amounts of data, like that accessible from a single server, protected by the authentication and authorization infrastructure of the operating system. The innermost layers protect only part of this data, such as GPG encryption on a single data file.
The amount of data a security measure protects matters because of a simple fact: it is bad business to spend more money securing a thing than the thing is worth. There’s no point in buying a $500 safe to protect a $10 bill.
Consequently, the outer layers of a security model, which protect the most data, can and generally do cost the most, since their cost is amortized across all the data in the company. Corporate firewalls, VPNs and AAA infrastructure carry very significant per-seat licensing, hardware and administration costs, but because they protect all corporate data, the cost of protecting a petabyte of data for a year works out to be relatively low.
Move toward the inner layers of the onion, however, and because each measure protects less data, both the expected and the actual cost drop spectacularly. At the single-server level and below, the standard layered security measures are generally available for “free”: they ship with the operating system or can be freely downloaded, and what remains is operational cost, namely administration, patching the installed base when vulnerabilities are found, educating the workforce in the proper use of the tools, and auditing and compliance remediation.
Those costs are not zero, nor are they particularly low, but, again, they can be amortized over more than one set of data. This leads to the second point:
Because the marginal per-seat cost at the inner layers of the model drops to near zero while the administrative and educational overhead is fixed per technology rather than per seat, it is much more economical to standardize on one security technology for a given layer across the enterprise than to support several competing ones: each extra technology adds a full set of overhead while protecting no additional data. It also follows that this holds more strongly at the inner layers of the model than at the outer ones, because there the fixed overhead is nearly the whole cost.