In 2013, the US president as part of a an executive order designed to protect the nation’s infrastructure against critical attacks, directed the National Institute of Standards and Technology (NIST) to develop security frameworks that would serve as a standard for companies and provide bare minimum protection against attacks. While this is a starting point, enforcing these frameworks on organizations is a challenge in the absence of incentives. Incentives for corporates typically imply return on investment or need to be monetary. The paper reviews the cost of attacks to firms and finds that the cost is not significant enough for organizations to undertake a significant investment in cybersecurity.