What is the true cost of information security? How should an architect measure this cost?

What is the true cost of information security? How should an architect measure this cost?