How Much Security is Enough?

How secure is your company?  Are you spending too much or not enough on security?  How would you know?  We don’t have 1,000 years of statistical data to build orderly models with nice normal distributions (if that is even the underlying distribution, which it most likely is not).

Much of what is spent is to fix an irritation or meet a regulation.  I know a company that first introduced anti-virus into the enterprise because the CEO was angry at all the emails that filled his inbox due to an email virus.  In this case it was purely reactive.  When I was a senior security analyst inside a large multinational, we were able to go three straight years without a worm or email virus getting into our network.  This was at a time when Microsoft vulnerabilities were a constant cascade and Microsoft responded to everything released on bugtraq as if it were a malicious lie.  We managed this on a relatively small budget and with a user base that had admin access over their local machines.  It is possible to have tight security without spending a fortune.  Despite this, I knew we were not spending enough on security because we had little to no defense against the insider threat.  The best defense against the insider threat is an ethical corporate culture and good hiring practices, an area often overlooked.  Of the security triad of prevention, detection and cleanup, prevention is frequently the most expensive when it relies on technology.  Prevention is a lot cheaper if you don’t hire losers in the first place, or if you don’t build up resentment by stealing from your employees with understaffed teams, overworked associates and no bonuses except for the C suite.

At this point, lacking a wealth of statistical data, most companies can’t say whether they are spending too little or too much unless they ask an outside expert.  If they ask the question inside the company, they will most likely get an answer weighted for self-preservation, if they are asking at all.