How do we make those choices? Is it intuition? What we hear going on in the industry? Best practices? As a society as a whole, we are very bad at making those choices. Bruce Schneier's recent post on the disproportionate amount of attention paid to peanut allergies illustrates this point. Is the same misappropriation of resources at play in IT management?
There is a severe lack of data on information security budgeting and resource allocation. Entire industries have mushroomed around particular threats - anti-virus, hacking, firewalls, you name it. But which solution offers the most threat reduction per dollar and man-hour spent? As an industry, I think we are going to start to see this question addressed with increasing frequency (assuming the industry does not disappear first).