The amount of money companies should spend on identity management can be measured through risk analysis.

Spending on identity management should be guided by risk analysis. By assessing how credential-related threats could affect important assets, estimating the likelihood of those threats and the potential impact, you can quantify the risk and weigh it against the cost of controls like strong authentication, centralized provisioning, access reviews, and passwordless options. This approach helps determine an appropriate level of investment to reduce risk to an acceptable level, rather than guessing or relying solely on financial returns. ROI can be part of the picture, but it isn’t the sole basis for security budgets; risk-based budgeting prioritizes reducing the greatest risks first, even when exact dollar-for-dollar ROI is hard to measure, and it accounts for residual risk and regulatory considerations.