The amount of money companies should spend on identity management can be measured through risk analysis.

Measuring how much to spend on identity management through risk analysis starts with valuing the risk identity-related threats pose to the organization. By identifying assets that rely on identity controls, the possible threats (credential theft, account compromise, insider misuse), and weaknesses in current IAM processes, you can estimate how likely those threats are and the potential impact if they occur. This leads to a quantification of risk, often expressed as the expected annual loss (for example, SLE times ARO). Identity management solutions—like multi-factor authentication, privileged access management, automated provisioning/deprovisioning, and identity governance—reduce either the likelihood of an incident or the impact of one. By comparing the estimated risk reduction from these controls to their cost, you determine an appropriate level of spending aligned with the organization’s risk tolerance. In short, risk analysis provides a framework to justify and size investments in identity management, so spending can be guided by quantified risk rather than guesswork.