2010: A Security Odyssey

16.11.2006
Today's enterprises are not spending their security dollars wisely, often shelling out vast sums to protect their least-sensitive digital information while ignoring common risks like insider threats and paper theft - a situation that security experts insist is likely to get worse over the next four years.

Recent research conducted by analyst firm Forrester indicates that organizations are spending millions on security, but not in the areas where the risk is greatest.

"There has been a lot of spending on network security, but the perception is there is not a lot of risk in that area," says Forrester senior analyst Tim Sheedy. "But there is very little spending around insider abuse, social engineering or even paper theft, which are major risks to the organization."

Sheedy claims that in a few years IT security will be measured much like other business metrics. Businesses will be able to account for the actual information security risk, based on factors such as employee behaviour, system readiness and the financial ramifications of employees exposing an organization's most sensitive information - either willingly or by accident.

"Putting actual metrics - and particularly financial metrics - around security is going to be a major trend," Sheedy said. For example, Sheedy suggests firms will be able to gauge the financial implications of employees who are not trained in certain security protocols.

"You could state because 20 percent of employees operate in an [insecure] way, they represent a $300,000 risk to the organization," he said.