Technology managers trying to justify and prioritize IT security spending are searching for some way to quantify the risk management benefits. But a lack of standard processes and the wide variability of factors that affect risk are making it hard for companies to collect such metrics, users said last week at a conference here organized by Gartner Inc. “There is an increasing focus on measuring security effectiveness,” said Carl Cammarata, chief information security officer at automobile association AAA Michigan in Dearborn. Companies are realizing that “you can’t manage what you can’t measure.” Driving the trend is the fact that security budgets have been rising by 20% annually over the past couple of years, said Richard Hunter, an analyst at Stamford, Conn.-based Gartner. Full Story