Daniel Geer and Bob Blakely recently published a security metrics paper asking the question "Are you smarter than the TSA? (Hint: No)". The paper takes the position that the value (aka 'smarts') of the TSA is based upon the investment it commits per passenger, and compares that figure to attackers and to security programs in large enterprises. Using ballpark figures, they estimate the TSA spends about $10 per passenger boarding, while other security programs spend only pennies per customer.
Daniel Geer is one of the most well-respected security metrics experts in the industry. But I just can't follow this line of analysis...
I think it is dangerous to distill the value of security down to expenditure alone. Although an obvious relationship exists between security spending and controlling loss, I doubt it is linear. Increasing the TSA budget by 300% to $24B will not equate to 3x the level of security people feel or benefit from when boarding a plane. Will 3x more terrorists be caught, or hijackings be reduced to 1/3 of current levels? Doubtful. Spending more does not mean security will improve at the same rate.
The attackers likely don't see it as an economic problem either. Cost may be a limitation, establishing boundaries on what attacks can be attempted. But I have not seen any evidence that attackers make strategic decisions based upon a ratio of defender spending per attacker or per target. If anything, I suspect they evaluate the cost of an attack in relation to the likely return. In my humble opinion, this probably holds true for financial, political, and even social attacks.
I would rather see this turn into a return-on-investment analysis, rather than a comparison of who is willing to spend more.
The question in the paper asks "Are you smarter than the TSA?". I would judge any organization that can achieve and maintain the same or better level of risk (risk of loss) in a similar environment, while spending less, as being "smarter than the TSA".