Security organizations should try to associate specific expenditures with business initiatives. Certain security costs are easy to allocate, such as outsourced security monitoring services for a demilitarized zone, single sign-on systems, application monitoring tools and external audits. Security awareness, training and coordination costs, for example, don't obviously relate to specific business initiatives; neither do directory synchronization and maintenance tools, anti-virus or other ubiquitously deployed security software. Cost allocation is, for most organizations, a black art; tying security costs back to business units is more difficult.

