Every time I told a friend I got an IT security job, I was always asked a similar question "Do you catch hackers or virus?". Of course, the popularity of the Internet definitely puts external threats and attacks on enterprise IT security's radar. However, I still personally believe internal threats and attacks cost more damage.
According to a 2003 study by the Computer Security Institute (CSI) and the United States Federal Bureau of Investigations (FBI), nearly half of all security breaches—an astounding 45 percent—come from within the enterprise by disgruntled or malicious employees. Industry analyst firm The Gartner Group estimates that more than 70 percent of unauthorized access to information systems is committed by employees and believes that more than 95 percent of intrusions result in significant financial losses.
SUA, LPA and SAT are good IAM defense weapons against internal identity theft:
An IAM project to improve security will cost money. Here is a rough estimate formula to calculate cost justification:
value of all data ($) × probability of breach (%) > cost of project ($)