One problem with most computer security is that its successes are invisible, while its failures are blatantly obvious. A New York Times story about how a hacker stole millions of credit cards from you is quite painful, but a hacker deciding that your security is too strong to be worth trying is really hard to detect. In other words, security is a "negative experience" good: only the negative experiences can be measured. A lack of negative experiences might mean that your security system is working well, but it does not necessarily mean that. I will address the question of how to measure the effectiveness (and therefore the "value") of computer security solutions in light of this problem.