Identity and Access Management (IAM) is a key issue for systems security managers such as CISOs. More specifically, it is a difficult problem to understand how different investments in people, process, and technology affect the intended security outcomes. We position this problem within the framework of optimal control models in macroeconomics, and use a process model to understand the dynamics of the utility of possible trade-offs between investment, access, and security incidents (breaches). A utility function is used to express the security manager's IAM preferences, and the functional behaviour of its components is described via a process model. Executing our process model as Monte Carlo simulations, we illustrate the behaviour of the utility function for varying levels of investment and threat, and so provide the beginnings of a decision-support tool for systems security managers.