How much IT-(Security) is enough? Many valuation methods have been developed, which try to define the value of IT and IT security investments. As criteria like Return on Investment (ROI) can be seen as a concept with a set of methods, tools, activities, and ideas, there is still no guide on how to apply, and combine those methods in order to invest in the right level of IT-(security). This work aims to reduce the gap between IT and IT security investments in order to improve the 1) Estimation of input values for IT security investments, 2) Alignment of IT security investments to the organizations objectives, 3) Valuation of IT investment alternatives considering the appropriate level of IT security investments. This is performed by the evaluation of differences between IT and IT security investments, resulting in a framework, which includes those advantages. This framework is shown in action by means of a case study. It shows how 1) Valuation methods can be appropriately applied 2) The advantages resulting of a process based valuation for IT security investments with Multi Objective Decision Support.