"Never has so much been spent, by so many, on so little." That was the ominous analysis of Steve Hunt, an expert at Giga Information Group, about spending on public key infrastructure products. Once one of the most buoyant areas of spending on internet security, "from the first quarter of this year PKI has become a dirty acronym," he says.
That is a big change on a year ago, when PKI software, a technology which allows computers to issue digital certificates that authenticate an individual's identity online, was seen as a hot area for investment.
Interest in internet security moved centre stage with the rapid growth in e-commerce activities. As Arthur Coviello, chief executive at RSA Security, puts it: "Confidence in using the internet for business can only come with good security."
Issues of authentication and authorisation were seen as key to opening up internal networks to outsiders. Regular industry surveys confirm that concerns about security have been a significant barrier to consumers buying online.
Now, with the e-business frenzy replaced by a succession of mea culpas from bashful executives rueing their earlier exuberance, belts are tightening and tougher questions are being asked about whether IT spending delivers a return on investment.
In spite of some earlier expectations, internet security spending has not been immune to the slowdown. But as the results from many of the biggest quoted vendors confirm, there has been a clear divergence in performance which reflects the underlying shift in spending on internet security.
The worst affected group of vendors has been those selling PKI solutions, such as Entrust, a US company which has axed more than 400 employees amid slowing revenues.
Baltimore Technologies, an Irish rival, is also in trouble. Its market capitalisation has fallen from £5bn to about £115m - just double the amount of cash on its books - and there are doubts whether it will survive as an independent entity.
The company has cut 470 employees and announced plans to sell Content Technologies, the security company it acquired for £700m, in an effort to staunch costs.
"[PKI] had a tremendous amount of hype over the last two to three years and lots of companies rushed to implement it. But over the last year you have seen disappointment," says Howard Smith, at First Analysis in Chicago.
Mr Hunt agrees. "After two years of selling the stuff, there was a critical mass of users finding no return on investment." PKI, he points out, is an infrastructure rather than a shrink-wrapped piece of software - it is "the architecture which provides an environment for secure transactions." Unfortunately, however, some customers of Baltimore and other PKI vendors may have thought PKI was a solution, he says.
The technology can also be complex and costly - at around $700,000 on average - to implement. And it can be difficult to use, according to Stuart Campbell, partner in information risk at KPMG.
"Very few businesses have embraced PKI because it requires them to change the way they act in a fairly basic fashion, such as the need to establish the credentials of the person you are doing business with via a third party. Vendors need to create a better business case for PKI."
However, Alex van Someren, chief executive of nCipher, the Cambridge-based internet security group, believes the pivotal moment for Baltimore was Microsoft's decision to release its Windows 2000 operating system with a free version of PKI included.
"Although its functionality was not a complete replacement for the packages offered by Baltimore or Entrust, for many organisations it is sufficient. And if Uncle Bill [Gates] is giving it away, that makes it tough to sell software."
But while PKI is under pressure now, analysts believe it will eventually become a useful part of the security portfolio. One of those betting on that is RSA's Mr Coviello.
"When we entered the PKI market, people said we were already too late because the war was already won by vendors such as Entrust and Baltimore. We say this market has not yet begun to take off. PKI will play an incredibly valuable role but only when used with specific applications."
Even he concedes: "I won't say that the problems of Entrust and Baltimore haven't slowed things down."
While PKI is on the ropes, not all vendors are doing badly. Indeed, IDC, the technology research company, has forecast that spending on internet security software will increase from $5.1bn in 2000 to $14bn by 2005.
One of the better positioned companies is Check Point, an Israeli provider of firewall products which help secure telecoms networks. Its revenues, though slowing, have risen 55 per cent year-on-year.
Spending on anti-virus products has also proved relatively resistant to the sales downturn affecting most IT sectors. Vendors, rather than spend on marketing, can rely on the media attention given to viruses such as Code Red, and to self-promoting hackers keen to tout their latest exploits. This has helped protect spending in this area.
Data on the cost of security breaches is hard to find. The most worrying attacks are rarely reported because it is too embarrassing for a company to admit it has been hacked.
Even so, those threats can be overdone, says Jan Babiak, managing partner in information security at Ernst & Young. "I spent a whole week with clients worried about Code Red," she says. "None lost anything, but there had been inefficiencies with people making phone calls instead of sending e-mail."
Instead, she says that most financial loss is not from outside hackers, but internal security breaches, from those such as IT-literate disgruntled employees whose ability to disrupt the business has risen exponentially.
She adds: "There has been a large increase in security spending, much of which has not been spent in the right way. Customers need to spend more on understanding the problem instead of a scatter gun approach of buying different security toys."
Ms Babiak is typical among consultants in arguing that people spend too much time worrying about solving the problem via technology, and not enough on undertaking (often with the assistance of a consultant) a more comprehensive analysis of what data needs to be protected.
Mary Pat McCarthy, global chair of the information, communications and entertainment practice at KPMG, and co-author of Security Transformation, says: "It's not just about software but about the culture of an organisation. One of the biggest misconceptions is that this is just a technology problem that can be left to the IT department."
Even so, that argument is taking some time to be accepted. A recent survey by IDC, the research group, found mixed views on allocating responsibility for security. More than 60 per cent of those interviewed said security was the responsibility of IT departments. A worrying 9 per cent said no-one was responsible.
The exceptions are companies which have wrested internet security away from technologists and put it in the hands of those with more of a business background, or even elevated it to a boardroom issue - but they remain a minority.
One of the few to have done so is Motorola, the US electronics and telecoms equipment group, which last year appointed Bill Boni, a former federal agent with US army counter-intelligence, as its chief information security officer.
"The role is a recognition of the increasing complexity of managing digital assets, and that the problem is more than just a technology function but an asset protection function," he says. "Too many practitioners still engage in theological debates about six digit versus eight digit passwords.
"The core assets of large companies are increasingly being digitised. As those resources are transmitted by networks, tracking who has access to them and how they are shared is vital."
Those sorts of arguments - about the need to secure the business rather than simply the network that carries this data - make sense, and are likely to dominate the debate about internet security in the coming years.
But with the complexity involved in changing the culture of an organisation, and the need to continually reassess which data requires protection, this is not what executives want to hear when IT budgets are already under pressure.
As Stuart Campbell, partner at KPMG's information risk practice, concedes: "It is still easier to sell the tools and technology than change attitudes. People want to feel they are receiving something tangible for the money they are spending."