Information Value and Risk Assessment


I just wrote a paper on the value of information security. Please see the paper here. It is something I have thought about for a long time. Information security as a technical discipline but someone has to pay for all this fun we are having. My assumption is that as Willie Sutton is quoted as saying "Go where the money is...and go there often.” Today where organized crime and nation states are going is to information. It is amazingly easy to monetize certain kinds of information. There is a buyer for everything that hackers can steal. The impact to business has been debated for some time and we go to great lengths to perform risk assessments. What we don't do such a good job of is monetizing that risk. 

Consider this. If we can monetize the information asset, we should be able to monetize the risk to that asset. The key to monetizing risk is knowing the value of the asset at risk. Different systems for risk assessment have been in place for some time. They all seem to revolve around professional judgment. My argument is that using a combination of threat modeling (war planning) plus simple asset monetization will allow us to monetize risk. The results will not be perfect, but they should be directionally correct.  As Doug Hubbard says it is better to be directionally correct than specifically wrong[1].


Excellent idea. Info valuation models exist.

You're right on Ed. An asset is something that is 1) owned and controlled by the org, 2) exchangeable for cash, and 3) generates probable future economic value. Information meets that litmus test. This is why over 12 years ago I began writing and lecturing at biz schools on the topic of information economics, or what I call "infonomics". We now have info valuation models used by orgs to budget for infosec, data warehousing, BI, and data quality, etc. Companies are using them to create supplemental balance sheets that include info asset value. This way, individuals take better ownership of and care for info assets. There are a variety of benefits. See for more on the topic including articles in Forbes, WSJ and Financial Times. --Doug Laney, @doug_laney