Lindstrom’s Razor is not about security spending

After a few conversations, and having seen (part of) Russell Cameron Thomas’ post on the topic, I am beginning to realize that people are making a common mistake about Lindstrom’s Razor, which states:

The digital assets in question must be worth at least as much as you pay for them.

It is important to recognize that these costs are NOT security spending to protect the assets; they are the amount spent acquiring the asset itself. This is pure digital asset value, as opposed to ALE (annual loss expectancy). So if I spend $5 million on a new manufacturing application, that application is worth $5 million to the enterprise.

ALE is risk adjusted: it multiplies the expected frequency of a loss event by the expected loss per event, and that loss includes costs (response, downtime, notification) that have nothing to do with what the asset cost to acquire. One of the other confounding factors in all this is that digital asset value is not the only component of loss, and may be only indirectly related to consequences/impact/losses.

2 comments for “Lindstrom’s Razor is not about security spending”

  1. October 24, 2009 at 1:45 am

    Ah…. thanks for the clarification.

    So “Lindstrom’s Razor” is just a rule of thumb to estimate the MINIMUM value of a digital asset, is it?

    If so, then I don’t support even this simple rule. It may seem dumb to invest more in an asset than it is worth, but plenty of people who have studied IT carefully (in an enterprise context) believe it happens all the time. (I’m thinking of Nicholas Carr and Paul Strassman, as the most vocal proponents of this view.)

    Going back to the 1960s, Peter Drucker observed that cost streams are only loosely related to revenue streams, and that unless there was active management and discipline (a.k.a. metrics, learning), costs tend to increase due to wasteful or misdirected activities — the same way that committees spawn yet more committees.

    So it is with IT systems and digital assets of various kinds. Systems and complexity tend to spawn yet more systems and complexity, without any necessary connection to the drivers of business value. How much this happens and where it shows up all depends on the nature of the organization, its relationships with customers, competitors, and other market forces, etc. Without much “selective pressure” from outside forces, IT systems can bloat all out of proportion and yield negative returns in aggregate and even on average.

    I’m all in favor of good rules of thumb, but I don’t think that “spending on an asset” is a good rule of thumb for a minimum asset value.

    Thanks for the debate!

    Russell Cameron Thomas

  2. Pete
    October 25, 2009 at 11:41 pm

    @Russell -

    I think you are making this too complicated. I stipulate that there are big question marks about value and made a handful of points in this arena in my previous post here: http://spiresecurity.com/?p=1046. But these are non-market goods and value is determined by the stakeholders’ willingness to pay. There are many reasons that value can change over time and vary from person to person, but at the time a decision to buy is being made I am hard-pressed to believe that any stakeholder, a moment after having made a major purchase, would say it wasn’t worth it. This is the rule of thumb.

    Thanks,

    Pete
