One of the most challenging characteristics in our space is that *direct* information asset value – what the business is interested in – has an ambiguous relationship to consequences/impact – what security professionals are trying to minimize. I am a huge believer in what is essentially a “revealed preference” approach to understanding the value. At the very least, at the point a decision is made by business to spend $5m on some system they are making the bet that the system will drive that much benefit to the organization, either in increased revenue or decreased costs.

The challenge for us when measuring impact of some infosec-related incident is that the systems/assets often keep generating the expected value to an organization. Even DoS events against eCommerce sites – perhaps one of the easiest impacts to measure – should consider loyalty at this stage for people to come back and shop later if a system is out. It is often much more difficult than that – if the formula for Coca-Cola is stolen, it doesn’t impact Coke’s ability to make/distribute the drink; it is more likely to have some impact like lost market share due to black-market knockoffs (not sure if this is a problem in the soft drink world). Even more challenging might be the situations where an illegitimate third party can make even more revenue through stolen IP than the victim – did the victim actually lose that?

Creating estimates with problems like this is really challenging so I think we are much better off starting with the revealed preference thresholds that are out there – trying to assess just how much we spend to pursue/defend IP rights through legal means and using that as a baseline, for example. The logic being, again, that if you spend $5m protecting your IP, that is at least as much as you believe you could lose if you didn’t. I’d take this method over the notions of “brand” and “reputation” that get bandied about (for non-human organizations, it *should* all boil down to lost income and/or increased costs – current or future).

Considering thresholds and revealed preferences, security spending is a great baseline number for estimating risk. That is, if our security spending is $5m then we are betting that $5m is offsetting $5m in potential losses, at minimum (advocates of the GLEIS model might even suggest it is something like 39% of potential losses). This line of reasoning is also useful in helping us develop a “control horizon” – we can draw a line on a risk matrix using this spending (aka minimum estimated risk) as the slope. we can also plot the intersection with IT spending, profit, revenue, or other numbers that might be useful in comparison. As we slice up a risk matrix like this, we can determine whether our judgments about risk are holding up based on where they fit as well.

I consider this approach very ALE-like – certainly aggregated and coarse (though it could be applied to individual scenarios as well) and with the caveat that security spending must be carefully calculated. At the level enterprises are working today, I think this information would be very useful in helping folks understand the risk decisions they are making.