On the SecurityMetrics mailing list, Dan Geer wrote:

We have, of course, been around the mountain several times on how to value information. There are at least these:

1. acquisition cost (worth what you paid for it)
2. replacement cost (worth what you would pay for it)
3. opportunity cost (downside when, say, your IP is lost)

There is Pete Lindstrom’s (as I recall) effective minimum:

4. current dollar value of IT budget

I’ll suggest another:

5. paper at (a) says that the optimal amount to invest to protect an information asset is 1/e of its info value at risk, so the value of the information asset, assuming optimality is _not_ being achieved, is greater than or equal to the product [ e*investment ]

Not particularly helpful, but upper/lower bounds are often useful to think about. I know a CISO who justified a rather substantial identity management system by arguing that it would protect reputation of the firm and was a net positive return if the reputation of the firm was worth at least one basis point of the market capitalization. Needless to say, no member of the management committee would say that the reputation of the firm was smaller than one basis point so the investment went through.

There are two aspects of information (and technology valuation) that create the biggest problem for Technology Risk Professionals:

First, the perception of value is not absolute – it can be affected by timing, substitute/alternative options, opportunity cost, etc. Consider the price for Diet Coke is different at grocery store, fast food outlet, convenience store, baseball game, etc. So we negotiate “willingness-to-pay (WTP)” and “willingness-to-accept (WTA)” throughout the course of our lives. Valuation is even more difficult for goods without a large market (e.g. high-end artists’ paintings) and especially difficult for intangible assets like “information.”

Second, the value being driven by technology to an organization is not the same as the possible losses. For example, Coca-Cola does not “lose” the ability to manufacture and sell Diet Coke if somebody steals its proverbial formula. It MAY lose some % of revenue due to the sale of black market Diet Coke, but even that is questionable IMO (much easier to copy the can and approximate the taste, I think). Similarly, Amazon.com is unlikely to lose 1/365th of revenue due to being offline for a day. OTOH, an unrecovered transfer of $10k from one account to another at another entity IS lost. And sometimes a breach can result in greater losses ((at least arguably) than the currently realized value – consider intellectual property associated with undeveloped products, for example.

As echoed in a couple of the workgroups at Metricon 8 this year, organizations are most comfortable reporting losses reflected by direct costs – immediate response, forensic analysis, notification, etc. The enlightened company may include economic costs – e.g. loss of productivity in other areas. It is the truly rare company that can get to the point of quantifying losses in “brand, reputation, etc.” even though losses can only be reflected in its (current and/or future) financials – higher costs, lower revenue, increased liabilities, decreased assets. After all, we are talking about an inanimate entity.

With all of the ambiguity, it could be that we’ll only ever be able to get consensus on value and losses using breakeven approaches to define thresholds and make decisions. On the value side, my assertion holds that the amount spent on IT reflects a minimum valuation but it is only part of the story given the missing relationship between value and loss, which is much more important to techrisk professionals. So we need to modify our breakeven approach accordingly and create a “control horizon”. Things get a bit trickier here.

While a million dollar purchase of IT assets reflects at least a million dollars in value, a hundred thousand dollar purchase of a security solution does not reflect its corresponding loss. We can say that $100k spent on security reflects at least $100k of risk, that is not the same as loss because it has been discounted by its probability of happening. What’s more, this probability also has a lot of associated ambiguity (for a number of reasons).

What we can do, however, is draw a line on a graph using the value pairs of probability and loss (10% of $1m; 1% of $10m; etc). Lo and behold, this creates a “control horizon” on a risk matrix – in essence, a breakeven line. If the initial risk was above the line (or should we say “up and to the right”) and it is completely addressed, then the purchase at least breaks even. Below the line means a bad decision was made somewhere along the line.

The control horizon provides a basic way to determine whether security spending makes sense.