One of the things we don’t do well in information security is express the value of the information we are securing. It seems like many people take it on faith that everyone’s understanding of value is the same. Of course, one reason not to do it is because it is difficult to do.
My advice: be prudent in any estimates and as specific as possible. Here is a formula for calculating a minimum information asset value:
Info Asset(min) = IT Salary & Wages + Current Capital Expense + (Org Salary & Wages × Usage %) + Direct IT Revenue + Intellectual Property
The basic premise is that your information assets must be worth at least as much as you spend on them, both in overhead (support and equipment) and in direct end-user usage (staff time spent on the computer, taken as the organization's salaries and wages scaled by the usage percentage). I also throw in any direct revenue being generated (probably worth tossing in indirect revenue from supply chain activities) and intellectual property (this one is a long shot, but we like thinking this way, so what the heck).
This formula can be used in a handful of ways. One is to reverse out a "risk" number by comparing the amount of security spending to the information asset value.
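The formula and the "reversed out" risk number, as an added example that is not from the original post. It assumes the comparison in the post is a plain ratio of security spending to the minimum asset value, and the organization's figures are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class InfoAssetInputs:
    """Annual figures, all in the same currency unit (constructed sample data)."""
    it_salary_wages: float          # IT staff salaries and wages
    current_capital_expense: float  # current capital spend on hardware/software
    org_salary_wages: float         # whole-organization salaries and wages
    usage_pct: float                # fraction of staff time spent on systems (0..1)
    direct_it_revenue: float        # revenue generated directly by IT systems
    intellectual_property: float    # conservative estimate of IP value


def components(inputs: InfoAssetInputs) -> Dict[str, float]:
    """Each term of the minimum-value formula, so the dominant term is visible."""
    return {
        "it_salary_wages": inputs.it_salary_wages,
        "current_capital_expense": inputs.current_capital_expense,
        "end_user_time": inputs.org_salary_wages * inputs.usage_pct,
        "direct_it_revenue": inputs.direct_it_revenue,
        "intellectual_property": inputs.intellectual_property,
    }


def info_asset_min(inputs: InfoAssetInputs) -> float:
    """Info Asset(min) = IT S&W + CapEx + Org S&W * Usage% + IT revenue + IP."""
    if not 0.0 <= inputs.usage_pct <= 1.0:
        raise ValueError("usage_pct must be a fraction between 0 and 1")
    return sum(components(inputs).values())


def security_spend_ratio(security_spend: float, inputs: InfoAssetInputs) -> float:
    """Security spend as a fraction of the minimum asset value.

    Assumption: the post's 'reversed out' risk number is read here as a plain
    ratio; the post does not fix the exact form of the comparison.
    """
    return security_spend / info_asset_min(inputs)


# Constructed sample organization (not real figures)
SAMPLE = InfoAssetInputs(
    it_salary_wages=1_200_000,
    current_capital_expense=400_000,
    org_salary_wages=20_000_000,
    usage_pct=0.25,
    direct_it_revenue=2_500_000,
    intellectual_property=1_000_000,
)

if __name__ == "__main__":
    for name, amount in components(SAMPLE).items():
        print(f"{name:>24}: {amount:>14,.0f}")
    print(f"{'minimum asset value':>24}: {info_asset_min(SAMPLE):>14,.0f}")
    print(f"security spend / value: {security_spend_ratio(300_000, SAMPLE):.2%}")
```

Printing the per-term breakdown is the useful part: it shows which term carries the estimate, which is where to be most prudent.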
Another thing it does is highlight the notion of value within the scope of spending. It is extremely intriguing to me when people suggest that these assets actually are NOT worth what we spend on them. Heck, then pick up a paper and pencil!
The truth is, they must be worth it, but people still have a hard time with intangibility. Even if money were spent on software that isn’t used, the value of the information asset had to be great enough to offset that amount.