The value of information – the reason for information security

18.07.2012 by Martin Kuppinger

If you’ve ever struggled with finding the argument for an investment in information security, here it is: According to a survey recently published by Symantec, 40% of the worth of organizations is derived from the information they own. The link goes to a German site and the extract of that survey specific to Germany, but the report is in English. The global version can be found here. There are other interesting numbers: 57% of the German respondents expect a loss of customers and 48% brand damage in case of a leak of information (and breach notification). The global numbers aren’t that different. On a global basis, information is estimated to be 49% of the organization’s total value, while 49% expect loss of customers and 47% brand damage in a data leak event.

These are numbers that help to argue better with business managers. They also prove what we’ve been observing over the past few years: Information Security is a hot topic again. Business cares about information security (and notably not about “technology security” – it’s about the I in IT, not the T). And thus, business needs information security. One of the reasons is simply that some years ago when sensitive or valuable data leaked this was only mentioned on page 7 or so of a computer magazine. Nowadays you might make it to the opening headline of the daily news on TV, or the business newspapers (Wall Street Journal, Financial Times, etc.).

Numbers like the ones from the Symantec report help in showing the value of Information Security investments, by first showing that it is about information security and then showing the potential impact of leaks and breaches to the business. The numbers also clearly indicate that this “IT risk” of leaking information is about business risks: Operational risks, reputational risks, and even strategic risks, if you lose too many customers or damage the brand too much – or if your competitor gains access to your most valuable intellectual properties.

There is a good reason that information security is one of the two key drivers for what we at KuppingerCole have worked out as the KuppingerCole IT paradigm, our approach on structuring IT to deal with the fundamental changes like Cloud Computing, Social Computing, and Mobile Computing and to deliver what business really wants:

  • Business wants the (IT) services they really need when they need them – and they want to order business services, not technology services for which they then wait endlessly for IT to deliver
  • Business wants their information secured appropriately – this is where information security comes into play and, over the past few years, became a real concern of business managers

There is a comprehensive report on this KuppingerCole IT paradigm available with some additional KuppingerCole Scenario reports like “The Future of IT Organizations” diving deeper into the details.


  • Doug Laney

    Interesting topic. I have been researching, consulting and lecturing on the topic of information economics & asset management, or "infonomics". This work includes the development of information valuation models that are used to justify information security and other info management & analytics initiatives. Recent piece on this in Forbes: http://www.forbes.com/sites/gartnergroup/2012/05/… –Doug Laney, VP Research, Gartner, @doug_laney

    • Martin Kuppinger

      Great minds think alike ;-)
      However, like you show in your piece: There is no simple, tangible way for the valuation of information assets – at least not as long as an organization doesn't buy them from someone else.
      The problem of what you call "infonomics" is basically the same as the problem of valuation of qualitative aspects in decision making. It is easy to deal with aspects which are quantitative per se. But we still don't have a simple, tangible way for quantifying the qualitative aspects in decision making. In IT, mapping them to risks (which are per se defined by impact on assets and probability and thus quantifiable) is a good workaround – but it is a workaround. And it is limited as long as it is about the impact on information assets where we don't know the value of the asset.

      • Doug Laney

        Hi Martin,

        Actually, I have developed a number of relativistic and economic methods for quantifying information's value. Yes, one is a market-based approach. The other financial valuation methods are a cost/loss based model, and an income-based approach. They are consistent with accepted accounting methods for asset valuation, but also include factors to deal with some of the nuances of information compared to traditional assets. They have been used by a number of clients to assess the potential, probable and actual financial benefits of information management-related initiatives (including BI/analytics). And are being considered by insurers in developing stronger e-data insurance products, and by valuation firms for better valuing enterprises involved in M&A transactions.

        As for risk, this is not part of any asset valuation exercise, but can be quantified as well (typically estimated). Then these estimates can be used to quantifiably assess various decision scenarios using something like the Monte Carlo method. Knowing the value of information reduces at least one of the risks.

        Cheers,
        Doug Laney, VP Research, Gartner, @doug_laney

        • Martin Kuppinger

          Hi Doug,
          regarding models: Yes, helpful. I know some other models derived from other practices. However, the problem with all these valuation models is that they are based on some assumptions and the results might vary massively. That's the same as with methods for quantifying the value of organizations which aren't listed – the results depend on the methods chosen. If you just take the gross rental method/income approach and the fixed asset method (I don't know whether the translations are correct – in German it is "Ertragswertverfahren" vs. "Substanzwertverfahren"), you can end up with massive differences.
          Nevertheless I agree with you that it helps to apply such methods on information – and to do it consistently across an organization.
          Regarding the risk aspect: Risk needs to be quantified. An aspect of risk is that this can be quantified. Otherwise it would be about "uncertainties". To quantify information risks you need the asset valuation – either based on estimations or other, more advanced methods. The point I wanted to make is that we need methods for asset valuation anyway for Risk Management given that many risks are tightly associated with information assets. As long as you don't know their value, you can't measure the risk. So knowing the value of information not only reduces a risk, it is a mandatory prerequisite for risk management done right.
          -Martin

  • Doug Laney

    Hi Martin, Agreed, I think we're saying the same thing. And yes, all valuation models involve assumptions and yield differing results…my models for info valuation included. You say you've seen other info valuation models? Do you have any pointers to these or people I could speak with? My email is firstname DOT lastname AT gmail. Danke!

  • Frank

    I notice that a lot of companies invest a lot for information security, but they often neglect end-point security such as premises protection for the actual hardware that house company data. IBM noted of that with security guarding Bristol for firms.

© 2014 Martin Kuppinger, KuppingerCole