3: INFORMATION AS AN ASSET

INTRODUCTION

The art and science of security requires a complete understanding of the value of the assets requiring protection. The asset under scrutiny is primarily the information transmitted, stored, and processed by the organization. Secondarily, the computer and telecommunications resources themselves require protection; a significant component of that can and will be addressed by applying the McCumber Cube approach.

One of the simplest ways to understand what an organization values and how it then labels its information resources is to look at an example used for decades, the U.S. military. In government parlance, information value is defined by broad categories such as unclassified, sensitive, secret, and top secret. There are published definitions of these terms that have been used and adapted since the terms were first coined to describe the amount of value placed on the information. You can search out these definitions in Federal Standard 1037C [1] and the DOD Dictionary of Military and Associated Terms [2].

These terms will usually dictate how that information is controlled and used. A military person who meets the criteria of an appropriate clearance level and need-to-know usually can gain access to the information. But the tiered security system is a crude way to ascribe value to information resources.

Throughout this book, we will also apply broad categories of asset valuation similar to the military model. However, the McCumber Cube methodology can be tailored to accommodate a more descriptive and refined gauge for measuring the asset valuation of information resources. Within the process itself, you can substitute any hierarchical metric you choose for the overly broad categories. The one you ultimately use should be based specifically on your environment and the level of granularity required.

The value of this structured methodology is that you can substitute the best metric to suit your valuation method. A military system can use the traditional confidential, secret, and top secret classifications for a system that controls multiple types of classified information. This is referred to as collateral national security information by the U.S. government. However, even the military has found it necessary to refine its simplistic three-tier classification system.

On top of these levels are additional categories that define more stringent levels of protection. These categorization systems include the Department of Energy Special Access Program, the Department of Defense Special Access Program, and the Director of Central Intelligence Sensitive Compartmented Information Programs. There are a variety of other specialized access lists and caveats that can be added as well. Dissemination controls and other restrictive markings can include notations to further refine the information's distribution and use. Code words also are employed as a way to describe sources and methods used in the collection of the information.

Models that focus either primarily or exclusively on the IT infrastructure itself rather than on the information resources do not have the flexibility to be mapped to different environments. In other words, an IT environment that provides adequate security for a manufacturing concern will most likely not be adequate for the Central Intelligence Agency. The reason is simple: each organization places widely different values on their information assets. Although information resources are critical to both, each organization will have to evaluate the likelihood of possible negative consequences for not protecting the information.

The primary issues of asset valuation a security analyst needs to consider are the consequences of not protecting the information. There are four primary categories for these consequences that cover the possible outcomes. I call them the Four Ds:

  • Destruction
  • Delay
  • Disclosure
  • Distortion

Every possible negative security outcome can be assigned to one of the Four D categories.

Destruction covers any type of access denial against legitimate users. It includes actual destruction of the information through such attacks as physical destruction of data media. Disks can be physically damaged, data can be deleted from databases, and both explosives and natural events (such as hurricanes and tornadoes) can destroy computer centers and their systems.

Delay defines any type of temporary denial of access or data use. The numerous denial of service attacks of recent memory dramatically demonstrate the insidious nature of simple delay. If a decision maker cannot gain access to vital information when needed, the consequences can be severe. Delay is, in many cases, an easier exploit to conduct than outright destruction; its effects can usually be just as damaging.

In the last several years, many attackers are finding that simply degrading the capabilities of IT systems is sufficient to meet their malfeasant goals. In some cases, they can simply use automated security safeguards to help cripple a system’s capabilities. As safeguards used in modern information systems are adapted to automatically detect and respond to attacks, certain simple exploits can be used to trigger the safeguard mechanisms. Many of these protective responses include isolating affected systems and blocking ports and services to external sources. An uncomplicated command that is associated with an exploit could be used to force the system to automatically invoke a response that degrades the system’s capabilities.

Disclosure and distortion are perhaps the most insidious consequences to consider. Disclosure is defined as unauthorized access to information resources. The reason disclosure is so insidious is that this exploit may not be exposed until it is too late, or never at all. Many security safeguards are designed solely from an insiders-versus-outsiders perspective of enforcement. The assumption is that the insiders can be trusted, but outsiders cannot. However, an effective security program must be able to enforce security policies that mandate the proper access to and use of all information resources.

An ages-old physical security maxim is: Prevent what you cannot detect; detect what you cannot prevent. If an attacker or other type of threat obtains unauthorized access to your resources, security analysts will at least require evidence to determine that the exploitation took place. In the physical security realm, a cut fence, a broken window, or a severed lock will bear forensic witness to the method of attack. By following this physical evidence trail, a security specialist or law enforcement person can determine how the attack or theft was perpetrated. It also aids in assessing the damages or losses incurred. However, with information resources, such a forensic trail may be hidden deeply or perhaps be nonexistent.

Disclosure could be the consequence for someone whose password is compromised. If you are one of the millions of people who hide your computer password under your keyboard, someone can use your password to look at sensitive corporate data or even confidential personal information. The ultimate loss for such a security breach using this ill-gotten knowledge will be determined by how the disclosed information is used. The information thief may provide this sensitive internal information to a competitor for personal gain, or they may simply retain the information for potential use sometime in the future. If you do not have a system that notifies you of the last authorized login time and date, you may never even know the information was disclosed to an unauthorized party. Unlike obvious evidence of broken glass, the disclosure of a password and unauthorized use of the system may go completely undetected.

Distortion can be a consequence with all the same problems associated with the loss of imputed value. If an unauthorized or unintended alteration is made to the information, decisions can be made that are ultimately detrimental to the organization that maintains the information resources. One of the most difficult security challenges is ensuring that information is not maliciously or accidentally distorted. Acting on inaccurate information can result in more severe consequences than not having the information at all.


DETERMINING VALUE

Information is a strategic asset to an organization. Many have used IT to transform business practices and achieve significant competitive advantage. Those who have been most successful have focused on the information itself rather than the technology as the basis for gaining an advantage. Technology is the means of delivering the information; the underlying asset itself is the key resource. Information is stored in operational databases or decision support databases.

To assess how or why information is valuable, it is useful to define information as an asset. As an asset, information has the potential for future benefit. Whether for national security or economic gain, it provides the capability for making effective decisions. The information asset provides strategic benefit if it is controlled by the organization. If information belongs to one organization exclusively, it becomes a commodity that can be used, sold, or shared to its advantage. Once control over the information has been obtained through purchase, discovery, or development from within, the cost for said data has been expended, making the information an intangible asset to an organization.

Unlike tangible assets, information can be shared among many people without any depreciation of its value. Unlike finances, equipment, or staff that need to be apportioned among users, information's value remains equal to all users. In most cases, there is no increase in cost or reduction in value from sharing data. In fact, the value of the asset can multiply if more people can use it and more gain can come of its dissemination in an organization. Unlike other commodities that depreciate with usage, information retains its original value.

Different types of information have different values. A home telephone number may have limited value in a transient society, whereas a cell phone number can be invaluable. The more accurate information is, the more useful and valuable it becomes. For some data, accuracy of 100 percent is required, although for other data, 75 percent may be good enough. In the second case, increasing the accuracy further actually reduces the value of the asset. In the first case, if the information falls below a specific level, it is useless and cannot be trusted. A case in point is the banking industry. Accurate records of financial data and transactions must be precise. If financial decision makers cannot trust the accuracy of their data, they will not use it.

It is important at this point to distinguish between data and information. Data is not the same concept as information. Information is data placed in context, analyzed, and processed into a consumable resource or asset. In many cases, a small amount of information can have more value than a large amount of data. It is important to recognize the difference. The McCumber Cube methodology is based on information valuation and analysis, not data valuation.

Information has different values to different users depending on their resources, intentions, or market position (Figure 3.1). It receives little financial recognition relative to its value as an asset. It uses organizational resources in terms of data capture, processing, storage, and maintenance, but is largely ignored as a value from a business perspective. It is this resource that enables an organization to make decisions, deliver services, or achieve a competitive advantage. The real cost of an information system resides in the information it is storing rather than the software and hardware it uses to store it. IT strategies should be focused on sustaining the value of the information product rather than on the equipment or system used to disseminate, store, or maintain it.

[Figure 3.1 User Context]

One must define and price a process to acquire or reacquire information should it be lost. Operational assessment includes the value of information to actual, ongoing operations. An example of this is where information is required for consumption as part of a current business practice. If the information is lost or unusable, one or more business processes cannot continue until the information is replaced. This valuation is heavily dependent on user needs.

A market-based valuation process assesses the resale value of information. Information is developed and provided to meet the needs of a customer. Examples of market-based scenarios include the news media or real estate firms that are purveyors of information to the public. Market value of information takes into account the development costs as well as how badly the consumer of the information needs it and whether or not there are alternative sources of the information available. This method uses comparisons with actual experiences and depends on supply and demand forces that are functions of location and time.

The collection of information, as with other collectibles, considers the perceived value to the user as distinct from the explicit developmental, operational, or documented market value. Information is often generally perceived to have value without a clear or direct purpose other than its possession. The question is raised as to whether or not this information has value.

Developmental valuation takes into account the efforts and resources required to develop or reconstruct information independent of other considerations. This involves defining and pricing a process to acquire or reacquire the information should it be lost. The bases of valuation are:

  • Development basis
  • Operational basis
  • Market basis
  • Collection basis

The consolidation of information increases its value (Figure 3.2). Proper integration becomes a factor in operational systems. The lack thereof becomes a major impediment to efficient use of the information asset. Although total integration may be unrealistic, identifiers that enable the linking of information and coding schemes for aggregating data are beneficial to an organization.

Many modern database management systems are being designed to capture and manipulate information from all operational areas of an enterprise. The comprehensive data environments are both a strategic corporate advantage and a significant vulnerability for security practitioners. The centralized information storage architecture translates into many access points to populate the databases. Additionally, the complex nature of the software that manipulates the information means that security practitioners have a difficult time identifying and isolating events that may violate the organization’s security requirements.

[Figure 3.2 Information Value Increases]


Most resources are depleted over time as they are used. Information is one resource that does not follow that pattern. New or derived information is created as a result of analyzing or combining information. The original remains and the derived is added in a self-generating cycle. It is for this reason that information is often abundant and difficult to manage.

Most information changes value depending on its age (Figure 3.3). It must be updated and current to be most useful to an organization. If unused, information can become a significant liability because of the costs incurred from acquiring, storing, and maintaining it. A major problem typical to most organizations is not the lack of information, but the abundance thereof leading to information overload and reduction in decision-making performance. Effective use of information requires proper access. Information has a low value if it cannot be found or accessed. Proper cataloging increases the value of the data. People need to know where the information is and how to access it.

The value of an asset can be measured from its use or exchange. The cost of acquisition of the asset approximates the value of said asset at the time of its purchase. Using this idea, the asset is valued based on how much other people or organizations are prepared to pay for it. The same can be said of the value of information. Information sold on a usage basis or as a product is a widely traded commodity on the Internet. Information can be sold over and over again without losing value. It also retains its original value to the organization. The exception to this is when a group sells its exclusive rights to the information.

Valuing information is a difficult task because it does not follow the same rules that apply to other assets. The cost of collecting information can be used as a measurement of its value if it is operational data. Management data can be valued based on the cost used to extract it from operating systems. Unused, redundant information has negative value. Many users who have access to information multiply its value. Current information is more valuable than older information. Acceptably accurate information is valuable in its proper context.

[Figure 3.3 Information Value Decreases]


In most cases, information’s value lies not in its contribution to revenues or products, but as a catalyst for decision making and gaining a competitive advantage. The valuation of information could have huge implications for the IT industry. Determining how and why to value information must be useful and relevant. Organizations must be aware of information as an asset. Managing the cost of data collection, storage, maintenance, and analysis increases accountability and reduces waste. Valuation of information provides a better approach to measuring the effectiveness of IT by measuring the value of the information rather than the hardware.

Information valuation may have many benefits for organizations. Companies, in creating and maintaining information assets, make a long-term investment in resources, systems, and people. To determine the importance of information it is useful to follow a logical process. First, identify information as an asset and list the attributes of the information that single it out as important. For example, if a company is consumer related, then customer-related information is highly valuable. It is necessary to develop methods for valuing the information. Include information on the accounting balance sheet as an asset. This will lead to better management of information assets. Once information is identified, valued, and recorded as an asset, then the potential to successfully exploit it for financial or strategic gain is greatly enhanced.

Applying a method used by accounting practices is an attempt to measure the value of information by attaching a number to it. This method seeks to ascertain market value of intangible assets. Unfortunately, information does not follow all the economic principles of tangible assets. The value of an information asset must take into account an active market where frequent buying and selling of that asset takes place if you are to apply accounting methodology to information valuation. The problem is that this market is currently limited, for example, to the sale of information lists. To fulfill the strict accounting standards of asset valuation, information would never be as valuable as when it is first obtained. This is certainly not the case. Following the same line of reasoning, more information would always be better than less, and information collected twice would be worth twice as much.

Another obstacle to achieving a valuation of information in a traditional sense is the identification of information assets and their attributes. A group should document their information assets as a preliminary step to identifying or assessing them at an organizational level. Without this first step, a valuation is extremely difficult. Other problems with placing a valuation on information assets include the fact that information may or may not hold its value over time. Information value depends on constant updating; information degrades quickly, making its value dynamic. The value of information for problem solving is time critical; only the right information at the right time helps in decision making.

Companies put an enormous value on information, without thinking on the whole about capitalizing it, putting it on the balance sheet, valuing it, or insuring it. These issues remain relevant and as business becomes more information based, its value is taking on greater prominence. Users of information often cannot perceive why it should be managed. They see information as a problem that should be dealt with by those in the IT department. However, once information overload is accepted as a problem, people are motivated to find a solution.

There is a growing location-independent workforce, which means that information collection and access is dispersed, leading to challenges of trust building and ownership of information assets. Digital commerce, for example, has the challenge of securing and protecting intellectual property rights. Personally identifiable information may become the new-world currency, with growing concerns among consumers. Business partnerships must demonstrate that information collected will only be used for specifically intended purposes.

The quantity of information has increased for a number of reasons. There is a general increase in business communication, within a company and with customers or suppliers. Trends such as globalization and deregulation increase competition and organizations are downsizing, therefore having fewer employees to manage the information. Outsourcing of work means a wider range of other groups with which it is necessary to communicate. There are also more ways to communicate: by fax, voice mail, e-mail, Internet and online conferencing, in addition to the more traditional methods, telephone, face-to-face meetings, and mail.


MANAGING INFORMATION RESOURCES

Many organizations cannot adequately cope with the volume of information they receive. Managers often feel the need to collect information to back up their decisions or keep up with competitors. An evolving professional understands how to leverage information for organizational benefit, viewing the organization as a whole rather than as individual groups or functions. Effective managers will identify what information should be created or captured and how it can be leveraged in making strategic decisions. They will determine who should or should not have access to the information and when it should be destroyed.

There is a cost for not managing information properly. Time is wasted as people look for information. Factors such as the holding of files in different software formats and the speed of the Internet at critical times of day contribute to this. Decisions can be delayed by the existence of too much information. Information collection can distract employees from their main responsibilities. It is necessary to develop strategies for dealing with the information retrieved, and interesting to imagine the potential increase in productivity if proper valuation were to be achieved.

Managing information assets can be broken down into various components. Leveraging information involves data mining, managing knowledge, workflow, content, and relationships. Valuation involves assigning a rank to the intellectual property and managing the risk to that asset. It is crucial to protect the privacy, security, and ownership of intellectual property. There is a need to prospectively forecast infrastructure based on the information. Management must monitor the information through auditing, compliance, and performance measurement and maintain the information by properly storing, preserving, retrieving, and disposing of it when necessary.

Information, when seen as a valuable corporate resource, defines an organization's effectiveness as well as its assets. A well-developed information resource defines the current state of the organization, supports effective decision making, and provides a means of monitoring the organization's performance. Inadequate information assets result in poor and destructive decisions, missed opportunities, wasted resources, and ineffective use of technology. Fundamental challenges exist in the need to better manage information flow and to determine the link between organizational strategy and the use of information.

An organization’s interests lie in increasing the value of group-centered information, decreasing the cost of maintaining the group’s information, increasing the number and value of useful interfaces to other groups, and decreasing the cost of maintaining access to intergroup information (Table 3.1 Favorable Situations).

It should be noted that the information value to a corporation cannot be computed directly as the sum of each group’s information value because of redundancy and conflicting values between groups. For example, the information valued by Group C may be inconsistent, out of date, or erroneous from the perspective of Group B. Using a large university medical center’s scheduling dilemma as an example may illustrate this concept.

The medical center contains a number of outpatient clinics, each with its own staff and scheduling procedures (Table 3.2). Management decides to automate patient visit scheduling hospitalwide. Two situations are being considered:

  1. Situation 1—allows each clinic to implement the scheduling system as a stand-alone application.
  2. Situation 2—requires a high degree of integration with shared viewing access to patient and schedule information and the ability to book appointments across departments.

Table 3.2 University Medical Center Considerations for a New Scheduling System

In Situation 1 (stand-alone), the information about patients located within each individual clinic is of high value and low cost. The stand-alone situation lowers the cost of maintaining the information by automating existing paper scheduling books. If information from a different clinic is needed, a phone call or e-mail message will be used. Situation 2 (integrated) lowers the importance of local information by moving it to a shared database and makes costs higher in order to implement and maintain the information. Increased costs include the equipment and added training needed to schedule across departments and to standardize scheduling.

Objects of information are real assets that are enhanced or reduced in value by the way they are organized and managed by the organization. The value of an information system consequently is not measured as a sum of the value attributed to it by each group, but rather by its probable contribution to the corporation’s information assets. In the above example, the most important information asset in the medical center is the collection of data about its patients. The asset’s contribution to the success of the medical center and the cost of managing that asset is the most important factor to be considered in the selection of which scheduling scheme to implement.

To establish a useful method of valuing information assets it is necessary to know whether information is available when and where it is needed and if the cost of accessing the information is acceptable. Once accessed, is the information reliable and accurate and does corporate policy maximize the information’s benefit to the success of the organization?

At the university medical center, the decision to proceed with Situation 1 (stand-alone) or Situation 2 (integration) should begin with an assessment of the current state of the information asset. The center's decision makers know that patient information is not available because information about a particular patient is physically stored in various clinics without easy and reliable access. Patient information is not accurate because all information about the patient from the various clinics is not available. The medical center has a great deal of information that could be used in the care of the patient, but the current system keeps the information fragmented.

When analyzed from the perspective of the medical center’s information assets, the automated scheduling situations appear differently from the above situation. The proposal for local scheduling systems does not add to the medical center’s information assets’ value.

The cost component from the perspective of the medical center’s information assets changes the situation selection criteria. Decision makers must understand the total cost of managing the information asset. Specifically, they need to know how much it costs the medical center to record the patient information asset and how much it costs to coordinate access to the information.

Table 3.3 Medical Center’s Information Assets Considerations

Each individual clinic expends resources to keep records of a patient's schedule (Table 3.3). When information must be shared between clinics, resources are expended to request and gather patient data. Errors and omissions must be tracked and distributed from one clinic to the next, adding to the cost of managing the patient information asset. If the medical center decides on Situation 1 (stand-alone), the cost to individual clinics of maintaining their own patient information may be reduced. The cost of coordinating information among clinics remains high. Even if the cost of Situation 1 is reasonable, its modest benefits make it difficult to justify. Situation 2 (integration) is unlikely to lower the cost of recording patient information, but the cost to coordinate and share information should be significantly lower.

The method for using the medical center’s information assets as a basis for the selection of the patient scheduling situation works by identifying the information assets affected by each situation and for each asset, evaluating its current value and the cost for managing the information. For Situation 1 and Situation 2, it is necessary to assess the probable change in the information’s value and the cost of managing the information asset. If the asset’s medical-centerwide values increase and the total cost of managing the asset decreases, the proposed situation would result in an increase in the asset’s contribution to the medical center. The situation with the greatest projected increase in information assets contribution should be the one to be approved and funded.

An organization-centered view of information’s value alters the perceived benefits and costs of decision making. The concept of information being a corporate asset is key to maximizing the return on its collection and use. Strategic planning or project justification should be based on the project’s potential for enhancing the contribution information makes to the success of the organization and its mission.

[Figure 3.4 Asset Valuation Models]


There are benefits to the valuation of information. It raises awareness of the importance of information and increases accountability for the management and effective use of the information asset (Figure 3.4). Valuation of the true asset will change the focus from the technology surrounding it to the information itself.

The behavior of information as an asset is not well understood and therefore applying historic accounting practices to information does not meet the need. The valuation method of choice would need to take into account the unique properties of information assets. When we apply these metrics to the McCumber Cube, we use the simplistic high, medium, and low labels. Although this may seem grossly inadequate, consider the military’s classification system that is based on a similar tiered system with categories for unclassified, confidential, secret, and top secret. There are numerous other caveats and compartments layered on and between these rudimentary classifications, but the basic system has been employed for decades. As we evolve toward a better understanding of information resources and information-centric security, it will be necessary to develop a more in-depth and granular valuation system for information in all its forms.


REFERENCES

  1. National Communications System Technology & Standards Division, Federal Standard 1037C, Telecommunications: Glossary of Telecommunication Terms, Washington, D.C.: General Services Administration Information Technology Service, 1996 [updated 2000; available at http://www.its.bldrgoc.gov/].
  2. Department of Defense, DOD Dictionary of Military and Associated Terms [online database available at www.dtic.mil/doctrine/index].