February, 2001
How to Value Information Security Risks

Knowledge capital is the most important asset that companies must protect

By Paul A. Strassmann

As I have noted before, most of a corporation's wealth is reflected not in its accounting records but in the valuations of knowledge capital (for discussions of this topic, see "Knowledge Metrics," September and October 1999 KMM). For more than 90 percent of U.S. corporations, this asset is greater than the financial assets that they report in audited financial statements. Yet conventional accounting methods, as defined by the accounting "book value," cannot measure it. Knowledge is embodied chiefly in the behavior of employees.

The information that exists on computer systems is of course important, but it is of less significance than knowledge. Damage to information is inflicted almost entirely by human actions and rarely by equipment failures. It is the combination of human and technological risks that we must take into account when considering what information security is all about.

One of the greatest challenges for information security professionals is to determine how to protect the corporate wealth embodied in knowledge. It is therefore useful to estimate the value of this knowledge capital prior to applying security measures. Such valuations should make it easier to explain and justify budget requests for added information security.

In this context, what matters most is the difference between the worth of a company as expressed by its book value and its total economic worth. Unfortunately, many observers view this difference only in terms of stock market multiples. Though such a measure may be useful for making stock-trading decisions, from the standpoint of information security it has little merit. The daily fluctuations in the price of shares offer little guidance for judging the persistence of information risks. Therefore, the proper mission of information security is to guard against risks that are not controlled by existing financial, accounting, engineering, administrative or insurance measures.

A useful metric
It is reasonable to think of information security as an additional form of property insurance. When contracting for an insurance policy, the worth of the insured property must be determined before discussing the amounts of insurance premiums the owner can afford. The worth of an asset also influences the type of coverage one should obtain. When evaluating the worth of information security, the use of knowledge capital metrics makes it possible to rank the probable impact of losses in consistent dollar terms.

I have found the ratio of knowledge capital per employee to be the most practical indicator for identifying the scope of potential information security risks. Companies with high levels of knowledge capital per employee are at greater risk for losses and thus become candidates for information security countermeasures that can offer enhanced protection.

The knowledge capital per employee indicator is also valuable in setting information security priorities, such as when decisions are made to allocate funds for risk-reduction projects. An example of such an assessment is shown in the table "Plenty of Knowledge Capital," which offers a sample of corporations that show some of the highest knowledge capital per employee ratios in the U.S. (based on averages from 1997 through 1999).

The figure for the average knowledge capital per employee should be used only as an approximation when performing an information security assessment. Within any enterprise, the contribution of different occupational groups to information risks will vary. In almost all cases, though, risks are concentrated in relatively few employees.

Information security measures are arduous, and executives and rank-and-file employees alike habitually see them as interfering with the efficient conduct of business. Consequently, the actual implementation of information security policies is the outcome of compromises that frequently reflect behavioral concerns rather than the magnitude of the risks.

Major security exposures are always specific and are concentrated in a few critical spots. Hazards should not be managed by relying primarily on the application of uniform "best practices" to everybody's behavior. Using the indicator of knowledge capital per employee as a policy-making tool will help by focusing security practices where they can offer the greatest value.


Paul A. Strassmann originated the trademarked concepts "information productivity", "return-on-management" and "knowledge capital."


© 2001 Freedom Technology Media Group