by Russell on October 23, 2009
I left out something important in my blog post “How to Value Digital Assets (Web Sites, etc.)” . This came to light as I read the commentary on other blogs by Andrew Jacquith, Pete Lindstrom, Matthew Rosenquist, and Gunnar Peterson. (I’m also anticipating Alex Hutton’s soon-to-come blog post.)
What good is it to know the economic value of a digital asset for the purposes of making information security decisions? If you can’t make better decisions with this information, then the metric doesn’t have any value. Skip it.
Like most things in information security management, this is less obvious and more complicated than it seems. (more tutorial…)
The digital assets in question must be worth at least as much as you pay for them [i.e. what you are willing to pay to keep it secure].
I gather that this is intended as a sanity check to trim out any obviously stupid security projects. It’s supposed to avoid controversy and debate because you aren’t arguing about probabilities, magnitude of impact for security incidents, or even the fine points of asset valuation.
In his blog post, Andrew describes some of the steps you would take to allocate specific security costs to specific digital assets. As you read through some of the details, you will start to see that the application of Lindstrom’s Razor has some complications and takes some effort. It’s not something that you’d assign to a junior staff member to crank out on a spreadsheet over a weekend.
Regardless of the pragmatics, I question whether Lindstrom’s Razor leads to better decisions, even as a crude filter for spending or investments. The underlying logic is that information security costs should be correlated to digital asset value, at least as a threshold. The implication is that higher-valued assets justify higher security investments, and vice versa.
However, this correlation is not as solid as you might think. Here are counter examples:
- Some high-value assets may have few vulnerabilities and a very small attack surface. If this is true, then the sanity threshold should be much lower than Lindstrom’s Razor suggests.
- Some low-value assets may have many vulnerabilties and large attack surface, making them prime candiates for “Top 10 list” in security incidents. Furthermore, security incidents at these assets may raise the risk of security incidents elsewhere in the information network (perhaps by attracting more attackers who, flush with initial success, use targeted attack methods to go after other assets). This situation would mean that information security investments would be justified even beyond the value of that individual digital asset. Lindstrom’s Razor might lead you to cut way back on these investments, which are otherwise justified.
Maybe you can think of other conditions where Lindstrom’s Razor leads to suboptimal or irrational decisions. Personally, I believe the situation described second bullet point above would be fairly common in large organizations due to interdependencies in the network of digital assets and also the interdependencies in business processes.
Lindstrom’s Razor isn’t worthless, it’s just too sharp. I would modify Lindstrom’s Razor by adding:
We should take a closer look at any security investment that doesn’t pass this threshold test…
Thus, “Lindstrom’s Razor” would become “Lindstrom’s Spotlight”. That is much less exciting and compelling than a Razor, but a better fit to the reality of security investment decision-making.
Another possible use of Digital Asset Value is to align security investments with business investments and priorities. Gunnar Peterson’s blog post focuses on this application:
If businesses simply used the Lindstrom Razor to assess their security alignment, it would greatly reduce the complete misalignment of security spend versus business spend. My cocktail napkin analysis says the network market is ~$39B and the network security market is ~900M, yet the software market is ~98B and the software security market is only ~150M, this just does not add up. If the 2.3% we spend to secure networks is a good number, fine, but that still means software is 0.2% invested in security. Why the lack of alignment?
This is a subtly different argument than Pete’s. Rather than focusing on individual assets and their direct security costs, Gunnar is talking about overall spending by the business in major categories, compared to overall spending on information security. The assertion is that business priorities are correlated to business spending (in aggregate), and that for information security to be aligned to business priorities, information security spending must be aligned to business spending. I think this makes quite a bit of sense for some purposes, but there are problems with this reasoning if you take it too literally. Here are a couple of case examples:
- Some categories of business spending may be very high only because of the cost structure of the projects, not because they are intrinsicly a high priority to achieve business goals. Most of the ERP projects I’ve been involved with fall into this category. They have been very costly and generally very important, but almost none have confered any lasting competitive advantage since everyone else was doing the same thing.
- In contrast, consider a little “skunk works” in an R&D lab somewhere that is able to produce game-changing products. I know of many cases where such a “skunk works” created a big percentage of the busines unit’s economic value and competitive advantage. The budget for these groups is almost always small, and sometimes even invisible, but smart executives prize these efforts very highly.
These two cases show that aggregate business spending by category is not always or necessarily correlated to business priorities.
A much better signal of business priorities is willingness to invest incremental scarce resources at the margin. In other words, if business executives had a limited pot of additional money to spend or a limited pool of additional skilled people to allocate, which project categories would they invest in?
In the cases listed above, almost no executives would want to spend one more dime than necessary on their ERP project. Indeed, many organizations have cut costs by cutting corners on their ERP projects — i.e. by skipping business process analysis or by underinvesting in change management. (Side comment: This is called a “package slam” in the consulting industry, and it brought down my former employer, BearingPoint, when they ”package slammed” themselves! The cobbler’s children not only have no shoes, but they have had their feet cut off in the process. :-( Their demise is public information and they are now out of business, so I can safely comment.)
In contrast, if they could replicate the success of their little “skunk works”, they might fall over themselves to pour more money into it. (I know of one case where an individual programmer had a seven figure compensation package, including a percentage of revenue, just like a major Hollywood movie star. If that company could have found another such “star”, they would have jumped at the opportunity and happily paid a similar amount of money.)
Peterson’s interpretation of Lindstrom’s Razor — appling it to large categories of spending — is OK as long as it has the same clause at the start: “We should take a closer look …”.
Putting this all together, I’d say that Digital Asset Value is not very useful in any direct, simple formula combing it to information security spending or investments if it is tied to decision criteria. It is more effective as Spotlight rather than as a Razor — grounds for further analysis and investigation.
OK… so why would I put so much effort into a blog post about Digital Asset Value methods? Maybe just to please Jeramiah Grossman? … Nah… :-) Actually, I had these for four reasons in mind:
- I think it could be very useful to normalize other information security metrics — not just security spending but also allocation of resources or management attention, number or severity of security incidents, and so on. This is like “revenue per employee” in some enterprise-wide financial models. I can imagine this would be useful in comparing across widely varying business units and organization structures, etc. In this use, it’s not directly driving decisions, but it might make some metrics more comparable and meaningful in the “apples to apples” sense.
- I think it’s a useful stepping stone toward a full probabilistic risk analysis. Digital Asset Value is only a starting point. What you are trying to estimate is the probability distribution curve for total costs, given a set of assets, threats, vulnerabilities, incident patterns, and the rest. (This is where Alex is going in his soon-to-come post, I’m guessing.) In some cases, the cost of security breaches will be directly related to the value of the digital assets. In other cases, security breach costs for a class of assets may be only vaguely related to their value or not related at all (e.g. when there are large potential costs in regulatory fines, litigation, decline in credit ratings, and/or reputation damage.) What we are really after is to understand the possible and probably costs associated with security and security incidents, and not all of these costs are a function of the business value of the collection of assets. Even so…
- It is a GREAT way to start a productive dialog with line-of-business managers and executives, with the goal of increasing mutual understanding and open communication. Once you have some understanding of the relative business value of various assets, and what drives that value, then you will be in a much better position to understand how various security breaches or security policies can affect those value drivers. This is true even if you never codify it all into formal risk models. Likewise, the business people will be more receptive to understanding the dynamics of security if they see that you’ve taken an effort to understand the dynamics of their business.
- It is a GREAT way to build stronger collaborative relationships with your IT brothers and sisters who are responsible for building and maintaining the IT systems that support the business. After all, they are trying to increase business value through their efforts and investments. If the IT team, the InfoSec team, the Business team, and the Finance people are all talking the same language (business value), just imagine the new levels of cooperation and synergy. (Sing “Kumbaya” everyone! :-) )
Metrics are not solely for the purpose of giving us answers or for telling us which decision we should make. Metrics can be very useful to inform our perspective, to stimulate our intuitions and our ability to make sense of the world, and to help us think insightfully about the way the world works, even in the dim light of our limited understanding of it. For security folks, Digital Asset Value is in this category.
I dont believe that it’s absolutely necessary to calculate digital asset values to do meaningful risk analysis. Elsewhere, I’ve proposed a “Total Cost of Security” (TCoS) framework for managing business unit or enterprise information security risk and investments. This method does not depend on estimating the value of all the relevant digital assets. You might do this as a stepping stone, or in a few cases, or might use Digtal Asset Value to normalize your TCoS metrics, but it’s not a necessary precursor.
In closing, InfoSec professionals seem to have the irresistable urge to find a business value metric that is both very simple and completely non-controversial. This is probably a hopeless quest like the Holy Grail. By analogy, imagine that there are business people who want to reduce all of information security to some simple proxy like “anti-virus” or “encryption”. We’d laugh. Likewise, you shouldn’t expect to reduce the complexities of business value of information to any simple arithmetic formula. Life ain’t like that.