Archive for October, 2014
Michael D. Moberly October 29, 2014 ‘A long form blog where attention span really matters’.
Computer/IT breaches breeding grounds for reputation risks…
Wisely, businesses are, for compliance, liability, and reputation reasons, quietly, but rather desperately seeking current and what they believe to be the most effective technologies and software to secure the data and information they produce, transmit, and store which has presumptively and legally been entrusted to their care and control.
Prompting and exacerbating these circumstances have been numerous, very public data breaches and thefts, particularly those afflicting large retailers victimized by conglomerations of hackers who acquire untold numbers of personal identifiers and credit information.
Certainly no argument here when such adverse events/acts successfully target a business, in most instances they, quite correctly, produce very public outcry and oversight agency ridicule which, in many instances, rapidly manifests as reputation risk, which an unfortunately high percentage of c-suites and management teams appear to assume, can be just as rapidly stabilized or favorably reversed.
How such adverse events are conceptualized…
What I am proposing is that an unnecessarily high percentage of business leaders and management teams, including the IT/computer security software development community are inclined to conceptualize adverse events affecting data/information, and the economic, competitive advantage, and reputation challenges that follow, through a security vs. an asset value and safeguard lens.
Of all the seminars and product demonstrations I have attended over the span of 25+ years, I am hard pressed to recall any IT/computer security software developer, manufacturer, or vendor framing their products’ advantages in an asset (data, information) value and/or safeguard context.
Asset value can be characterized in many ways…
Asset value of course can be characterized in numerous contexts, aside from the conventional dollar guesstimates, e.g. its proprietary status, its sensitivity to its owner – holder, or its ‘contributory value’.
Efficiencies will accrue…
I am suggesting that efficiencies can accrue to data/information safeguards if IT/computer security…
- were designed to reflect data/information value vs. the ever changing and sophisticated risk – threat trends emanating from the global hacking and cyber warfare entities.
- software were designed to detect and differentiate information asset value fluctuations and materiality and reflect same in gradations of data/information security.
Efficiencies would then accrue to IT security systems and companies in general, merely by not treating all data/information as if it had equal standing or its value was constant.
As always reader comments are most welcome!
Michael D. Moberly October 23, 2014 ‘A blog where attention span really matters’!
Company culture is a valuable, but intangible asset…
Readers recognize that a company’s ‘culture’ is a valuable and operationally and strategically critical collection of intangible assets which can favorably or unfavorably affect brand, image, goodwill, structural capital, and competitiveness.
As the U.S. and other countries’ businesses began their emergence from the economic doldrums of previous years, the Society for Human Resource Managers (SHRM) commissioned a survey in 2012 which queried 770 human resource leaders about significant workforce management and staffing challenges, for which the respondents reported, in rank order, the following…
- company culture management
- employee engagement
- employee retention
- effective performance management, and
- employee recruitment.
While I am confident readers and intangible asset strategists do not find these findings particularly revelatory, they are instructive. For example, when considered in the context that a ‘company’s culture’ frequently constitutes a convergence of intangible assets, a full 90% of the survey’s respondents identified ‘company culture management’ as being (a.) important, or (b.) very important! For company culture advocates like me, no particular surprise there.
Issues to take note of…
One is, the survey’s findings should prompt management teams and c-suites to recognize that devoting time, energy, and a modicum of resources to building – developing, and sustaining an effective and sector relevant company culture will, in most instances, deliver strategically favorable and measurable returns that contribute directly to a company’s value, sources of revenue, and sustainability.
Second, the survey’s findings give persuasive credence to the view that a well managed and customer/client/sector relevant company culture, whereby employees, management teams, c-suites, and boards collectively recognize, respect, and are consistently committed to sustaining the necessary intellectual, structural, and relationship capital, i.e., intangible assets, can, with little doubt, elevate a company’s overall performance.
Third, integral to both of the above lies the globally universal economic fact – business reality that 80+% of most companies’ value, sources of revenue, and ‘building blocks’ for achieving growth, profitability, and sustainability today lie in or evolve directly from intangible assets, one of which, of course, is the sustainability of a sector relevant company culture!
Michael D. Moberly October 21, 2014 ‘A long form blog where attention span really matters.’
In most instances, there are numerous preludes to the materialization of reputation risk…
I am hard pressed to recall any company or organization I have engaged on intangible asset matters in recent years, irrespective of industry sector, that most anyone with a modicum of familiarity with ‘reputation risk’ could not have identified at least one probable and substantial (reputation) risk waiting to materialize. Naysayers, of which there are many, often argue that risk in general, and reputation risk in particular, are inherent facets of doing business in highly competitive and predatorial global environments.
But, seldom, in my view, do reputation risks inexplicably materialize absent the presence of certain ‘risk preludes’ or prerequisites, many of which are recognizable in advance, but dismissed, neglected, or arrogantly characterized as merely being drivers of a competitive company’s culture.
A significant percentage of reputation risks erupt when (a.) certain ‘reputation undermining’ acts, behaviors, events, decisions, or culture are tolerated or encouraged and interact with a company’s operations, its transactions, or strategic planning, or (b.) management teams are unfamiliar with the development of intangible assets of which reputation is one.
The speed and trajectory of reputation risks…
The speed at which adverse events, acts, and behaviors can coalesce to become legitimate reputation risks remains somewhat speculative in as much as it is variously dependent on (a.) the time frame in which a materialized risk becomes public knowledge, (b.) the adverse economic and competitive advantage effects the risks are producing, and (c.) whether the risk finds a receptive and pre-disposed audience where the risk resonates and achieves the requisite traction which prompts its escalation. This is particularly relevant when a risk manifests in consumer – user death, injury, or adverse health.
Similarly, the trajectory which a particular (reputation) risk may take is seldom more than a ‘best guesstimate’. In other words, the trajectory of a reputation risk is similarly dependent on numerous variables and factors coalescing in a global business climate in which risks in general are becoming more asymmetric, multi-faceted, and complex insofar as mitigation or internal absorption is concerned.
It is true that some forms of reputation risk intensify quite independently, irrespective of risk prevention, mitigation, and management initiatives. Unfortunately, there is no shortage of company c-suites who naïvely assume that the speed at which some reputation risks materialize and the trajectory those risks may take is longer and more predictable than what it ultimately is.
Management teams and decision makers would be well advised to recognize there are few, if any, term (time) limits in which some types of reputation risk can materialize and produce costly and quasi-permanent damage, just ask General Motors.
Reputation risks’ rear view mirror perspective…
Engaging in a quick scan of public domain articles published in business and academic journals, blogs, government agency oversight reports, and other open source media, one quickly sees there is no shortage of media that are purposed to draw attention to the adverse effects associated with materialized reputation risks, albeit with the benefit of a rear view mirror context.
As readers know, identifying potential – probable reputation risks is not, standing alone, a particularly challenging task. But, merely identifying a potential risk seldom includes the necessary analysis and assessment of a company’s desire or ability to distinguish the myriad of acts, behaviors, verbal miscues, or process oversights, etc., which…
- can achieve the requisite traction, external appeal, and media attention to become full blown reputation risks, and
- produce rapid, near and long term adverse effects to the victim company’s economics, competitive advantages, image, goodwill, and of course, reputation.
Similarly, I find there is no particular challenge to engage in a ‘bomb damage assessment’ or reverse investigation in order to reveal reputation risk consequences. What’s necessary is to recognize and understand the points of origin and rationales why a reputation risk materialized in the first place and why it intensified.
Michael D. Moberly October 17, 2014 ‘A blog where attention span really matters’!
Business reputation risk emerging as a specialized security discipline…
Mitigating business reputation risk is evolving into a specialized discipline and presumably one that will eventually produce some obligatory (dedicated) education and certification not unlike what is already associated with other disciplines with standalone specializations. For example, in the security and asset protection field, the American Society for Industrial Security International has differentiated its membership interests and expertise through 29 Councils, each reflecting a particular facet of security, loss prevention, and asset protection to the private, public, and government sectors.
With respect to mitigating company reputation risk, I suspect, in the not too distant future, ASIS International will recognize the relevance and distinctive contributions made by reputation risk specialists and accordingly adopt another Council.
Public relations argue reputation risk rooted there…
There are countless public relations firms and solo PR practitioners who characterize mitigation and management of reputation risk as having roots in their profession and thus should be and frequently tweak their services accordingly to convey their profession as the presumptive lead, insofar as being the logical first choice resource and service which companies experiencing materialized reputation risks should turn to for mounting a response, and monitoring, mitigating, and managing such risks.
Rising percentages of security practitioners engaged in reputation risk issues…
Interesting, in as much as I am an intangible asset strategist and risk specialist, I find, anecdotally, admissions of rising percentages of security, loss prevention, and asset protection practitioners’ time being devoted to addressing risks related to a company’s intangible assets, of which reputation, brand, image and goodwill are certainly integral components.
A recent example of security’s rising interest in and obvious mandate to learn more and engage company reputation risk was evidenced by the first full presentation devoted exclusively to reputation risk being accepted for delivery at ASIS International’s 2014 (September 28 – October 1) Annual Seminar & Exhibits. The speakers for this presentation were myself, Dr. Nir Kossovsky, and Kevin Peterson with the session attracting 100+ attendees.
Security professionals are frequently horizontal lookers and thinkers…
Often, I find security, loss prevention, and asset protection practitioners possess a distinguishing attribute, that being horizontal looking and thinking. In other words, they are inclined to foresee and devise strategies to deter, mitigate, if not prevent, new and anticipated risks and threats before they materialize and adversely affect their employer or clients’ assets. More specifically, security professionals are acquiring a stronger appreciation for the economic fact that 80+% of most companies’ value, sources of revenue, and ‘building blocks’ for growth, profitability, and sustainability lie in – evolve directly from intangible assets, of which, again, company reputation is one!
Another favorable product of security’s elevated operational familiarity with intangible assets and sector – discipline specific experience with intangibles is that their ‘horizontal attributes’ render them both inclined and able to identify and unravel niches of overlooked – unmet business risks, and challenges which warrant resolution, à la risk to a company’s reputation.
Too, security administrators are well positioned to draw attention to such unrecognized or dismissed risks by characterizing them in probable, costly, and often irrevocable impact contexts.
As always, reader comments are most welcome!
Michael D. Moberly October 8, 2014 ‘A long form blog where attention span really matters’.
CENTRA Technologies 2010 study, ‘Estimating the Economic Costs of Espionage’ close to perfection…
In an excellent, but somewhat overlooked, report published in May, 2010 and prepared for CENTRA Technology by the George Bush School of Government and Public Service at Texas A&M University, researchers constructed a model initially designed for use by the government sector, but which, I find, has relevance to the private sector because it measures economic espionage losses by industry sector.
More specifically, the model identifies and distinguishes the severity and consequences of economic – cyber espionage incidents to the U.S. economy. The ‘CENTRA’ model which Texas A&M researchers constructed…
applies a (loss) ‘severity score’ between 0 and 1, and includes open source (case study, incident) information so as to provide a qualitative estimate of the economic “consequences”.
- moderate, and/or
- high adverse (economic) consequences – losses, relative to
- the victim company’s industry sector, and thus factors two sets of variables, i.e.,
- Industry variables, i.e., assess the significance of where the incident of economic espionage occurred.
Note: Industry is derived from a combination of the percentage of GDP for each of the 14 industry sectors and the susceptibility/vulnerability of each sector. This process enables the CENTRA model to be individualized to a specific industry and recognizing potentially different consequences to the U.S. economy.
- Case variables i.e., assess the significance of economic espionage incidents on the basis of…
- characteristics of the theft (incident) itself.
- costs directly attributable to the incident (loss) and
- who the beneficiaries to the incident actually are.
- Seldom are two incidents of economic espionage identical. To address this, Texas A&M researchers developed a system for weighing the variables and questions further analysis that such ‘weights’ prompt.
- So, the Texas A&M model requires practitioners to…
- first, identify the industry sector in which the incident occurred, and
- second, identify (individual, specific) ‘case – incident variables’.
Ultimately, with all the variables measured, standardized, and weighted against each other, the CENTRA model calculates an overall severity score, which corresponds to individualized (company specific) consequence to incidents of cyber-economic espionage.
This post was inspired by a George Bush School of Government and Public Service, Texas A&M University research project titled “Estimating the Economic Costs of Espionage”. The report was prepared for CENTRA Technology by the Capstone research team comprised of Rich Bell, J. Ethan Bennett, Jillian R. Boles, David M. Goodoien, Jeff W. Irving, Philip B. Kuhlman, and Amanda K. White.
As always, reader comments are most welcome.
Michael D. Moberly October 7, 2014 ‘A long form blog where attention span really matters’.
In 2013, CSIS (Center for Strategic and International Studies) and McAfee partnered to examine cyber – economic espionage impact in a manner more inclusive than what I have previously observed over the past 25+ years. Dr. James Lewis, Senior Fellow and Director of CSIS’ Center for Technology and Public Policy Program, who directed the study, offered his best guess that ‘the upper limit of the costs-losses attributed to cyber – economic espionage might be under one percent of the GDP’ (gross domestic product). Lewis also states, and I paraphrase, ‘U.S. economic costs-losses to cybercrime and economic espionage attributed specifically to – originating in China, may reach as much as $140 billion annually’.
Lewis translates the $140 billion annual IP loss to 508,000 jobs…
While I have no basis to dispute those figures, or question Dr. Lewis’ experienced and respected record of achievements in the cyber crime – economic espionage arena, I do suggest there are two key factors necessary to arrive at the $140 billion annual loss figure, i.e.,
- determining which assets and/or impacts to include (factor) and
- the methodology for determining the lost assets’ near and long term value in terms of costs and losses companies will experience with respect to such things as market space, competitive advantages, profitability, sustainability, etc.
But, Lewis claims, and I agree, describing value loss – impact estimates with broad ranges is indicative of the difficulty in calculating losses. Accordingly, companies may be reluctant to reveal (their) victimization impacts, i.e., victim companies may be inclined to (a.) conceal particular portions of their losses, or, (b.) not know how to distinguish which/what intangible assets were targeted, stolen, compromised, or misappropriated. But Lewis wisely casts wide ranging estimates of losses attributed to cyber – economic espionage in other contexts, starting with World Bank reports which state global GDP stood at about $70 trillion for the year 2011. Thus, a $400 billion loss representing the high end range of probable losses attributed to cyber crime and cyber espionage is a fraction of a percent of the global GDP figure. This, Lewis says, prompts additional questions, several of which I have been examining for many years, e.g. who are recipients and/or ultimate beneficiaries of the acquired (intangible) assets; can they expect to – be positioned to maximize those benefits, e.g., market (space) position, sector competitive advantages, reputation, value, sources of revenue, profitability, etc.
Conventional loss surveys assess – assign dollar value to losses…
Some IP and intangible asset theft – loss estimates rely on surveys, which Lewis correctly points out, generally produce imprecise findings because, among other things, respondents are inclined to “self-select” which can become a source of distortion to the findings. Lewis suggests loss estimates should be based on “scale and effect” which ‘will likely produce quite different and possibly more objective and accurate results in terms of adverse impacts and loss values’.
CSIS – McAfee Assessment model…
Lewis’ intent was to bring greater clarity and validity to the loss figures being reported, so data from ‘car crashes’, ‘retail pilferage/shrinkage’, ‘crime stats’, and ‘drug usage’ were examined for their relevance and comparison as methodologies to draw upon insofar as devising CSIS’ assessment (valuation) model. By incorporating these analogies into the design of their loss valuation assessment model, Lewis and McAfee were suggesting it’s problematic to rely on conventional (existing) survey methodologies to calculate dollar value for losses, because, among other things…
- companies that (publicly) reveal their losses are frequently unfamiliar with distinguishing the actual (proprietary, IP, intangible) assets which were stolen, compromised, or infringed, thus more guesstimates.
- intellectual property – intangible asset losses are difficult to quantify because relevant dependent variables are often absent from the equation, and, often
- the self-selection process associated with most conventional survey methodologies, frequently produces distortion in the findings.
CSIS model includes components – classifications of malicious cyber activity and economic espionage…
This, Lewis gleans, by asking ‘what should be included and counted insofar as arriving at more precise loss estimates’, i.e., there…
- was a loss of intangible assets, i.e., intellectual property, sensitive business confidential/proprietary information.
- was an actual crime committed, i.e., a violation of federal law.
- were opportunity costs, i.e., business and/or service disruptions that adversely affected consumer/customer expectations, particularly those related to the victimized company’s online activities.
- would be additional costs incurred relative to…
- re-securing their IT networks.
- achieving greater company resilience insofar as recovering from future cyber – economic espionage attacks, and
- developing/executing business continuity plans designed to provide more rapid and fuller recovery when future attacks occur.
- were damages to company reputations which tend to have a longer period for recovery, and lastly,
- were costs to re-establish and re-secure company supply chain networks.
What’s the harm…?
If Lewis is correct in inferring there have, inadvertently, become “tolerated costs” and/or ‘ceilings’ for estimating losses.
So, a different perspective; is economic-cyber espionage the greatest transfer of wealth in history, or merely a rounding error in countries’ GDP…?
The former, of course, represents a perspective intended to elevate the significance and acknowledge the adverse impact of cybercrime-economic espionage, while the latter represents a perspective intended to diminish the ‘sticker shock’ of the adverse economic impacts by characterizing them as percentages of national GDPs.
As always reader comments are most welcome.
Michael D. Moberly October 6, 2014 ‘A long form blog where attention span really matters.’
Stolen, misappropriated IP and other intangible assets…
When values are calculated and assigned to stolen, misappropriated, and/or otherwise compromised intangible assets, i.e., intellectual and structural capital particularly, they may be (a.) quite subjective, (b.) merely regurgitated guesstimates, and/or (c.) embedded with inadvertent biases or political agendas and other variables that inevitably influence high or low valuations.
For example, it’s quite common to witness pundits and open source media merely regurgitate high dollar losses (impacts) attributed to cyber – economic espionage, ranging between $100 and $500+ billion annually to the U.S. alone.
The world’s second oldest profession…
It’s important to recognize that an as yet unknown percentage of malicious cyber activity evolves into economic espionage.
There remain a percentage of policymakers, company c-suites, and management teams who find it to be especially challenging ‘to get their arms and heads around’ insofar as articulating, with strategic clarity, precisely why cyber – information asset protection security and economic espionage prevention/mitigation initiatives are essential from the outset to any business initiative.
Objective calculation of losses and costs to materialized risks…
Calculating and assigning a dollar value to losses and costs associated with cyber crimes, particularly those which culminate in economic espionage, may appear, at first blush, to be relatively straightforward tasks. But, to be sure, there is much more to calculating and assigning dollar values to costs – losses than acquiescing to mere guesstimates.
Factors that influence companies to go public with their victimization…
Going public represents, among other things, a company’s admission of being victimized followed by a guesstimated admission of the extent – value of the losses attributed to the adverse acts, which are often initially framed in passionate and angry descriptions of how the acts and losses will impact the victim’s company.
Victim anger and passion aside, we know it is challenging to determine, let alone isolate and accurately assess, asset losses rapidly. In many instances, that’s because the losses are not limited solely to stolen or undermined intellectual property or capital, i.e., trade secrets, and proprietary information, etc. Instead, the full extent of a targeted company’s losses is frequently more strategic and includes equally valuable structural and relationship capital and thus may not be immediately measurable or fully realized and calculated until well after the fact.
Again, assigning specific price tags to companies’ cyber – economic espionage losses is a challenging undertaking, because the processes are often embedded with subjective assessments that do not reflect a comprehensive accounting of the ‘contributory value’ of various assets which serve as foundations to an infringed patent. For example, it’s not especially prudent then to assume the findings of the various surveys and studies produced over the years are the result of using objective data and calculations free from the influence of larger political, social, and national security agendas.
Since the passage of the Economic Espionage Act (EEA) in October, 1996, there has been no shortage of surveys and studies produced whose focus has largely been to ‘dramatize’ the costs, losses, and adverse impacts attributed to cybercrime and economic espionage.
Having read and studied most, if not each of these studies/surveys over the past 25+ years, I interpret many of the methodologies and findings to be somewhat competitive in the sense that each appears to be conceptually broader in the ranges of dollar losses and adverse economic impacts and characterized in more dramatic fashion.
Calculating losses attributed to economic espionage requires objectively framed equations…
For many years there has been a general inclination to accept, perhaps naively, after-the-fact prognosticative research regarding the valuation of losses attributed to cyber – economic espionage.
My counsel on that matter is that any formula or conventional intangible asset valuation methodology used to calculate the loss and/or compromise of intellectual properties should differentiate the assets which have been stolen and/or compromised by category, i.e., intellectual, structural, and relationship capital.
As always, reader comments are most welcome!