Michael D. Moberly January 19, 2012
Throughout my 25+ years of experience in the intellectual property – intangible asset side of business I recall only a handful of instances in which a company had assigned (presumably calculated) a specific dollar value, beyond a subjective estimate, to stolen, infringed, or misappropriated trade secrets (proprietary information).
On the other hand, I have been part of conversations, too numerous to mention, when a company representative would offer guesstimates about the value of ‘missing’ information assets.
There are various reasons why companies do not provide more detail about a loss or compromises of a trade secret or information deemed proprietary. One reason is, there is no standard methodology to objectively calculate (assign) a more precise, defensible, and preferably unchallengeable dollar value to a loss or compromise.
Not in-frequently, I have found that when a company experiences a particularly significant information asset loss or compromise, their initial reaction is to hurriedly resurrect a laundry list of resources used to produce that asset (from its inception to its execution) along with estimates of the associated cost of those resources. In such instances, simple arithmetic would be applied to tally the costs as representing the value of the missing asset.
Such approaches provide little if any insight to the underlying and contributory (enterprise-wide) value of a compromised information asset. In other words, if the secret/proprietary information was embedded in, for example, multiple processes or procedures that permitted a company to achieve (current, future) competitive advantages or an enhanced market position, it’s unlikely such simple calculations would reveal that additional, but very real, value.
A second reason companies may be reluctant to provide more precise (dollar value) information about stolen and/or compromised trade secrets and proprietary information is that by doing so, it may become problematic from a public relations, stakeholder, and legal perspective. And, if litigation (civil, criminal action) is being considered a more thorough analysis may…
- undermine consumer – shareholder confidence.
- encourage (leaving the door open to) unflattering challenges about the validity of the methodology the company used to reach a dollar value.
- prompt (legitimate) questions about the company’s overall information asset protection capabilities and practices, on a fiduciary (responsibility) level.
Relevant to all of this is a Forester Research study (March, 2010) commissioned by Microsoft and RSA, titled ‘The Value of Corporate Secrets: How Compliance and Collaboration Affect Enterprise Perceptions of Risk’.
Having read and studied numerous similar studies, this particular study stands out in my view because the principle investigators incorporated the following into their analysis of the findings, i.e., the,
- value of sensitive information contained in corporate portfolios, as a whole.
- variety of security controls used to protect/safeguard that information.
- drivers of information security programs, i.e., what influences companies (internally, externally) to impose security controls on its information assets.
- cost and impact of enterprise data security incidents, apart from corporate (trade) secrets and sensitive, proprietary information.
The key findings of this Forrester Research study are…
1. Secrets comprise two-thirds of the value of most company information portfolios
2. Compliance, not security, is the primary driver of (information) security budgets
3. Companies focus a great deal of time/resources on preventing accidents, but theft (of trade secrets) is actually more costly.
4. The more valuable a company’s trade secrets/proprietary information is, the more ‘incidents’ a company will likely experience.
5. Chief Information Security Officers (CISO’s) typically do not know how effective, or perhaps conversely, how ineffective, their company’s information security controls really are.
Ultimately, it’s important to recognize that…
- trade secrets and proprietary information are intangible assets, and
- 65+% of most company’s value, sources of revenue, and building blocks for growth and sustainability lie in – directly evolve from intangible assets.
Michael, Great post! This is a topic (information asset valuation) I’ve been researching, consulting and biz-school lecturing on for a while. I have also developed and implemented methods for quantifying information’s value for a number of clients.
Next month Gartner will publish my first research note on what I call Infonomics–the economics of information, which enumerates the reasons for quantifying information asset value. We’ve already published a note “Predicts 2012: Information Infrastructure and Big Data” in which I recommend that organizations: “Determine a framework and methods (cost, income or market-based) with your CFO to quantify information asset financial value. Consider a supplemental balance sheet to communicate it.” (http://www.gartner.com/resId=1861215)
You and your readers might also might enjoy my recent blog on “Blunderfunding: How Organizations Use Failure as a Basis for Budgeting” (http://blogs.gartner.com/doug-laney/blunderfunding-how-organizations-use-failure-as-a-basis-for-budgeting/) which corroborates what you’re saying about knee-jerk reactions in post-loss budgeting.
Anyway, I look forward to reading more from you on this topic of emerging importance and interest.
-Doug Laney, VP Research, Gartner