Michael D. Moberly September 6, 2012
I, along with numerous colleagues experienced in the information (intangible) asset protection, compromise, misappropriation, theft, and economic espionage arena, know it is challenging enough just to achieve some semblance of timely detection, and it is even more challenging to quantify such losses in actual ‘dollar contexts’.
In part, methods a victim (company, organization, institution) may elect to use to quantify information asset losses will likely pivot on one or more of the following inclinations, sentiments, or factors, e.g.,
- ethnicity (country of origin) of the alleged perpetrator(s).
- the perpetrators’ position and level of trust that was delegated.
- victims’ perspective about potential reputation (risk) fallout related to the nature/type of information assets missing, i.e., if the data/information loss identified customers/clients, and if so, is there a legislative mandate to report?
- if no such mandates exist, whether the victim company elected to (voluntarily) assign a dollar value to (quantify) their loss, and if so, what methodology was used to arrive at a dollar value, i.e., where, what, and how data was collected and ultimately quantified?
- the relative importance of the information, i.e., R&D critical to a current project, potential breakthrough, and/or contract.
- the type of information, i.e., proprietary and/or competitive advantage driving intellectual, structural, and/or relationship capital (intangible assets).
- how the loss was detected, and how long it took the victim to actually discover the loss.
- are there immediate and/or strategic consequences to a value chain and stakeholders following the loss?
- the perceived or proven motive of the perpetrator(s), and whether there are ‘end user’ recipients of the information that are economic, competitive advantage, or national security adversaries.
Not discounting any of the above, I believe it’s certainly fair, perhaps even accurate to say today, that a strong and increasingly pervasive notion of ‘risks and threats’ exists today that influences victim companies to characterize information asset losses in worst-case-scenario contexts based variously on the factors, sentiments, and inclinations cited above.
One reality I am consistently conscious of with respect to characterizing information asset losses is that in most circumstances, unless literally mandated to do otherwise, it is seldom in the interest of C-suites, particularly globally operating companies which strive to sustain amicable trading – transaction relationships, to be overly ‘public’ about such victimizations and/or ‘going public’ with dollar value loss estimates.
Readers inclined to explore this phenomenon further would find it very useful and insightful to read a paper authored by Drs. Julie Ryan and Theresa Jefferson (George Washington University) aptly titled ‘The Use, Misuse, and Abuse of Statistics in Information and Security Research’.
In their paper, the authors analyzed multiple well-known surveys that tout information security trends and losses. They make a quite convincing argument that the findings are frequently anecdotal, not generalizable to the business level, and reported in a cumulative form. Collectively, this makes most findings unreliable as a basis for justifying infosec resources or their allocation.
A special thanks to Dr. Julie Ryan (George Washington University), co-author of ‘The Use, Misuse, and Abuse of Statistics in Information and Security Research’, as inspiration for this post.