• Bookmark

The Essence of Information

By Peter T. Davis, CISA, CISM, CGEIT, COBIT Foundation, COBIT Implementation, COBIT Assessor, COBIT INCS, CISSP, CPA, CMA, CMC, DevOps FC, ITIL FC, ISO 9001 FC, ISO 20000 FC/LI/LA, ISO 27001 LI/LA, ISO 27005 Lead Risk Manager, ISO 27032 Lead Cybersecurity Manager, ISO 28000 FC, ISO 31000 Lead Risk Manager, ISTQB CTFL, Lean IT FC, Open FAIR FC, PMI-RMP, PMP, PRINCE2 FC, RESILIA FC, SFC, SSGB

COBIT Focus | 13 February 2017

I was taught that information was processed data.1 While the definition was useful, it was not very enlightening. It raised as many questions as it answered. Who uses the information? Why do I need information? For what do I use information? Where do I use information? When do I use it? How do I use it? So many questions.

We know that information is one of the 7 enablers in COBIT 5 (figure 1), so it is essential to enterprise IT governance and management.

Figure 1—COBIT 5 Enablers

Source: ISACA, COBIT 5, USA, 2012

The COBIT 5 framework shows us that information is 1 stage in the information cycle of an enterprise (figure 2).

Figure 2—Enterprise Information Cycle

Source: ISACA, COBIT 5, USA, 2012

In the COBIT 5 information cycle, which borrows from the Data Information Knowledge and Wisdom (DIKW) pyramid,2 business processes generate and process data, transforming them into information and knowledge and, ultimately, generating value for the enterprise. This definitely builds on my original definition, but does not tell us why.

In the context of DIKW, information is differentiated from data in that it is “useful.” Useful for what? Classically, information is data that are endowed with meaning and purpose. But what is the purpose?

When we study the framework, we find information goals; of particular interest is the intrinsic quality subdimension (figure 3).

Figure 3—Intrinsic Quality Subdimension

Source: ISACA, COBIT 5: Enabling Information, USA, 2013

Figure 3 brings us closer to the purpose of information. It describes the attributes of information, but it also strikes at the reason we need information. These attributes define information quality criteria, but not information itself.

But why do we need quality information? We live in a world where we are inundated with information and misinformation.3 I need some “facts” so I use my favorite search engine to look up something.4 The way I frame my question affects the result. I could ask “Are people the top risk to my organization?”5 or “What are the top risk factors to my organization?” You will get very different results to these queries. The answer may confirm any bias you might have. Additionally, most search engines have complex algorithms to rank links based on your previous queries, further accentuating your bias. This is worth noting when considering the reputation attribute of information quality. You may never see important scholarly articles, and you most likely will not see those that conflict with your views—or, at least, the algorithm’s perception of your views based on the language you used in your search history.

Biases aside, what is the real purpose of information? Perhaps we should look at the way mathematicians and scientists define it. To them, “information” is anything that reduces uncertainty. Where you see a pattern (i.e., the sequence is not random), information exists. The more information you have, the more you perceive the sequence as structured or patterned. The more information, the less uncertainty about the event under study.

Yes, some organizations sell information as a product, such as the Fourth Estate,6 bloggers and consultants, but, generally, we need information to reduce uncertainty. Why do we need to reduce uncertainty? Well, all decisions involve the future and, thus, involve some degree of uncertainty. Almost7, 8 every decision you make is forward-looking and, thus, involves some degree of uncertainty. To diminish uncertainty, we seek information that might aid in the decisions we face. This truly is the essence of information. I have caught myself saying “I cannot make a decision until I have more information.”9

Take a simple example. Information is, as we see in the COBIT 5 framework, an input and output. I generate performance reports as an output that represents historical data and provide them to the governing body that, in turn, uses the information as input to determine whether I am contributing to the goals of the organization. A decision is required and that means information is needed. And decisions involve uncertainty. I may have all the objective information in the world, but how I interpret the information is very subjective.

So, stop thinking of information as processed data and instead start thinking of it as something that reduces uncertainty. Once you understand that information helps to reduce uncertainty and use it that way, then, perhaps, you have gained some knowledge. But don’t get me started on that!

Peter T. Davis, CISA, CISM, CGEIT, COBIT Foundation, COBIT Implementation, COBIT Assessor, COBIT INCS, CISSP, CPA, CMA, CMC, DevOps FC, ITIL FC, ISO 9001 FC, ISO 20000 FC/LI/LA, ISO 27001 LI/LA, ISO 27005 Lead Risk Manager, ISO 27032 Lead Cybersecurity Manager, ISO 28000 FC, ISO 31000 Lead Risk Manager, ISTQB CTFL, Lean IT FC, Open FAIR FC, PMI-RMP, PMP, PRINCE2 FC, RESILIA FC, SFC, SSGB

Is the principal of Peter Davis+Associates, a management consulting firm specializing in IT governance, security and audit. He currently teaches COBIT 5 Foundation/Implementation/Assessor, ISO 27001 Foundation/Lead Implementer/Lead Auditor, ISO 31000/ISO 27005 Risk Manager (RM), ISO 20000 Foundation/Lead Implementer/Lead Auditor, ISO 22301 Foundation, ISO 9001 Foundation and Project Management Institute Risk Management Professional (PMI-RMP) courses.


1 Merriam-Webster defines “information” as “knowledge obtained from investigation, study, or instruction.” This means it comes from a process of some form or another.
2 Also known as the DIKW hierarchy, wisdom hierarchy, knowledge hierarchy, information hierarchy and knowledge pyramid.
3 You can generate your own fake news story at http://breakyourownnews.com.
4 I once was entering the United States and the Customs and Border Protection agent relied on Wikipedia as the authoritative source for the definition of a management consultant over the definition provided by the International Labour Organization, which is a United Nations agency. Go figure. I guess I should have updated the Wikipedia article before I headed to the airport.
5 If you have read my other COBIT Focus articles, you know this is difficult to prove or disapprove. You would need to have a controlled experiment; otherwise, as American engineer, statistician, professor and author W. Edwards Deming once said, “Without data, you're just another person with an opinion.”
6 Merriam-Webster, “fourth estate
7 I would have left this word out, but I did not want to offend anyone. You are standing in the line at Starbucks and the person at the register asks what you would like. You could use either your System 1 or lizard brain (and ask for the same thing you had the day before, which is, in itself, a subconscious decision), or your System 2 brain could race to assess all the risk: Will caffeine keep me up all night? Do I want a latte or a cappuccino? Do I need low-fat milk? Do I need the caramel topping? Do I have enough money? Would I prefer a green tea latte? So the event is almost contemporaneous with the question, but it is in the future.
8 Kahneman, D.; Thinking Fast and Slow, Farrar, Straus and Giroux, USA, 2013
9 Usually this happens when someone is asking me for a donation over the phone. But that gets us into another discussion about how people deflect what you are trying to sell them when they are negative or indifferent to your selling points.

Share: Email