Steven J. Ross, CISA, CISSP, MBCP
The question in the title is not an idle one, meant to be answered: “Oh, certainly, security is very valuable.” Rather, it is a challenge to those concerned with information security to place a monetary value on the protection of information resources. In every organization in which the need for information security is recognized, there is an expenditure to protect information and the systems that manage it against natural, technical and man-made hazards. What does an organization gain for the money it pays for security? This is more than the return on security investment (ROSI),1 which deals with the payback on individual outlays for equipment, software and services that safeguard information. The question here is: how much more is a secure company worth than an insecure one?
The terms “secure” and “insecure” are very much open to interpretation. What makes an organization demonstrably insecure? Fraud? Data leakage? Privacy violations? Does the absence of those things make an organization secure? If absolute terms are avoided, we can say that some industries need and have a higher level of security than others, and that organizations within those industries also differ in the level of security they have attained. Even this is a matter of definition; some may have better access control while others make better use of encryption or have more effective business continuity plans. But, however defined or interpreted, each organization is secured to an extent that differs from every other. In that case, how much value does greater security add to a company or government agency, compared with its peers or against some absolute metric?
Is that the way security is viewed by the management of most organizations? I fear not. In many instances, security is, at worst, viewed as an annoying inconvenience best circumvented. More positively, security may be a response to regulation or perceived risk. In my experience, security is rarely perceived as a competitive advantage, and I am aware of no cases in which a financial value is placed on it. Management does not think of security that way, largely because security professionals do not make the business case for security in that manner. It is time to change that perspective.
To do so, I propose a simple thought experiment. A company has annual earnings of 1 billion (the currency is irrelevant, so long as this comes out to be a fairly large number). It has market capitalization of 6 billion. A potential buyer offers between 6 and 9 billion for the company, to be determined after a due-diligence review of its financial statements and internal controls. Assuming that the company’s books are materially correct, how much less than 9 billion would the business be worth if security were shown to be inadequate?
One view is that security would be a threshold condition for such a sale. If security did not meet some basic set of expectations, there would be no acquisition at all. Insecurity would raise questions about the stability of the business and its ability to sustain itself over the long term. The absence, or near absence, of even rudimentary security would indicate a management that is blind to potential risks. What, then, is basic security or a baseline set of controls? Exercising due diligence, one would expect to find at least a security policy supported by standards, access controls, privacy protection and some form of recoverability, especially for electronic data.
Is this a definition of “adequacy”? A C- is a passing grade, but it is hardly indicative of mastery of a subject. Still, the potential buyer of the imaginary company might accept that the necessary security was present, while using the degree of it to justify the acquisition at a lower price. I once sat across the table from a man who would make millions that very afternoon if I merely stated that my review indicated adequate, if not particularly advanced, security in the company he was about to sell. He was able to place a very clear value on security at that moment.
Another way to measure the value of security is based on the concept of sufficiency. The term sufficiency raises the question of some independent metric on which to base a decision. Such metrics exist in regulated industries and are often implicit in others. It is important to realize that appropriate security goes beyond adequacy; the adequate level is necessary but not sufficient. For example, the controls required to enforce separation of duties may be considered acceptable for financial systems, but not enough for trades over a billion or for access to trade secrets and proprietary formulas. So, if merely adequate security would enable completion of the acquisition at 6 billion, sufficient security would raise the price higher. How much higher is a matter of negotiation, but in terms of establishing value, sufficiency does raise the ante.
Sufficiency as a concept, or perhaps only as a term, has its dangers. If security is sufficient at a certain level, there is no incentive for more of it, regardless of risk. Placing a value on “just enough” security bases it on average circumstances. It ignores the possibility that security might prove insufficient in extreme but nonetheless predictable situations, thereby wiping out value all at once. I would, therefore, suggest that any definition of “sufficient security” include risk management processes.
The value of an organization’s intellectual property is tied to that of its information security. “A formal valuation of intellectual property most likely will refer to a standard of fair market value. This is the standard of value to which the analysis and all assumptions necessary in the valuation exercise have been held. It differs in some very important aspects from a strict calculation of the benefits derived from using the [intellectual property].”2 Thus, if intellectual property adds quantifiable value depending on its worth in the marketplace (very much like the thought experiment), it is wholly dependent on information security to retain that value.
The techniques for assessing the value of intellectual property include a cost approach, which values it at the aggregate expenditure required to develop it. It follows that the cost of securing intellectual property is at least a part of the added value that security brings to an organization. A market approach instead places a value on intellectual property based on what it would bring if sold.
This actually shows up on balance sheets as “goodwill and other intangible assets.”3 Even if security were viewed as only a percentage of the overall value of intellectual property, it would be possible to place a monetary figure on it.
Finally, the value of security can be determined by the income derived from it. In commercial companies, this means sales revenue, which can be shown to be tied in some instances to security. This is not just theory. In the past, I assisted a client who needed to choose between two highly respected vendors for the same service. They were equivalent in terms of effectiveness, responsiveness, financial stability and fees. I was asked to evaluate them in terms of security; one was clearly superior, especially with regard to recoverability. That company received a very lucrative contract, which added to its bottom line.
It would be foolish to attribute the value of all sales to security, but it would be equally silly to disregard it as a factor. Once again, the monetary amount is negotiable. As a part of the thought experiment, one might say that 10 percent of all sales would be lost if security were not present, or at least not sufficient for the marketplace. Taking the company’s 1 billion as the sales base for this rough exercise, security then represents 100 million in annual revenue and, at the 6-to-1 ratio of market capitalization to annual earnings assumed above, would add at least 600 million to the acquisition price.
The purpose of this discourse on the value of security is to challenge the idea that it is simply a cost to an organization. Security professionals should state the worth of their contribution in monetary terms, to establish the rationale for their activities in the same terms that profit centers do. This will provide not only a basis for managing the appropriate level of security for an organization, but will also demonstrate how much value is lost by not having enough security.
1 See Ross, Steven; “ROSI Scenarios,” Information Systems Control Journal, vol. 3, 2002. When I began writing on the subject, there was not much literature about it. Today, an Internet search on “return on security investment” brings 8,900,000 references.
2 Drews, David; “Intellectual Property Valuation Techniques,” IPMetrics, www.ipmetrics.net/IPVT.pdf
3 Ibid., p. 4–6. This is terminology from the US Financial Accounting Standard 142, of the same name.
Steven J. Ross, CISA, CISSP, MBCP is executive principal of Risk Masters Inc. He can be reached at firstname.lastname@example.org.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2011 ISACA. All rights reserved.