The Business Justification For Data Security: Data Valuation

Man, nothing feels better than finishing off a few major projects. Yesterday we finalized the first draft of the Business Justification paper this series is based on, and I also squeezed out my presentation for IT Security World (in March) where I’m talking about major enterprise software security. Ah, the thrills and spills of SAP R/3 vs. Netweaver security! In our first post we provided an overview of the model. Today we’re going to dig into the first step- data valuation. For the record, we’re skipping huge chunks of the paper in these posts to focus on the meat of the model- and our invitation for reviewers is still open (official release date should be within 2 weeks). We know our data has value, but we can”t assign a definitive or fixed monetary value to it. We want to use the value to justify spending on security, but trying to tie it to purely quantitative models for investment justification is impossible. We can use educated guesses but they”re still guesses, and if we pretend they are solid metrics we”re likely to make bad risk decisions. Rather than focusing on difficult (or impossible) to measure quantitative value, let”s start our business justification framework with qualitative assessments. Keep in mind that just because we aren”t quantifying the value of the data doesn’t mean we won”t use other quantifiable metrics later in the model. Just because you cannot completely quantify the value of data, that doesn’t mean you should throw all metrics out the window. To keep things practical, let”s select a data type and assign an arbitrary value to it. To keep things simple you might use a range of numbers from 1 to 3, or “Low”, “Medium”, and “High” to represent the value of the data. For our system we will use a range of 1-5 to give us more granularity, with 1 being a low value and 5 being a high value. Another two metrics help account for business context in our valuation: frequency of use and audiences. The more often the data is used, the higher its value (generally). The audience may be a handful of people at the company, or may be partners & customers as well as internal staff. More use by more people often indicates higher value, as well as higher exposure to risk. These factors are important not only for understanding the value of information, but also the threats and risks associated with it – and so our justification for expenditures. These two items will not be used as primary indicators of value, but will modify an “intrinsic” value we will discuss more thoroughly below. As before, we will assign each metric a number from 1 to 5 , and we suggest you at least loosely define the scope of those ranges. Finally, we will examine three audiences that use the data: employees, customers, and partners; and derive a 1-5 score. The value of some data changes based on time or context, and for those cases we suggest you define and rate it differently for the different contexts. For example, product information before product release is more sensitive than the same information after release. As an example, consider student records at a university. The value of these records is considered high, and so we would assign a value of five. While the value of this data is considered “High” as it affects students financially, the frequency of use may be moderate because these records are accessed and updated mostly during a predictable window – at the beginning and end of each semester. The number of audiences for this data is two, as the records are used by various university staff (financial services and the registrar”s office), and the student (customer). Our tabular representation looks like this: < p style=”font: 12.0px Helvetica; min-height: 14.0px”> Data Value Frequency Audience Student Record 5 2 2 In our next post (later today) we’ll give you more examples of how this works. Share:

Read Post

The Business Justification for Data Security: Information Valuation Examples

In our last post, we mentioned that we’d be giving a few examples for data valuation. This is the part of the post where I try and say something pithy, but I’m totally distracted by the White House press briefing on MSNBC, so I’ll cut to the chase: As a basic exercise, let”s take a look at several common data types, discuss how they are used, and qualify their value to the organization. Several of these clearly have a high value to the organization, but others vary. Frequency of use and audience are different for every company. Before you start deriving values, you need to sit down with executives and business unit managers to find out what information you rely on in the first place, then use these valuation scenarios to help rank the information, and then feed the rest of the justification model. Credit card numbers Holding credit card data is essential for many organizations – a common requirement for dispute resolution; because most merchants sell products on the Internet, card data is subject to PCI DSS requirements. In addition to serving this primary function, customer support and marketing metrics derive value from the data. This information is used by employees and customers, but not shared with partners. < p style=”font: 12.0px Helvetica; min-height: 14.0px”> Data Value Frequency Audience Credit Card Number 4 2 3 Healthcare information (financial) Personally Identifiable Information is a common target for attackers, and a key element for fraud since it often contains financial or identifying information. For organizations such as hospitals, this information is necessary and used widely for treatment. While the access frequency may be moderate (or low, when a patient isn”t under active treatment), it is used by patients, hospital staff, and third parties such as clinicians and insurance personnel. < p style=”font: 12.0px Helvetica; min-height: 14.0px”> Data Value Frequency Audience Healthcare PII 5 3 4 Intellectual property Intellectual Property can take many forms, from patents to source code, so the values associated with this type of data vary from company to company. In the case of a publicly traded company, this may be project-related or investment information that could be used for insider trading. The value would be moderate for the employees that use this information, but high near the end of the quarter and other disclosure periods, when it’s also exposed to a wider audience. < p style=”font: 12.0px Helvetica; min-height: 14.0px”> Data Value Frequency Audience Financial IP (normal) 3 2 1 Financial IP (disclosure period) 5 2 2 Trade secrets Trade secrets are another data type to consider. While the audience may be limited to a select few individuals within the company, with low frequency of use, the business value may be extraordinarily high < p style=”font: 12.0px Helvetica; min-height: 14.0px”> Data Value Frequency Audience Trade Secrets 5 1 1 < p> Sales data The value of sales data for completed transactions varies widely by company. Pricing, customer lists, and contact information, are used widely throughout and between companies. In the hands of a competitor, this information could pose a serious threat to sales and revenue. < p style=”font: 12.0px Helvetica; min-height: 14.0px”> Data Value Frequency Audience Sales Data 2 5 4 < p> Customer Metrics The value of customer metrics varies radically from company to company. Credit card issuers, for example, may rate this data as having moderate value as it is used for fraud detection as well as sold to merchants and marketers. The information is used by employees and third party purchasers, and provided to customers to review spending. < p style=”font: 12.0px Helvetica; min-height: 14.0px”> Data Value Frequency Audience Customer Metrics 4 2 3 You can create more more categories, and even bracket dollar value ranges if you find them helpful in assigning relative value to each data type in your organization. But we want to emphasize that these are qualitative and not quantitative assessments, and they are relative within your organization rather than absolute. The point is to show that your business uses many forms of information. Each type is used for different business functions and has its own value to the organization, even if it is not in dollars. Share:

Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.