Author: Benoit Heynderickx
04 Dec 2020
In risk quantification, the crux of the analysis lies in the value of the asset at risk or how much money is an organisation likely to lose in the event of a serious security incident. Security and risk professionals put a lot of emphasis on protecting the valuable assets their organisation possess, but do not always spend the necessary time to grasp the true value of these assets. Financial accounting is a good starting point for evaluating assets but lacks the information security lens and understanding for how severe financial losses can occur, should those assets be compromised.
The financial context
An asset is something that we use, for either personal or business reasons. It can be quantified in monetary value and most organisations disclose their list of assets and respective value in a balance sheet. Assets are typically grouped in specific categories (buildings, equipment, inventory, cash) and matched against liabilities and shareholders’ equity (loans, rents, equity). Assets are both tangible and intangible:
- Tangible: The assets listed in the balance sheet are primarily tangible assets and are valued according to the relevant accounting rules (cost of buildings or equipment and their depreciation).
- Intangible: Intangible assets can be of multiple sources (medical records, intellectual property, patents), they can add to a company’s possible future earnings and therefore can be more valuable than tangible assets. Although they don’t necessarily appear in a balance sheet as a single entry, organisations are inclined to value the intangibles with the calculation of the ‘goodwill’ especially when mergers and acquisitions occur or for business strategic reasons.
A recent survey on valuing intangible assets explains how data can be valued according to one of the three following approaches: the future revenue that could be generated from it, the value similar data has in an active market and the value it would cost the company to replace and restore the data. The latter option being similar to the information security approach as will be explained further in this blog.
The information security context
The ISF Asset Model provides a practical approach for describing the most common asset types within an organisation and associated lifecycles as follows:
- Business applications
- Technical infrastructure
When it comes to establishing an asset value, security and risk experts typically look at answering the following question:
“how much impact would the loss of an asset cause to the organisation?”
Whilst financial analysts focus on the current value of assets in the balance sheet, security and risk experts are more interested in the potential loss of value to the organisation, should a harmful event compromise the assets.
Quantifying asset values
Quantitative techniques in information risk analysis aim at giving a monetary indicator to in-scope assets. Therefore, it is useful to follow the guidance provided by the financial accounting community and join those up with figures determined by security and risk experts. Henceforth, the quantification of assets can be given at the following two stages of the risk analysis:
– First at the asset identification stage, by determining the current asset value or value to the organisation based upon financial indicators which:
- can be found in the balance sheet for tangible assets (buildings, equipment, inventory)
- require further analysis for intangible assets (PII, intellectual property).
– Next at the analysis of the loss event or business impact, by determining the direct and indirect financial costs that will incur to the organisation as a result of a security incident:
- direct costs can be directly attributed to loss event (cost of repair and restore)
- indirect costs are not directly attributed to the loss event but will occur as a result (brand and reputational damage).
Here are two fictive examples of valuation for two different types of assets.
The example illustrates how asset valuation should be determined at two stages, first as a value to the business and next as a loss estimate. It also illustrates how tangible assets can be easier to value and the initial value can be used as sound basis for future impact costs analysis.
In summary, asset valuation for information risk assessment can begin with looking at financial figures for those assets that are present in the balance sheet (tangible assets) or indirectly represented (intangible assets). Security and risk experts then need to evaluate potential losses in financial terms to determine the true value of those assets at risk.