Valuing Information


Before addressing the InfoSec functions, the ISSO determined that to provide an effective CIAPP with least impact to cost and schedule, it is important to establish a process to determine the value of information.

The ISSO's reasoning is that no information should be protected any more than is necessary. The rationale used by the ISSO is as follows:

The value of information is time-dependent. In other words, information has value for only a certain period of time. Information relative to a new, unique IWC widget must be highly protected, and that includes the electronic drawings, diagrams, processes, etc. However, once the new widget is announced to the public, complete with photographs of the widget, selling price, etc., much of the protected information no longer needs protection.

That information which once required protection to maintain the secrecy of this new widget can now be eliminated. This will save money for IWC because InfoSec and CIAPP costs are a parasite on the profits of IWC. Those costs must be reduced or eliminated as soon as possible. It is the constant task of the ISSO and staff to continuously look for methods to accomplish this objective.

How to Determine the Value of IWC Information

Determining the value of IWC's information is a very important task, but one that is seldom done with any systematic, logical approach by a company. However, the ISSO believed that in order to provide the program IWC required, this task should be undertaken.

The consequences of not properly classifying the IWC information could lead to overprotection, which is costly, or underprotection, which could lead to the loss of that information, and thus of profits.

To determine the value of information, the ISSO must first understand what is meant by information and what is meant by value. The ISSO must also know how to properly categorize and classify the information, and what guidelines are set forth by government agencies or businesses for determining the value and protection requirements of that information. In addition, how the information owners perceive the information and its value is crucial to classifying it. [4]

Why Is Determining Information Value Important?

If the information has value, it must be protected; protection is expensive. One should only protect that information which requires protection; only in the manner necessary based on the value of that information; and only for the period required.

The Value of Information

One might ask, "Does all the information of a company or government agency have value?" If you as the IWC ISSO were asked that question, what would be your response? The follow-on question would be "What information does not have value?" Is it that information which the receiver of the information determines has no value? When the originator of the information says so? Who determines whether information has value?

These are questions that the ISSO must ask—and answer—before trying to establish a process to set a value to any information. As you read through this material, think about the information where you work, how it is protected, why it is protected, etc.

The ISSO knows that a centralized approach would not work for valuing information, as every piece of information must be analyzed according to a specific criterion, identified according to a certain protective category, such as IWC Sensitive, and then marked and protected accordingly. The IWC ISSO knew that the best approach was to set the criteria and guidelines for the identification, marking, transmission, storage, and destruction of IWC information and have the information owners identify the information that they produce and, following the policy guidelines in the CIAPP, protect that information. Those criteria and requirements would be developed as part of the ISSO's project team that would also include various IWC department representatives, such as manufacturing, procurement, legal, security, finance, and planning.

The holder of the information may determine the value of the information. Each person places a value on the information in his or her possession. The information that is necessary to successfully complete a person's work is very valuable to that person; however, it may not be very valuable to anyone else. For example, to an accountant, the accounts payable records are very important, and without them, the accountants could not do their job. However, for the person manufacturing the company's product, that information has little or no value.

Ordinarily, the originator determines the value of the information, and that person categorizes or classifies that information, usually in accordance with the established guidelines.

Three Basic Categories of Information

Although there are no standard categories of information, most people agree that information can logically be categorized into three categories:

  • Personal, private information;

  • National security (both classified and unclassified) information (addressed in Chapter 12); and

  • Business information.

Personal, private information is an individual matter, but also a matter for the government and businesses. People may want to keep private such information about themselves as their age, weight, address, cellular-phone number, salary, and likes and dislikes.

At the same time, many countries have laws that protect information under some type of "privacy act." In businesses and government agencies, it is a matter of policy to safeguard certain information about employees, such as their ages, addresses, and salaries. Therefore, this requirement (InfoSec driver) must be considered in developing the information value and protection policy and guidelines.

Although the information is personal to the individual, others may require that information. At the same time, they have an obligation to protect that information because it is considered to have value.

Business information also requires protection based on its value. At IWC, this information is sometimes categorized as follows:

  • IWC Confidential;

  • IWC Internal Use Only;

  • IWC Private;

  • IWC Sensitive;

  • IWC Proprietary; and

  • IWC Trade Secret.

The number of categories used will vary with each company; however, the fewer categories, the fewer problems in classifying information, and also, possibly, the fewer problems in the granularity of protection required. Again, this is a cost item consideration. The IWC ISSO has found that Private, Internal Use Only, and Proprietary would meet the needs of the IWC CIAPP.

This company information must be protected because it has value to the company. The degree of protection required is also dependent on the value of the information during a specific period of time.

Types of Valued Information

Generally, the types of information which have value to the business and which require protection include the following: All forms and types of financial, scientific, technical, economic, or engineering information including, but not limited to, data, plans, tools, mechanisms, compounds, formulas, designs, prototypes, processes, procedures, programs, codes, or commercial strategies, whether tangible or intangible, and whether stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing.

Examples of information requiring protection may include research, proposals, plans, manufacturing processes, pricing, and product.

Determining Information Value

Based on an understanding of information, its value, and some practical and philosophical thoughts on the topic as stated above, the ISSO must have some sense of what must be considered when determining the value of information.

When determining the value of information, the ISSO must determine what it cost to produce that information. Also to be considered is the cost in terms of damages caused to the company if it were to be released outside protected channels. Additional consideration must be given to the cost of maintaining and protecting that information. How these processes are combined determines the value of the information. Again, don't forget to factor in the time element.

There are two basic assumptions to consider in determining the value of information: (1) all information costs some type of resource to produce, for example, money, hours, or use of equipment; and (2) not all information can cause damage if released outside protected channels.

If the information cost something to produce (and all information does) but no damage results from its release, you must still ask, "Does it have value?" If it cost something to produce, but it cannot cause damage if released outside protected channels, then why protect it?

The time factor is a key element in determining the value of information and cannot be overemphasized. Let's look at an example where information is not time dependent—or is it? There is a company picnic to take place on May 22, 2003. What is the value of the information before, on, or after that date? Does the information have value? To whom? When?

If you were looking forward to the company's annual picnic, and so was your family, the information as to when and where it was to take place had some value to you. Suppose you found out about it the day after it happened. Your family was disappointed and angry at you for not knowing, you felt bad, etc. To the company, the information had "no value." However, the fact that this employee did not receive the information left him disgruntled; he blamed the company for his latest family fight and decided to slow down his productivity for a week.

This is a simple illustration, but it indicates the value of information depending on who has and who does not have that information, as well as the time element. It also shows that what is thought to be information not worth a second thought may have repercussions costing more than the value of the information.

The following is another example: A new, secret, revolutionary widget built to compete in a very competitive marketplace is to enter the market on January 1, 2004. What is the value of that information on January 2, 2004?

Again, to stress the point, one must consider the cost to produce the information and the damage done if that information were released.

If it cost something to produce and can cause damage if released, it must be protected. If it cost something to produce but cannot cause damage if released, then why protect it? At the same time, be sensitive to dissemination. Information, to have value and to be useful, must get to the right people at the right time.

Business Information Type and Examples

Types of IWC Internal Use Only information:

  • Not generally known outside the company;

  • Not generally known through product inspection;

  • Possibly useful to a competitor; and

  • Provides some business advantage over competitors.

Examples are the company telephone book; company policies and procedures; and company organizational charts.

Types of IWC Private information:

  • Reveals technical or financial aspects of the company;

  • Indicates company's future direction;

  • Describes portions of the company business;

  • Provides a competitive edge; and

  • Identifies personal information of employees.

Examples are personnel medical records; salary information; cost data; short-term marketing plans; and dates for unannounced events.

Types of IWC Sensitive information:

  • Provides significant competitive advantage;

  • Could cause serious damage to the company; and

  • Reveals long-term company direction.

Examples are critical company technologies; critical engineering processes; and critical cost data.
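To show how the category criteria above and the time element from the widget and picnic examples combine into one decision, here is an added example (not the book's own code): the category names and their criteria are the book's; the Asset fields, the function names and the sample records are constructed here.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Added example, not the book's code: categories and criteria are the book's;
# the Asset fields, function names and sample records are constructed here.
PUBLIC = "Public (no longer needs protection)"
INTERNAL = "IWC Internal Use Only"
PRIVATE = "IWC Private"
SENSITIVE = "IWC Sensitive"

@dataclass
class Asset:
    name: str
    # IWC Sensitive criteria
    significant_competitive_advantage: bool = False
    serious_damage_if_released: bool = False
    reveals_long_term_direction: bool = False
    # IWC Private criteria
    reveals_technical_or_financial: bool = False
    indicates_future_direction: bool = False
    provides_competitive_edge: bool = False
    employee_personal_information: bool = False
    # IWC Internal Use Only criteria
    not_generally_known_outside: bool = False
    possibly_useful_to_competitor: bool = False
    public_on: Optional[date] = None  # time element: date it becomes public

def classify(asset: Asset, today: date) -> str:
    """Category needed on a given date; the highest matching tier wins.
    Once the information is public (the widget announcement) protection lapses."""
    if asset.public_on is not None and today >= asset.public_on:
        return PUBLIC
    if (asset.significant_competitive_advantage or asset.serious_damage_if_released
            or asset.reveals_long_term_direction):
        return SENSITIVE
    if (asset.reveals_technical_or_financial or asset.indicates_future_direction
            or asset.provides_competitive_edge or asset.employee_personal_information):
        return PRIVATE
    if asset.not_generally_known_outside or asset.possibly_useful_to_competitor:
        return INTERNAL
    return PUBLIC

# Constructed sample records based on the book's own examples.
WIDGET = Asset("revolutionary widget design", significant_competitive_advantage=True,
               serious_damage_if_released=True, public_on=date(2004, 1, 1))
PHONE_BOOK = Asset("company telephone book", not_generally_known_outside=True,
                   possibly_useful_to_competitor=True)
SALARY_DATA = Asset("salary information", employee_personal_information=True)
```

Running `classify(WIDGET, ...)` the day before and the day after the launch date shows the same record moving from IWC Sensitive to needing no protection at all.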

Questions to Ask When Determining Value

When determining the value of your information, you should, as a minimum, ask the following questions:

  • How much does it cost to produce?

  • How much does it cost to replace?

  • What would happen if I no longer had that information?

  • What would happen if my closest competitor had that information?

  • Is protection of the information required by law, and if so, what would happen if I didn't protect it?

[4] In the context used here, the term classify has nothing to do with classification as it relates to national security information such as Confidential, Secret, and Top Secret.


The Information Systems Security Officer's Guide. Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204