Kenneth F. Belva

Be honest: What’s the value of that data you’re protecting?

Last night I was at a corporate dinner and met a Cisco rep. He assured me that the value was in the network. I replied that from my perspective the value is in the data. I proceeded to give him a little thought experiment: Suppose my social security number is on a hard drive and the computer is disconnected from the network. There are plenty of security issues that still surround the hard drive, because my social security number has value even though the network is “gone”.

On the heels of this conversation, a service provider turned to me and asked whether, if I lost my PDA cell phone (and hence the data on the phone), I wouldn’t surely suffer a huge loss (as per the example above). I thought about it for a moment and replied, “Not really. It’s my personal phone. I do not keep sensitive data on my smart phone, and I back it up almost every night. The loss here would be mostly in the hardware.”

This led me to ask, “How valuable is data, ultimately?”

When I was growing up, the secret formula for Coca-Cola was the holy grail of valuable sensitive data. Imagine what Pepsi would pay for that! Well, we now have an answer to that: Pepsi will tell Coke. They’ll pay nothing and you’ll go to jail! Huh? Definitely not what we assumed to be the case long ago.

This led me to think, if I stole data, what could I really do with it? How would this data benefit me? What would the data be worth?

Answering these questions led me to realize that data has utility. By that I mean that if one cannot do anything with the data there is no value to it.

The classic example of data theft is the salesperson who finds a new job and walks out the door with the prior company’s customer list. But it’s mostly valuable to salespeople (and perhaps marketing people). I do not work in sales. I do not have relationships with clients. If I were to steal a corporate client list, what good would it really do me? Could I sell it? Perhaps, perhaps not. Look at the Coke/Pepsi example. Just to press this point as much as possible, the stolen corporate client list would most likely not be valuable to physicist Stephen Hawking. See?

Are there cases that demonstrate where data has enormous value? Absolutely. What if I am bidding for a project? If I know the competitor’s bids, that is really advantageous and worth something. (It’s interesting to note that in this example the monetary value of the data would be in relation to the dollar value of the project contract. Think about this point: the value can be quantified.)

When thinking about data, data loss and information security mechanisms, to say that data is valuable is not enough: “To whom?” and “How would it be used?” should also be answered.

I’m beginning to suspect that most data — data that cannot be utilized directly or data that has not been synthesized and aggregated from various sources in such a way as to provide utility after being mined — may be much less valuable than assumed.

5 Comments

  1. Andy Mar 19, 2007 at 11:05 am

    Related but not necessarily counter to your premise is what the costs are to the company that loses the data.

    SSNs aren’t that valuable in and of themselves. But if I’m covered by SB1386 and I have to disclose that I lost the data, regardless of its street value, the damage to my reputation could be significant.

    Sometimes it isn’t the value of the data, it’s the liability surrounding losing it.

  2. Kenneth F. Belva Mar 19, 2007 at 11:10 am

    Hi Andy,

    For my take on reputation damage and data breaches see the following paper:

    http://www.ftusecurity.com/pub/FiTechSummit_final_paper.pdf

    I’m not so sure the reputational argument really holds that much weight, although I agree that the liability of losing the data is a significant driver toward data protection.

  3. Saso Mar 19, 2007 at 9:58 pm

    Kenneth,

    Interesting paper on reputation. Unfortunately, I believe it is deeply flawed in methodology.

    By using investor confidence as a measure of overall reputation, you’re not measuring reputational risk at all. As you correctly identify in the paper, investors are worried about their investment. If the company’s performance, or ability to deliver expected results is impacted, markets will respond accordingly.

    Those breaches did not affect the company’s ability to perform, so the markets went through the initial “Oh, damn, I hold a stock that may prove to be worthless in the near future if I don’t dump it now” phase. That’s when lack of information – or expectancy of worse news to come – rules supreme. After that, things stabilize, small stock players get out of the stock, speculators slowly move back in, and things go back to normal.

    So far, it is all strictly investor confidence and nothing about reputation.

    Also, what the impact to the reputation is depends on the type of incident: if a fast-food chain were charged with backdating options, sharemarkets would definitely respond harshly. At the same time, the average consumer wouldn’t really care. Does this mean that their reputation is now tarnished?

  4. Kenneth F. Belva Mar 20, 2007 at 6:10 am

    Hi Saso,

    It seems to me, despite your objection, an indirect measurement of reputation through investor confidence is the best indicator we may have.

    You incorrectly state that “Those breaches did not affect the company’s ability to perform.” Choicepoint’s breach did affect its ability to perform and they needed to reorganize their processes, as per the paper.

    If a reputation will affect the prospects of a company, investors will take this into consideration. Sure, it’s not a direct measurement. And hence:

    My challenge to you is to create a methodology and set of metrics that can directly measure reputational damage.

    If not for indirect measurements such as stock prices/investor confidence, it seems to me that reputational arguments are very similar to the theory of Phlogiston: there may be something happening, only we really cannot talk about anything causally.

  5. Rob Lewis Mar 22, 2007 at 11:28 am

    Your considerations of data value are generally sound, but I think attackers go after the crown jewels of data because they are either revenge motivated or they know a buyer who will use the data directly.

    Your conversation with the Cisco rep is interesting, as his attitude is typical of many who place too much value and weight on network security. If you remove the data, what is the purpose and value of the network?

    I have observed signs in the security media recently that suggest an attitude shift based on the realization that network security is not fully meeting the needs of data assurance. Some of them were comments by several of the keynote speakers at the RSA show this year, who expressed the notion that information-centric security is the way to go. This would back up your assertion that the value is in the data.

2 Trackbacks

  1. […] own admission only a small percentage are from online heists. Maybe the same data, on IT systems, isn’t nearly worth as much. I’ve long thought much like Kenneth – esp. concerning the motive, intent and […]

  2. […] just posted about Kenneth Belva’s latest article on my personal blog. I don’t want to repeat myself, but PCI in Europe is a case in point […]