Many security management methods don’t rely on valuing digital assets. They get by with crude classifications (e.g. “critical”, “important”, etc.). Moreover, I dont believe that it’s absolutely necessary to calculate digital asset values to do quantitative risk analysis. But if you need to do financial justification or economic analysis of security investments or alternative architectures then you might need something more precise and defensible.
This tutorial article presents one method aimed at helping line-of-business managers (“business owners” of digital assets) make economically rational decisions. It’s somewhat simplistic, but it does take some time and effort. Yet it should be feasable for most organizations if you really care about getting good answers.
Warning: No simple spreadsheet formulas will do the job. Resist the temptation to put together magic valuation formulas based on traffic, unique visits, etc.
(This is a long post, so read on if you want the full explanation…)
A Single Method for All Seasons? No.Caveat: There is no one method that is universally applicable and accepted. A method that convinces accountants for financial reporting or for a merger or asset sale does not work for economists, and neither is going to be very comprehensible or realistic for line-of-business executives. Assessing damages for a lawsuit will use different methods yet again. What ever method chosen needs to be appropriate to the context and internally consistent. The proposed method here is aimed at business decision-makers who want to make economically rational decisions, given the available information.
When is Digital Asset Valuation UsefulBefore you plunge in to valuing digital assets, you should identify exactly why you are doing it. Here are four reasons I can think of:
- I think it could be very useful to normalize other information security metrics — not just security spending but also allocation of resources or management attention, number or severity of security incidents, and so on. This is like “revenue per employee” in some enterprise-wide financial models. I can imagine this would be useful in comparing across widely varying business units and organization structures, etc. In this use, it’s not directly driving decisions, but it might make some metrics more comparable and meaningful in the “apples to apples” sense.
- I think it’s a useful stepping stone toward a full probabilistic risk analysis. Digital Asset Value is only a starting point. What you are trying to estimate is the probability distribution curve for total costs, given a set of assets, threats, vulnerabilities, incident patterns, and the rest. (This is where Alex is going in his soon-to-come post, I’m guessing.) In some cases, the cost of security breaches will be directly related to the value of the digital assets. In other cases, security breach costs for a class of assets may be only vaguely related to their value or not related at all (e.g. when there are large potential costs in regulatory fines, litigation, decline in credit ratings, and/or reputation damage.) What we are really after is to understand the possible and probably costs associated with security and security incidents, and not all of these costs are a function of the business value of the collection of assets. Even so…
- It is a GREAT way to start a productive dialog with line-of-business managers and executives, with the goal of increasing mutual understanding and open communication. Once you have some understanding of the relative business value of various assets, and what drives that value, then you will be in a much better position to understand how various security breaches or security policies can affect those value drivers. This is true even if you never codify it all into formal risk models. Likewise, the business people will be more receptive to understanding the dynamics of security if they see that you’ve taken an effort to understand the dynamics of their business.
- It is a GREAT way to build stronger collaborative relationships with your IT brothers and sisters who are responsible for building and maintaining the IT systems that support the business. After all, they are trying to increase business value through their efforts and investments. If the IT team, the InfoSec team, the Business team, and the Finance people are all talking the same language (business value), just imagine the new levels of cooperation and synergy. (Sing “Kumbaya” everyone! :-) )
Three Principles1) The most important principle in valuing digital assets is that you can’t do it outside the context of the enterprise that gets value from the asset. (I use the word “enterprise” here to include both for-profit and not-for-profit organizations, and even government agencies.) Digital assets, for the most part, get their value from being used in context, not from a free market value.
2) This leads to the second principle of valuation: you value the digital asset according to its role in creating economic value (or, more broadly, business value, which can include non-economic goals.). While the most accurate and precise valuation requires analysis of the value creation processes (i.e. value chain analysis), it’s possible to get a decent estimate without it if you are willing to take a “cold hearted” approach to classifying assets.
This “cold hearted” approach comes from the work of Paul Strassman, and also the perspective of Nicholas Carr (Does IT Matter?). In essence, they argue that the only IT investments that have a clear positive return are those that directly contribute to revenue or competitive advantage (narrowly defined). Everything else is a cost. (Strassman has done field studies to back up his arguments.)
Therefore, the second principle is to divide digital assets into two classes – Class 1: Digital assets that directly drive revenue and/or competitive advantage, and Class 2: everything else. It’s not to say that Class 2 assets are not important. They may be very necessary. But the point is that you need to use different valuation methods.
3) The third principle is that valuation must be forward-looking. What you have already invested or spent on it is irrelevant (mostly). Economists call these “sunk costs”. You might use historical investments or costs as reference points in estimating the future, but not always. (This is where you the accountants walk out on you. :-) )
Being forward looking, your valuation will necessarily be based on projections, forecasts, and/or willingness to pay now for future events. This can lead to all sorts of errors and delusions of grandeur. This is especially true if your projections involve low probabilities and very large magnitudes. There are a few ways to minimize these sorts of errors, but that is outside the scope of what I want to cover in this article.
Identifying Assets that Drive Competitive Advantage (Class 1)Ignore most of what you hear about how information and IT in general drives competitive advantage. Every business owner will make a claim that their digital assets are critical to the enterprise’s competitive advantage. Bunk! That’s like saying “all the children are above average”.
Here’s the cold reality of competitive advantage:
- The only drivers of competitive advantage are those capabilities that allow your firm to charge higher prices than direct competitors who have an identical offering or a closest substitute.
- Alternatively, competitive advantage comes from capabilities that allow your firm to be more profitable than all your competitors while selling at or below the “market prices”.
- Also, competitive advantages can be defined in terms of differential ability to win market share at the expense of competitors or substitutes, or to expand market demand. (Similar standards can be defined for non-profits and government agencies, but the explanation is longer.)
For every business unit that has its own profit and loss statement (P&L), you can usually identify two or three sources of competitive advantage. It won’t be twenty! For each source of competitive advantage, you’ll probably be able to identify one to three digital assets that are essential to that capability.
For simplicity, let’s just consider internet-accessible assets, such as web sites, portals, web services, and so on. Let’s say you catalog these assets and come up with 1,000 individual assets. Of these, probably only five or ten will pass the test of “driving competitive advantage” – maybe fewer, or maybe no digital assets will qualify. If you run through this exercise and identify 900 out of 1,000 assets as “driving competitive advantage”, you’ve done something wrong.
Here is the acid test:
- If we doubled the quantity, quality, or performance factors of this particular digital asset, would it directly lead to greater than proportionate increase in:
- Market share?
- Market growth rate?
- Firm market value? (stock market value, private market value, etc.)
- Likewise, if the quantity, quality, or performance factors were cut in half, would it lead directly to a greater than proportionate decrease in any of those four outcomes?
If you follow this argument, you now see the critical importance for understanding the enterprise context and especially the business model and competitive strategy of the enterprise. There’s no way around it.
Valuing Digital Assets that are Competitive Advantage Drivers (Class 1)You value Class 1 assets in proportion to their ability to drive firm value, at the margin. That’s economist language. Let me break it apart.
“At the margin” means the ability to drive value with additional dollar of investment (or by reducing investment by a dollar). Visually, think of this as the slope of the value creation curve at the current level of investment. Many assets have diminishing marginal value—as you invest more, your returns gradually diminish, until they plateau or even go negative. Therefore, you don’t value the asset as if you were building it from scratch. You value it based on incremental investment (enhancing) or incremental disinvestment (detrimental to capability).
“Drive firm value” goes back to the acid test listed above. Technically, you need to convert “drive firm value” into cash flow projections, including incremental investments in the digital asset required to increase the enterprise value. A sharp MBA can do this analysis, including appropriate discount rate for the time value of money, and then arrive at a valuation that is credible and defensible.
With all the relevant data available, the analysis might take a few days or a week per asset, including review and revision cycles. Since only a few assets qualify, this shouldn’t be an undue burden. After all, these are the most important digital assets for your enterprise!
Valuing All Other Digital Assets (Class 2)Here is the most general method for valuing all the other digital assets:
- How much is the business owner willing to pay to repair or replace the digital asset, assuming it were damaged or disabled, and assuming the business owner is paying out of a fixed budget?
It only takes a little fiddling to set up this exercise. You have to enumerate the digital assets. You have to set an overall spending budget – something like 5 years of investment and maintenance for the whole set. And then you need to define what “damaged” or “diminished” means in each asset class. (You can exclude the upside case because enhancing these assets does not drive competitive advantage, by definition!) Again, it’s usually best to do a marginal analysis rather than full replacement cost.
There’s one more critical element to the exercise: viable investment alternatives outside of digital assets. Your business owner should always have the option of “do nothing” or “do something else”. This can be as simple as “buy back company stock” which should yield the company’s market rate of return. You can also make it more meaningful or tangible to line-of-business people by offering alternatives such as “increase staff” or “invest in business process changes”, with a fixed rate of return. This forces the business owner to think of the digital assets in the context of the whole value creating process and all of their goals.
Once you’ve set these factors, you then take your business owners through the “willingness to pay” exercise for all the digital assets, plus alternatives. It might take a few passes if you have a lot of digital assets. It’s very helpful to do sanity checks along the way, such as comparing actual spending or budget allocations, or resource allocations, or prioritization in service level agreements, etc.
When this is complete, you’ll have the relative economic value of all the assets, relative to each other and to the overall budget you set for the exercise. The final step is to convert these into cash flows over time, which might only take a few more calculations and normalizations. You want to make Class 1 and Class 2 asset valuations comparable. The absolute economic value numbers may not be perfect, but the relative values will be quite robust.
Notice what isn’t included in this analysis (on purpose):
- There is no mention of the volume of internet traffic to the web site, number of users, frequency of use, etc.
- There is no mention of the size or complexity of the digital asset, or the nature of the technology behind it.
- There is no mention of how the digital asset fits into the overall enterprise architecture, or whether it is state-of-the-art, or aging legacy code.
Putting it All TogetherIt won’t take much work to combine the Class 1 and Class 2 valuations into a common list where the relative values are meaningful and defensible. You can then compare these valuations to various protection investment decisions, or for use in risk analysis or business continuity planning.
How Much Time and Effort?With qualified analysts and readily available data, this whole value analysis might take three or four weeks for a large business unit. If the data is not readily available or if the business owners have no clue what drives competitive advantage, then it could take much longer.
If this amount of effort makes you or your boss gag, then ask yourself how much it is worth to you to get a good answer, as opposed to a crude prioritization or categorization that you could arrive at through a simple voting exercise.
To save time and effort, you might be tempted to use some simple spreadsheet formulas like this (made up):
- Asset Value = # unique users * average # visits per year * $ value per visit
What This Method Leaves OutOf course, there are ways of doing this analysis that are more data-driven, but they will take more time and effort and money. For example, you could build simulation models that link cost drivers and value drivers, along with models of customer and competitor behavior and strategy. Then you could run thousands of scenarios to get probabilistic estimates of cost and value. (Paul Strassman proposes Monte Carlo analysis in his books.)
To simplify things, I left out a bunch of things. The methods described above leaves out all the “option value” of digital assets. You can make decisions in the future to do different things with your digital assets, and some of these possibilities could change the payoffs or even the whole business model. Sometimes a digital asset is a “platform” for a bunch of other assets or capabilities. The method described above undervalues such platforms.
It also leaves out critical interdependencies between digital assets. You might have some Class 1 asset that is, in turn, dependent on the existence and well-function of several Class 2 assets. Some of that can come forward in the “willingness to pay” exercise, but only if the business owner understands all the interdependencies and can make smart tradeoff decisions.
It also leaves out contingent valuation that can arise from special circumstances or events. Examples include a merger or buyout, a bankruptcy, forensic investigation in the case of massive fraud, or regulatory penalties. These valuations can be layered on, but only if you estimate the likelihood of these special events.
One form of contingent valuation is asset sale. You can sell domain names on the open market. You can sell customer databases. You can even sell whole web sites, to be used as a whole or broken into reusable parts. This “market value” is a whole different class of valuation procedure, but it’s not relevant to most line-of-business executives, whose focus is on running their business using the digital assets available to them, not trading in the asset marketplace.
I’m leaving out the value of intellectual property – patents, copyright, trade secrets – that can be monetized through sale or licensing. That’s a whole other analysis.
The analysis also leaves out the impact of digital assets on intangible assets like market reputation and brand awareness. Actually, these are factored in indirectly through “drive firm value” for Class 1 and the “willingness to pay” for Class 2. This may not be wholly satisfactory for some businesses, but it’s workable for most companies.
Finally, it leaves out value creation in your ecosystem (suppliers, distributors, partners, complementary entities, regulators, etc.). This requires more sophisticated analysis.