Assessing Information Assets Valuation
One of my clients recently asked me: “How do I assign a dollar value to information assets? Should I use the purchase value of the asset, replacement value or expected damage to the company if the assets were stolen or exploited?”
Estimating asset value is the most frequent question when it comes to calculating data security risk in monetary terms. Here are a few practical guidelines for measuring information assets value:
Use the right metric
A common mistake made by marketers who work for data security vendors is to estimate the cost of a data security breach as the number of records multiplied by some plug number. The cost of a data security breach to a company is not the same as the cost of a customer data record breach to a customer.
A customer may not even know that her credit card number has been breached, considering that 250 million credit card numbers have been stolen in the past few years. It is a reasonable assumption that your credit card number is known to someone who stole it, but your cost is zero, isn’t it?
Ask an expert
Usually, ask the CFO. The expert can and should provide confidence levels for his estimates, and he is best equipped to decide whether replacement value, purchase value, depreciated value or opportunity cost is the relevant metric for valuing an asset. For a practical threat modelling exercise, you can then test the sensitivity of your threat model to those confidence boundaries.
Use test equipment
For example, if the cost of acquiring a customer is $50, you can write a SQL query to find out the number of customers you have and then multiply by $50.
Looking at the fixed assets and general ledger (GL) modules is another example of using test equipment. If you have to measure the number of credit card numbers in clear text circulating on your network, I suggest network surveillance.
Use random sampling
Take a random sample from a population of asset value estimators. The ‘Rule of Five’ says that there is a 93 percent chance that the median of a population lies between the smallest and largest values in any random sample of five drawn from that population.
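The following Python script is an added worked example, not code from the article or its author. It shows why the Rule of Five gives roughly 93 percent confidence (exactly 1 - 2 * (1/2)^5 = 93.75 percent), checks that figure by Monte Carlo against a constructed population of asset values, and then applies the earlier advice about testing a threat model's sensitivity to the expert's confidence boundaries: it asks whether the "buy the control or not" decision holds at both ends of the value and likelihood ranges. All figures (the 1,000-entry population, the five sample estimates, the breach probabilities and the control cost) are constructed for illustration.

```python
"""Added example: the Rule of Five and a confidence-bound sensitivity check.
All asset values, probabilities and costs here are constructed sample data."""

import random
import statistics


def rule_of_five_confidence(n: int = 5) -> float:
    """Probability that the population median lies strictly between the
    smallest and largest of n random draws.

    Each draw lands above the median with probability 1/2 (ignoring ties).
    The median is missed only when all n draws fall on the same side, so
    P(bracketed) = 1 - 2 * (1/2) ** n.  For n = 5 this is 1 - 2/32 = 0.9375.
    """
    return 1.0 - 2.0 * (0.5 ** n)


# Constructed population of 1,000 asset values (lognormal, fixed seed so the
# run is reproducible).  Even count: the median is the mean of the two middle
# values and is therefore never itself drawn, which keeps the check strict.
_rng = random.Random(42)
POPULATION = [round(_rng.lognormvariate(10, 1), 2) for _ in range(1000)]


def simulate_rule_of_five(population, n: int = 5, trials: int = 20000,
                          seed: int = 1) -> float:
    """Monte Carlo check: draw n values at random and count how often the
    true population median is bracketed by the sample's min and max."""
    rng = random.Random(seed)
    true_median = statistics.median(population)
    hits = 0
    for _ in range(trials):
        sample = rng.sample(population, n)
        if min(sample) < true_median < max(sample):
            hits += 1
    return hits / trials


def median_bounds(sample):
    """The Rule-of-Five bracket: with ~93% confidence the population median
    lies between the smallest and largest of five random estimates."""
    return min(sample), max(sample)


def control_decision(value_low, value_high, p_low, p_high, control_cost):
    """Sensitivity check for a threat model.

    Expected annual loss is asset value times annual breach probability.
    Evaluate it at the optimistic (low/low) and pessimistic (high/high)
    corners of the expert's confidence bounds and report whether the
    'control is worth buying' conclusion is the same at both corners.
    """
    best_case = value_low * p_low
    worst_case = value_high * p_high
    buy_best = best_case > control_cost
    buy_worst = worst_case > control_cost
    return {
        "expected_loss_low": best_case,
        "expected_loss_high": worst_case,
        "robust": buy_best == buy_worst,  # False => decision depends on the bounds
    }


if __name__ == "__main__":
    print(f"analytic Rule of Five: {rule_of_five_confidence():.4f}")
    print(f"simulated Rule of Five: {simulate_rule_of_five(POPULATION):.4f}")

    # Five constructed estimates (in dollars) from different estimators.
    estimates = [12000, 80000, 45000, 9000, 30000]
    low, high = median_bounds(estimates)
    print(f"median of asset value is between ${low} and ${high} (~93% confidence)")

    # Constructed bounds: breach probability 5%..20% per year, control costs $1,000.
    result = control_decision(low, high, 0.05, 0.20, control_cost=1000)
    print(result)
```

When `robust` comes back `False`, the expected loss straddles the control cost across the confidence range, which is the signal to spend more measurement effort narrowing that particular asset's value before deciding; when it is `True`, the estimate is already good enough for the decision at hand.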
Measure in small increments and iterate.
In other words, when you do a threat model exercise, take small steps: measure 5-10 asset values and move on from there.
Most of the information value is gained at the beginning of a measurement exercise, yet most companies measure things that have zero information value to the business because they are easy to measure, while the assets that are really valuable are left out. So you end up with a company that counts how many SSH password attacks were made on its web servers instead of finding out what a field service engineer diagnostic database, distributed to notebook computers, is actually worth.
—Danny Lieberman is a serial technology innovator and data security consultant. This article is published with prior permission from www.information-security-resources.com.
