A client recently asked:
How do I assign a dollar value to an asset? Should I use the purchase value of the asset, replacement value or expected damage to the company if the asset were stolen or exploited?
Estimating asset value is without doubt the most frequent question we get when it comes to calculating data security risk in monetary terms. There are several practical guidelines for measuring the value of information assets:
- Use the right metric. A common mistake made by marketers who work for data security vendors is to estimate the cost of a data security breach as the number of records multiplied by some plug number. The cost of a data security breach to a company is not the same as the cost of a breached customer record to the customer. A customer may not even know that her credit card number was breached (considering that 250 million credit card numbers have been stolen in the past few years, it is a reasonable assumption that your credit card number is known to someone who stole it), and her cost is zero, isn't it? Measure the loss the company itself will bear, not a per-record figure borrowed from the customer's side.
- Ask an expert, usually the CFO. The expert can and should provide confidence intervals for the estimate. The CFO is the best source and best equipped to decide whether replacement value, purchase value (depreciated) or opportunity cost is the relevant metric for a given asset. It is fine if your CFO says that company IP is worth $50 million with a confidence level of 85%. When you do a practical threat modeling exercise you can test the sensitivity of your threat model to the confidence boundaries: if the decision you are trying to make comes out the same at the low end and the high end of the interval, the estimate is already good enough.
- Use test equipment. For example, if the cost of acquiring a customer is $50, you can write a SQL query to count how many customers you have and multiply by $50. Looking at the fixed assets and general ledger (GL) modules of the accounting system is another example of using test equipment. If you have to measure the number of credit card numbers circulating in clear text on your network, I suggest network surveillance.
- Use random sampling from a population of asset value estimators. The Rule of Five says that there is a 93.75% chance that the median of a population lies between the smallest and largest values in any random sample of five from that population (the sample misses the median only when all five values fall on the same side of it, which happens with probability 2 × (1/2)^5 = 1/16). So if you have to estimate the value of a digital asset like intellectual property, ask five people for their estimates: for example, the CFO, the CTO, a customer, your VP of marketing and a software developer who worked for one of your competitors.
- Measure in small increments and be prepared to iterate. When you do a threat modeling exercise, take small steps: measure 5-10 asset values and move on from there. Most of the information value is gained at the beginning of a measurement exercise, yet most companies measure things that have zero information value to the business because they are easy to measure (for example, how many SSH password attacks were made on company web servers) instead of the important things, like the value of a field service engineer's diagnostic database that is distributed to notebook computers.
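The two quantitative guidelines above, the sensitivity test against the CFO's confidence interval and the Rule of Five bracket on expert estimates, as an added worked example in Python. This is not code from the original post; the five estimates, the $30M..$70M interval, the threat probability, the exposure factor and the control cost are all constructed for illustration.

```python
"""Added example (not from the original post): bounding an asset value with the
Rule of Five, then testing whether a risk decision is sensitive to the
confidence interval the CFO gave for the asset's value.
All figures below are constructed for illustration."""
from dataclasses import dataclass
from statistics import median


def rule_of_n_confidence(n: int) -> float:
    """Probability that the population median lies between the min and max of
    n random samples. The bracket fails only when all n samples land on the
    same side of the median, which happens with probability 2 * (1/2)**n.
    n = 5 gives the Rule of Five figure, 0.9375."""
    if n < 1:
        raise ValueError("need at least one sample")
    return 1.0 - 2.0 * 0.5 ** n


def median_bounds(estimates):
    """Rule of Five: return (low, point, high), where low..high brackets the
    population median with the confidence above and point is the sample
    median used as the working estimate."""
    if not estimates:
        raise ValueError("need at least one estimate")
    return min(estimates), median(estimates), max(estimates)


@dataclass(frozen=True)
class Threat:
    name: str
    annual_probability: float  # P(the event happens at least once in a year)
    exposure_factor: float     # fraction of the asset's value lost per event


def annual_loss_expectancy(asset_value: float, threat: Threat) -> float:
    """Classic ALE = asset value * exposure factor * annual rate of occurrence."""
    return asset_value * threat.exposure_factor * threat.annual_probability


def sensitivity(asset_low: float, asset_high: float, threat: Threat,
                control_cost: float) -> dict:
    """Evaluate the 'is the control worth buying' decision at both ends of the
    asset-value confidence interval. If the answer flips between the ends, the
    interval is too wide to decide on and this asset is where further
    measurement has real information value."""
    ale_low = annual_loss_expectancy(asset_low, threat)
    ale_high = annual_loss_expectancy(asset_high, threat)
    worth_low = ale_low > control_cost
    worth_high = ale_high > control_cost
    return {
        "ale_low": ale_low,
        "ale_high": ale_high,
        "worth_it_at_low": worth_low,
        "worth_it_at_high": worth_high,
        "decision_sensitive": worth_low != worth_high,
    }


if __name__ == "__main__":
    # Constructed: five independent estimates (USD millions) of the company's
    # IP value from the CFO, CTO, a customer, VP marketing, ex-competitor dev.
    ip_estimates = [50.0, 80.0, 20.0, 65.0, 35.0]
    low, point, high = median_bounds(ip_estimates)
    print(f"Rule of Five: median of IP value is in ${low:.0f}M..${high:.0f}M "
          f"with {rule_of_n_confidence(5):.2%} confidence; working value ${point:.0f}M")

    # Constructed: CFO says $50M with an 85% interval of $30M..$70M, and we are
    # deciding on a $1.5M/year control against insider exfiltration of IP.
    exfil = Threat("IP exfiltration by insider", annual_probability=0.1,
                   exposure_factor=0.3)
    result = sensitivity(30e6, 70e6, exfil, control_cost=1.5e6)
    print(f"ALE at low end ${result['ale_low']:,.0f}, at high end "
          f"${result['ale_high']:,.0f}; decision sensitive: "
          f"{result['decision_sensitive']}")
```

With these constructed numbers the control is not justified at the $30M end ($0.9M expected loss) but is at the $70M end ($2.1M), so the decision is sensitive to the CFO's interval; that is the signal to spend the next measurement increment narrowing this estimate rather than on something easy like counting SSH password attempts.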