july.qxd
9/5/00
12:51 PM
Page 15
INFORMATION WARFARE
Information Warfare Attacks Can Be Against Trade Secrets and Intellectual Property. How Much is a Kilo of Your Information Worth?
Perry Luzwick

A few months ago a fellow flight passenger and I conversed about our jobs. I mentioned some challenges regarding information warfare (IW). When we debarked, he said, “Thanks for keeping us safe.” He paused and then said, “Well, at least for keeping us ahead.” I was, in fact still am, struck by two things. He characterized the situation as a race. The stakes in this race are national sovereignty, economic stability, corporate survival and individual freedom.

His comment about “keeping us safe” is of increasing concern to industry and government. Infoworld published the top 10 challenges keeping information technology executives awake at night. Number 10 was security. Number 3 was measuring the business value of technology. Number 2 was getting the most from corporate data. And the number 1 issue? Enabling business initiatives. The value of information is directly related to all four issues. If you don’t know what information is worth, how do you know which will give the best competitive advantage? How can you be sure the proper security mechanisms are used? How can you insure it? In disaster recovery and business continuity situations, how do you know which information to recover and restore first?

[Figure: Multi-Dimensional Approach for Determining the Perceived Value of Information. Axes: Information Elements (x1–x5; business units labelled Legal, R&D, Human Resources, Manufacturing, Marketing); Context (y1–y3; Tactical, Operational, Strategic); Time Sensitivity (z1–z3; Routine, Important, Critical).]

The value of information will be the cornerstone of E-commerce and the Knowledge Age. Value, or perceived value, drives resource allocation. This leads to the need to use proper protection features since not all information has the same value. Why aren’t there accounting standards for information? What information is critical enough to require deadly force by law enforcement or the military? Quantitative approaches elude us. The lack of rigorous, quantitative metrics, measures of effectiveness (MoE), and accounting standards for the value of information hinders Ecommerce and IE protection. What’s the value of information in a database? How about after it’s been profitably data mined? Converting information from an intangible to a tangible asset is essential for information to be the currency of the Knowledge Age. Since the value fluctuates, an accounting category such as ‘Transient Virtual Assets’ would be appropriate. Let’s delve into the perceived and quantitative values of information, and describe a practical application using a model to rationally allocate resources.

The reason the information environment (IE) exists is to develop, field, maintain and withdraw products and services in order to attain and maintain a competitive advantage. Whatever comprises a specific IE, the important fact remains if its elements aren’t defended, consequences can range from irritants to catastrophes.

Aspects of information are content, context and timeliness. Some content is of a lasting nature, and thus has durability. Content can be manoeuvered in cyber space, wheeling software, data mining results, and tacit knowledge. This virtual manoeuver allows swift resource reallocation, and enables effective and efficient service of many customers. Another important aspect is
Value of Information

• Information has a cost to acquire, store, maintain, and dispose
• Since information isn’t tangible and doesn’t have a monetary value, managers are unable to rationally allocate resources to protect and secure it
• Proposed formula

$$\{[(wt_1)(wt_2)(wt_3)(\ldots)](\text{attribute}_1)^2\} + \{[(wt_1)(wt_2)(wt_3)(\ldots)](\text{attribute}_2)^2\} + \{[(wt_1)(wt_2)(wt_3)(\ldots)](\text{attribute}_3)^2\} + \ldots \quad (n \text{ attributes})$$

  – Attributes based on business process or product/service
  – Weight based on:
    • Information aspects: content, context, timeliness
    • Security aspects: confidentiality, integrity, authentication, availability, and non-repudiation
    • Range from -2 to 2
tailored format. Graphics are okay if you’re at a desktop with a T-1 connection, but if you’re in the field with a 28.8 modem, graphics are a hindrance. A subset of context is perishability. Information at the tactical level may be meaningful for a few minutes, while at the strategic level it would have no value. An important subset of timeliness is capturing explicit information and tacit knowledge, organizing it and delivering it.

IW attacks make disaster recovery and business continuity plans essential. For every minute information systems are not up and fully running, revenue, profit and shareholder value are lost. What about the well-funded competition, drug cartels and hostile nation states? They overtly and covertly acquire products, then reverse engineer hardware and decompose software in order to understand how they work and to identify vulnerabilities. Tools are then developed to exploit the vulnerabilities with the purpose of narrowing or widening the competitive edge. What are they going after? Your intellectual property, trade secrets and critical technology. Avery-Dennison won a United States Economic Espionage Act case for having its trade secrets stolen. Amazon.com won a $225 million judgement for having its E-mail intercepted and used against it.

Different groups have dissimilar interests, so place emphasis on different elements within the value of information. Individuals are concerned with confidentiality and privacy, banks depend upon integrity, and the legal community wants non-repudiation. One way to account for this is to use a multi-dimensional approach to determine a perceived value of information.

As an example, the United States sends a roll-on/roll-off (RORO) ship with 100 M1A1 Abrams main battle tanks to South Korea to support an exercise. The ship encounters bad weather in the North Pacific, suffers mechanical damage, takes on water, and sinks. The value of the tanks, ship and loss of life can be accurately calculated by traditional accounting methods. Change the scenario. North Korean actions indicate probable conflict. The United States wishes to show its resolve and support for an ally, so it sends a RORO with 100 M1A1s to meet activated Army and Marine Corps Reservists airlifted to South Korea. The ship sinks. What is the value of the tanks? The perceived value is definitely higher than the accounting value. What is the value of the information to the North Koreans that the ship sank?

A value of information would help prosecutors in computer crime cases. The jury must be convinced there was a loss. What is information in a database worth? A simple approach is it took people (their compensation) and IT assets to acquire, process, store and maintain. Is there a competitive or national security loss? What’s the cost to replace the information, and the cost of lost business/profits or national security?

How does a business know what information to acquire, retain, maintain, protect and dispose? Laws and practices cover some areas. What information is valuable? It depends on content, context and time sensitivities. In the absence of accounting standards for information as a tangible asset, qualitative approaches are necessary.

Here’s a three-dimensional approach for determining the perceived value of information. Business units produce information elements. From a contextual perspective, the information is of tactical, operational or strategic nature. From a time perspective, the information is routine, important or critical. At any given time, selecting an information element, its contextual perspective, and its time perspective will result in the perceived value. Does this produce a tangible dollar figure? No. Does it help value intangibles? Absolutely. Can there be more than one perceived value at the same time? Yes.

Proactive measures must be taken to protect operations and the bottom line. Businesses could self-insure — in other words, eat a loss. Such a decision needs to be made in the presence of hard facts, not a gut feel. Do the corporation and its individual business units know how much profit they make per year? Per quarter? Per month? Per day? Per hour? Per minute? Precision is required to derive the perceived value of information because business decisions to focus finite resources on products and services need to be based on more than perceptions. How granular is the information? How much will it cost to acquire more information? Have performance MoEs for information been developed, such as leading indicators; goals (e.g. expected sales or reduced development time); incremental change and rate of change
toward those goals; and comparing against lagging indicators (e.g. last quarter’s and year’s sales, market share and profit)? What are information development and reuse costs? What extra business will be generated? Those corporations that leverage information the most effectively will lead their industries.

A more rigorous approach than using perceived value is needed. The formula in the ‘Value of Information’ box is proposed as a point of departure for further study. Information has a cost to acquire, store, maintain and dispose, so we can identify a minimum, simplistic value. The formula requires the attributes for a process, product or service to be identified. Each attribute is adjusted by a number of weights. We’ve already discussed the three information aspects of content, context and timeliness, and to these can be added the five IA aspects of confidentiality, integrity, authentication, availability and non-repudiation. Some weights are important, while others can be deleterious, so a weight can range from negative to positive two. An example is the financial community considers integrity the most important feature, so it can be assigned a factor of two. If needed, more weights can be added for greater precision. This will derive a unique number that can be used as a basis for ‘what if’ analyses.

All information should not be equally protected. Protection measures need to be added as the value of the information increases. How much should a corporation spend on firewalls, shielding, intrusion detection devices, personnel checks, motion sensors, encryption, training, anti-virus software and other protection capabilities?

A practical application is the ‘To What Extent’ Model which is used to determine a rational laydown of IA products and services. The more valuable an IE’s components are to achieving goals and a competitive advantage, the more necessary a full spectrum IE protection program. Leading off the model is validated requirements. A streamlined process to request, analyse, prioritize, and fund them should be in place. The two-dimensional graphs are based on the perceived value model. The intersection of threat and vulnerability is risk and, assuming risk and consequence management indicate the need, those risks are what need to be defended. This is important because there isn’t enough time and money to eliminate risk. Another parameter is value. The cost to obtain and replace information can be calculated. The corporation’s leading and lagging indicators and MoEs can be used to determine profit. Knowing profit and costs can lead to questions like ‘What is the value of not having the information?’ The third parameter uses the contextual and time perspectives to determine the effect on operations. The model can easily embrace more complexity.

[Figure: ‘To What Extent’ Model. Establish parameters: Validated Requirements; Risk (Threats against Vulnerabilities, each L/M/H*); Value (Profit against Cost**, each L/M/H); Effect on Operations (Context: Tactical, Operational, Strategic, against Time***). IA Sliding Scale: Confidentiality (protect consumers’, in-house, and business partners’ information; privacy, aggregation issues); Integrity (info isn’t altered or destroyed); Authentication & Identification (access control); Non-Repudiation (undeniable proof of the transaction and participants); Availability (access information in seconds, minutes, or hours; operate while under sustained attack). Output: rational laydown of IA mechanisms.
* Low, Medium, High ** To obtain and replace info and/or info infrastructure *** Routine, Important, Critical]

The IA sliding scale is applied to all the parameters. Confidentiality, integrity, authentication and identification, nonrepudiation, and availability are applied to risk, value and effect on operations. An analysis of these 15 variables is used to determine the rational laydown of security mechanisms.

Although time and contextual perspectives can shift frequently, thereby altering perceived value, not having hard figures results in inability to attain and maintain a competitive advantage, inefficient resource allocation, inadequate IE protection, and a less than optimal bottom line. With values derived through rigorous methods, information can then be carried on the books as an asset. This will spur Ecommerce and accelerate us into the Knowledge Age.
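The proposed weighted-attribute formula, worked as a ‘what if’ tool; this is an added example, not code from the article. It also flags a property of multiplying weights that a practitioner should check: two negative (deleterious) weights on one attribute cancel into a positive term. Assumptions: the trailing 2 in the formula is read as an exponent, attribute scores use a hypothetical 1-5 scale, unlisted weights are neutral, and the sample attributes and weights are constructed.

```python
from math import prod

# Weight names from the article: three information aspects plus five IA aspects.
ASPECTS = {"content", "context", "timeliness", "confidentiality", "integrity",
           "authentication", "availability", "non_repudiation"}

def term(score, weights):
    """One bracketed term: (product of the weights) * score squared."""
    for aspect, w in weights.items():
        if aspect not in ASPECTS:
            raise ValueError(f"unknown aspect: {aspect}")
        if not -2 <= w <= 2:
            raise ValueError(f"weight for {aspect} outside -2..2: {w}")
    return prod(weights.values()) * score ** 2

def information_value(attributes):
    """Sum of the terms over all n attributes."""
    return sum(term(score, weights) for score, weights in attributes.values())

def ranked(attributes):
    """Attribute names, highest term first (a protection or restore order)."""
    return sorted(attributes, key=lambda n: term(*attributes[n]), reverse=True)

def sign_cancellations(attributes):
    """Attributes whose negative weights multiply into a positive term."""
    return [name for name, (_, weights) in attributes.items()
            if sum(w < 0 for w in weights.values()) >= 2
            and prod(weights.values()) > 0]

def what_if(attributes, name, aspect, new_weight):
    """(baseline, changed) totals after changing one weight on one attribute."""
    score, weights = attributes[name]
    changed = {**attributes, name: (score, {**weights, aspect: new_weight})}
    return information_value(attributes), information_value(changed)

# Constructed sample: name -> (score on a hypothetical 1-5 scale, weights).
SAMPLE = {
    "transaction_ledger": (3.0, {"integrity": 2, "availability": 1.5}),
    "customer_records": (2.0, {"confidentiality": 2, "context": 1}),
    "stale_price_list": (2.0, {"timeliness": -1, "content": 0.5}),
}

if __name__ == "__main__":
    print("total value:", information_value(SAMPLE))
    print("priority order:", ranked(SAMPLE))
    print("integrity 2 -> 1:", what_if(SAMPLE, "transaction_ledger", "integrity", 1))
    print("sign cancellations:", sign_cancellations(SAMPLE))
```
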