MEA$URING THE VALUE OF INFORMATION

This paper was presented at: infoWARcon'97, September 10 - 12, 1997 Sheraton Premier, Vienna, Virginia

Dr. Myron L. Cramer
Director, Information Assurance
Windermere Information Technology Systems
Annapolis, Maryland 21401
(410) 266-1900
mcramer@witsusa.com
http://www.wias.net

Abstract

This paper examines issues and methods of measuring the value of information. Topics discussed include the difference between information and data, the contextual reference for value, the different value standards for types of information, an organizational information model, and methods of attributing value. This paper also includes an assessment of the limitations of these methods. Since Information Warfare is the battle to use information superiority for a market advantage, in assessing the value of information we must consider more than just the replacement cost, but also the impact of attacks on market position. These assessments consider the market environment and the actions of potential competitors. The conclusions are that a balanced cost benefit approach is possible, but that it must consider the different types of information and must view each from the competitive perspective.

Problem Statement

There are several problems whose solution can benefit from a method for measuring the value of information. These include among others trading off risks, optimizing protection, evaluating military worth, studying cost-benefits, and analyzing cost effectiveness. With the increasing awareness being given to the vulnerabilities of the Internet and the National Information Infrastructure has come increased interest in security products and methods to protect valuable organizational information systems. This is often a new problem for corporate decision makers, and managers are confronted with a lack of conventional wisdom and predetermined solutions and at the same time a confusing assortment of security products each addressing a different aspect ofthe problem in a different way. Since the costs of these products often span several orders of magnitude, having a quantitative basis for comparison will be useful. Cost benefit analyses are a proven way of conducting the required analyses, but they require that a value be placed on the information to be protected. Without a way to quantify the value of information, it is difficult to conduct any systematic assessment of protection options.

Differences between Information and Data

Figure 1. Information is More than Data

Information is more than just the data from which it is derived. Through processing, data is placed in a context, related to other data or previous information and developed into something that is consumable by its users. Figure 1 illustrates the relationship with data which is carried on communication links, but is still just data. Adding network structures on these communication links, just packages the data into packets or other structures. It is only when these data are part of user processes that they can contribute to information. The abstract nature of these concepts makes it difficult to see a clear way to measure the value of information, even though there are established ways to quantify and characterize the associated data.

The relationship between data and information is not direct. Often a small amount of information will have greater value than large amounts, thus there is no direct relationship between the quantity of data and the value of the associated information. For this reason, it would be a mistake to use purely communication metrics to analyze information operations. The need to design cost-effective information protection architectures adds new urgency to this classic problem. There is no single metric that applies in all circumstances, but an approach using multiple metrics can be useful. The biggest mistake system evaluators can do is equate information and data and evaluate Information Warfare performance of systems from a purely data communications perspective. Within the context of overall information operations, a bandwidth-efficient distributed system transmitting a smaller number of bits is very likely to be a better system than one that dumps large amounts of raw data on its users.

Establishing Value

Three Fundamental Metrics. The three fundamental metrics are quantity, quality, and time. All other metrics can be expressed as combinations or specifications of these. Before we can assign a value to information, we need to think about what we mean by value. The simplest measure of value is dollars: how much does something earn or save us. The dollar value metric is useful for assessing contributions in a commercial context. The military uses military worth analyses to assess systems in terms of how they contribute to combat effectiveness. The military worth of information is more difficult to model due to the indirect way that information enters into combat activities. It is important to keep a larger context in mind when measuring value, since there are limitations on representing value. We also need to keep in mind that there are things that clearly have value to our society, but which cannot be reduced to a representation in either dollars or effectiveness terms.

How is Value Used? In assessing value, it helps to consider the uses we have for this metric. Applications could include, for example, a cost-effectiveness analyses or a cost-benefit analyses. A cost-effectiveness analysis is used to select the best way of accomplishing a given objective, such as protecting an information system. For alternatives providing comparable capabilities, the emphasis is on the cost analysis of the options and assigning a value to the protected information is less critical. By contrast, a cost-benefit analyses seeks to compare investments providing different capabilities. Accomplishing this requires some way to trade off higher levels of protection against the higher costs involved.

Value is Relative Although we often would like to have a simple way of assigning an absolute value to information, it is more useful to recognize that this value is relative to its context including the uses that are to be made of it as well as the actions of competitors or enemies. Some types of information, such as trade secrets are valuable to the party having them because they enable it to build better products or conduct a type of business better than those who don't have this secret information. This type of information can lose its value should it become commonly available. This is the case with intellectual capital such as software or copyrighted literature. Regardless of other functional or societal value it may carry, its commercial value derives from its ability to influence purchases or products containing it. Other types of information such as advertising or political ideas increase in value when they are widely distributed or shared. Their value lies in the impact they have on actions such as purchasing or voting decisions.

Information has a Context. We mentioned above that information derives from data in a context. One of the reasons it has been difficult to assign a value to information is that there is no one way in which this happens. Information that is very valuable to one person or organization, may be useless to someone else. Another way to say this is that information derives its value from a context that represents the uses to which the user will make of the information. Different users have a different model or value basis. We will discuss four possible value bases to illustrate this concept. There are others, but let's consider the development, operations, market, and collection bases. Each of these provides us with a methodology for assessing the value of information.

Development basis. The developmental basis takes into account the efforts and resources required to develop or reconstruct the information, independent of other considerations. Applying this basis involves defining and pricing a process to acquire or re-acquire the information should it be lost.

Operations basis. The operations basis includes the value of information to actual, ongoing operations. It is the clearest situation where information is required for consumption as part of current business processes. The premise is that if this information is lost or otherwise rendered unusable, then a set of processes will be forced to stop until the information is replaced. This value basis is heavily dependent on scenarios and user needs.

Market basis. The market basis addresses the resale value of information. Information is often developed and provided strictly to meet the needs of a user's customers. This is true in the government for the intelligence community and commercially for the news media. Although the market value of information may take into account the development costs, it is also influenced by how badly the ultimate consumer of this information needs it and the availability of alternate sources. Consider the example of the news media. During the research stage of a story, care must be taken to protect the emerging story from competitors who might break the story first. Once the story is released, confidentiality doesn't matter, but availability does. Market values are best assessed by comparisons with actual experiences since they depend on supply and demand forces, which are functions of location and time.

Collection basis. Often information (as well as other items) are generally perceived to have value without a clear or direct purpose other than simple possession. This is true of many collectable objects, and may also be true for information. How many of us have some objects from our past that we keep for sentimental reasons? Do we save data from the internet without a purpose in mind? Does this information have a value? The collection basis considers the perceived value of information to the user separate from explicit developmental, operational, or documented market value.

How Does Information Add Value?

There are many factors influencing the value of information including who the user is, what he intends to do with it, what others intend to do, and the resulting outcomes. In evaluating value in each of these models, there are different results depending on the respective outcomes.

Value = Function(information, user, user intentions, other actions, and outcome)

Revenue is one such function applicable to business operations. As illustrated in Figure 2, value depends on other factors such as resources. Knowledge by itself without the wherewithal to use it is not as valuable as information matching available resources. Consider the value of computer software. The source code for this software would carry great value to a competitor who could use it to gain insights into program design and techniques. It would have almost no value to someone who lacked the ability or resources to compile the program, and who only had use for the executable code. To a third person also lacking the software development capability but without ethical restraints of the second person, the source code might have value based on its marketability to competitors of the developer.

Figure 2. Value Depends on a User's Context

Different Types of Information

Different types of information add value in different ways. This section analyzes these types where they reside in an organization, how they contribute value, and methods to assess this value. It is important to recognize that information can take many diverse forms. Assigning and comparing the respective value of these forms is more complex than comparing similar types of information. To appreciate this diversity, consider the following representative examples, all of which illustrate some of the ways in which information is an integrated part of current day operations.

Product designs. The engineering technical designs from which products can be manufactured or otherwise produced. This may take the form of engineering drawings, or the electronic equivalents in computer-aided designing (CAD) or computer-aided manufacturing (CAM) systems.
Product technical data. Supporting technical data user manuals, maintenance manuals, and part breakouts.
Management guidance. Organizational management documents including mission statements, charters, policies and procedures manuals, strategic plans, implementation plans, unit operating plans, business plans, and marketing plans.
Operational data bases. Business operational data bases, customer account data, pending product orders, shipping load rosters, inventories, and financial records.
Operational processes. Techniques and methods of conducting business, and process descriptions.
Technical data bases. Technical parameters and other related engineering data bases used to support designs and operations.
Staff knowledge. Knowledge and know-how resident in organizational staff, reflects education, training, and experience. Includes staff knowledge of business procedures, staff technical knowledge, customer experience, and market understanding.
Computer software. Software to operate organizational information systems including office automation, mission software, and communications. Includes executable and source code, where custom applications are utilized.

Information Model

In order to put a structure on the diversity of information types, consider the general process model in Figure 2. This model includes various types of information and illustrates their relationship.

Figure 3. Information has many roles in business processes

The model begins with a mission or vision statement, which communicates the purpose of the organization to its staff, customers, or the public. Managers use this statement within a planning process to develop plans including strategic or implementation plans. These plans control the use of available resources and processes to organize and direct them toward objectives. The individual processes utilize technologies and facilities. They are operated by knowledgeable staff and are supported by the organization's data bases. Information assets are integrated into all of these in different ways; the value and risks to these information resources are different. Table 1 summarizes these relations.

Assessing Loss

In putting a value on information, the analogies with physical property are inadequate. When physical property is stolen, the original user no longer has it. Recovering this property typically involves identifying and capturing the thief to allow the property to be recovered for its rightful owner. Owning information is different; except for the cases where the media or computers holding the information is stolen. Someone stealing information usually just obtains access to the computers containing it and copies or otherwise uses it without permission. The owner of the information may still have his original copy, but the value of the information may have been reduced. There are other situations where the analogies to physical property also do not apply.

Table 1 included a reference to risks. There are different types of security threats, which can result in different types of losses. These include threats to availability, confidentiality, and integrity. There are others such as authentication, non-repudiation, reconstitution, but the main points of this paper can be made by focusing on the big three discussed here.

Availability. Availability is the assurance that information will be there for the user when required. This is the threat that comes to mind easiest when we think about attacks. Threats to availability involves the destruction or removal of the information to deny its use. This threat applies to all types of information

Confidentiality. Confidentiality is the assurance that information is not disclosed to unauthorized users. For intellectual property,confidentiality is the important issue. However, the lost property may not be replaceable, since it may relate to unique innovations or time-critical market opportunities.

Integrity. Integrity is the assurance that information has not been altered or corrupted. Examples where integrity is important include information intended for public dissemination in order to influence purchases or other actions. This information derives its value from its use. In addition to its availability, its integrity is an important issue. If this integrity is compromised, the damage done depends on proactive actions that involved storing archives and providing backup services. For integrity the real measure is confidence loss, regardless of the extent of the actual damage, so even the possibility of error in a large data base may necessitate replacement.

Table 1. Information Assets

Type	Description	Leverage	Risks
MISSION	Communicates organizational mission	Directs plans, processes, staff,data bases	Availability,integrity
PLANS	Results from planning process to organize and control processes, staff, and resources	Directs and controls resources and data to accomplish mission	Availability, confidentiality, integrity
PROCESSES	Technologies and processes to produce products	Affects interconnected processes	Availability, integrity
DATA BASES	Operational and technical data bases used by planning and other processes	Affects processes	Availability, integrity, confidentiality
STAFF KNOWLEDGE	Knowledge and know-how of staff, reflecting education, training, and experience. Knowledge of business procedures, technical knowledge, customer experience, and market understanding	Affects ability to plan and execute processes	Availability

The mission statement drives the entire organization including its planning and use of processes and resources. In most commercial instances it is something that does not change frequently, is widely disseminated, and widely known. Military scenarios are examples where missions can be expected to be regularly issued. There are some organizations where management is less communicative with its staff. Attempts to undermine mission statements could include deception, human engineering, or psychological operations. Although threats to this type of information might be unlikely or difficult, they would have grave consequences, if they could succeed. The value of mission information could be conceived to include the entire value or worth of the organization's objective.

Planning information drives resources, processes, staff, and data. This type of information may be competition-sensitive and may be limited to engaged personnel. Threats include loss of confidentiality. If a competitor knows about plans, he can adapt his actions to counter them. If planning information can be altered by an enemy, then the effectiveness of the organization in accomplishing its objective can be reduced. If the planning information can be destroyed or made otherwise unavailable, then the organizations can be brought to a standstill. The value of planning information can be as great as the results produced by the affected processes.

Process information is the technology and the know-how distributed among each of the organization's business processes. It exists in operating procedures, staff capabilities, and a variety of documentation. The availability and integrity of this information is expected to be the most important, although trade-secrets may be involved in some. For these instances, confidentiality is also a relevant factor.

Data base information is required for many of the processes to function. Since the availability and integrity of these data bases drives how effectively they will be conducted, the value of this information may be related to the impact on process effectiveness. Some data bases may contain proprietary data, whose value may also be related to the confidentiality of this information, since a competitor could use it for market advantages.

The knowledge and know-how of staff is another type of organizational information. Its availability is the most important measure, since the unavailability of a few key people may have severe operational consequences. This one is more complicated areas since a competitor can simply hire these people and obtain the benefit of their capabilities.

Information Warfare Perspective

The Information Warfare perspective is implicit in what we have discussed here, since we must always consider the competitive perspective in assigning value. After all, Information Warfare is the battle for information superiority for a market advantage. Assessments of the value of information include more than just the cost of replacing it; they should include the impact of attacks on market position. Assessments should consider the market environment and the actions of potential competitors.

Measurability of Information

Our discussions on measuring the value of information would be incomplete without acknowledging some limitations of this activity. These include being realistic on what information can be assigned value, and the degree of accuracy we should expect.

What is measurable? In physics, we learn that certain physical parameters are measurable and others are not, because they have no meaning in certain contexts. The example of the electrons in an atom. They have energy and momentum which are measurable, but the position of the electrons is neither knowable nor relevant to the atomic physics. Although, we can think of the electrons as particles (which could have positions), this is an overly simplistic model and is inconsistent with the actual behavior of electrons in microelectronics. This analogy applies to information. Although we might like to assign it a specific intrinsic value, this would not correctly represent the effects of this information in different contexts.

Uncertainty Principle. Although the engineering and accounting professions deal with numerical precision, there are many reasons why this is difficult when dealing with information. Unlike real property such as a house, it is difficult to tabulate statistical data on something in CyberSpace; it is too intangible. Although we may be able to calculate acceptable approximations, there will always be some amount of uncertainty which will be proportional to the information's time window and the associated information bandwidth within this time. This can be thought of as a type of Time-Bandwidth product that limits calculations.

References and Credits

U.S. Army Field Manual, FM 100-6, Information Operations, Chapter 2, August 1996, relationship of data and information

Professor William Read, Georgia Tech School of Public Policy, conversation on types of information, February, 1997, basis for organizational information model

Revised May 25, 1998