07 May 2010

Business Case for Data Protection

The information held by a web application may be its most valuable asset. A research study of UK executives' attitudes to data protection risks and data breaches was published by the Ponemon Institute at the end of March.

Figure: part of a page showing text and a chart from the Ponemon Institute's report 'Business Case for Data Protection - A Study of CEOs and other C-level Executives in the United Kingdom'

The report, Business Case for Data Protection - A Study of CEOs and other C-level Executives in the United Kingdom (and a US version), was sponsored by Ounce Labs (now part of IBM). A representative sample of 115 respondents was surveyed across a range of small, medium and large enterprises. Almost 80% of the organisations surveyed had suffered a data loss in the previous 12 months. The report lists a useful priority ranking of the six types of data most critical to business operations:

  1. Financial information
  2. Intellectual property
  3. Non-financial confidential information
  4. Employee information
  5. Business customer information
  6. Customer or consumer information

Of course, other parties (e.g. partners, suppliers and customers) might regard the last two as the most important to themselves.

The findings were broadly similar to those of the 2009 survey. Maintaining reputation and brand was the organisational goal most commonly said to depend on data protection, and there seemed to be far fewer organisations for which ensuring regulatory compliance was such a goal. The ranking of the business functions that respondents felt needed to collaborate to achieve data protection goals changed somewhat, but in general the survey seems to add weight to the previous year's findings. Even the "average cost per compromised record" seemed to be about the same (the figure is in the report if you are interested).

But determining the impacts (direct and indirect costs) of data breaches is only one aspect of calculating the value of information. Recently, judges in the US have been trying to determine the loss caused by the theft of data in the TJX breach case against Albert Gonzalez (who has now been sentenced).

The ICO's report on the business case for investing in proactive privacy protection, The Privacy Dividend, describes other ways of valuing information, and not just from the business's own perspective. This seems to be the discussion the US judges were having.

Another report, published two weeks ago by SAS and the London Business School, Valuing Information as an Asset, discusses the internal business value of information. It argues for a proactive, asset-centric, value-based approach to the management of information rather than a security-centric approach, which could otherwise limit access to data instead of enabling its exploitation. Without placing a value on information, and therefore creating an economic incentive to protect it, data breaches (real breaches, not lost media) will continue.

Information in web applications should add value, and therefore it needs to be protected from internal and external threats. That should not mean it cannot be exploited to fulfil its potential (within appropriate legal, ethical and other constraints). By considering, during the design of the system, what this potential is and what value the information has to the various parties, appropriate security and privacy measures can be built in that support and enhance the business functions rather than detracting from the organisation's goals.

Posted on: 07 May 2010 at 09:48 hrs

Permalink: http://www.clerkendweller.com/2010/5/7/Business-Case-for-Data-Protection

© 2010-2012 clerkendweller.com