How to Value Digital Assets

Russell C Thomas delivers a great post on How to Value Digital Assets.  It covers many basics and more importantly gives a good direction to take while spotlighting common pitfalls in the valuation journey.

“This tutorial article presents one method aimed at helping line-of-business managers (”business owners” of digital assets) make economically rational decisions.  It’s somewhat simplistic, but it does take some time and effort.    Yet it should be feasable for most organizations if you really care about getting good answers.  Warning: No simple spreadsheet formulas will do the job.  Resist the temptation to put together magic valuation formulas based on traffic, unique visits, etc.”

Definitely a good read for anyone wondering where to start the valuation process.  I especially like the Three Principles section.  He makes a logical separation between assets which provide direct revenue (Class 1) and those which are in a support function (Class 2).

As follow-on, I believe some other aspects may be covered under the Class 2 section including liability avoidance, direct efficiency gain, life safety, and regulatory compliance.  In certain cases we must apply a different method to determine the value, outside what has been explained.  As management may be willing to replace or upgrade, but typically such investments must have a positive ROI, therefore they provide much more value than the replacement/repair costs.

Years ago I had a stimulating conversation with the late (and some would say infamous) Dr. Bill Hancock.  Bill had trudged through the information security swamps for decades and had a unique insight to valuations of vulnerable systems, particularly single-points-of-critical-failure.  He recanted his experience evaluating an airline’s security and discovery of a minor system which was largely ignored, a weights and balances server.  Apparently when planes take off, the distribution of weight must be calculated to insure they don’t become giant ‘lawn darts’ (Bill’s colorful description) at the end of the airfield.  A data integrity compromise of this system could cause catastrophic consequences, leading to the end of the business.  Who would fly on an airline which had several take-off crashes in a single day?  It would be the critical factor to likely cause the airline to no longer exist as a viable business.  Although this was a support system, the integral value was far beyond the cost of the equipment, software, and support.

Secondly, the blog is written with the assumption the assets are already in place.  Thus, in a perfect world, a proper ROI/justification has already been made to assist the decision to acquire and land these assets.  But what if a decision to purchase or not, is the objective?  The Class 2 method then becomes circular.  The value is the expenditure management is willing to invest?  How do they know?

Overall it is a great blog.  I think it would be helpful if the author could give an example for a medium sized enterprise, with particular focus on Class 2 areas (specifically security or safety assets).  Hopefully he is willing to post such details.

Published on Categories Archive
Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.