(Editor's note: Art of budgeting is a series of articles that looks at several aspects of IT security budgeting....
In this third part, SearchSecurity.com columnist and defense expert Paul Strassmann will address how to justify security spending through "valuation of knowledge capital." And just what is that? Read on...)
By Paul A. Strassmann
The difficulty in dealing with the valuation of losses of knowledge as an enterprise asset, whether in the form of accumulated employee know-how, destruction of databases or security compromises, has its origins in ideas proposed over a century ago about the value of capital and labor. These theories claim that only measurable capital assets, defined as financial capital, increase the productivity of labor.
Consequently, the productivity of an enterprise was always measured only in terms of the productivity of its capital, such as return-on-assets (ROA), return-on-equity (ROE) or return-on-investment (ROI). The providers of capital were then entitled to the surplus, called profit or rent. For example: Return on Assets = Profit / Financial Capital.
That equation is true if knowledge happened to be necessary for labor to make better uses of capital, which explained a higher wage rate for labor. By this reasoning, people performing the actual labor were not an asset worthy of any special protection. Labor could receive only fair compensation for the time worked. The most they were allowed to claim is to be awarded premium wages and a bonus here or there. If employees quit and give company secrets to competitors, that would be a matter for the lawyers to handle.
The above reasoning is not only misleading, but also results in judging the value of employees, data, know-how and software on the basis of ongoing costs, rather than how fast they represent an accumulation of useful knowledge over several decades. The industrial age accounting methods do not recognize that the productivity of labor is not only a matter of wages. Productivity comes from knowledge capital aggregated in an employee's head in the form of useful training and company-relevant experience, or in the form of intelligence that spins on the firm's magnetic disks. Most importantly, productivity arises from the way people and information systems are organized as an enterprise capability in pursuit of well-chosen strategic objectives.
Whenever a security executive is asked to produce a ROI or ROA of the proposed security investments, the industrial-age theories will be of little help. The accountants may actually deny the validity of any such attempts since "knowledge assets" do not show up anywhere on their ledgers, except in the rare case where they may have been booked at acquisition cost.
Calculating Knowledge Capital
The value-added of information management is the net result of all managerial activities. The value of the wealth created by information equates the net surplus economic value-added (EVA) created by the firm, since the suppliers, the tax authorities, all labor and all shareholder expenses will have been already fully compensated. By this definition, information value-added is profit (after taxes and after preferred dividends) minus the implied "rental" value payments for the shareholder's capital (defined as Total Assets minus Total Liabilities multiplied by the cost of shareholder capital).
Economic Profit = Knowledge Capital * Cost of Capital
The creation of information value-added is something that defies the laws of conservation of energy. These laws state that the outputs of any system in the universe can never be greater than its inputs. Delivering a positive information value-added in excess of all costs must be therefore seen an act of creativity that springs forth from something that can be observed and measured only indirectly, as if it were some sort of a nuclear energy. The source of the energy that creates net information value-added is Knowledge Capital. This force can be quantified only by inferring how much economic profit it creates.
This leads to one of the most important propositions concerning the characteristics of Knowledge Capital: Today's Economic Profit is the Return Realized from Prior Accumulations of Knowledge Capital. Another way of looking at the same phenomenon is to deduce the value of Knowledge Capital from its periodic yield. If value-added is the interest earned from an accumulation of knowledge residing with the firm, then the worth of its "principal" can be calculated by dividing economic profit by the price the shareholders expect to pay for added capital.
Knowledge Capital = Economic Profit / Cost of Capital
Mergers and acquisitions of companies have made the pricing of all capital explicit. Publicly listed U.S. corporations, which account for approximately 80 percent of the value of all public companies, had financial assets worth an estimated $3.6 trillion at year-end 1998. The Knowledge Capital of these firms was $7.4 trillion, for a total corporate asset valuation of $11.0 trillion. The total market valuation for these firms was $12.3 trillion.
Market pricing of Knowledge Capital
It is the risk-adjusted estimate of future earnings, in excess of the cost of capital, which an investor is willing to pay for, that becomes the basis for the valuation of any intangible assets. Since investors cannot differentiate between the price of capital for financial or knowledge investments because they are intermingled, I use the same price for all capital as a first approximation. This yields a simple equation: Knowledge Capital = Mgmt Value-Added / Price of Capital
This relation makes it possible to prepare a revised balance sheet for any firm, by adding a line item Knowledge Capital on the asset side of the ledger, and by increasing (or decreasing) the reported valuation of shareholder equity by the identical amount.
Loss in Knowledge Capital as an Indicator of Security Risks
The calculation of the management value-added makes it possible to count the worth of the people who possess the accumulated knowledge about a company. These are the carriers of Knowledge Capital. They are the people who leave the workplace every night (and may never return), while storing in their heads knowledge acquired while receiving full pay. They possess something for which they have spent untold hours listening and talking, while delivering nothing of tangible value to paying customers. Their brains have become repositories of insights about "how things work here" -- something that is often labeled vaguely as "company culture." Their heads carry a share of the company's Knowledge Capital, which makes them shareholders of the most important asset a firm owns, even though it never shows up on any financial reports. Every such virtual shareholder of knowledge assets in fact becomes a manager, because information acquisition and information utilization are the essence of all managerial acts.
Stay tuned for another installment of budget survival guidelines over the next month when I will show how to apply the calculation of Knowledge Capital / Employee indicator for explaining information security risks.
To read my previous Art of Budgeting articles, please click here.
About the author:
Paul A. Strassmann (email@example.com) services as the chief information systems executive started in 1957. Since his "retirement" in 1993 he has continued engagements in matters related to information security.