Ponemon study shows data valuation discrepancies in enterprises

Security and IT may play a larger role in prioritizing confidential and proprietary information assets than many organizations realize, especially at companies that take an informal approach to data valuation.

Research by the Ponemon Institute released this week looked at the value of information assets and how companies underestimate data breach costs based on miscommunication about what constitutes high value assets. The research, "Understanding the Value of Information Assets," sponsored by document security vendor DocAuthority, is based on Gartner's Infonomics Data Valuation Model, which attempts to evaluate data assets in the same way as physical, financial and human capital.

Ponemon surveyed 2,820 professionals in the United States and the United Kingdom, whose roles compromised IT security (530), IT (459), marketing and sales (456), human resources (425), finance and accounting (351), legal (336), and product and manufacturing (263).

Respondents were categorized by job function and then asked to determine the value of proprietary and confidential information per record or per file based on predetermined data types. They were also asked to rate the importance of six elements that contribute to an asset's total value including its business, cost, economic, market, performance and intrinsic value (correct, complete and exclusive data). The asset's impact on business performance topped the list.

The highest valued assets, according to Ponemon's findings, included research and development (R&D) documents, merger and acquisition information, pricing models, codes and scripts as well as financial documents and employee agreements.

Respondents' data valuations were determined based on a range of factors, including the impact of data reconstruction as well as data leakage to competitors, cybercriminals, the public and even other employees.

Based on respondents' data valuation (by functional area), researchers estimated that a breach of IT security's assets would result in the highest cost at $11.14 million on average, followed by product and manufacturing at $10.8 million. Surprisingly, finance and accounting ranked second to last at $7 million, followed by IT at $6.70 million.

Researchers found that the value of information assets generally decreased over time, in part because the latest data, such as R&D for example, was viewed as having more "importance" to an organization's bottom line. At the same time, IT security professionals valued the cost of reconstructing R&D documents at less than half of the data's perceived business value, $306, 545 versus $704,619. Similarly, IT security underestimated the costs of the loss of financial and accounting documents, at $131,570 compared to $303, 182 projected by respondents who worked in those job functions.

The Ponemon report also indicated that IT security professionals estimated the loss of monthly salary information for 1,000 employees at higher than HR professionals, $94,148 versus $57,477.

The mismatch in data valuations may lead to misplaced investment in data protections, warned Ponemon researchers. Unstructured data, which makes up the majority of data at many organizations, is harder to inventory, classify and control.

Response to a data breach is another area in which professionals had different outlooks based on their job functions. According to the report, respondents in legal roles indicated the highest confidence in the organization's preparation for a data security breach at 41%, while IT and product and manufacturing had the least confidence at 25%. IT security was slightly higher at 29%.