
The Business Model

Each "business" is unique in what it does, and yet businesses share some things with each other. For example, all businesses involve people and things.

  • People have to be dealt with in terms of their value in doing things and have to be paid in order to keep working.
  • Things have inherent value, are inventoried and tracked, and get bought, sold, lost, and stolen.

Because most businesses deal in financial currency, this is certainly an important element of the business modeling process, but the value of most businesses is an order of magnitude or more higher than the inventory value of their assets. This difference is, in one form or another, the information value of the enterprise.

Enterprises also value different things. For example, educational institutions are generally non-profit and their main output is graduating students with life-long knowledge that will help them live better and help society prosper. Military enterprises produce the force needed to help exert influence through direct application of power, the potential for force that deters conflicts, and people and skill sets that benefit society as a whole, but they can also produce devastation and large-scale loss of life, liberty, health, and property.

Most businesses can be understood at some level in terms of:

  • Sales, Market, Brand: Brand is a reputational element of the information value of a business and represents a critical factor in sales. Information protection failures tend to harm brand, but claims of security rarely enhance brand substantially. Brand is vital to generation of leads, sales, and ease of success in business. Marketing and the markets that a business operates in dictate to a large extent the aspects of information protection that apply and the tolerance for risk and need for protection. Sales are more directly related to income. All of these also involve business processes that are key to success, and failures in these processes lead to anything from release of critical competitive information like pricing or customer details to incorrect pricing to inability to process orders. Any of these can be catastrophic to some businesses.

  • Process, Work Flow, Results: Business processes are critical to the survival of businesses, and increasingly they are highly automated. Attacks on work flows can be highly destructive and cause subtle effects like the ability for unauthorized individuals to cause unauthorized changes to business processes, grant themselves access or monies, disrupt operations, destroy logistics, and otherwise disrupt business operations.

  • Resources, Transforms, Value: Resources are transformed into value through processes. For example, land is transformed into gold through extraction processes while chemicals are transformed into medicines through chemical processes and raw data is transformed into competitive intelligence through analytical processes. These processes are fundamental to how many businesses operate and failures in these processes lead to failures in the ability of the enterprise to produce value.

  • Supply, Inventory, Transport: Many enterprises take supplies of some sort and move them from place to place in order to produce value. Wholesalers and retailers move supplies from suppliers through warehouses and storefronts into consumers or customers while many companies have internal logistics processes that support their operations in one way or another. Disruptions in the supply and logistics process can cause anything from military campaigns to businesses to fall apart.

  • AR/AP, Collections, Write-offs: With the exception of purely cash businesses, all businesses have accounts payable and receivable, collection processes, and write-offs. These processes are critical to cash flow and business operations as well as profitability and customer relations. Failures in these processes can cause businesses to lose the confidence of their customers, to offend customers, to be stolen from in large quantity, and to be unable to meet payroll or other obligations and go bankrupt. Other elements of the financial systems of businesses are also important in much the same way and are subject to malicious attack for their direct financial value.

  • Services: Infrastructure is used in conjunction with services and applications to meet the desires and needs of users. The value of the infrastructure comes in the utility of the services provided to users. If infrastructures or the services they support fail, the harm is in reduction of business utility. These services also support content that may have inherent value, lose value with exposure or time, or otherwise be affected by failures in protection. At the same time, the utility is dictated by the ability to use these services.

  • Cost, Shrinkage, Collapse: Costs and changes in costs and cost structure, shrinkage (loss and theft of inventory), and ultimately collapse of markets or businesses affect enterprises in a wide range of ways.

These and other business functions can be codified in terms of business process diagrams, and the elements of the process diagrams can be associated with failure conditions producing losses as a function of the durations of the failures. Information technology and its role in supporting these business processes can be codified by indicating which processes that technology interacts with and how losses of integrity, availability, confidentiality, use control, and accountability can impact those processes. These then are the depictions of the business that help to understand information and information technology related risks from a business perspective.
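The codification described above can be sketched as a small model. This is an added example, not part of the original article: the system names, loss figures, and the loss shape (a fixed amount plus an hourly rate after a tolerated grace period) are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

PROPERTIES = {"integrity", "availability", "confidentiality",
              "use_control", "accountability"}

@dataclass(frozen=True)
class Dependency:
    system: str               # IT system (hypothetical name)
    process: str              # business process the system supports
    prop: str                 # protection property whose loss hurts the process
    fixed: float              # loss incurred as soon as the failure occurs
    per_hour: float           # loss accrued per hour the failure lasts
    grace_hours: float = 0.0  # duration tolerated before hourly loss starts

    def __post_init__(self):
        if self.prop not in PROPERTIES:
            raise ValueError(f"unknown protection property: {self.prop}")

    def loss(self, hours):
        return self.fixed + self.per_hour * max(0.0, hours - self.grace_hours)

# Constructed sample model: every figure below is illustrative only.
DEPS = [
    Dependency("order-db", "Sales order entry", "availability", 0, 2000, 1),
    Dependency("order-db", "AR/AP collections", "availability", 0, 300, 8),
    Dependency("order-db", "AR/AP collections", "integrity", 50000, 500),
    Dependency("pricing-api", "Sales order entry", "confidentiality", 80000, 0),
    Dependency("warehouse-wms", "Supply and transport", "availability", 0, 1500, 4),
]

def process_losses(deps, system, prop, hours):
    """Loss per business process if `system` loses `prop` for `hours`."""
    out = defaultdict(float)
    for d in deps:
        if d.system == system and d.prop == prop:
            out[d.process] += d.loss(hours)
    return dict(out)

def rank_exposures(deps, hours):
    """(system, property) failures ordered by total business loss."""
    totals = defaultdict(float)
    for d in deps:
        totals[(d.system, d.prop)] += d.loss(hours)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for hours in (24, 72):  # the ranking changes with failure duration
        print(hours, "hours:", rank_exposures(DEPS, hours))
```

With these constructed figures, a confidentiality failure dominates at 24 hours while an availability failure dominates at 72, which is why the loss has to be expressed as a function of duration rather than as a single number.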

For more details and in-depth coverage of these issues, buy the Governance Guidebook.

This was last published in January 2006
