A thought-provoking piece in Forbes about the commercial value of intellectual property contains a stack (a set? A pile? A jumble? An assortment?) of remarkable statistics ... and I feel inspired to comment on one graph in particular:
Neither the Forbes piece nor the Ocean Tomo source explain how the numbers on that graph were calculated. Intangible assets are not normally reported/disclosed, and in fact are notoriously difficult to value. Various approaches could have been used to estimate the asset values but we don't know how it was done.
The valuation appears to have been based, in part, on the 'market value' or capitalization - essentially the product of the number of issued shares and the share price - of some or all of the Standard & Poor's Top 500 companies. The difference between capitalization and reported tangible asset values would estimate the value of intangibles ... but both values are somewhat uncertain. Share prices, for instance, tend to be far more volatile than tangible asset values. Having been determined by an acceptable method (i.e. conventional book-keeping, accounting and auditing practices), tangible asset values are essentially fixed, but that raises another concern since the 'book value' of a capital asset may be the value when purchased, not necessarily today's value. The accounting and tax rules for depreciating and re-valuing assets further complicate things.
Anyway, setting all those doubts and concerns aside, what does the graph tell us? If we trust the numbers, it says that over the past 40 years, the proportion of the asset value of some US-listed companies relating to intangibles has sustantially grown, relative to their tangibles. The rate of growth has fallen over the last 10 to 20 years, and the trend suggests the intangible to tangible value ratio will reach its peak of about 86% in the next 10 years.
That in turn raises all sorts of interesting questions such as why has the ratio changed so remarkably, and why is it now stabilizing? The Forbes article strongly implies that the change is largely due to a marked increase in the value of intangibles over the period (mirroring the widely reported emergence of the 'knowledge economy'), but it could equally be that tangibles have fallen in value (mirroring the widely reported decline of manufacturing industry): some capital assets such as vehicles, computers and other electronics have indeed become cheaper in real terms, but we are buying more of them now so the net expenditure could be lower, the same or higher. I'm equally unsure about buildings and land. Land values increase fairly steadily, on the whole, but over the period we have seen social changes such as urbanization. City center real estate values have skyrocketed, prompting some businesses in turn to downsize HQ or head out to rural business parks and less crowded towns. New, more efficient building techniques and materials may have reduced building costs, but conversely improved building standards, environmental controls etc. may have negated or reverse those savings.
It's all very complicated!
The Forbes article uses the Ocean Tomo graph and findings from other surveys and studies to encourage young workers to take more of an interest in generating and exploiting intellectual property, particularly patents. Fair enough athough being an information risk and security professional, I have a different interest in or perspective on the same information. Seems to me the main take-home message is that we should have been substantially improving our protection for intangible assets, particularly information, in recent decades. We should be investing or spending proportionally much more on information security today than on physical security, of the order of four-to-one. So if our annual bill for physical/site security (doors, locks, barriers, guards, alarms, patrols, CCTV systems and so on) is $1m, we should expect to spend about $4m on information security (antivirus, firewalls, passwords, infosec pros, backups, patents, compliance etc.), other things being equal.
That's an intriguing thought. Even at a high level, it's hard for management to determine how much an organization ought to be spending on its information security, hence resource allocation and investment appraisal in this area are distinctly challenging. Several different approaches are used (e.g. benchmarking against other similar organizations, finger-in-the-air budgeting such as '5% more than last year', and various value assessments based around the projected costs of incidents if expenditure was cut) but none is definitive. The sizes of information security departments varies widely in practice between organizations, but perhaps now we have a more objective basis, comparing information security and physical security expenditure. While it may be no easier to determine how much ought to be spent on physical security, we do at least have the advantage of thousands of years of real-world experience in that domain!
Then again, maybe not: it all depends on whether all those numbers, assumptions, presumed causal links and assorted leaps of faith are valid.
I have a nasty, nagging feeling that the average dollar spent on information security somehow achieves less return than the average dollar spent on physical security. Is there truly a business case for investing as much as we do in, say, antivirus or information security awareness?
I believe so but I'm hard pressed to prove it. Mind you, I've given it my best shot!