Welcome to the SecAware blog

I spy with my beady eye ...

6 Jul 2016

IP Intellectual Poverty

A thought-provoking piece in Forbes about the commercial value of intellectual property contains a stack (a set? A pile? A jumble? An assortment?) of remarkable statistics ... and I feel inspired to comment on one graph in particular:

Neither the Forbes piece nor the Ocean Tomo source explains how the numbers on that graph were calculated. Intangible assets are not normally reported/disclosed, and in fact are notoriously difficult to value. Various approaches could have been used to estimate the asset values but we don't know how it was done.

The valuation appears to have been based, in part, on the 'market value' or capitalization - essentially the product of the number of issued shares and the share price - of some or all of the Standard & Poor's Top 500 companies. The difference between capitalization and reported tangible asset values would estimate the value of intangibles ... but both values are somewhat uncertain. Share prices, for instance, tend to be far more volatile than tangible asset values. Having been determined by an acceptable method (i.e. conventional book-keeping, accounting and auditing practices), tangible asset values are essentially fixed, but that raises another concern since the 'book value' of a capital asset may be the value when purchased, not necessarily today's value. The accounting and tax rules for depreciating and re-valuing assets further complicate things.

Anyway, setting all those doubts and concerns aside, what does the graph tell us? If we trust the numbers, it says that over the past 40 years, the proportion of the asset value of some US-listed companies relating to intangibles has substantially grown, relative to their tangibles. The rate of growth has fallen over the last 10 to 20 years, and the trend suggests the intangible to tangible value ratio will reach its peak of about 86% in the next 10 years.

That in turn raises all sorts of interesting questions, such as why has the ratio changed so remarkably, and why is it now stabilizing? The Forbes article strongly implies that the change is largely due to a marked increase in the value of intangibles over the period (mirroring the widely reported emergence of the 'knowledge economy'), but it could equally be that tangibles have fallen in value (mirroring the widely reported decline of manufacturing industry): some capital assets such as vehicles, computers and other electronics have indeed become cheaper in real terms, but we are buying more of them now so the net expenditure could be lower, the same or higher. I'm equally unsure about buildings and land. Land values increase fairly steadily, on the whole, but over the period we have seen social changes such as urbanization. City center real estate values have skyrocketed, prompting some businesses in turn to downsize HQ or head out to rural business parks and less crowded towns. New, more efficient building techniques and materials may have reduced building costs, but conversely improved building standards, environmental controls etc. may have negated or reversed those savings.

It's all very complicated!

The Forbes article uses the Ocean Tomo graph and findings from other surveys and studies to encourage young workers to take more of an interest in generating and exploiting intellectual property, particularly patents. Fair enough, although being an information risk and security professional, I have a different interest in or perspective on the same information. Seems to me the main take-home message is that we should have been substantially improving our protection for intangible assets, particularly information, in recent decades. We should be investing or spending proportionally much more on information security today than on physical security, of the order of four-to-one. So if our annual bill for physical/site security (doors, locks, barriers, guards, alarms, patrols, CCTV systems and so on) is $1m, we should expect to spend about $4m on information security (antivirus, firewalls, passwords, infosec pros, backups, patents, compliance etc.), other things being equal.

That's an intriguing thought. Even at a high level, it's hard for management to determine how much an organization ought to be spending on its information security, hence resource allocation and investment appraisal in this area are distinctly challenging. Several different approaches are used (e.g. benchmarking against other similar organizations, finger-in-the-air budgeting such as '5% more than last year', and various value assessments based around the projected costs of incidents if expenditure was cut) but none is definitive. The sizes of information security departments vary widely in practice between organizations, but perhaps now we have a more objective basis, comparing information security and physical security expenditure. While it may be no easier to determine how much ought to be spent on physical security, we do at least have the advantage of thousands of years of real-world experience in that domain!

Then again, maybe not: it all depends on whether all those numbers, assumptions, presumed causal links and assorted leaps of faith are valid.

I have a nasty, nagging feeling that the average dollar spent on information security somehow achieves less return than the average dollar spent on physical security. Is there truly a business case for investing as much as we do in, say, antivirus or information security awareness? 

I believe so but I'm hard pressed to prove it. Mind you, I've given it my best shot!



  1. Hi Gary -

    Great topic and good post on it. I wanted to challenge your "nasty, nagging feeling" that information security spend achieves less return than physical security spend does. I've seen way too many times where the physical security spending has no metrics around it, like uptime. In real life, I commonly see 70% uptime as acceptable for physical security, whereas for information security it's always >99% uptime. So you need to divide your physical security spend by .70 in order to estimate what you are really paying for it in ROI terms.

    Again, thanks for the great perspective.

  2. Hi John. Many thanks for that comment - you've got me thinking! I think I understand what you're getting at, although I'm not altogether sure what 'uptime' even means in the context of physical security, hence I don't know whether 70% would be a normal or acceptable level of it. 'Uptime' for, say, the servers and other ICT equipment in the computer room would make sense in the information security context, and that's largely achieved through securing the computer room power supply, maintaining an even temperature, preventing fires and floods, and preventing unauthorized physical access. Of those, power is, in my experience, the least well controlled, paradoxically enough as a result of problems with so-called uninterruptible power supplies. UPS problems I've seen include battery failures, poorly-designed control circuitry (especially failing to cope with power glitches in both the initial reaction/response and subsequent recovery phases) and plain old overload - all of which should have been avoided or mitigated by better power monitoring and preventive maintenance, coupled with investing in better quality UPS equipment in the first place, plus better power engineering. Total power consumption is an excellent metric for the computer room, very easy to measure with clamp-on ammeters on the supply lines: squeezing more and more powerful ICT equipment into the racks has a material effect on the power demands AND the heat generated in the racks. That, for me, is an example of a highly cost-effective physical security control for the computer room, hence all the ICT services supplied. Is there any tech/cybersecurity equivalent at anything like the same cost-benefit ratio? I'm struggling to think of anything much!