A popular expression in security circles is to equate critical company intellectual property with the crown jewels. That comparison is apt in more ways than one. I've visited the Tower of London and the crown jewels. The crown jewels are protected by many layers of security, but the truth is that they make very poor targets for theft because they are far too distinctive to fence. To sell such items, a thief would have to take great risks and accept heavy discounts. If someone were holding the queen hostage, they'd more likely ask for "nonsequential unmarked bills" than for the crown jewels. Any item, whether tangible like the crown jewels or intangible like your company's latest flying car design, is only worth what a buyer will offer. If the market for such an item is too small or the risk of laundering too high, the item will have to be heavily discounted. Yet most information security risk-assessment methodologies measure the loss impact for the company and ignore the gain potential for the thief.
The impact of a loss is a very important component of the risk assessment because it allows us to compare the cost and benefit of securing an asset. But equally important is the other cost-benefit calculation, the one that occurs in the mind of a cybercriminal. In selecting which targets to attack, the criminal must consider the fully discounted value of the asset, based on how easy it is to monetize. The flying car design, for example, has only a handful of potential buyers and leaves a trail because its source is easy to identify. So if I'm the attacker, I will go for the asset that is most like small unmarked bills. In most companies that is either cash and financial instruments or the identities stored in various databases. The identity theft market is large and growing very fast. Identities can be sold for US$14 to US$18 in black markets, with anonymity and plenty of buyers.
When companies are trying to decide how much to invest in security and which assets to protect, they rely on a risk assessment that multiplies the impact of a loss by the probability of a loss. In turn, the probability of a loss depends on the rate of attacks and the vulnerability of the asset. So while we can calculate the relative vulnerability of our assets, how do we rate the probability of an attack? Most models use statistics based on reported attacks. But a better way to rank assets by probability of attack is to consider their resale discount rate: the cost of monetizing those assets in a black market. While we're focused on protecting the flying car design, our HR database is like a pile of cash, enticing and easy to trade. Perhaps we need to reassess risk by incorporating the motives of the attacker.
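A toy version of the two rankings described above, added here as an illustration and not a method from the original article. The assets, dollar figures, vulnerability and attack-rate values, and the choice to replace the reported attack rate with each asset's normalised share of attacker payoff are all constructed assumptions; the only figure taken from the text is the US$14 to US$18 per-identity price.

```python
# Added example: rank assets the conventional way (impact x probability of
# loss) and again with the thief's resale discount folded into the attack
# probability. Every value below is constructed for illustration except the
# per-identity black-market price, which the article puts at US$14-18.
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    loss_impact: float         # cost to the company if stolen (constructed)
    vulnerability: float       # 0..1, how easy the asset is to steal (constructed)
    attack_rate: float         # 0..1, probability from reported-attack statistics (constructed)
    black_market_value: float  # gross resale value to a thief (constructed)
    fence_discount: float      # 0..1, share lost to laundering and a thin market (assumption)


def conventional_scores(assets):
    """Impact x probability, where probability = reported attack rate x vulnerability."""
    return {a.name: a.loss_impact * a.attack_rate * a.vulnerability for a in assets}


def attacker_net_value(a: Asset) -> float:
    """What the thief actually nets after discounting for resale difficulty."""
    return a.black_market_value * (1.0 - a.fence_discount)


def attacker_adjusted_scores(assets):
    """Same formula, but the attack probability is each asset's share of the
    total attacker payoff: the asset that nets the thief the most is the
    most likely target. Shares are normalised so they sum to 1 (assumption)."""
    total = sum(attacker_net_value(a) for a in assets)
    return {a.name: a.loss_impact * a.vulnerability * attacker_net_value(a) / total
            for a in assets}


def rank(scores):
    """Asset names from highest to lowest risk score."""
    return [n for n, _ in sorted(scores.items(), key=lambda kv: kv[1], reverse=True)]


# Constructed portfolio: a design with few buyers and a traceable source,
# and an HR database of 100k identities at roughly US$16 each.
ASSETS = [
    Asset("flying_car_design", 20_000_000, 0.2, 0.5, 5_000_000, fence_discount=0.95),
    Asset("hr_database", 2_000_000, 0.5, 0.5, 100_000 * 16, fence_discount=0.05),
]

if __name__ == "__main__":
    print("conventional:", rank(conventional_scores(ASSETS)))
    print("attacker-adjusted:", rank(attacker_adjusted_scores(ASSETS)))
```

With these constructed inputs the conventional model puts the design first, while the attacker-adjusted model moves the HR database to the top, which is the reordering the argument above predicts.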