He likes an approach that considers current and future revenue. Broadly speaking, CIOs would chart the IT systems that support each major corporate function, such as sales, marketing, manufacturing or research and development. Then they measure the contribution each system makes to top-line sales or bottom-line profits.
Next, ask questions. Could the company meet sales targets if these two databases were out of commission? "Then you know which information has value in an estimated hierarchy," Ferrara says.
In justifying security spending, CIOs or CISOs would also want to evaluate the probability of particular threats. "If you can do that, you can make decisions on how much you want to spend on [protecting] the asset."
The system isn't as precise as, say, generally accepted accounting principles. But it's more than what many CIOs do now, he says.
Ken Grady, CIO of New England Biolabs, is going through a data valuation exercise to figure out how much and what kind of insurance to buy for the company's information assets. But not everything is worth protecting. For example, PowerPoint presentations from routine meetings, videos from a training seminar and chemical safety sheets are everywhere and easily reproduced, he says. Sorting the mundane from the valuable "requires us to really understand and assess which types of data have a financial value if compromised and which don't."
Zannier, the privacy-eschewing grad student, might have made more money if he had talked friends into joining him in sacrificing their privacy. Marketers could then buy the data to answer questions about twentysomething university students in New York with a penchant for risk. Many data gurus say information has no absolute value; its worth materializes only when it can be used to make a decision, then it goes away.
"The value of data has to do with imagined impacts," says Doug Hubbard, founder of Hubbard Decision Research, a consultancy that focuses on applied information economics. Those impacts can be either positive or negative. Movie rights, for example, can be licensed and generate revenue for years. A weakly protected customer list, on the other hand, can be stolen, forcing a company to pay millions in fines and court settlements.
Rather than trying to gauge the value of information alone, a CIO should consider which decisions would be made differently if the value were known, Hubbard says. Look at the potential costs and benefits of making one choice instead of another. That is, analyze the situation, not the data.
"You're making decisions with consequences. Those are more significant than any one bit of data," he says. If there are no consequences to a decision, the data is worth nothing. "The data is useful in that it helps eliminate uncertainty."
Sign up for CIO Asia eNewsletters.