Luther Martin of Voltage Security asks whether you should value your information like water or like diamonds... it's all about marginal utility.

Many corporate information security organisations do not implement simple countermeasures that could easily reduce the loss of sensitive information, despite the apparently high value of some of that information.

In one recent survey, laptop users estimated that the information on their laptops was worth approximately $1 million (£550,000).

Industry analysts estimate that there is approximately a 10 per cent chance of a laptop being stolen in a given year, so we might expect a typical business to be willing to spend up to 10 per cent of $1 million, or $100,000, to protect the information on its laptops, perhaps through the use of encryption or similar technologies.

If the information on an average laptop is really worth $1 million and the information is not encrypted, we would expect laptop theft to be rampant.

But because we see neither the widespread use of laptop encryption nor the rampant theft of laptops, we should expect that either the information on an average laptop is actually worth much less than $1 million or that the chance of a laptop being stolen is actually much less than 10 per cent per year.

The economic theory of marginal utility, however, provides another explanation for this phenomenon.

In The Wealth of Nations, Adam Smith described the so-called diamond-water paradox, or the paradox of value: water is essential to life, yet its price is low, while diamonds are totally unessential to life, yet their price is high.

The theory that economists use to explain this apparent inconsistency is that of 'marginal utility', or the additional benefit that comes from a single additional unit of a good.

Water is very abundant, so the additional benefit from an additional unit of water is very low, so its price is also low. Diamonds are relatively rare, so the additional benefit from an additional unit of diamonds is very high, so their price is also very high.

The theory of marginal analysis tells us that the marginal utility of something is defined by its least important use, as Eugen von Böhm-Bawerk's discussion of the marginal utility of corn to a farmer in The Positive Theory of Capital demonstrates.

Suppose that a farmer ends up with five sacks of corn from his harvest. The first sack he needs to survive until the next harvest.

Consuming the second sack will keep him healthy, but he has no further need for corn as food for himself past these first two sacks. He might then use a third sack to feed poultry to provide variety in his diet, use a fourth sack to create liquor and a fifth sack to feed to his pet parrot.

In these circumstances, the value of the fifth sack of corn is quite low to the farmer. If he loses one sack of corn out of five, he will not scale back each of his uses for the corn by one-fifth, but will decide to stop the use that provides him with the least value – feeding his parrot. On the other hand, if he has only a single sack of corn, the value to him is extremely high, for losing the final sack of corn may mean that he starves to death.

In general, the more corn that the farmer has, the less value an additional sack of corn has to him. Economists describe the phenomenon as the 'law of diminishing marginal utility'. The additional benefit provided by an additional unit of a good tends to decrease as the total amount of the good increases.

Applying the law of diminishing marginal utility to information may provide some useful insights into the behaviour of corporate security departments and let us predict some future trends.

The information age has caused an explosion of information, and we should expect a diminishing marginal utility for this information as the total amount of it increases, particularly because this ever-increasing amount of information is often close to indistinguishable.

It is currently unfeasible to classify information to any significant granularity; data classification projects that try to classify data based on more than the source of the data usually fail.

So current technology might require the same handling of any information that comes from an ERP system, or it might require the same handling of any information that is processed by an email system, for example. Within such broad categories, information is essentially handled in a common way.

The law of diminishing marginal utility tells us that the marginal utility of such information is defined by its least important use, and we should expect corporate information security organisations to protect their information as if this were the case.

So although there may be some information in email that is of high value, we should expect email to be protected as if it were of low value. And because it is currently impractical to classify data according to its actual value, we should expect to often see high-value data remain unprotected.

The slow adoption of security technologies like whole-disk encryption or email encryption may be due to the low value of some corporate data, and thus to the low marginal value for all data on an enterprise-wide basis.

There has also been a steady trend towards outsourcing core business functions, including those that involve extremely sensitive data. Not many years ago, it was unheard of for any business to outsource functions like accounting or payroll, while today these functions are routinely outsourced.

More recently, there has been at least one successful business that provides a service that outsources the management of sales data, information that is extremely sensitive and potentially valuable to competitors. Even information security functions are starting to be outsourced.

The trend to outsource more and more critical business functions has coincided with the explosion of information, and the theory of marginal utility tells us that we should expect information to have a decreasing marginal utility to businesses as the total amount of information increases. Thus the trend towards outsourcing is certainly predicted by marginal utility theory.

If a business has a relatively small amount of information, the marginal value of the information is relatively high, and outsourcing is viewed unfavourably because it provides a chance for the loss of valuable information.

But when a business has a relatively large amount of information, the marginal value of the information is relatively low, and objections to outsourcing disappear.

Currently it is often unfeasible to classify data beyond its source, but technology now being developed may, in the not-too-distant future, allow businesses to classify data according to its actual value.

In this case, marginal utility theory predicts that this will create a boom in products that will be able to provide strong protection to the high-value data that future data classification products will identify.

So in the future, data will still be protected according to its least important use, but the ability to separate data into different categories will make it possible to more narrowly define these categories. In this case, even the least important uses of valuable data will justify the use of encryption to protect it.

Thus better data classification products may soon create an increased demand for encryption technology; whole-disk encryption and email encryption products that have so far experienced fairly slow adoption rates may become more widely deployed as it becomes easy to identify exactly what data should be encrypted.
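The argument above can be made concrete with a small model. This is an added illustration, not part of the original article: it applies the expected-loss rule (spend up to theft probability times value) to buckets whose value is set by their least valuable record, using constructed record values and a constructed per-bucket encryption cost, and shows how finer classification changes the encryption decision.

```python
"""Model of the article's argument: a category is protected according to its
least valuable member, so coarse (source-based) classification leaves high-value
data unencrypted, while finer classification makes encryption worthwhile.
All record values and the encryption cost below are constructed for illustration."""
from collections import defaultdict

THEFT_PROBABILITY = 0.10   # annual chance of loss, as quoted in the article

# Constructed records: (source system, finer label, estimated value in dollars)
RECORDS = [
    ("email", "lunch-order", 50),
    ("email", "internal-memo", 2_000),
    ("email", "merger-term-sheet", 900_000),
    ("erp", "stock-count", 500),
    ("erp", "supplier-pricing", 250_000),
]

def bucket_value(records, key):
    """Marginal value of each bucket is its least valuable record."""
    buckets = defaultdict(list)
    for source, label, value in records:
        buckets[key(source, label)].append(value)
    return {k: min(v) for k, v in buckets.items()}

def encryption_worthwhile(value, cost, p=THEFT_PROBABILITY):
    """Expected-loss rule: protection is justified when p * value covers its cost."""
    return p * value >= cost

def protected_buckets(records, key, cost):
    """Buckets whose marginal value justifies the per-bucket encryption cost."""
    return sorted(k for k, v in bucket_value(records, key).items()
                  if encryption_worthwhile(v, cost))

def unprotected_value(records, key, cost):
    """Total value of records left unencrypted under a given classification."""
    protected = set(protected_buckets(records, key, cost))
    return sum(value for source, label, value in records
               if key(source, label) not in protected)

if __name__ == "__main__":
    cost = 5_000  # constructed per-bucket encryption cost
    by_source = lambda s, l: s            # classify by source only
    by_label = lambda s, l: (s, l)        # classify by source and finer label
    for name, key in (("by source", by_source), ("by source+label", by_label)):
        print(name, protected_buckets(RECORDS, key, cost),
              "unprotected value:", unprotected_value(RECORDS, key, cost))
```

With source-only buckets nothing is encrypted and the whole $1,152,550 of constructed value sits unprotected; classifying by the finer label brings the two high-value buckets under encryption and leaves only $2,550 exposed.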

martin@voltage.com