I recently completed a cyber risk consulting engagement at a major industrial company, applying the FAIR model through the RiskLens platform to determine the value of their intellectual property and the ROI of their control efforts. (For the details, download my case study Manufacturing Co. CISO Justifies Project to Protect IP from Cyber Theft.)
For manufacturing companies or any other organizations that heavily depend on processes or designs, a theft of intellectual property could be devastating, perhaps more of a long-term threat to the organization than the large-scale data breaches of personal information we hear about so often.
And in some important ways, IP theft is a different problem to tackle from more common data thefts—but nothing the FAIR model can’t handle. (For you FAIR fans, the analysis here is mostly on the Loss Magnitude side of the FAIR on a Page chart.)
Here are some of my key takeaways about IP and cyber risk from the manufacturing company engagement:
Cyber criminals usually want to steal everything. Not necessarily with IP.
The threat actors would most likely be operating on behalf of a competing product line – they will know specifically what they want and they will keep looking till they find it. For analysis purposes, a loss of all IP would not be probable and that helps with realistic risk measurement. The clients had a pretty good idea of what IP criminals would steal if they got in.
Group IP into buckets and focus on the few higher value buckets.
Intellectual property content tends to be scattered around large organizations in different functional departments and on different servers, depending on where, when and how the IP was developed, acquired or used. Part of securing IP is to identify and consolidate IP by type and value.
Valuing IP is not like valuing data.
With data, you can go to public sources to research value – the value of a PCI record is a known quantity, for instance. The value of IP is likely to be unique to the organization, and it won’t be as simple as lost product sales – at this company, any one product is based on several different bits of intellectual content.
“Loss of competitive advantage” could be your best way to think about IP value.
As FAIR analysts, we look for one or more of six forms of loss, and for intellectual property, competitive advantage loss is the best fit. This manufacturing company thought through the problem this way:
- How much market share would a competitor take away from our organization by getting better at what they do?
- How fast could they put that change into production?
- Conclusion: We think that in X years, the competitor would be able to integrate the IP and start producing products better than ours and as a result would be able to take X percent of market share away from us.
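The three questions above can be turned into a loss range per IP bucket with a small Monte Carlo simulation. This is an added example, not code or figures from the engagement or from RiskLens: the bucket names, dollar amounts, ranges, the ten-year horizon and the use of triangular distributions are all constructed assumptions.

```python
import random
import statistics

# Constructed workshop estimates, as (min, most likely, max) ranges per IP bucket.
BUCKETS = {
    "process designs": {"annual_profit": 120e6,
                        "share_lost": (0.01, 0.03, 0.08),
                        "years_to_production": (2, 3, 6)},
    "tooling specs":   {"annual_profit": 120e6,
                        "share_lost": (0.002, 0.01, 0.02),
                        "years_to_production": (1, 2, 4)},
}
HORIZON_YEARS = 10  # assumed planning horizon for the loss estimate


def simulate_bucket(bucket, rng, trials=20_000):
    """Return simulated competitive-advantage losses for one IP bucket."""
    losses = []
    for _ in range(trials):
        lo, likely, hi = bucket["share_lost"]
        share = rng.triangular(lo, hi, likely)      # market share the competitor takes
        lo, likely, hi = bucket["years_to_production"]
        delay = rng.triangular(lo, hi, likely)      # years until they ship
        # Loss accrues only once the competitor is in production.
        exposed_years = max(0.0, HORIZON_YEARS - delay)
        losses.append(bucket["annual_profit"] * share * exposed_years)
    return losses


def summarize(losses):
    """10th, 50th and 90th percentile of the simulated losses."""
    deciles = statistics.quantiles(losses, n=10)
    return {"p10": deciles[0], "p50": deciles[4], "p90": deciles[8]}


def rank_buckets(buckets, seed=1):
    """Rank buckets by median loss, highest first."""
    rng = random.Random(seed)
    results = {name: summarize(simulate_bucket(b, rng))
               for name, b in buckets.items()}
    return sorted(results.items(), key=lambda kv: kv[1]["p50"], reverse=True)


if __name__ == "__main__":
    for name, s in rank_buckets(BUCKETS):
        print(f"{name}: P10 ${s['p10']/1e6:.1f}M  "
              f"P50 ${s['p50']/1e6:.1f}M  P90 ${s['p90']/1e6:.1f}M")
```

Reporting a range (P10 to P90) rather than a single number keeps the uncertainty in the market-share and time-to-production estimates visible when the results are shown around the organization.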
Find an IP value measurement that makes sense to your organization.
The client’s process to value IP assets was not as methodological as we’d like, but it was completely validated when they showed their results around the organization. Nobody said, “Where’d you get those numbers?” There’s no standard, and ultimately your analysis will have to be a communication tool that everyone agrees makes sense.
For more on how the manufacturing company CISO justified a project to protect intellectual property from cyber theft, read the case study.