Don Peppers and Martha Rogers work on a new metric called Return on Customer which helps companies target resources and investments towards creating value for their customers has the ability to inform Enterprise Security and Risk Management.
TaoSecurity posted a review of OCTAVE's defintion of threat classification of threat actors. The maturity and availability of the risk management processes like NIST, OCTAVE, COBIT, and Microsoft's Risk Management Guide is an encouraging sign for the industry. One of the main drawbacks in risk management processes today have to do with poor asset classification/valuation.
From the OCTAVE Method Individual Guide v 2.0(note, I am not knocking OCTAVE, this is just an example of the type of asset classification across the risk management processes in the indsutry today):
"1. What are your important assets?
The process goes on to map threats and vulnerabilities to the above set of assets. My contention is that in a business scenario basing risk management decisions on those assets directly is not as effective as basing it on ROC.
A company's most important assets are not listed in the above list. A company's most important assets are their current and future customers, or as the authors of ROC say: "If you don't have customers, you don't have a business, you have a hobby."
Customers and customer relationships, as opposed to a valuation of the amount of GB in the DB, have tangible, measurable value to businesses, and their value is much easier to communicate to those who fund the projects. So in an enterprise risk management scenario, their value informs the risk management process. One of the examples of using ROC includes the example of a farmer deciding which crop to grow. A farmer interested in short term profits may grow the same high
yield crop every year, but over time this would burn the fields out. The long term focused farmer would rotate the crops, invest in things that build the value of the farm and soil over time. Investing in security on behlaf of your customers is like this, the investment made in securing your customer's data builds current and future value for them by protecting their assets. Measuring the value of the customer and the relationship helps to target where to allocate security resources.
Conduct an analysis of the customer base using ROC and then map the customers to the informations, systems, software, hardware, and people they deal with and then map threats and vulnerabilities to those. Use the ROC metric to determine the asset valuation and classification.