Andy Jaquith blogs about Lindstrom's Razor, where we establish a floor (minimum) value for information assets by counting how much we spend to build, deploy and operate those assets. The simplicity of counting the costs is attractive, as Andy says:
This metric is quite simple to gather (even as a consultant I can generally get these numbers together for clients in a matter of days) and once you do it's quite useful for decision support. It doesn't require interviews or any sort of guesswork, just a spreadsheet and a few defensible ideas about how to allocate costs that are known and can be measured.
If businesses simply used the Lindstrom Razor to assess their security alignment, it would greatly reduce the complete misalignment of security spend versus business spend. My cocktail napkin analysis says the network market is ~$39B and the network security market is ~$900M, yet the software market is ~$98B and the software security market is only ~$150M; this just does not add up. If the 2.3% we spend to secure networks is a good number, fine, but that still means software is 0.2% invested in security. Why the lack of alignment?
In other words, security should align with business goals (the business spends ~3x more on software than on networks) instead of functioning a la Colonel Kurtz in some kind of People's Republic of Information Security (spending 6x more on network security than on software security), where balance sheets are irrelevant and the only currency is FUD and threats.
Further, I cannot emphasize enough - it's a relatively straightforward metric to communicate and understand in an organization, and if decision support is the goal of metrics then a shared understanding is critical.
Mohnish Pabrai won't buy stock in a company if he needs to use Excel to understand it; Warren Buffett goes one step further, saying that if you need a computer to understand the business you shouldn't be buying it.
By the way, the asset valuation is not an end in itself; it's the starting point for more qualitative discussions, which could be "now that we've established a floor let's talk about the ceiling", but from an engineering standpoint we can also use the asset valuation to assess the control efficacy that we can bring to bear on the situation. In other words, the asset valuation combined with what you are willing to spend lets you put on your security engineering hat and ask: given I have x dollars to spend, what is the best combination of controls that I can deliver for that amount?
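The two steps above (count what was spent to get the floor value, then pick the control set that protects the most of that value within a fixed budget) as an added worked example; this is not code from the original post or from Jaquith's or Lindstrom's work. All asset costs, control prices and the per-control "protected fraction" estimates below are constructed sample values, and the assumption that protected values of independent controls add up is the example's own simplifying choice, not something the post states.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """Cost lines as they would come out of the spreadsheet the post describes."""
    name: str
    build_cost: float            # one-time: build or buy
    deploy_cost: float           # one-time: roll out
    operate_cost_per_year: float # recurring: hosting, staff, licences
    years_in_service: int


def floor_value(asset: Asset) -> float:
    """Lindstrom's Razor floor: the minimum value of the asset is what we already
    spent to build, deploy and operate it (no interviews, no guesswork)."""
    return (asset.build_cost
            + asset.deploy_cost
            + asset.operate_cost_per_year * asset.years_in_service)


@dataclass(frozen=True)
class Control:
    name: str
    cost: int                 # whole dollars for this budget period
    protected_fraction: float # constructed estimate: share of the asset's floor value
                              # this control is expected to protect (0..1)


def select_controls(asset_value: float, controls: list[Control],
                    budget: int, unit: int = 1000) -> tuple[float, list[str]]:
    """0/1 knapsack over candidate controls: choose the subset whose total cost fits
    the budget and whose combined protected value is largest.  Costs are bucketed
    into `unit`-dollar steps (rounded up) so the table stays small.  Protected
    values are assumed to add up across controls (simplifying assumption)."""
    cap = budget // unit
    # table[b] = (best protected value, chosen control names) using at most b units
    table: list[tuple[float, tuple[str, ...]]] = [(0.0, ())] * (cap + 1)
    for control in controls:
        weight = -(-control.cost // unit)          # ceiling division
        if weight > cap:
            continue                               # cannot afford it at all
        gain = asset_value * control.protected_fraction
        for b in range(cap, weight - 1, -1):       # descending: each control used once
            prev_value, prev_names = table[b - weight]
            if prev_value + gain > table[b][0]:
                table[b] = (prev_value + gain, prev_names + (control.name,))
    value, names = max(table, key=lambda entry: entry[0])
    return value, list(names)


# Constructed sample data: one customer-facing application and five candidate controls.
ORDER_APP = Asset("order-app", build_cost=400_000, deploy_cost=100_000,
                  operate_cost_per_year=50_000, years_in_service=4)

CANDIDATE_CONTROLS = [
    Control("WAF in front of app", cost=60_000, protected_fraction=0.10),
    Control("SAST in CI pipeline", cost=40_000, protected_fraction=0.15),
    Control("Annual penetration test", cost=30_000, protected_fraction=0.08),
    Control("Secrets management", cost=25_000, protected_fraction=0.12),
    Control("Firewall contract renewal", cost=120_000, protected_fraction=0.05),
]


def plan(budget: int = 100_000) -> tuple[float, float, list[str]]:
    """Floor value of the asset, protected value achievable, and the controls to buy."""
    value = floor_value(ORDER_APP)
    protected, chosen = select_controls(value, CANDIDATE_CONTROLS, budget)
    return value, protected, chosen


if __name__ == "__main__":
    value, protected, chosen = plan()
    print(f"Floor value of {ORDER_APP.name}: ${value:,.0f}")
    print(f"Best protected value within $100,000: ${protected:,.0f}")
    print("Controls selected:", ", ".join(chosen))
```

Run stand-alone, the script shows the floor value ($700,000 for the constructed asset) and that three cheaper application-layer controls protect more of that value than the $120,000 firewall renewal, which does not even fit the budget. The point of the example is the shape of the decision, not the sample numbers: once the floor is on paper, control selection becomes an optimisation you can defend in front of the balance sheet rather than a matter of which vendor got the golf invitation.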
Believe me, this is not the de rigueur approach to security engineering in most companies - boss plays golf with firewall vendors, contract is renewed, hey, what happened to 50% of our infosec budget?
Instead use Lindstrom's Razor as a starting point to align infosec with business goals.