Whether its a breach, credit card theft, IP copying or something other event, the impact is best conceptualized in terms of how it impacts competitive advantage
Michael Mauboussin shares some ideas on Measuring Moats which is a good way to think about defining security metrics, which events impact the moat?
Businesses have different kind of moats, and so the way to measure business value for a company with moat based on the network effect differs from the measures used on a company whose moat is based on efficient scale. The most valuable security metrics are ones that are tied to the company' competitive advantage.
One limitation here is that plenty of companies have no moat at all. Morningstar rates that out of its coverage universe of around 5,000 companies only 1,033 have a moat. The rating is subjective obviously, but if you are working for an airline (an industry that has been lighting money on fire for a century (see page 13)) it will be hard to measure a competitive advantage. It also isn't simple to see how it will work for non-profits and the like, but for other companies its a useful tool.
As I said in my SIRA talk
"the best work on this is done by Morningstar which pioneered the concept called moats (patterned on Michael Porter's work on competitive advantage)
Morningstar identified five kinds of moats
1. Low Cost producer: better profit margins through lower cost, example Walmart
2. High Switching Costs: disincentive for a customer to switch to competitor leads to customer retention and pricing power example banks or proprietary software
3. Network Effect: virtuous cycle where the network gets more valuable the more people use it example Google
4. Intangible Assets : brands, IP, trademarks, patents, government agreements
5. Efficient Scale: a limited market served by small number of vendors example Lockheed Martin - you only need one nextgen strike fighter supplier
When I teach secure coding to developers, most of the examples we use to say show SQL injection works involve stealing credit cards. So I joke that stealing credit cards is the "Hello World" of computer security, I stole the cards out of the database so now I know how SQL Injection works, but of course this is not the end of the story just like Hello World isn't everything you need to know to write Python.
Businesses that have one of the above types of moats have widely different assets that they require to ensure their moats endure, the old school notion of breach does not pertain directly to most of their competitive advantage, but its more than just IP that's only one type of moat and most businesses don't have IP moats. So the campaigns to be concerned about are the ones targeted at your business' moat and for us to begin to value those that requires at least five different models to analyze across industries.
This is a core lesson - defenders who try to defend everywhere defend nowhere. You have to pick your spots. The two most important things in infosec are Identifying what kind of moat your business has and then defending that moat."
That is also why there is no one, single answer for what to secure, its very industry specific and moat specific - for Pharma its IP and channel. For retail its brand loyalty, efficiency. The things to measure and defend are the those that map to the business' advantage not technical constructs