So, for instance, it’s hard to say exactly how much the HR database
is worth, but it’s a fair bet that it is less valuable to the
organization than the Sales and Marketing database containing
commercial details on customers and prospects. Therefore, it
probably makes commercial sense to put more effort and resources into
securing the S&M database against disclosure incidents, than for the
While Gary is ‘classically’ right, there’s a hidden gotcha in all that.
It is *YOU* that are assigning value, it is the value to YOU.
As Donn Parker points out, this may be quite different from the the value system of the attackers. You don’t know their values, motivations, tools etc etc etc. Continue reading What is the goal behind calculating assets in ISO-27000?