Sarbanes-Oxley, OPSEC, and valuation of intellectual property
An OPSEC program can be a big help in valuation of intellectual property. This is largely because OPSEC gives management a new way to look at their intellectual property.
There are a number of ways that IP can be valued. One can, for example, look at development cost, or replacement cost, or the cost if lost.
OPSEC, on the other hand, looks at cost not in vacuo, but in term of the risk to the enterprise.
Risk is calculated as:
RISK = PROBABILITY × IMPACT
where
PROBABILITY = THREAT × VULNERABILITY
so that risk decomposes to
RISK = THREAT × VULNERABILITY × IMPACT
Threat—Threat comes from specific competitors or adversaries. If there is no threat, there is no risk. But the numbers tell us that there is a real threat—that a specific individual or organization has the desire, the skill, and the intent to acquire your critical information.
Vulnerability—Some targets are more vulnerable than others, generally thorough neglect because the entire issue has been overlooked. If vulnerability is lowered, risk will be lowered as well.
Impact of the theft—How damaging is the loss of “smart” assets? If the impact is low, you don’t care. If it is high it is cause to worry.
What does this mean in terms of valuation? It means that managers have a new way of looking at IP, and a new way of looking at cost. Thus, if you have a patent that is costing you, over its lifetime, $80,000 to protect, and the risk in the case of its loss is substantially less than $80,000, the patent may not be worth protecting. And if you have a thousand patents with no real value, and over their lifetime each of them is costing $80,000 to protect, you have the potential to save the company a lot of money.
By the same token, when you factor the threat and vulnerability in with the financial impact, you come up with a different scale of measurement that may well be more reasonable compared to other methods.
Thus, while OPSEC is designed to allow you to identify and protect information, its very nature gives you the side benefit of more realistic evaluation, independent of any protective steps you take.
