Many methods for analysing Information Security Risks use the terms assets, information assets and business assets interchangeably. The concept is a common foundation of Information Security risk analysis, often providing a guide to the business impact of a risk being realised in the particular systems that hold or access these assets.
The Oxford English Dictionary defines an asset as: “an item of value owned; an item on a balance sheet representing the value of a resource, right, item of property, etc.”
This is not only a usefully clear definition, it is also compatible with the way the term is used in Information Security Risk (which is not always the case with English words re-purposed for information security!).
Looking to the mainstream risk standard, ISO 31000:2018 (the international standard for risk management), there is no concept of an asset in its definitions. It does list “the nature and value of assets and resources” among the factors to consider in risk identification. The supporting standard ISO 31010 includes assets as a factor in scope for business impact analysis (BIA) and data protection impact assessment (DPIA), and also uses the concept of assets as a ‘risk-bearing capacity’ for a commercial enterprise. This is interesting: here assets potentially represent a mitigation rather than an exposure.
For the ISO 27000 series, the initial document, ISO 27000 itself, provides the definitions for the rest of the series. It describes assets as something to which access control is applied and that attacks target. It also defines assets specifically in terms of information security risk: “Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organization.”
ISO 27000 also describes assets in its body text, though not as a normative definition, when it states that “information, and related processes, systems, networks and people are important assets for achieving organization objectives”. It then uses “information assets” and “business assets” as common terms, although these are not specifically defined.
ISO 27001 is strangely silent on assets beyond treating them as things subject to asset management as a control: “Information, other assets associated with information and information processing facilities shall be identified”. This was unexpected, as most ISO 27001 auditors are very keen to see information assets as the basis of the risk assessment that underpins the establishment of the ISMS.
ISO 27002, as the supporting standard to ISO 27001, echoes the ISO 27000 wording in its introduction with “information and related processes, systems, networks and personnel involved in their operation, handling and protection are assets that, like other important business assets, are valuable to an organization’s business”.
ISO 27005, the specific information security risk management standard, has a much more expansive definition of assets: “An asset is anything that has value to the organization and which, therefore, requires protection.” In an appendix it is more specific, distinguishing:

“the primary assets:
— business processes and activities;
— information;
the supporting assets (on which the primary elements of the scope rely) of all types:
— hardware;
— software;
— network;
— personnel;
— site;
— organization’s structure.”
The NIST Special Publication 800-30 Guide for Conducting Risk Assessments introduces the broader category of “organisational operations and assets”, which it expands as: “The term organizational assets can have a very wide scope of applicability to include, for example, high-impact programs, physical plant, mission-critical information systems, personnel, equipment, or a logically related group of systems. More broadly, organizational assets represent any resource or set of resources which the organization values, including intangible assets such as image or reputation.”
The OCTAVE method includes Asset in its name: Operationally Critical Threat, Asset, and Vulnerability Evaluation. The OCTAVE Allegro variant focuses on “information assets” and introduces the concept of “information asset containers”, where information assets are stored, transported, or processed. Its definitions are:
“Asset – An asset is something of value to the enterprise. Assets are used by organizations to achieve goals, provide a return on investment, and generate revenue. The overall value of the organization can be represented collectively by the value of its assets.”
“Information asset – An information asset can be described as information or data that is of value to the organization, including such information as patient records, intellectual property, or customer information. These assets can exist in physical form (on paper, CDs, or other media) or electronically (stored on databases, in files, on personal computers).”
“Information asset container – An information asset container is where information assets are stored, transported, or processed. It is a place where an information asset “lives.” Containers generally include hardware, software, application systems, servers, and networks (technology assets), but they can also include items such as file folders (where information is stored in written form) or people (who may carry around important information such as intellectual property). They can also be both internal and external to an organization.”
OpenFAIR treats assets as something that threats happen to, much like ISO 27000. FAIR also links assets to value, which reflects its quantitative focus: “‘What asset is at risk?’ Another way to think about this is to determine where value or liability exists.”
OpenFAIR formally defines an asset as: “Anything that may be affected in a manner whereby its value is diminished or the act introduces liability to the owner. Examples include systems, data, people, facilities, cash, etc.”
UK Government and NATO standard CRAMM v5.1 defines assets as:
“Within CRAMM an information system is considered to be constructed from three types of asset – data assets, application software assets and physical assets. These assets are considered to have a value to the organisation that uses the system. A key factor in determining the level of security required for an information system is the value of its assets.”
There is coherence across these industry definitions: an asset is something that an organisation values. This definition is then commonly used to identify, and ultimately to value, these assets as the basis for estimating the harm resulting from security risk events.
There is a conceptual gap, however, between the list of things that an organisation values and ‘the negative effect of uncertainty on information security objectives’.
I suspect this gap contributes to difficulty communicating security risks as the concept of an asset needing to be protected isn’t natural to many stakeholders outside of the information security domain.
While we, as a specialist community, have set our own focus for managing information security (the classic CIA triad), many of our stakeholders focus instead on the consequences of events (see the Open Information Security Risk Universe for examples). The path from understanding the value of the organisational assets at risk to the scale of consequences for the organisation is not well described in the various standards that exist for information security risk analysis or management.
Assets are a useful concept for identifying value but may be too limiting for identifying harm.