Jason Palmer, CPA, CITP

Cyber Insurance Auditing

You are here: Home / Archives for Security Risk

The Security Value Context – Data vs. Information

By Leave a Comment

101010All Information is comprised of Data but not all Data leads to useful Information.

Data should be protected where possible but it is Information that needs to be actively secured.

The Security Value Context is the degree to which Data or Information needs to be protected and secured based entirely on the context of how it is organized and how it will be used.

Let me explain:  If I have a Tax Preparation Business with thousands of individual client returns, considered Data, no one specific return is particularly interesting (unless perhaps the return belongs to a Public figure, then it becomes Information.)  In fact, if I published one random Tax Return, (say Mitt En), on a Billboard in Times Square (without the Social Security Number), chances are no one would give it a second glance.  Even if someone knew Mitt En, there is little practical value to the Data presented on the Tax Return.  Big deal, the world now knows how much “Mitt” took home last year.  The point being made here is that this Tax Return is just random Data.  Unless someone is specifically interested in Mitt, and most people are not interested in Mitt, there is extremely limited security value risk to Mitt in the public exposure of his Tax Return.  In short, the scope of the Context is singularly “Mitt” himself.  No one else really cares.

(For the moment, I am excluding the possibility of Identity Theft from this discussion.)

On the other hand, if this is the Tax Return of Mitt Romney instead of our average individual Mitt En, what a moment ago was random unimportant Data now becomes specifically useful Information.  The Tax Return will most likely list all of the Charitable Donations that Mitt Romney has made.  This Information will imply the causes that he supports which in turn may suggest the types of Policies he will try to legislate based on his beliefs and values.  This has a very high security value risk and therefore needs to be actively secured.  The scope of the Context is huge.  The majority of the voting population of the United States cares.

If I take the thousands of individual client returns and start to analyze and segregate them based on factors like income, mortgage interest paid, charitable donations, type of employment, dependents, or any other element, I have taken the raw disorganized Data and turned it in to incredibly valuable Information.

Used in a good way, the Internal Revenue Service aggregates the Data from Filed Tax Returns in just this manner to present anonymous profile statistics about the American Tax Payer.  This provides valuable information that Congress can use to manage Tax Policy.  Since the Data is presented in anonymous, aggregate format, there is a very low security value risk to any one individual return.

Used in a bad way, an unscrupulous person could use the identifiable Data that created this incredibly useful Information against specific groups of individuals for nefarious purposes.   For example, groups of individuals that have high mortgage interest deductions might become the target of predatory refinancing lenders.  Since each person can be identified, there is a very high security value risk.

It is impossible to know exactly how raw “Data” will be organized or its’ eventual value in producing Information which is why it is important to take appropriate action to protect it.  For example, we manage user access with Password protected Software Applications and we encrypt the files to keep the Data as secure as practicable away from unauthorized access.

Conversely, we know exactly how “Data” can instantly become valuable “Information” which is why we go to such great lengths to actively secure it in its final form.  We know that a Tax Return contains a Social Security Number, Birth Date, and the full legal name and address of an individual.  In the wrong hands, like that of an Identity thief, the information on a Tax Return contains everything necessary to steal the Taxpayers identity and create financial chaos.

Actively securing access to valuable Information, like a Tax Return, requires more than a Password.  It requires a policy that explicitly defines how the Information will be stored or transmitted and who will have access to it.

The simplest analogy to the difference in managing “Data” security vs. “Information” security is to think of “Data” as a Credit Card and “Information” as Cash.

With a Credit Card, if a fraudulent transaction is discovered, it can be reversed, the Card cancelled and your perfect credit score remains intact.  Data stored on your computer works pretty much the same way:  If a file becomes corrupted or damaged, that one data element can usually be isolated or fixed with minimal risk to the remainder of the data.  It is one random element among many.

With Cash, if you lose it or it is stolen, it is completely gone with zero recourse.  With valuable Information, like a Tax Return in the wrong hands, you can never get it back.  The person’s identity may be stolen along with the creation of a financial mess that may take months to clean up.

Determining the Security Value Context of Data vs. Information requires an understanding of how each will be stored, accessed, and presented.

One person’s Data is another person’s Information.