Any structured security management methodology or model must take into account the dynamic and fluid nature of information and also must be able to ascribe reasonable value estimates to it at each stage of its transmission, storage and processing. Because security is not an absolute, but a matter of degree, these aspect of any risk management model are crucial to the element of cost-effective security implementation.

One of the major problems with assigning value to information is that it currently does not appear on corporate balance sheets. To effectively manage security, it is necessary to measure its efficacy. If you cannot measure the assets you're endeavoring to protect, you cannot have an effective model to define security requirements.

Information may often show up on the balance sheet in the form of intellectual properties. It is critical to understand that the actual rights to the information are considered the property, not intellectual work itself. For example, a patent is something that can be bought, sold, or traded. The actual invention itself, technically, does not belong to anyone. In this case, intellectual property represents a government granted monopoly on certain types of business activities.

Information is important to all organizations and it is the raison d'etre for innumerable businesses, such as clearinghouses, credit scoring companies, and contact providers. In these instances, it is ironic that items such as computer equipment and brick-and-mortar facilities are part of the balance sheet, but information is not. Most information-dependent organizations could recover quickly from a loss of any physical asset, yet would quickly go out of business without the ability to access and sell their information.

In order to create an effective risk management model, information should be tracked as a line item in the balance sheet which the current accounting practice does not yet recognise

Ola Osunkoya, Ph.D