Contributor

If time is money, what exactly is data?

Opinion
Feb 07, 2018 | 6 mins
Data and Information Security, Data Management, IT Governance

If you consider how much your data is worth to various parties and in varied contexts, then you’ll be in a better position to understand both its value and the extent to which it needs to be protected.


Right now, I have $30 in my wallet. Including the loose change dispersed between my coin purse and back pocket, I’ve probably got about another $5.

Money might have an assigned value, but it is of course a completely artificial construct. One day, millennia ago, someone thought it would be a better idea to exchange goods with a token, rather than barter with other goods and services. Those tokens – and the modern currencies they have evolved into – have no intrinsic value. However, we all know what their accepted value is; all you need to do is look at a banknote or coin, and you’ll immediately see how much it’s worth.

Unfortunately, the same can’t be said for data. Despite my many years of experience in the InfoSec industry, if you put a database in front of me, I’d struggle to ascribe a monetary value to it. When it comes to data, its financial worth is most definitely in the eye of the beholder.

To an attacker, a small leaked database might be worth a fortune in cryptocurrencies. Or, it might be worth as little as $5 on a dark web forum, where data and tools are abundant, trivial commodities.

Even to the organizations that hold data, its value can seem ambiguous. In many respects, it’s entirely subjective. If you deal with it daily, you probably hold it in higher esteem than someone else would; conversely, you might take this data for granted, assuming that its value is not high enough to make it a target for anyone.

This uncertainty around the value of data often results in organizations failing to adequately protect their data, so it’s important to take a closer look at just how much our data can actually be worth.

Show me what your name is worth

We all know that credit card data is important. If your personal credit card number ended up on Pastebin, you’d probably panic. Your blood would run cold, and you’d frantically reach for your phone to call your bank and freeze your accounts.

Similarly, if you’re a company, you can expect to get some stern words from the ICO (as well as a fair slice of negative press) if you accidentally leak your customers’ credit card numbers.

The value of this kind of information is fairly obvious; but let’s shift our focus to instead look at the so-called grey areas, the pieces of data where the value isn’t immediately obvious.

Some slightly esoteric examples come to mind: patient photographs belonging to a top plastic surgeon, for example; or maybe the data held on the servers of the World Anti-Doping Agency (WADA). When Fancy Bear splashed that information on the internet back in 2016, it created an ongoing issue for the sports integrity agency that has yet to be resolved.

When calculating the value of a data set, it’s always worth remembering that everything comes with its own context.

Another example of a potentially valuable, yet often overlooked, piece of data is an email address. People don’t ascribe much value to email addresses. They’re easily created, and easily replaced. But if your digital life is an atom, its nucleus can be considered to be your email address.

We’re continuing to see attackers heavily target email accounts, knowing that these are the gateway to other accounts. Password reset emails must go somewhere, right?

This trend is relatively new, especially when you consider it within the context of how long email has been around; this highlights the fact that the value of data isn’t static – it changes significantly over time.

The value in aggregating data

Imagine a periodic table of data. Email addresses, social security numbers, phone numbers – the entire cornucopia of personal information – are all elements. What happens when you combine them all?

It turns out it creates a much stronger digital compound. A rich dataset with a variety of different information about each target is worth much more than the sum of the individual parts.

Metadata from a mobile phone, for example, can identify someone as using a certain dating app. By itself, this may not be valuable information, but if you combine it with location data, or transactional data from a payment service like Apple Pay, you could figure out where someone went on a date.

This is an example with scant relevance to the business world, but it does serve to illustrate the interconnected nature of our data, and how it can be combined to paint a bigger, more detailed picture of a user’s whereabouts and activities.

Mattresses and banks

Where do you keep your life savings? In the 1920s, when cascading failures in the financial system undermined consumer confidence, people decided to hide their money in mattresses, because they perceived that to be the safest option.

Nowadays, this is a no-brainer. People around the world entrust their money to banks without a second thought. But, just like the value of data, perceptions about the safest place to store money change over time.

There are parallels in the InfoSec world as well. In many ways, cloud-based services, which can house huge databases of valuable data, are the banks of today. However, as was the case with the banking system in the 1920s, the cloud has at times faced a confidence deficit.

Are those concerns still justified? Perhaps not. There are many cloud services out there that are solid, secure and dependable. They’re good. They work. And crucially, people rely upon them to conduct business.

It’s important to recognize that just as an organization needs to be selective about which bank it chooses to do business with, it should also be selective about which cloud services it trusts with its data.

Whether you are choosing a new business partner or figuring out how to handle your data, it is essential that you do your homework. Be flexible, since change is inevitable, but make sure you know what security controls exist, how they work, and if they’re adequate for the valuable data you’re trying to protect.

Conclusion

The value of money feels arbitrary, and that of data often does too. Determining its true value is something that requires sincere thought. You need to look at it from multiple perspectives; not just from that of the business, but also from the point-of-view of an attacker, or that of a third-party company hoping to leverage and profit from your company’s data.

If you consider how much your data is worth to various parties and in varied contexts, then you’ll be in a better position to understand both its value and the extent to which it needs to be protected.

Contributor

Javvad Malik is an award-winning information security consultant, author, researcher, analyst, advocate, blogger and YouTuber. He currently serves as a security advocate at AlienVault.

An active blogger, event speaker and industry commentator, Javvad is known as one of the industry’s most prolific influencers, with a signature fresh and light-hearted perspective on security.

Prior to joining AlienVault, he was a senior analyst with 451 Research providing technology vendors, investors and end users with strategic advisory services, including competitive research and go-to-market positioning. Prior to that, Javvad served as an independent security consultant, with a career spanning 12+ years working for some of the largest companies across the financial and energy sectors.

Javvad is an author and co-author of several books, including The CISSP Companion Handbook: A Collection of Tales, Experiences and Straight Up Fabrications Fitted Into the 10 CISSP Domains of Information Security and The Cloud Security Rules: Technology is Your Friend. And Enemy. A Book About Ruling the Cloud. He’s also the founder of the Security B-Sides London conference and a co-founder of Host Unknown with Thom Langford and Andrew Agnés.

Javvad has earned several professional certifications over the course of his career, including Certified Information Security Systems Professional (CISSP) and GIAC Web Application Penetration Tester (GWAPT). He’s also won numerous awards in recent years for his blogging, including the "2015 Most Entertaining Blog" and the "2015 Best Security Video Blogger" recognitions at the European Security Blogger Awards.

The opinions expressed in this blog are those of Javvad Malik and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.