
Assessing and Protecting Knowledge Capital

The protection of proprietary information is gaining importance in many organizations today, partly because of the increasing cyber-security threat, and partly because organizations have become more aware of its critical value.

One aspect of proprietary information that is often overlooked is the protection of Knowledge Capital. This is partly because investment in it does not come from a single budget line item, but is buried inside many different kinds of expenditures. For example, internal and external training programs and events, meetings, customer interactions, task force efforts, projects, management conferences and so on almost always result in the accumulation of additional knowledge capital.

Knowledge Capital is an intangible asset that comprises the information and skills of a company’s employees, their experience with business processes, group work and on-the-job learning. Knowledge capital is not like the physical factors of production – land, labor and money capital – in that it is based on skills that employees share with each other in order to improve efficiencies, rather than on physical items. Having employees with skills and access to knowledge capital puts a company at a comparative advantage to its competitors. —Investopedia

Assessing Knowledge Capital

From an asset protection perspective, knowledge capital is too frequently ignored.

Few security and risk management professionals can easily answer the question, “What is the status of your Knowledge Capital protection?” Without a specific assessment of its Knowledge Capital, how could an organization have an answer?

Why an Assessment is Important

Unlike other investment results, Knowledge Capital:

  • Typically grows invisibly, and correspondingly can also be lost invisibly
  • Moves with promotions and transfers unless retention is specifically arranged
  • Varies less with the position and more with the person holding the position
  • Has a value life cycle, short or long, that varies with the specific type of knowledge

For additional insight into assessing the life cycles of information, download my copy of the article that I wrote for the Computers & Security journal: Information Lifecycle Security Risk Assessment: A tool for closing security gaps. (If you want to share the document with a colleague, please use the “Send this page to a friend” link at the top right column of this page.)

Knowledge Capital Assessment Tool

Any security or risk practitioner, whether familiar with information security or not, can use a tool developed at Carnegie Mellon University for information security assessment: the OCTAVE Allegro method. Allegro is a musical term that means “a quick and lively tempo”. Allegro is the “next generation” of the Operationally Critical Threat, Asset and Vulnerability Evaluation method (OCTAVE).

OCTAVE has been refined three times: the original OCTAVE, OCTAVE-S (for small business), and OCTAVE Allegro—each refinement simplifying and streamlining the assessment process.

Allegro introduces the idea of “containers”—a term for where the information is stored or held in transit, for example in print form, electronic document form, or even in human memory. Knowledge Capital resides in all of these types of containers. The idea is to put appropriate security controls in place for each container, something that makes the planning of information protection a little simpler to think about. A very practical question is, “Who is responsible for this particular container?”—in contrast with “Who is responsible for this particular information’s security?”

Physical security practitioners will find many parallels with physical facility security risk assessments, giving them the potential to deliver even more value to their organizations through assessing and ranking the Knowledge Capital of the organization. Where the container resides in the IT domain, the IT security folks can provide recommended controls. Where the container is human memory, the information stakeholders can collaborate with HR, Legal, and the individuals involved to develop appropriate security measures.

Get the PDF document report “Introducing OCTAVE Allegro” from its download page.

This report introduces the next generation of the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) methodology, OCTAVE Allegro. OCTAVE Allegro is a methodology to streamline and optimize the process of assessing information security risks so that an organization can obtain sufficient results with a small investment in time, people, and other limited resources. It leads the organization to consider people, technology, and facilities in the context of their relationship to information and the business processes and services they support.

The worksheets, questionnaires and tools of Allegro are most easily used with a narrowly-focused assessment, which is perfect for assessing Knowledge Capital. Additional download documents include a complete example assessment, which will help give you a good idea of the kinds of results you want to get. Combine Allegro with the steps in my Information Lifecycle Security Risk Assessment document, and you’ll be all set to get effective results you’ll be happy to report to management.

How much Knowledge Capital will you be able to save your organization? Probably more than you think!

Best regards,
Ray Bernard
