Dear entrepreneurs
In my previous blog post I discussed the possibility that a business can bleed to death due to intellectual property (IP) theft… More and more companies experience IP data leakage, and a business owner needs to be able to calculate the current and potential negative financial impact on his/her company (for illustrative purposes, I will use a fictitious company with the name of “Company ABC”).
A method to calculate profit erosion
By not knowing the current or potential negative financial impact of a threat (in monetary terms), Company ABC runs the risk of implementing data leakage prevention controls that are ineffective and/or economically unfeasible. As a result, Company ABC would be unable to determine the effectiveness and feasibility of the controls in monetary terms.
Although I used some freely defined profit erosion figures in my previous blog post to illustrate some principles, I would like to provide you, the reader, with a more conservative quantitative method to calculate current and potential profit erosion. Different methods exist; the important principle, however, is to estimate profit erosion. You can therefore decide to use other methods as well.
By following a qualitative approach in identifying and assessing IP leakage risks (i.e. by only assigning non-monetary values such as High, Medium, and Low to risks), Company ABC could tend to implement only a suitable collection of controls rather than the exact right number of controls – as is the case with a quantitative approach. In other words, with the qualitative approach Company ABC could have a situation where risks are “over controlled” or “under controlled”.
The following steps should be performed to calculate current and potential profit erosion:
Risk scenario “simulation” – loss of potential profit calculation
The following scenario doesn’t include unnecessary expenses (like legal costs), loss of Research & Development (R&D) costs and damage to public image (as mentioned in my previous blog post). In normal circumstances, profit erosion from these scenarios should also be included in calculations.
Scenario
Identify a specific IP leakage scenario:
| Potential threat: | An employee steals IP information (e.g. a drawing, calculations and so forth) and provides it to a competitor. The competitor successfully proposes at a lower price. In this instance, Company ABC loses potential income and profit. |
| Risk assessment period: | Five (5) years (i.e. this risk might occur over a five-year period). |
| Number of IPs stolen: | 20 IPs are leaked out |
| Number of cases one specific IP is used in one year against Company ABC in tenders: | 5 times |
| Average margin (profit) on one project: | $30,000.00 |
Monetary amount at risk
Start by determining the monetary amount at risk for leaking out one (1) IP, once, in a one (1) year period (and by assuming that it is used successfully against Company ABC by a competitor only once in a tender case):
| Calculation: | 1 IP x $30,000 margin |
| Result: | $30,000 (monetary amount/profit at risk) |
Expected financial loss
The following formula can be used to calculate the expected loss:
| Formula: | Expected financial loss = (A + (3)(B) + C)/5 | |
| where | | |
| A | = | Smallest amount of financial loss. |
| B | = | Most likely amount of financial loss. |
| C | = | Greatest amount of financial loss. |
| 3 | = | This figure indicates how much weight the “most likely amount of financial loss” should carry. In other words, the more probable Company ABC Management considers the “most likely amount of financial loss” to be, the higher the number, and vice versa. |
| 5 | = | 1 (i.e. one A) + 3 (i.e. three B’s) + 1 (i.e. one C) = 5 |
The next step is to allocate monetary amounts to the “smallest amount of financial loss,” the “most likely amount of financial loss,” and the “greatest amount of financial loss.” To do that, you can allocate a percentage to each and then calculate the severity of the financial loss:
| Formula: | Financial loss expressed as a percentage x Monetary amount at risk | | |
| A | = | 30% of monetary amount at risk ($30,000). | $9,000 |
| B | = | 50% of monetary amount at risk ($30,000). | $15,000 |
| C | = | 70% of monetary amount at risk ($30,000). | $21,000 |
Therefore the:
| Expected Financial Loss | = | ($9,000 + (3)*($15,000) + $21,000)/5 | $75,000 |
Expected probability of occurrence
The next step is to calculate the probability that a threat will occur, within the given period under assessment (in this case, one year), so that the potential financial impact of the given threat (in this case IP leakage and where a competitor successfully proposes at a lower price) can be calculated:
| Formula: | Probability of occurrence = D/E | |
| where | | |
| D | = | Number of occurrences in one year (e.g. 5 times). |
| E | = | 11 tender cases in one year. |
Therefore the:
| Expected Probability of Occurrence | = | 5/11 | 0.45 |
Potential financial impact of threat
The potential financial impact of the threat is therefore:
| Formula: | Potential financial impact of threat = F x G | |
| where | | |
| F | = | Expected financial loss. |
| G | = | Expected probability of occurrence. |
Therefore the:
| Potential Financial Impact of Threat | = | $75,000 x 0.45 | $33,750 (gross impact of threat once) |
Collective impact of multiple threat instances
Of course, chances are good that more than one IP could be at stake. Data leakage is not limited to one IP or to one year. By considering that IP leakage can happen, for example, over a period of five (5) years, and that 20 IPs are leaked out (and where a competitor successfully proposes at a lower price against Company ABC in multiple cases), the loss of potential profit could be:
| Collective Impact of Multiple Instances | = | $33,750 x 5 years x 20 IPs* | $3,375,000 |
* Note: Assuming that the margin is $30,000.
Risk scenario “simulation” – Company ABC’s own calculations
The above scenarios and calculations are for illustrative purposes only.
We therefore recommend that you perform your own risk assessments and quantitative calculations to verify the current or potential negative financial impact of IP (data) leakage risk scenarios on the prosperity and profitability of your company.
In my next blog post I will discuss some control measures you can implement to reduce your risk of IP theft in your company.
If you have any questions, you are welcome to contact us at blog@business-around-the-globe.com
Warm regards
Michiel Jonker, CISA