The Business Model
Each "business" is unique in what it does, and yet
businesses share some things with each other. For example, all
businesses involve people and things.
People have to be dealt with in terms of their value in doing things and have to be
paid in order to keep working.
Things have inherent value, are inventoried and
tracked, and get bought, sold, lost, and stolen.
Because most businesses deal in financial currency,
this is certainly an important element of the business modeling process,
but the value of most businesses is an order of magnitude or more higher
than the inventory value of its assets. This difference is, in one form
or another, the information value of the enterprise. Enterprises also
value different things. For example, educational institutions are
generally non-profit and their main output is graduating students with
life-long knowledge that will help them live better and help society
prosper. Military enterprises produce the force needed to help exert
influence through direct application of power as well as the potential
for force that deters conflicts and people and skill sets that benefit
society as a whole, but they can also produce devastation and
large-scale loss of life, liberty, health, and property.
Most businesses can be understood at some level in
Sales, Market, Brand: Brand is a
reputational element of the information value of a business and
represents a critical factor in sales. Information protection failures
tend to harm brand, but claims of security rarely enhance brand
substantially. Brand is vital to generation of leads, sales, and ease
of success in business. Marketing and the markets that a business
operate in dictate to a large extent the aspects of information
protection that apply and the tolerance for risk and need for
protection. Sales are more directly related to income. All of these
also involve business processes that are key to success and failures in
these processes lead to anything from release of critical competitive
information like pricing or customer details to incorrect pricing to
inability to process orders. Any of these can be catastrophic to some
Process, Work Flow, Results: Business
processes are critical to their survival and increasingly business they
are highly automated. Attacks on work flows can be highly destructive
and cause subtle effects like the ability for unauthorized individuals
to cause unauthorized changes to business processes, grant themselves
access or monies, disrupt operations, destroy logistics, and otherwise
disrupt business operations.
Resources, Transforms, Value: Resources are transformed into value through
processes. For example, land is transformed into gold through
extraction processes while chemicals are transformed into medicines
through chemical processes and raw data is transformed into competitive
intelligence through analytical processes. These processes are
fundamental to how many businesses operate and failures in theses
processes lead to failures in the ability of the enterprise to produce
Supply, Inventory, Transport: Many enterprises take supplies of some sort and move
them from place to place in order to produce value. Wholesalers and
retailers move supplies from suppliers through warehouses and
storefronts into consumers or customers while many companies have
internal logistics processes that support their operations in one way or
another. Disruptions in the supply and logistics process can cause
anything from military campaigns to businesses to fall apart.
AR/AP, Collections, Write-offs: With the exception of purely cash businesses,
all businesses have accounts payable and receivable, collection
processes, and write-offs. These processes are critical to cash flow
and business operations as well as profitability and customer relations.
Failures in these processes can cause businesses to lose the confidence
of their customers, to offend customers, to be stolen from in large
quantity, and to be unable to meet payroll or other obligations and go
bankrupt. Other elements of the financial systems of businesses are
also important in much the same way and are subject to malicious attack
for their direct financial value.
Infrastructure is used in conjunction with services and applications to
meet the desires and needs of users. The value of the infrastructure
comes in the utility of the services provided to users. If
infrastructures or the services they support fail, the harm is in
reduction of business utility. These servicees also support content
that may have inherent value, lose value with exposure or time, or
otherwise be affected by failures in protection. At the same time
the utility is dictated by the ability to use these services.
Cost, Shrinkage, Collapse: Costs and changes in costs and cost structure,
shrinkage (loss and theft of inventory), and ultimately collapse of
markets or businesses effect enterprises in a wide range of ways.
These and other business functions can be codified in
terms of business process diagrams and the elements of the processes
diagrams can be associated with failure conditions producing losses as a
function of the durations of the failures. Information technology and
its role in supporting these business processes can be codified by
indicating which processes that technology interacts with and how losses
of integrity, availability, confidentiality, use control, and
accountability can impact those processes. These then are the
depictions of the business that help to understand information and
information technology related risks from a business perspective.