Posts Tagged ‘Revenue assurance’

Social networking business models

May 27th, 2009 admin

A colleague who has a startup in the US for social networking for doctors was whining to me the other day that advertising business models are dead for everyone except the top 5-10 Internet properties like Yahoo and Google. He said that Google does a great job of aggregating ads from small Web sites, but that doesn’t mean that a small to mid-size Web property can monetize traffic enough to be profitable. It’s a corollary of the long tail of the Internet that the small guys at the end of the tail will never have enough traffic to monetize.

Debating estimates of loss is a dead end

August 3rd, 2008 admin

I was working on an article on a holistic approach to data leakage, fraud and revenue leakage today. Spent most of my Sunday reading and trying to summarize some of the work we’ve done with our telecom service provider customers in Israel and Poland.

I came across a thread entitled “What is the acceptable percentage of Revenue Leakage?”

It was somewhat entertaining, with nuggets like:

“The simple truth is this.  So far, very few vendors are in the mode of caring about repeat business.  So they will make any promise to make a sale.  If they make some extravagant claim about total losses, but the product they sell delivers little or no value, then they are still happy because they got the sale.  What makes it worse is that people working in revenue assurance service providers will often try to cover up the failures of expensive projects, presenting them as a success even if they deliver little benefit.”

But the simple truth is that the same problem of talking about losses without talking about risk mitigation cost and effectiveness is also rampant in the information security world. Vendors like Symantec, McAfee, WebSense and RSA use pseudo-science to justify their products, and FUD tactics when the pseudo-science doesn’t work.

I just love these vulnerability curves.  I think that the only difference between the revenue assurance space and information security is terminology.   Vendors appear to be unconcerned with repeat sales and being able to prove consistent ROI over time.

However, all is not lost. In the security analyst and research community there is a growing trend to model threats and damage to assets in dollar terms, since justifying budgets to the CISO is pretty hard with qualitative measures when products and services cost quantitative money.

Eric Priezkalns talks about TMF publishing KPIs (key process indicators) for revenue assurance. As Eric notes in another post on his blog, there is a problem with generic KPIs:

  1. There is a lack of consensus on revenue assurance KPIs among both vendors and customers.
  2. Even if agreed upon in an industry group like the TM Forum, standard KPIs are not one-size-fits-all, and what’s good for a large telco may be a poor fit for a Tier 3 operator.
  3. Even with standards, customers may not have the data to measure the KPIs.

There is a similar situation in the compliance industry with standards like PCI DSS 1.1. The PCI Data Security Standard was written by a committee made up of big processors, Visa and Mastercard. Many of the guidelines are outdated – like making anti-virus mandatory and calling it threat management, or explaining how routers can be configured to be firewalls. I am not sure that this is security best practice any more and, more importantly, standards written by big credit card institutions may not be suitable for small merchants.

There are three things we must have for security, compliance and revenue assurance:

  1. Assess risk with a common $ metric; anything else will be an endless debate.
  2. Prioritize mitigation; countermeasures must be cost-effective.
  3. Sell to decision-makers in language they understand. Any executive will want to know that the revenue gains will exceed the investment in revenue assurance.

How to classify assets in a risk assessment

July 29th, 2008 admin

One of the more difficult tasks in any fraud, revenue assurance, security or compliance risk assessment is classifying assets and tagging them with a financial value. Here are a few tips on asset classification and valuation.

There are 5 fundamental types of assets:

  1. physical assets (like a building or a data center),
  2. digital assets (like unstructured text in a MS Word file),
  3. chemistry assets (an asset that is well defined by a unique formula, not necessarily a drug),
  4. software assets (source code or an algorithm),
  5. operational assets (customers, suppliers).

Then there are 5 fundamental attributes of assets, where each attribute has particular values:

  1. Location – a physical asset such as a building has a unique, invariant location. A digital asset such as a strategic plan in PowerPoint format does not.
  2. Boundaries – a physical asset such as a building has unique, invariant boundaries. Digital and software assets do not have measurable boundaries, whereas a chemical asset has a fairly well defined boundary in terms of the description of the formulas involved, although not in terms of the manufacturing recipe.
  3. Measurable – what is the ability to measure damage to the asset by an attacker? Can the replacement value be calculated, and is there an alternative cost? Physical assets are eminently measurable due to their physical location and boundaries. The other 3 asset types – chemical, digital and software – vary as to measurability. If a chemical formula is leaked by a trusted insider, it may not make any difference at all if the patent is publicly available, and if software is leaked it may not matter if it was free open source. On the other hand, proprietary closed source software, if stolen, can result in damage equivalent to how many man-hours were invested.
  4. Clonable – a physical asset cannot be cloned. Digital and software assets can, and chemical assets are probably not easily cloned since they may have unique formulas.
  5. Replaceable – an old historical building in a unique location cannot be replaced, but almost all the other assets can be replaced by substitutes with equivalent functionality, attributes and value to the organization.