Posted in:

The new Data Economies

Do cyber threats perceive a value in your enterprise data that you’ve missed? Can that value go up as well as down? Calculating minds understand the data economy rules. By James Hayes.

The wikis define the ‘data economy’ as a global digital inter-system in which data types are gathered, organised, processed and exchanged by a network of vendors and agencies to derive value from the information thus accumulated. This definition has assumed broader resonance, however, as more sections of the data economy undergo programmes of digital transformation, and start to discover, perhaps for the first time, the full extent of their data assets and the full extent of those assets’ value.

This means that a general appreciation of data economy dynamics, at least, should exist around Europe’s c-suites and boardrooms. Cyber security process plays an important part in this assessment: it is because data has an intrinsic value that cyber criminals and other threats try to steal it for resale and other nefarious exploitations.

Targeted organisations that want to understand the intrinsic value of their data assets should factor its attractiveness to hackers into their calculations. (Additional value criteria could include intellectual property value and value for business analytics.) The calculation of value naturally depends on the type of data under evaluation. Some data, such as intellectual property (IP) and data-protected customer data is innately valuable.

Other data holds value because if anything unlawful happens to it, the data owner could be penalised by regulator. Some data owners want to find out how much their data is worth so that they can decide how much of their IT security budgets they should spend to protect it: little point in defending relatively worthless data with expensive arrays of security. Data value might also be a decisive metric for data that is insured against cyber attack.

Data is so important to businesses today that 67% of EMEA businesses that responded to Evolution’s Data Economy Report 2017 reckoned it should be ‘shown as an asset on the company balance sheet’. Some respondents went as far as to say the data their company holds is ‘more valuable than the people it employs’. It is evident that some of the cyber criminals who hack into an organisation’s IT systems and steal data do so to feed a demand. A decade ago there were still organisations who were convinced that they would not be subject to cyber attack because its data was valueless. They were wrong, somewhat in the same way that 150 years ago, few people thought that oil was worth drilling for.

Indeed, within its publication The Hidden Data Economy (2015), McAfee designates enterprise data as ‘the “oil” of the digital economy’. The commercial market for personal data is ‘booming’, it reports with large databases of subscriber information drive up the valuations of the companies it belongs to, even though many have yet to turn a sure financial profit.

As the commercial value of personal data is a good example of this. As it so grows, cyber criminals have long built a complex economy to purvey stolen data to anybody with a computer browser and the accepted means to pay. It’s likely that some buyers of illicit data don’t really know the true value of what they buy, and just hope that they will find something in there that proves profitable.

Digital economists have been somewhat enlightened by the activities of cyber criminals and other data thieves. Many organisations, for instance, are progressing their own models for making public data assets available for commercial use. It’s arguable that this would have happened anyway – cyber thieves or not – but data breaches do represent some supporting evidence for the models being evinced.

According to the Body of European Regulators for Electronic Communications (BEREC)’s Report on the Data Economy, the European Commission has stated that the value of the data economy in the European Union (EU) was more than €285bn in 2015: that represented 1.94% of the EU’s gross domestic product (GDP).

The total direct economic value of public sector information in the EU states, for instance, is expected to increase from a baseline of €52bn in 2018, to €194bn in 2030. Accordingly, favourable and timely policy and legislative conditions and incentives to invest in ICT might support an increase of the value of the European data economy to €739bn by 2020, that represents 4% of overall EU GDP.

BEREC’s Report on the Data Economy goes on to point out that our traditional economic structures as well as our societal structures will undergo a rapid change as a result of global Digital Transformation. The diverse possibilities to be found in data collection, storage, evaluation and transmission are commensurately at the centre of these changes.

These are the basic requirements for the achievement of potential intra-company efficiencies and the development of innovative business models. Data is thus becoming a central factor of competition and value-added growth. It is also of ever-increasing economic relevance. The European Commission further estimates the added value of the EU data economy in 2015 at around €272bn; it forecasts an increase to €643bn by the end of 2020.


A comparison of two of Europe’s leading data economies by the Digital Catapult’s UK Data Economy After Brexit report (2017) provides some key indicators of how they feed into traditional economic trends. In 2016, the UK’s data economy accounted for more than 2% of the country’s GDP with an estimated value of €61.3bn. This placed the UK data economy as the second largest in the EU, behind Germany with a data economy worth (an estimated) €77bn. Not surprisingly, both nations have experienced growth in their legitimate suppliers of data.

In the UK, the number of data suppliers is disproportionately bigger than other large EU economies (albeit with a rather average growth rate). In 2015, there were some 120,500 data companies in the UK; that was about 95,000 more than Germany (a distant second) and more than 47% of the whole of the rest of the EU, which the Digital Catapult estimated to have about 254,850 data companies in total at the time of its report. Similarly, in terms of data revenue, the UK leads – along with Germany in close second place – but with growth rates only slightly better than average.

The UK also has a sizeable and active data market, which for the purposes of The UK Data Economy After Brexit is defined as’ the aggregate value of the demand for data products or services in the economy’. In 2016, the value of the UK data market was estimated to be €13.313bn; that’s marginally higher than Germany’s €12.9bn, with above-average growth levels, at 13.2%.

Projections of the growth of the EU data market by the end of 2020 place the UK first at €17.7bn, with Germany again being a close second at €16.4bn. (France is a more distant third at €9.1bn, and Italy comes in fourth at €6.3bn). Analyst IDC’s European Data Market report (2017) reckons that the UK share of the EU data market to be the biggest, at 22.4%.

Such statistics and forecasts make heady reads, to be sure; but there is one substantial inhibitor that is ever-poised to curtail the full potential of the European digital economy from being realised: the cyber threats that make use of the public internet a risky undertaking. In short, by any assessment.

Accenture’s Securing the Digital Economy 2019 report suggests that until the public Internet is made a safer place to conduct commerce and the normal conduct of business, the aspirations of a digital economy will perforce be limited by cyber threats. It states: ‘One of the most glaring challenges of an insecure Internet is the economic cost. In the private sector, over the next five years companies risk losing an estimated €4.71tn ($5.2tn) in value creation opportunities from the digital economy – almost the size of the economies of France, Italy and Spain combined – to cyber attacks’.

This translates to 2.8% in lost revenue growth over the next five years for a large global company, Accenture extrapolates. However, it is Europe’s high-tech industries that face the biggest risk, with more than €683bn ($753bn) ‘hanging in the balance’. This returns us to the question of how an organisation begins to calculate the intrinsic/extrinsic value of its data assets. Published by Trustwave in 2017, the Value of Data Report was conceived to examine the relative value placed on enterprise data from the perspective of different stakeholders: be they enterprise security practitioners, state regulators, cyber insurers – or even cyber criminals.

Determining of what that data is worth is integral to this process. The report attempts to answer this question and to provide guidance that can be used to help evaluate the cost of data breaches. It also looks at what data risk vigilance measures organisations it surveys have in place.

The Value of Data Report focused on four standard (and regulated) data types: Personally Identifiable Information (PII), Payment Card Data (PC data), intellectual property (IP), and enterprise email. It looks also at how the value of PII varies by data subject, by use of Per Capita Values (PCV).

Different types of data may be involved in any given data breach, the Value of Data Report outlines. The targeting of a point-of-sales device, for example, may involve exclusively PC data, whereas the theft of a laptop may involve PII, email and IP. Respondents to the report’s survey were asked to rate four basic data types in order of priority. Each data type could then be assigned an overall average priority score.

PII was ranked highest, followed by IP, PC data and email. All organisations store PII and IP of some sort and all must deal with email, although enterprise email is given the lowest priority. However, only a subset deal with PC data. The data type ranked first by each organisation has been termed its ‘prime data type’. 47.4% selected PII, 27.6% selected IP, 18.4% selected PC data, and 6.6% selected email.

Different data types do matter more in certain industries, the report determined: PII is given the highest priority in health care (3.5) and hospitality (3.4), and least in industrial (2.9), while IP was given the highest priority in industrial (3.0) and IT and communications (2.9); IP was lowest in hospitality (2.4) and financial services (2.4). The size, and therefore value, of data sets is not just a function of the number of records, Trustwave’s Value of Data Report suggested, but of the information each record so contains.

A data subject record consists of attributes: family name, date-of-birth, Social Security number, mother’s maiden name are all examples. An average of 49 attributes are held for each prime data subject. This rises to 74 for patients and drops to 18 for contractors. This richness of information is part of the reason patient records are considered some of the most valuable, being assigned an estimated mean PCV of €1,402 ($1,546). This is just behind shareholders, which come highest at €1,564 ($1,725), and ahead of consumers at €995 ($1,054).