One of the common core activities when designing an Information Security Management System is to identify all the appropriate assets within the organisation so that risks against those assets can be properly identified and managed. Part of this process is to also identify all your data assets, such as customer databases, sales lists, intellectual property and other key information resources that are critical to the business. Indeed, identifying your data assets is a key element of the ISO 27001 Information Security Standard.
However, perhaps we are thinking about this the wrong way. Treating information as an asset means we place a value on it. Placing a value on something means people want it. If there is value to something then it must be important and if I have that asset then I am important too. So the customer database becomes an asset to the company and any member of staff wanting to be seen to provide value to the company must have a copy of that valuable asset.
What if we were to turn this thought process around? Instead of thinking of information as an asset, what if we were to think of it as a liability? A liability is by its nature a dangerous thing and is therefore treated differently than an asset. Depending on their nature, liabilities are protected to ensure they do not cause any damage, and people tend not to want to have liabilities in their possession.
So if we treated information as a liability, would that help us secure it any better? Maybe that sales database would no longer be the desired thing to have on your desktop or laptop. Because a liability is potentially dangerous, management will be more reticent in granting access to certain information.
Treating information as an asset has proven to be a difficult model to secure in the past. Maybe treating information as a liability is a more workable solution?