Module 8.6 – Deciding What Specific Information to Release

Module Introduction

            Financial information is usually the most important and sensitive information a organization ever releases about itself. That is why it must be extremely careful about what it sends out and analyze the impact the information could have. Not only do you have to decide what information is worth, you also have to develop ways to protect it.

~ ~ ~ ~ ~

1. Deciding What Specific Information to Release

            Financial information is usually the most important and sensitive information a organization ever releases about itself. That is why it must be extremely careful about what it sends out, and analyze the impact the information could have.

            We all know people who give us too much information. We ask them what time it is, and they want to tell us how to build a watch.

            We also know people who never give enough information. We ask them what time it is and they say: “early,” or “late,” or “still morning” or even “I’m not sure.”

            organizations can do the same thing, and the results can be just as frustrating.

            Before you can determine what information to release and to whom to release it, however, you have to know:

• What information you have
• If there is any sort of requirement to release it
• What the information tells people
• What that information means to the organization in terms of proprietary concerns, competitiveness, and so on.
• What commercial or monetary value the information has
• What it means to the recipients
• If the is any benefit in releasing it

~ ~ ~ ~ ~

2. Knowledge, Data and Information

            Before we talk about what information to release, let’s look at the differences between data, information, and knowledge. They are not the same thing, even though some people use these terms interchangeably.

·           Data: Here are some data, a collection of random facts and observations: three inches of rain, 527,942 widgets, purple, last month, Tuesday, nine, 27 percent, Human Resources, shirt, 87, €79.57, Max, 14 percent, reams, green tie, Friday.

·           Information: Once you put the data into some sort of context, you have information. Three inches of rain fell last night. There are 527,942 widgets sitting in the warehouse, each with a retail value of  €79.57. There is a 27 percent profit on each widget sold. Max wore a green tie with a purple shirt Friday. Nine people were sick Tuesday. Human resources used 87 reams of paper last month, 14 percent more than the previous month.

·           Knowledge: This is valuable data and information. It comes from finding value in what we have observed, collected, and assembled over time, thanks to experience, training, communication, or inference—or any combination of them.

These distinctions are important because you have to decide what it is you are managing, and what to do with it once you have it. At times, data and information are knowledge. At other times they are not. When you are managing information, however, you are also managing data and knowledge. Each has potential value. That value is established by your organization, your department, your job, by what your organization can do with it, and what others outside your organization could do with it if they had it.

3. Analyzing Your Financial Information

            Let’s look at the points in more detail, keeping in mind that in project/programme purpose virtually all information has value and therefore can be considered financial.

What information you have:

            Let’s say you’re in a manufacturing plant and have:

1.  A cost-per-unit breakdown
2. A production report
3. A “spoilage” report that shows how much mistakes are costing
4. An analysis of how much it will cost to upgrade some of your machinery
5. An estimate of when that new machinery will have paid for itself

What you have are five separate pieces of financial information.

Number One could tell the competition what your mark-up and profit margin is. Number Three could possibly tell an analyst what sort of quality control you practice, a great deal about your machines and procedures, and how efficient and well trained your workers are. Both Numbers Four and Five could let someone make some shrewd guesses about your overhead and operating costs which, of course, could tell them even more about your mark-up and profit margin.

      Number Two, your production report, merely tells them how many acceptable units you produce.

      What information should you release? It all depends on what you want the world—especially your competition—to know about you.

~ ~ ~ ~ ~

4. Analyzing Your Financial Information (Continued)

If there is any sort of requirement to release it:

            Some organizations in some fields—food and pharmaceuticals are two examples—have to release a great deal of information about the products they process and produce and what their actual contents are, how they are prepared, and so on. This might even include the exact amount of each compound in each unit.

            In the case of processed or prepared food, you might not have to list the proportions of the ingredient, but you might be required to release the calories, fat, fiber, sodium, protein, carbohydrate and cholesterol content.

            organizations in other fields—such as nuclear power generation and explosives manufacturers—do not have to reveal that much about what they produce. But they do have to reveal a lot about how they produce it and what sort of safety procedures and systems are in place.

            Depending upon what you do, where you do it, your processes, procedures, and raw materials, you might have to file extensive environmental impact assessments and reports that are more concerned about the impact of what you do than they are with what you are actually doing.

            If you are a publicly traded organization, there is also information you are required to release.

            When you are “required” to release information because of governmental or legal regulations, the only question is when the information has to be produced, how much you have to produce, and what form and format it should be produced in.

~ ~ ~ ~ ~

5. Analyzing Your Financial Information (Continued)

What the information tells people:

            If, when you get home in the evening, you want to find out if your children have been doing their homework or watching TV you can feel the TV set to find out if it’s warm.

            If you want to know who has been making unauthorized long-distance calls on your private phone at work you call the numbers that appear on your phone bill and figure out who they know who works in your office.

            If you run a restaurant and want to know that your competitor across the street has added to its marinara sauce to give it that extra piquancy you could snoop through their trash looking for empty spice containers, have a chemical analysis done on a sample, or bribe their service staff or dishwasher to watch their chef and report to you.

            In other words, using logic, observation, science, and industrial espionage, you can find out all sorts of information. So can your competitors.

            In the United States, the Federal Bureau of Investigation estimates that U.S. organizations lose more than $100 billion annually due to industrial espionage. Similar estimates have been made about losses in Europe and the rest of the world.

            Some information is “stolen,” by breaking in and physically stealing plans and formulas, as well as by hacking into computer systems and stealing the information digitally.

            Much more, however, is deduced by careful observation and analysis.

            While it is very important to know what information you can safely release, it is even more important to know which information you want to protect.

6. Analyzing Your Financial Information (Continued)

What that information means to the organization in terms of proprietary concerns, competitiveness, and so on:

            If you are a contractor, everyone knows exactly what you do and how you do it.

There are no “secrets” involved, just skill, training, experience, common sense, organization, and a lot of hard work.

            The loss of such proprietary information could seriously damage your project/programme purpose.

What commercial or monetary value the information has:

            How much is your production process worth? What about your quality control system? How much income has your mailing list generated for you over the years?

            What do you know that others do not, and what is it worth?

            What would you pay for a computer program that would streamline your inventory control or purchasing systems? If you had developed such a system in-house, designed to meet your specific sector of activity’s needs, would you be willing to sell or license it to a competitor, and if so, how much would you charge?

            Some organizations sell products. More and more organizations today sell information. Even more important, more and more organizations buy information and they know exactly what it is worth.

~ ~ ~ ~ ~

7. Analyzing Your Financial Information (Continued)

What it means to the recipients:

            What value does the information have to the various individuals or groups that could receive it, such as investors, vendors, partners, beneficiaries, government or regulatory agencies, and so on?

            In other words, do they want it and if so, why”

Is there any benefit in releasing it?

            This is the key question.

            There is most likely some information—possibly a great deal—that you are require to release either to a government or regulatory agency, or the public, for any of the reasons listed earlier, or perhaps for other reasons not even mentioned.

            That information is not part of the discussion. Everything else is.

            A system has to be in place to decide which information can be released, and to whom, at what time, and in what specific situations. These are management decisions that should be based on a thorough analysis of the information and of all the possible ways it could be used, and all the possible effects it could have on the organization, its profitability, operations, and personnel.

            Each organization has to make these decisions for itself, and those decisions have to be made by senior management.

 ~ ~ ~ ~ ~

8. Creating an Information Classification System

            Think of information as a commodity.

            Your job could be to determine what information can be released or moved out now, what gets released or moved out later, what goes into long-term storage, and what gets locked away—possibly forever.

            Once all of that has been determined, you might have to decide exactly where it goes, who gets it, and how to get it to them.

            At times you merely move information without any physical medium, such as onto an Internet site, as a digital transfer, or as e-mail. In this case “your” copy—or the “original”—of the information never actually leaves the organization. In other cases, you have to produce and duplicate the information to make sure you have enough physical copies to hand out, while keeping some in reserve.

            All of this requires the development of an information classification and flow system that contains:

1. An information strategy
2. Information policies
3. Information classification
4. Recipient identification and classification policies
5. Acceptable use policy
6. Dissemination storage and facilities
7. Dissemination procedures

~ ~ ~ ~ ~

9. Classifying Information

The world’s governments deal with the issue by classifying specific information according to a scale of how important, valuable, dangerous, or damaging it is. In many cases the categories are:

• Unclassified
• Confidential or Classified
• Secret
•  Top Secret
• Top Secret (Need To Know, Sensitive Department Information, or Special Access Programs)
• For Your Eyes Only

Let us look at one other category—For Official Use Only. Technically speaking, this is not really a government security classification at all. Instead, it is used to protect information covered under a country’s—or a organization’s—privacy laws. This can and often does include medical information, racial or national origin, religious beliefs, sexual preference, payment history, financial holdings, performance evaluations, disciplinary actions, and so on.

      In effect, then, this classification covers matters of personal security. The people whose “secrets” are covered under these policies, however, usually have no say so in the matter. While a organization or government can choose what to classify, and what category to place it at, individuals have little if any say in how their own “secrets” are handled, or in who does—or does not—have access to them.

~ ~ ~ ~ ~

10. Industrial Espionage Basics

            Industrial espionage is big project/programme purpose. Here are some thoughts from security consultant Kevin D. Murray, of Murray Associates, in Oldwick, New Jersey, from his web page at http://www.egyed.com/mbsc/mbsc.html about information you want to protect.

1. Trust Your Instincts: With eavesdropping and espionage, the thought would not have crossed your mind if a real problem did not exist.
2. Only Failed Espionage Gets Discovered: You never hear about successful eavesdropping or espionage attacks. You’re not supposed to. It’s a covert act. Frequency of publicity about industrial espionage is on a par with commercial airline flights: only partially completed (failed) flights make the news.
3. Espionage is Preventable: Information is like any other organizational asset. Management has a responsibility to protect it Stockholders can claim negligence and hold organization executives responsible if it lost due to lack of protection.
4. The Law Only Protects Those Who Protect Themselves: You can’t just wander into the courtroom crying, “They stole my project/programme purpose secrets” and expect help. You have to show the extraordinary steps you took (and maintained) to elevate your project/programme purpose information to secret status.
5. Counterespionage is Not a Do-It-Yourself Project: Deal with qualified professionals; people who understand the law and actually know how to use the equipment. Buying an eavesdropping detection sensor—a bug spotter—and teaching yourself to use it is like buying a jet plane and teaching yourself to fly. He adds that a security guard is not a security expert, neither is a private detective.

Assignments

Multiple-Choice (2)

1.         __________ is/are usually the most important and sensitive information a        organization ever releases about itself.

a.       Trade secrets

b.      Financial information

c.       Management lists

d.      None of the above

2.         Before you can determine what information to release and to whom to release it          to, you have to know _________.

a.       What information you have.

b.      What the information tells people.

c.       What it means to the recipients.

d.      All of the above

3.         When you are required to release information because of governmental or legal           regulations, the only question is _______.

a.       When the information has to be produced.

b.      How much information you have to produce.

c.       What form and format the information should be produced in.

d.      All of the above

4.          In the United States, the Federal Bureau of Investigation estimates that U.S. organizations lose more than $100 billion annually due to _________.

a.      Industrial espionage.

b.      Low morale.

c.       Overly high management salaries.

d.      None of the above

5.         While it is very important to know _____, it is even more important to know   ________.

a.       What information you have; what information to release.

b.      What information you can safely release; which information to protect.

c.       What information is worth; who wants to know it.

d.      None of the above

6.         The key question in deciding what information you have to protect is

a.       What does it mean to the recipients?

b.      Is there any benefit in releasing it?

c.       What does the information mean to the organization in terms of proprietary concerns and competitiveness?

d.      What commercial or monetary value does the information have?

7.         For Official Use Only usually pertains to ________.

a.       Governmental security

b.      Unimportant issues

c.       Personal security

d.      None of the above

8.         Espionage is __________.

a.       A routine part of project/programme purpose

b.      Inescapable

c.       Preventable

d.      None of the above

Matching the Columns

Answers:

1.)    C

2.)    A

3.)    E

4.)    B

5.)    F

6.)    D

Summary

            As we have seen, financial information is usually the most important and sensitive information a organization ever releases about itself. That is why it must be extremely careful about what it sends out, and analyze the impact the information could have. Not only do you have to decide what information is worth, classify it and develop policies about what information can be revealed to whom and under what circumstances, you also have to develop ways to protect it.

~ ~ ~ ~ ~

Test

1. ______        Data and information are always knowledge.

2. ______        When you are managing information, you are also managing data and                          knowledge.

3. ______        In project/programme purpose, virtually all information can be considered financial                                                information.

4. ______        What information you release depends on what you want the world to                                    know about you.

5. ______        Most organizations don’t have to release a great deal of information about the                 products they process and produce.

6. ______        organizations such as nuclear power generation have to release a lot about                                 what they produce, but not much about how they produce it.

7. ______        Using logic, observation, science, and industrial espionage, you can find                                  out all sorts of information.

8. ______        Very few organizations buy information.

9. ______        A system has to be in place to decide which information can be released,                                and to whom, at what time, and in what specific situation.

10. ______      Decisions about what information to release should be made by middle                                   management.

Answers:

1.                                                       F – not always

2.                                                       T

3.                                                       T

4.                                                       T

5.                                                       F – some organizations have to release

6.                                                       F – not much about what, a lot about how

7.                                                       T

8.                                                       F – More and more organizations

9.                                                       T

10.                                                   F – senior management

Bibliography

Arfin, F.N. (1993). Annual reports that pay their way. London: Pitman.

Heims, P. (1982). Countering industrial espionage. Leatherhead, Surrey, England: 20^th Century Security Education.

Stanat, R. (1990).   The intelligent organization: Creating a shared network for information and profit. New York: American Management Association.

Learning Objectives

• Financial information is usually the most important and sensitive information a organization ever releases about itself.
• Not only do you have to decide what information is worth, you also have to develop ways to protect it.

Glossary

Data – A collection of random facts

Information – Data in some sort of context

Knowledge – Valuable data and information

Industrial espionage – The stealing of another organization’s data and information; costs organizations more than $100 billion annually

Q&A

1. What do you have to know before you can determine what information to release and whom to release it to?

Before you can determine what information to release and whom to release it to, you must know what information you have, what the information tells people, what it means to recipients, and if there is any benefit in releasing it. You must also know if there is any sort of requirement to release it, what that information means to the organization in terms of proprietary concerns or competitiveness, and what commercial or monetary value the information has.

2. What should an information classification and flow system contain?

An information classification and flow system should contain an information strategy, information policies, information classification, recipient identification and classification policies, acceptable use policy, dissemination storage and facilities, and dissemination procedures.

3. What should you keep in mind about industrial espionage?

You should always trust your instincts. Only failed espionage gets discovered. Espionage is preventable. The law only protects those who protect themselves. Counterespionage is not a do-it-yourself project.

End of Module