Shostack + Friends Blog Archive


How to Value Digital Assets (Web Sites, etc.)

Many security management methods don’t rely on valuing digital assets.  They get by with crude classifications (e.g. “critical”, “important”, etc.).  But if you need to do financial justification or economic analysis of security investments or alternative architectures, especially risk analysis, then you need something more precise and defensible.

This tutorial article presents one method aimed at helping line-of-business managers (“business owners” of digital assets) make economically rational decisions.  It’s somewhat simplistic, but it does take some time and effort.    Yet it should be feasable for most organizations if you really care about getting good answers.  Warning: No simple spreadsheet formulas will do the job.  Resist the temptation to put together magic valuation formulas based on traffic, unique visits, etc.

(This is a long post, so read on if you want the full explanation…) 

A Single Method for All Seasons? No.

Caveat: There is no one method that is universally applicable and accepted.  A method that convinces accountants for financial reporting or for a merger or asset sale does not work for economists, and neither is going to be very comprehensible or realistic for line-of-business executives.  Assessing damages for a lawsuit will use different methods yet again.   What ever method chosen needs to be appropriate to the context and internally consistent. The proposed method here is aimed at business decision-makers who want to make economically rational decisions, given the available information.

Three Principles

1) The most important principle in valuing digital assets is that you can’t do it outside the context of the enterprise that gets value from the asset.  (I use the word “enterprise” here to include both for-profit and not-for-profit organizations, and even government agencies.)  Digital assets, for the most part, get their value from being used in context, not from a free market value.

2) This leads to the second principle of valuation: you value the digital asset according to its role in creating economic value (or, more broadly, business value, which can include non-economic goals.). While the most accurate and precise valuation requires analysis of the value creation processes (i.e. value chain analysis), it’s possible to get a decent estimate without it if you are willing to take a “cold hearted” approach to classifying assets.

This “cold hearted” approach comes from the work of Paul Strassman, and also the perspective of Nicholas Carr (Does IT Matter?).  In essence, they argue that the only IT investments that have a clear positive return are those that directly contribute to revenue or competitive advantage (narrowly defined).  Everything else is a cost.  (Strassman has done field studies to back up his arguments.)

Therefore, the second principle is to divide digital assets into two classes – Class 1: Digital assets that directly drive revenue and/or competitive advantage, and Class 2: everything else.  It’s not to say that Class 2 assets are not important.  They may be very necessary.  But the point is that you need to use different valuation methods.

3) The third principle is that valuation must be forward-looking.  What you have already invested or spent on it is irrelevant (mostly).  Economists call these “sunk costs”.  You might use historical investments or costs as reference points in estimating the future, but not always.  (This is where you the accountants walk out on you. 🙂  )

Being forward looking, your valuation will necessarily be based on projections, forecasts, and/or willingness to pay now for future events.  This can lead to all sorts of errors and delusions of grandeur.  This is especially true if your projections involve low probabilities and very large magnitudes.  There are a few ways to minimize these sorts of errors, but that is outside the scope of what I want to cover in this article.

Identifying Assets that Drive Competitive Advantage (Class 1)

Ignore most of what you hear about how information and IT in general drives competitive advantage.  Every business owner will make a claim that their digital assets are critical to the enterprise’s competitive advantage.  Bunk!  That’s like saying “all the children are above average”.

Here’s the cold reality of competitive advantage:

  • The only drivers of competitive advantage are those capabilities that allow your firm to charge higher prices than direct competitors who have an identical offering or a closest substitute. 
  • Alternatively, competitive advantage comes from capabilities that allow your firm to be more profitable than all your competitors while selling at or below the “market prices”. 
  • Also, competitive advantages can be defined in terms of differential ability to win market share at the expense of competitors or substitutes, or to expand market demand.  (Similar standards can be defined for non-profits and government agencies, but the explanation is longer.)

For a typical Fortune 500 company, the majority of IT assets and investments do not contribute directly to competitive advantage.  This includes ERP systems, data warehouses, middleware, security devices and software, and so on.  Even many front-line systems like customer relationship management (CRM) and computer-aided manufacturing (CAM) may not pass this hurtle if they are not accompanied by business process changes that lead to differential value for the end customer.

For every business unit that has its own profit and loss statement (P&L), you can usually identify two or three sources of competitive advantage.  It won’t be twenty!  For each source of competitive advantage, you’ll probably be able to identify one to three digital assets that are essential to that capability. 

For simplicity, let’s just consider internet-accessible assets, such as web sites, portals, web services, and so on.  Let’s say you catalog these assets and come up with 1,000 individual assets.  Of these, probably only five or ten will pass the test of “driving competitive advantage” – maybe fewer, or maybe no digital assets will qualify.  If you run through this exercise and identify 900 out of 1,000 assets as “driving competitive advantage”, you’ve done something wrong.

Here is the acid test:

  • If we doubled the quantity, quality, or performance factors of this particular digital asset, would it directly lead to greater than proportionate increase in:
    • Profitability?
    • Market share?
    • Market growth rate?
    • Firm market value?  (stock market value, private market value, etc.)
  • Likewise, if the quantity, quality, or performance factors were cut in half, would it lead directly to a greater than proportionate decrease in any of those four outcomes?

Revenue management software would meet this criteria if your firm was in the business of selling or renting a fixed, perishable resource (such as airline seats or hotel room reservations), but only if your revenue management capabilities are meaningfully different than competitors.  A customer portal or self-help web site or customer social network web site might meet these criteria but only if you can show that the customer web service is essential to customer purchase decisions – choice of vendors, spending decisions, etc.  It might also meet the criteria of your competitive advantage comes primarily from customer-driven R&D (i.e. open source or open innovation) and the customer web service is an essential vehicle for that customer-driven R&D.

If you follow this argument, you now see the critical importance for understanding the enterprise context and especially the business model and competitive strategy of the enterprise.  There’s no way around it.

Valuing Digital Assets that are Competitive Advantage Drivers (Class 1)

You value Class 1 assets in proportion to their ability to drive firm value, at the margin.  That’s economist language.  Let me break it apart. 

“At the margin” means the ability to drive value with additional dollar of investment (or by reducing investment by a dollar).  Visually, think of this as the slope of the value creation curve at the current level of investment.  Many assets have diminishing marginal value—as you invest more, your returns gradually diminish, until they plateau or even go negative.  Therefore, you don’t value the asset as if you were building it from scratch.  You value it based on incremental investment (enhancing) or incremental disinvestment (detrimental to capability).

“Drive firm value” goes back to the acid test listed above.  Technically, you need to convert “drive firm value” into cash flow projections, including incremental investments in the digital asset required to increase the enterprise value.  A sharp MBA can do this analysis, including appropriate discount rate for the time value of money, and then arrive at a valuation that is credible and defensible.

With all the relevant data available, the analysis might take a few days or a week per asset, including review and revision cycles.  Since only a few assets qualify, this shouldn’t be an undue burden.  After all, these are the most important digital assets for your enterprise!

Valuing All Other Digital Assets (Class 2)

Here is the most general method for valuing all the other digital assets:

  • How much is the business owner willing to pay to repair or replace the digital asset, assuming it were damaged or disabled, and assuming the business owner is paying out of a fixed budget?

You can clearly see that this method is set in a particular decision frame that is somewhat hypothetical and artificial.  The purpose of this decision frame is to emphasize the need to economize and prioritize among all the other assets.  It will also highlight any digital asset that currently exists but has no value whatsoever (because it’s not used, or duplicates something else, or not functional, etc.).  Some or all of your digital assets may be essential, or at least very important.  Fine.  But that doesn’t mean they will have a high economic value.  You need some way to separate the wheat from the chaff, so to speak, and this decision frame is designed to do that in a consistent, rational way.

It only takes a little fiddling to set up this exercise.  You have to enumerate the digital assets.  You have to set an overall spending budget – something like 5 years of investment and maintenance for the whole set.  And then you need to define what “damaged” or “diminished” means in each asset class.  (You can exclude the upside case because enhancing these assets does not drive competitive advantage, by definition!)  Again, it’s usually best to do a marginal analysis rather than full replacement cost. 

There’s one more critical element to the exercise: viable investment alternatives outside of digital assets.  Your business owner should always have the option of “do nothing” or “do something else”.  This can be as simple as “buy back company stock” which should yield the company’s market rate of return.  You can also make it more meaningful or tangible to line-of-business people by offering alternatives such as “increase staff” or “invest in business process changes”, with a fixed rate of return.  This forces the business owner to think of the digital assets in the context of the whole value creating process and all of their goals.

Once you’ve set these factors, you then take your business owners through the “willingness to pay” exercise for all the digital assets, plus alternatives.  It might take a few passes if you have a lot of digital assets.  It’s very helpful to do sanity checks along the way, such as comparing actual spending or budget allocations, or resource allocations, or prioritization in service level agreements, etc.

When this is complete, you’ll have the relative economic value of all the assets, relative to each other and to the overall budget you set for the exercise.  The final step is to convert these into cash flows over time, which might only take a few more calculations and normalizations.  You want to make Class 1 and Class 2 asset valuations comparable. The absolute economic value numbers may not be perfect, but the relative values will be quite robust.

Notice what isn’t included in this analysis (on purpose):

  • There is no mention of the volume of internet traffic to the web site, number of users, frequency of use, etc.
  • There is no mention of the size or complexity of the digital asset, or the nature of the technology behind it.
  • There is no mention of how the digital asset fits into the overall enterprise architecture, or whether it is state-of-the-art, or aging legacy code.

Why?  Because all these factors are incorporated in the “willingness to pay” decision by the business owner.  The technologists who are responsible for the digital asset may not be very satisfied or happy with this approach or its results, but it’s the shortest path to get an economically meaningful measure of asset value.

Putting it All Together

It won’t take much work to combine the Class 1 and Class 2 valuations into a common list where the relative values are meaningful and defensible.  You can then compare these valuations to various protection investment decisions, or for use in risk analysis or business continuity planning.  

How Much Time and Effort?

With qualified analysts and readily available data, this whole value analysis might take three or four weeks for a large business unit.  If the data is not readily available or if the business owners have no clue what drives competitive advantage, then it could take much longer.

If this amount of effort makes you or your boss gag, then ask yourself how much it is worth to you to get a good answer, as opposed to a crude prioritization or categorization that you could arrive at through a simple voting exercise.

To save time and effort, you might be tempted to use some simple spreadsheet formulas like this (made up):

  • Asset Value = # unique users * average # visits per year * $ value per visit

My advice: lie down until that urge goes away.  Such formulas are almost always “dope” – fanciful but not economically sound and therefore not defensible.  So unless you want to be accused of “smoking dope” don’t use them.

What This Method Leaves Out

Of course, there are ways of doing this analysis that are more data-driven, but they will take more time and effort and money. For example, you could build simulation models that link cost drivers and value drivers, along with models of customer and competitor behavior and strategy. Then you could run thousands of scenarios to get probabilistic estimates of cost and value. (Paul Strassman proposes Monte Carlo analysis in his books.)

To simplify things, I left out a bunch of things.  The methods described above leaves out all the “option value” of digital assets.   You can make decisions in the future to do different things with your digital assets, and some of these possibilities could change the payoffs or even the whole business model.  Sometimes a digital asset is a “platform” for a bunch of other assets or capabilities.  The method described above undervalues such platforms.

It also leaves out critical interdependencies between digital assets.  You might have some Class 1 asset that is, in turn, dependent on the existence and well-function of several Class 2 assets.  Some of that can come forward in the “willingness to pay” exercise, but only if the business owner understands all the interdependencies and can make smart tradeoff decisions.

It also leaves out contingent valuation that can arise from special circumstances or events.  Examples include a merger or buyout, a bankruptcy, forensic investigation in the case of massive fraud, or regulatory penalties.  These valuations can be layered on, but only if you estimate the likelihood of these special events.

One form of contingent valuation is asset sale.  You can sell domain names on the open market.  You can sell customer databases.  You can even sell whole web sites, to be used as a whole or broken into reusable parts.  This “market value” is a whole different class of valuation procedure, but it’s not relevant to most line-of-business executives, whose focus is on running their business using the digital assets available to them, not trading in the asset marketplace.

I’m leaving out the value of intellectual property – patents, copyright, trade secrets – that can be monetized through sale or licensing.  That’s a whole other analysis.

The analysis also leaves out the impact of digital assets on intangible assets like market reputation and brand awareness.  Actually, these are factored in indirectly through “drive firm value” for Class 1 and the “willingness to pay” for Class 2.  This may not be wholly satisfactory for some businesses, but it’s workable for most companies.

Finally, it leaves out value creation in your ecosystem (suppliers, distributors, partners, complementary entities, regulators, etc.).   This requires more sophisticated analysis.


If there is enough interest, I am willing post some book and article references.

10 comments on "How to Value Digital Assets (Web Sites, etc.)"

  • Nicko says:

    The third principle is that valuation must be forward-looking.

    This reminds me of a time about 7 or 8 years ago when my company was looking at acquiring another firm and, in the process of examining their books, we found their website listed as a $350,000 asset. The site was not some revenue-generating component of their business, just your run of the mill marketing information. When we asked why they thought that their site added more than a third of a million to the value of their business they told us that that was how much they had paid the consultants who built it! (We didn’t buy them in the end!)

    • Russell says:

      @Nicko Great story. Yes, that is a mis-application of the “replacement cost method” in valuation. The trouble is that this would probably get the approval of some CPAs, and thus might receive their “stamp of approval”.

  • TLDR says:

    Tighten it up! You’re not being paid by the word!

    • Russell says:

      Actually, I *am* being paid by the word:

      Total Revenue = # words X $ per word;

      (with $ per word = $0)


  • Irfan says:

    nice description, thanks

  • Steve Dotson says:

    This is good stuff. We (security) are taking a hard look at the CMU/SEI Information Asset Profiling, but this may help us sprinkle in some business speak depending on who is helping do the valuation. The enterprise folks will use cost, number of users, age of application, etc. and we will look at the type of data stored to determine risk, as that’s data that isn’t too hard to figure out. Asking the business to value things in this manner is sometimes challenging (RE business impact analysis during risk assessment).

  • Afzalur Rahman says:

    Kindly provide the reference and books for your article.

  • Jay says:


    This is somewhat related and somewhat not, I lost around 200,000 files the majority of which we’re artwork that only existed as a digital file, as well as reference material for my work. And I am trying to figure out how to calculate their value.

Comments are closed.