06 May 2012

Cybercrime Hysteria and the Value of Information

There is an NYTimes article on whether there is too much hype around cybercrime. The argument, made by the authors, centres around the extrapolations and the lack of real data backing up the financial harm supposedly suffered due to cybercrime. These arguments are not new: estimates of the financial harm caused by piracy have attracted similar criticism before, but here that critique has been extended to cover the entire spectrum of cybercrime.

But there is one point that this argument doesn't cover: currently there is no established mechanism for valuing information. This is a problem I have posed to a number of people and have looked at researching in my spare time (though I have not gone very far). Take the physical-world analogy: physical objects have a value, and that value can be established in one of two ways. You can look at what was paid for the object (i.e. historical price) or at what the market is willing to pay for it (i.e. market value).

But data does not have a value in the same sense. There are ways to value certain types of data, but no generic approach. For some types of information, such as credit card numbers, there is an established black market, so it is possible to put a price on holding "credit card data". With the recent valuation of Facebook, it is easy to argue that "personal information" is worth approximately USD 100, if one does the simple maths of attributing Facebook's market valuation to the core asset embodied in it, the personal information it holds. But what is the value of a Word document detailing a business strategy? Or a thesis? Or a drug formula? And how does that translate to the value of the bits and bytes?

That is one of the reasons why information security is hard to sell: is the value of what you are protecting actually worth what you are paying to protect it? One can argue (as the article partially does) that when one compares the cost of PCI-DSS compliance with the value of the actual credit card information, PCI-DSS just doesn't seem to be worth it. But there are other costs if one does not comply with PCI-DSS, so the true cost of non-compliance is higher than the value of the credit card information alone. Even so, it is still difficult to build the actual business case purely on whether the security was worth it ...