Part 1
Threats and Risks
Introduction to Part 1
Risk is a part of everyday life for all of us. We make decisions about whether or not to drive fast along the highway. We consider the implications of eating food which has passed the sell-by date on the label, and try to avoid walking down badly lit streets. It is only by understanding and dealing with these risks that we survive.
In the same way, business survival depends on successful responses to risk, and an increasing number of these risks are associated with information systems. Unfortunately, they are often hard to see. Software and data are completely invisible, and one piece of computer hardware looks very like another. Warning signs may be few and far between and, by the time they are noticed, it may be too late.
Part 1 begins by examining the kind of threats which apply to information systems. It points out that these threats will not always result from actions which are malicious, or even deliberate. As well as considering their capacity to cause harm, it is important to decide how likely they are to happen. This enables calculations to be made of the size of the risks involved, and comparisons can then be made between them.
It should not be assumed that protection against risk is achieved by throwing up massive fortifications around the IS installation. It is more important to select exactly the right countermeasures, targeted at the risks which matter most. Some methodologies for estimating the seriousness of risks are described, and suggestions are made for ways of ensuring that all the countermeasures which are introduced are appropriate and cost-effective.
Chapter One
Information Under Threat
Some Topics Addressed in this Chapter
• How organisations can assess the value of the information held in their systems
• Why businesses have come to be more dependent on information systems
• Changes in the ways in which information systems are used and configured, and how these have given rise to new types of threat
• Defining and classifying the different types of threat
Security and Control Objectives
• Protect secrets
• Promote accuracy
• Prevent tampering
1.1 Placing a Value on Information
The desire to control and protect information is rooted in the notion that information has a value. But how can this value be assessed? Clearly it is more than the medium on which the information is stored, as evidenced by the high prices consumers are willing to pay for commercial "information products", such as CDs containing music or computer games.
When information is traded in this way, it is possible to test out its market value. But this cannot be done for the bulk of the information which is held by business organisations, which they keep for their own internal use, and which is not subject to any kind of pricing. Of course, some trade secrets may have an obvious value to competitors. Equally, business systems contain a lot of information which has little intrinsic value (such as advertising copy which has been widely published) but which it is useful to keep on file.
The value of business information has been the subject of theoretical analysis by economists. Marschak, for example, points to the value of quality in information, which will enable the business to make sound decisions. Conversely, the presence of errors will undermine the credibility and therefore the value of the information (Marschak 1968). Writers on information systems have built on some of the economists' ideas. Monk points out that merely searching for information amounts to an economic transaction, and that "acts of communication are necessarily economic events". Thus value is to be obtained not just from holding information, but in being able to communicate it easily across networks (Monk 1993: 16).
A more pragmatic approach has been described by Keen, who cites the case of a bank which drew up an "IT Asset Balance Sheet". Somewhat to the bank's surprise, it found that the amount it had invested in developing software and collecting data came to three times the amount spent on its Information Technology (IT) hardware (Keen 1991: ch. 6). Notwithstanding the large numbers involved, the calculations still only indicated the costs of acquiring the information assets. Their actual value to the bank could have been quite unrelated to these costs.
In a study of twelve manufacturing companies in North America, McKinnon and Bruns (1992) asked managers what they felt made information valuable. The researchers found that there was general agreement that it should be trustworthy, timely, relevant and accurate. However, the same information might be perceived to have different value by different managers. Those with accounting degrees, for example, valued financial reports much more than those whose accounting background was limited.
Perhaps the most ambitious attempt to provide a general framework for valuing information has been provided by Boisot. Boisot (1998) describes a "knowledge asset" as having three dimensions. Codification organises information into classes or categories, so that it becomes easier to search. Abstraction helps to reveal the shape and meaning of information, and diffusion determines the availability of information for those who want to use it. Each of these dimensions has an effect on the value of the information. For example, a database may have high codification, increasing its value to interested individuals. At the same time, the diffusion might be kept low, giving it a scarcity value and justifying a premium rate for access. Boisot concedes that using these three dimensions does not eliminate the need for subjective judgements, but suggests that it can provide a useful framework for discussion, to help members of an organisation arrive at a better consensus about the value of the information they are using.
Rather than trying to value the information itself, it may be more practicable to set about valuing the information system as a whole. This is the approach taken when reviewing proposals to buy a new system, or to extend an old one. Unless some value can be placed on the benefits expected from the upgrade, there is no basis for judging whether the investment is going to be worthwhile. A number of guides are available to help with decision-making in this area, most of which focus mainly on the cost side of the equation. Unfortunately, detailed and accurate costings are not much help if the figures for the benefits have all been arrived at by fudges and guesswork. Nor is it common for predictions of benefits to be checked against actual outcomes. As Hares and Royle point out, it is rare for organisations to do any kind of analysis after implementation to see whether the expected benefits from a new system have actually been delivered. Consequently they do not learn from the experience of what Hares and Royle (1994: Ch. 8) term benefits realisation.
Valuing IS assets is also a problem for accountants. Although intangible assets are regularly included on Balance Sheets, no precise methods are available for valuing them. A draft standard from the US Financial Accounting Standards Board (FASB 1999) has a classification of "technology-based assets", including software, databases and information systems. It distinguishes these from assets whose value is protected for a set period of time by law, such as patents, trademarks and copyright, where the value will fall sharply when the legal protection expires. However, the determination of the actual values remains a matter for professional custom and practice.
In summary, exact valuations of information systems and their contents are difficult because:
• value is not necessarily related to acquisition or development costs;
• perceptions of value will vary widely among different users of the same system;
• value often depends on transient qualities, such as timeliness and relevance;
• for information internal to the firm, values cannot be "market-tested".
In order to compare the severity of risks (Chapter 2) and to plan for business continuity (Chapter 9), it is necessary to assess at least the relative value of different IS resources. Methods of doing this are discussed in the chapters concerned. In general, however, businesses do not need to know the exact values of their IS services in order to appreciate that they tend to be very high. In fact, in many cases the information systems are so integral to the functioning of the organisation that its very survival depends on them.
1.2 Business Dependence on Information Systems
In the late 1950s, the London-based food manufacturer J. Lyons & Co was a pioneer in new business methods using an electronic computer. The computer in question, which the company built and programmed itself, depended on electrical valves and moving parts, and in today's terms was extremely unreliable. It was also not without its hazards, as the case study shows.
The Leo Business Computer
J. Lyons & Co ran a chain of 200 tea shops, each of which submitted daily orders to the central bakery. This process was automated using the LEO ("Lyons Electronic Office") computer. It was found to give better control of the catering operations (among other things, the computer could be used to check the expected revenue from each shop, based on the items supplied to it), and provided useful statistics for manufacturing and marketing. Because of frequent computer failures, an alternative system based on the manual processing of forms was on permanent stand-by.
Lyons then experimented with optical mark reading. A printer capable of producing the necessary forms (the "Xeronic") was acquired, and the completed forms were read by an "Autolector" reader. Both these products used new and relatively untried technology. The Autolector reader was inclined to misinterpret smudges from the printing process. This was welcomed by some of the staff, since smudges occurring in some positions on the payroll input forms resulted in the system giving them extra pay. (The internal audit department, understandably, took a rather different view.) The Xeronic printer also gave problems, as it required toner to be heated to a very high temperature, and the paper had to be run through the machine very quickly to avoid burning it. In July 1967 one of these printers caught fire, causing considerable damage to the machine room and destroying two of the LEO computers.
Based on Bird, P. J., Leo: The First Business Computer, Hasler Publishing, London 1994
J. Lyons & Co was in a position to take advantage of IT, without becoming completely dependent on it, and this experience was reflected in many other companies as they automated many of their clerical and manufacturing processes for the first time.
Today, it would be hard to find any manufacturer who does not use information technology, but the technology is now expected to be completely reliable, and underpins all kinds of activities which are crucial to the business. Computers are expected to schedule the requirements for raw materials, to take control of the processes on production lines, and to support the distribution of the products on to the retailers. Modern supermarket chains, in turn, use their systems to keep goods moving as quickly as possible through the warehouses, onto the store shelves, and through the check-outs. The movement of goods through supply chains has been speeded up dramatically over the years, and mistakes or failures at any point can have severe knock-on effects.
The prospect of a sudden computer failure has now become the worst nightmare for many managers: a supermarket packed with Saturday morning shoppers, with no check-outs working; or a warehouse in which the tracking system has failed, so no-one knows where anything is; or a production line requiring speed and temperature to be kept within precise limits, where the controls have failed. This heavy dependence on IT has also spread inexorably through other sectors of business, most noticeably bureaucracies, particularly in the administrative arms of government and the military. Small businesses, too, have begun to move on from their traditional computing applications such as word-processing and accounting, and now use computers in a much wider variety of situations. Examples range from hotels keeping track of their room bookings and occupancy, to sellers of books and music CDs operating via web sites on the Internet.
Just how dependent each business is on its IT facilities varies from business to business, and from day to day. Some factors likely to indicate higher than average dependence include:
• services based on an immediat...