impact of information capital on enterprise efficiency – an overview


UNIVERSITY IN RIJEKA

THE FACULTY OF ECONOMY IN RIJEKA

RIJEKA

DOCTORAL STUDY

BUSINESS ECONOMY

IMPACT OF INFORMATION CAPITAL ON ENTERPRISE EFFICIENCY – AN OVERVIEW

DOCTORAL STUDY PAPER

RIJEKA, 2011.


Course: Microeconomics

Mentor: prof.dr.sc. Maks Tajnikar

Doctoral candidate: Sasa Aksentijevic

Field: Business economy

Reg. number: 37/09

Rijeka, January 2011.


FOREWORD

I have spent the last ten years of my career working in foreign-owned enterprises with diverse ownership structures and business cases, all having a common trait – taking close care of information security and information capital. Since 2006 I have also been serving as a company information security officer, so I was faced with the task of envisioning and organizing an integral enterprise information security management system. In the past four years a number of policies, plans, standards, guidelines and work instructions had to be devised that encompass not only information, but also integral corporate security. This endeavor has ended by joining postgraduate studies at the University of Economy in Rijeka, where I have completed the final thesis with the topic of integral and information security, motivated by my daily work.

In contact with colleagues of the same profession, I have noticed that many medium and even large scale enterprises do not have a separate business function in charge of information security, and sensitive business information is protected in the same way other forms of capital are being protected, despite the fact that information capital has intrinsic values making it comparable to “classical” forms of capital, but also certain characteristics that make it very different, thus requiring completely different treatment. Difficulties in the definition of the information capital concept are especially clear when trying to make a clear division between raw data, information and knowledge.

Some difficulties have been encountered during this research. The topic of information capital has been mentioned in literature sporadically, due to the fact that best practice models of information protection are related mainly towards data or information, and not information capital, while enterprises systematically manage only derivatives of information capital (for example, knowledge). The main driver behind the creation of this paper is to clearly make a distinction between information and other forms of enterprise capital, describe some measures used to protect it within enterprises and describe the relation between information capital and enterprise efficiency.

At this point, I would like to thank my mentor prof.dr.sc. Maks Tajnikar for the patience demonstrated during creation of the draft and the seminar paper itself.


SUMMARY

IMPACT OF INFORMATION CAPITAL ON ENTERPRISE EFFICIENCY - AN OVERVIEW

Running a business is nowadays characterized by an immanent need to treat information capital as a separate, non-material variety of capital that participates in business activities equally with other, material capitals. Contrary to material forms of capital, which are traditionally protected by measures of physical protection, protection of non-material forms of capital like information capital against misappropriation is quite difficult to ensure. The only way to do so is to systematically execute measures of integral information security within the company, respect the law regulating the subject and adequately treat the identified risks, both internal and external, derived from the company's environment.

Changing the concept of identification and classification of information capital through its forms, and managing the lifecycle of information that represents accumulated knowledge within the company, is possible if adequate guidelines are used. Such guidelines are described within standards of information security management and thus protect information capital from unwanted events like loss of integrity, undesired availability to other companies and loss of confidentiality. Proper classification of information, leading to identification and utilization of information capital, leads to achievement of enterprise efficiency.

Key words: information capital, information security, productivity, Pareto efficiency


TABLE OF CONTENTS

FOREWORD
SUMMARY
TABLE OF CONTENTS
1. INTRODUCTION
   1.1 RESEARCH PROBLEM, SUBJECT AND OBJECT
   1.2 WORKING AND SUPPORT HYPOTHESES
   1.3 RESEARCH PURPOSE AND GOALS
   1.4 SCIENTIFIC METHODS
   1.5 PAPER STRUCTURE
2. IMPORTANT CHARACTERISTICS OF INFORMATION SECURITY AND INFORMATION CAPITAL
   2.1 DEFINITION, DEVELOPMENT AND IMPORTANCE OF INFORMATION SECURITY
      2.1.1 Definition and development of information security
      2.1.2 Strategic importance of information security in enterprises
      2.1.3 Impact of the risk concept on information security
   2.2 ELEMENTS OF THE INFORMATION CAPITAL
      2.2.1 Definition and inception of information capital
      2.2.2 Data, information and knowledge as basic components of information capital
      2.2.3 Enterprise information capital management
3. INFORMATION SECURITY – DECISIVE FACTOR OF SUCCESSFUL INFORMATION CAPITAL MANAGEMENT
   3.1 INFORMATION SECURITY MANAGEMENT CYCLE
      3.1.1 Information capital identification
      3.1.2 Data and information classification
      3.1.3 Data and information lifecycle management
      3.1.4 Information security planning
   3.2 LEGAL AND BEST PRACTICE MEASURES IN INFORMATION CAPITAL MANAGEMENT
4. CONSIDERATIONS OF USAGE OF ENTERPRISE INFORMATION CAPITAL IN ACHIEVEMENT OF EFFICIENCY
   4.1 SOLOW RESIDUAL AND INFORMATION CAPITAL
   4.2 INFORMATION CAPITAL AND PRINCIPLES OF PARETO EFFICIENCY
5. CONCLUSION
LITERATURE
ILLUSTRATIONS


1. INTRODUCTION

The introductory part outlines the research problem, subject and object, defines the working hypothesis and auxiliary hypotheses used in the research, explains the purpose and goals of the research and the scientific methods used, and briefly describes the structure of the doctoral paper.

1.1. Research problem, subject and object

In the broadest economic sense, capital is a production factor that by itself does not have a particular value needed by the consumer when compared with comparable goods, but it possesses the ability to reproduce while maintaining characteristics of relative non-changeability in the production process, therefore serving as a catalyst in the production of other goods. Throughout history, schools of economic thought have formed their paradigms and theories dealing with the term of capital and its relationship towards capital, even in the earliest periods of capitalistic production, during mercantilism or physiocratic viewpoints.

In parallel with the development of production and social relationships refracted through a politeconomic prism, new forms of capital are being differentiated. The primary identified physical forms of capital are therefore followed by newly identified forms of capital derived from such development, among which mercantile and financial (banking) capital are the most easily identified. However, throughout the 20th century, due to the exponential development of the base of human knowledge, rising connectivity between national economies and the development of very complex organizational blueprints as a draft for the execution of economic reproduction, it has become clear that it is not possible to describe in their entirety all factors influencing the process of money-goods exchange just by researching physical and derived forms of capital. Such new forms of capital are, among others, political capital, infrastructural capital, human capital, natural capital, social capital and intellectual capital.

This division of forms of capital has opened a number of questions and dilemmas that are not entirely solved, especially in regard to the relation between different forms of capital, but also towards other production factors known and identified by schools of political economy. For example, human and social capital are inherently connected with the paradigm of the information economy, where the positive economic output of enterprises and national economies is a result of their internal processes that enable creation, processing and real application of information based on knowledge, through usage of modern information technologies.

The research problem can be derived from the problem area outlined above: what is information capital, what is its connection with other material and non-material forms of capital and production factors, how has the management of information capital, knowledge and human capital become a condition sine qua non of national economy development, and what is the connection between utilization of information capital and enterprise efficiency?

The research subject can be extrapolated from the defined research problem: to research, analyze and systematically outline the basic characteristics and specifics of information capital and its reproduction inside enterprises, and to research the topic of efficiency in general and the impact of information capital management on enterprise efficiency, using the language of Pareto efficiency.

The research objects are information capital and its impact on enterprise efficiency.

1.2 Working and support hypotheses  

Definition of the research problem, subject and object leads to the definition of the working hypothesis of the paper: information capital is a separate form of capital, it is being managed and preserved within enterprises using legislative and best practice systems, and its utilization can influence efficiency within enterprises.

In order to support the working hypothesis, three support hypotheses will be defined (abbreviated S.H.):

S.H. 1) In modern enterprises, information capital is a separate form of capital defined by its components: data, information and knowledge. It has a catalytic effect on other forms of capital.

S.H. 2) Information capital is a basic requirement for the creation of a knowledge-based enterprise. While other forms of capital are preserved through legislation, information capital is protected by technical and organizational measures aimed towards mitigation or annulment of risk.

S.H. 3) Proper utilization of information capital inside enterprises can increase efficiency.

1.3 Research goal and purpose  

According to the research problem, subject and object, and the working and supporting hypotheses, the purpose and goals of the research are defined.

The purpose of the research is to study, analyze and outline all characteristics of information capital that make it unique and clearly delimit it from other forms of capital, and to describe how the identified specifics of information capital influence the efficiency of enterprise activities. Information capital is often placed under social or political capital, or the “goodwill” or “intellectual base” of the economy, without full understanding of the relationship between different forms of capital and factors of production.

The goal of the research is to prove the existence of an independent form of capital – information capital – explain its functioning by bringing it into relation with other forms of capital, and show that availability of information capital has an influence on the enterprise production result.

This paper will provide answers to the following questions:

1) What is information capital?

2) What specifics and characteristics distinguish information capital from other forms of capital?

3) What are the interactions and relations between information capital and other forms of capital and factors of production?

4) What methods and technologies are used in protection and reproduction of information capital on the operative enterprise level?

5) What is the impact of utilization of information capital on enterprise efficiency?


1.4 Scientific methods  

During the research, the following scientific methods will be used in appropriate combinations: method of induction and deduction, method of analysis and synthesis, methods of abstraction and concretization, methods of generalization and specialization, method of classification, descriptive method, comparative method, historical method, method of mosaic, method of comparison in pairs and method of compilation. The last method will be carefully used in those parts of the paper that lean on existing scientific studies and papers, carefully quoting and citing the sources.

1.5 Paper structure

Topics in this paper will be presented in five connected chapters.

In the first chapter, INTRODUCTION, the problem, subject and object of the research will be defined along with the working and support hypotheses and the purpose and goal of the research. The scientific methods used in the research will be presented and, in the end, the basic structure of the paper will be presented.

IMPORTANT CHARACTERISTICS OF INFORMATION SECURITY AND INFORMATION CAPITAL is the title of the second chapter. In this chapter, the inception and development of information capital will be described along with a historical overview and its relation towards factors of production and other forms of capital.

INFORMATION SECURITY – DECISIVE FACTOR OF SUCCESSFUL INFORMATION CAPITAL MANAGEMENT is the title of the third, analytical part of the paper, which emphasizes the identified specifics of information capital compared to other forms of material and non-material capital. Terms of information economy and concepts of risk and information capital protection will be very carefully explained.

The fourth chapter is aimed towards offering a new view of information capital functioning within enterprises, putting in the focus of the research the perspectives of information capital management development in order to facilitate efficiency. The title of this chapter is CONSIDERATIONS OF USAGE OF ENTERPRISE INFORMATION CAPITAL IN ACHIEVEMENT OF EFFICIENCY.

CONCLUSION is the final chapter of the paper, containing a systematic recapitulation of the new realizations achieved during the research, hence proving the initial working hypothesis.


2. IMPORTANT CHARACTERISTICS OF INFORMATION SECURITY AND INFORMATION CAPITAL

In order to explain this problem area, it is important to pay attention to two connected topics: 1) definition, development and importance of information security and 2) factors of the information capital.

2.1 DEFINITION, DEVELOPMENT AND IMPORTANCE OF INFORMATION SECURITY

To tackle the challenge of defining the importance of information security and its development, there are three distinctive topics to be discussed: 1) definition and development of information security, 2) strategic importance of information security in enterprises and 3) impact of the risk concept on information security.

2.1.1 Definition and development of information security

Information security is protection of information and information systems from unauthorized access, usage, disclosure, interruption, change or destruction. [1] Information security is ensured through principles of protection of integrity, availability and confidentiality of information. [2]

From the earliest days of written history, rulers and military leaders have understood the importance of a mechanism that would protect the confidentiality of written correspondence and of a mechanism that would detect that such confidentiality is endangered. The first person mentioned by historians to use such a system was Julius Caesar, who 50 years before Christ devised a system of “Caesar coding” to prevent his messages from falling into the wrong hands.

The Second World War brought significant advances in terms of theoretical and practical measures of information security, and this is the point when such activity was professionalized and became a business function in enterprises and a government function. The emphasis was put primarily on physical controls that guard access to information processing centers. Data formalization and classification of information according to its sensitivity was the next logical step, along with personal checks before information access. A well known and documented example is the one of the “Enigma” coding machine, first decoded by Polish engineers just prior to World War II. The British and the Americans managed to do the same during World War II, when “Enigma” already had a new version. Information gathered from decoded messages was used to anticipate the moves and actions of the German armed forces.

The change of focus of information security towards information technologies was prominent with the development of technology during the Cold War, when mainframe computers started being deployed. The primary threat at the time was unauthorized access to information stored on paper media, so the actions of espionage and sabotage were aimed towards mitigating such risks. One of the first documented problems of information security that was not physical in nature occurred in the first half of 1960, when, due to a computer mistake, an access password was printed on every file page.

At the end of the 20th and the beginning of the 21st century, rapid advances in the technical possibilities of communications, computing equipment and electronic networks for data exchange brought along new encryption techniques. Availability of smaller, more powerful and cheap computers was the main enabler behind data processing even in small companies and in employees' homes. Rapid growth and widespread usage of electronic data processing and the introduction of e-business [3], in parallel with the threat of international terrorism, was the main reason behind devising new and better ways of computer protection, but also protection of the information stored, exchanged and processed by computers. Nowadays, information protection is an academic and multidisciplinary activity between different professional organizations, working towards the common goal of ensuring security and protection of information systems.

[1] http://www.law.cornell.edu/uscode/44/usc_sec_44_00003542----000-.html (18.05.2010.)

[2] In information security this concept is known as the “C-I-A triad”, where “C” stands for confidentiality, “I” stands for integrity and “A” stands for availability.

[3] Canzer, B.: “E-Business: Strategic Thinking and Practice”, McGill University, and Concordia University, 2006., p.24

2.1.2 Strategic importance of information security in enterprises

The strategic importance of information security in enterprise management is evident from the fact that the identified strategic, tactical and operative units inside companies that are included in the execution of information security do not have clear and isolated responsibilities according to the plan of information security, because their responsibilities are usually mixed and intertwined; the same also happens with the risks shared throughout the organizational structure of companies. For example, if one department of the organization maintains data related to the health of the employees, even though such data seems to be operative for that particular department, the damage of its disclosure may be high and have significant impact on the whole organization, so information security in such a case is no longer just an operative task but becomes a strategic one. Therefore, when evaluating the criticality of information security, it is necessary not only to rely on initial evaluations and classifications but to take into consideration the big picture, which will enable the creation of an overall perspective arising from the true business case.

Indeed, the most important initial activity on a strategic level for every enterprise is to clearly identify the organizational units, departments and key users who all commonly share the responsibility for the security of the information system as a whole. All levels included need to cooperate with the nominated information security officer to create a robust information protection plan, periodically test it and adjust it to new circumstances. The end result has to be a continuous process of revision of information security and a report presented to the top management of the organization that outlines the current state of affairs and the measures and budget needed to mitigate any gaps. Such a report should at least contain the following elements [4]:

1) additions to the information protection plan arising from technological and operative development of information technology and business needs in the past period,

2) evaluation of the current state of implementation of the information protection plan,

3) proposed measures for improvement of information security,

4) time needed for implementation and

5) related costs and budget needed to implement the proposed measures.

It is both the responsibility and the right of every key user to develop and implement their own strategic plans of information and document protection. The minimum requirements of such a plan are that it is signed and accepted by the key user, contains the timeframe and defines the following requirements [5]:

1) name of the office, department, project or organization unit using sensitive information,

2) names of the persons authorized to access such data along with access levels,

3) administrative controls used to minimize the number of people authorized to access sensitive information,

4) description of methods of physical protection,

5) description of the retention time of sensitive information,

6) description of methods of destruction and deletion of obsolete information,

7) description of implemented human resource training, frequency and ways of sensitive information transfer.

The array of knowledge required to achieve all this is quite wide; the main drivers behind that are very specialized activities and the short time for their implementation. For this reason, many organizations resort to outsourcing information security as a whole, or partially. Such outsourcing contracts have to be carefully managed, and subcontractors have to prove their ability to provide sensitive information management and security services in an appropriate manner. The main tool used to achieve this legally is exhaustive confidentiality clauses.

Enterprise information security is achieved through tight regulation of access to information contained inside information systems. It is a technically and organizationally very demanding activity that can itself be the subject of a separate debate. It involves all actions undertaken inside the organizational and technical systems of organizations to limit access to sensitive data and to allow it only to authorized persons. That goal is achieved by using specific controls regulating the following areas [6]:

1) computer network access controls,

2) user groups controls,

3) e-mail and communication controls,

4) Internet services controls,

5) telephony and fax access controls,

6) remote access controls,

7) virtual private networks controls.

[4] Aksentijevic, S.: “Operative Information Protection Plan”, WI-SMS-ICT-105-E rev2, working instruction of ISO 9001 system, Saipem Mediterranean Services LLc., Rijeka, 01.02.2009., p. 17.

[5] Ibidem, p.13.

[6] Cf. Ibidem, p.103.-104.

2.1.3 Impact of the risk concept on information security

Risk is a stochastic concept that describes a potentially negative impact on enterprise activities that can be a consequence of some ongoing process or future event. The term itself is often used simultaneously with the possibility of a known loss; therefore, risk is closely connected with expectations. In enterprises, risk is always connected with evaluation of the possibility of occurrence of a certain event, and risks are difficult to evaluate because of constant operative changes in the environment and the constant increase in the number of potential risks. Therefore, it is almost impossible to identify all risks: at the very moment when a risk table is drafted for a particular enterprise, new risks that are not identified are already present, so risk assessment is as much an ongoing activity as the implementation of information security itself. Risk assessment methodology is therefore also subjected to periodic evaluations to identify and mitigate new risks or at least lower their possible impact.

Some of the most common risks of compromising enterprise data and corporate information capital are described below.

1) Access to sensitive data by unauthorized personnel. Historically, both internal and

external parties are equally culprits that are trying to compromise sensitive data. The

reasons for such behavior are many, ranging from pure curiosity, information theft,

competition attempts to malicious intent.

2) Compromised information security as a result from hacking. Hacking is by definition

unauthorized attempt to use or access information systems or networks. Initially, hackers7

were highly skilled persons with knowledge of information systems, and this term was

used just inside the community, but nowadays it has a derogatory meaning and it is used

for people who steal, destroy or compromise information systems and cause damage and

destruction, usually resorting to illegal activities.

                                                            7 http://www.cs.berkeley.edu/~bh/hacker.html (06.05.2010.) 

Page 17: IMPACT OF INFORMATION CAPITAL ON ENTERPRISE EFFICIENCY  – AN OVERVIEW

3) Data interception during transaction. Modern information transaction systems are a

mixture of distributed and hierarchical system: end users like physical persons or

enterprises are connected to service providers who are connected to “backbone”

providers Special computers and network equipment called routers and gateways send

these data packets to their final destinations enabling connectivity. After data package

leaves the service provider`s network, it is almost impossible to predict its route because

it primarily depends on the destination. If the destination remains unchanged, the route to

it still can be changed. This enables data interception and possibly its change during

transaction. Minimum requirements for information security during transaction is its

coding on hardware or software level. The same technology has to be used when virtual

private networks or remote connectivity is used.

4) Loss of data due to user's mistake. This is the most common reason that leads to sensitive data disclosure. The nature and impact of the damage depend on the type of compromised information and the severity of the mistake. There are numerous unintentional mistakes made by users in enterprise environments that can lead to serious damage.

5) Physical loss of information due to disaster. Physical loss of data due to disasters like fire, flood or terrorist actions can lead to the most severe consequences, including complete interruption of activity. Enterprises plan measures to mitigate these events through disaster recovery and business continuity planning.

6) Incomplete and non-documented transactions. Every transaction inside information systems should be documented and have originators who can vouch for its completeness. However, there is a risk of “over-documenting” all transactions, so it is necessary to limit transaction documentation to just the relevant auxiliary information needed to vouch for its integrity.

7) Unauthorized access of employees to sensitive information. Access to information systems has to be limited to those people who need to have access for business reasons. Every information system requires segmentation of its elements according to owners, users and purpose, and access to subsystems has to be password protected, with password rotation. A formal authorization matrix has to be maintained and subjected to periodic reviews. Those in charge of information security (usually dedicated departments

or instances) have to undertake reasonable and adequate actions to keep pace with

development of technology to ensure security of information in transit and availability of

information only to those that are authorized.

8) Unauthorized access to sensitive information by third parties (“phishing”). “Phishing”[8] is a form of criminal activity that uses social engineering techniques in order to get access to sensitive information. However, unauthorized access to information can also be gained through paper documents and reports or by third parties. To mitigate the risk of unauthorized internal access, information in electronic or paper form has to be carefully stored so that it is available only to those that have proper levels of authorization. The risk of external unauthorized access is usually diminished by introducing physical barriers like anti-intrusion devices, cameras, visitor registrations and overall measures of physical security.

The described risks to enterprise information security are just some of the most common scenarios that can be encountered. Despite popular opinion, the information security function is a senior management function and only partially an operative and technical discipline. Security functions have to be formally identified across the structure. Access approvals are given based on the key user's evaluation that a certain person has to get access to certain information. In enterprise environments, such actions are subject to compliance both with internal information security plans and with the local legislation under which the enterprise operates. A solid set of formal procedures has to be put in place to regulate areas like employee information security education, risk treatment and mitigation, and security incident processing. Furthermore, no enterprise should gather and store information unless it is relevant for the business side. If possible, information should be gathered directly from the information source, and not second hand.

In summary, information capital risk management is a structured approach to insecurity and uncertainty management using the tools of risk assessment and management.

These strategies usually include transferring the risks to third parties (for example,

insurance), risk avoidance, mitigation of the risk or, as the final possibility, acceptance of a

certain level of residual risk. Traditionally, information capital risk management is focused

[8] http://www.microsoft.com/protect/yourself/phishing/identify.mspx (05.05.2010.)

on risks that emanate from technical or legal sources, while financial risk management is

focused on risks that can be mitigated through usage of tradable financial instruments.

The final goal of every risk treatment process is lowering the risk to a level that is

acceptable by the enterprise.

2.2 ELEMENTS OF THE INFORMATION CAPITAL

This chapter outlines in detail the following sub-chapters: 1) definition and inception of information capital, 2) data, information and knowledge as basic components of information capital and 3) enterprise information capital management.

2.2.1 Definition and inception of information capital

Information security and information capital seem understandable at first sight, but their interaction in the achievement of business goals of modern companies is often clouded by the influence of very complex business forms, patterns and tools used to ensure information and knowledge that exists inside enterprises. Every employee uses a unique set of tools in order to achieve the result, while at the same time this has to be done inside the organizational framework set by the enterprise in order to safeguard information capital through measures of information security. A further problem is that enterprise information capital is intangible in form.

Therefore, enterprise information capital can be defined as a non-material form of capital whose usage in business activity acts as a catalyst in the production of goods and services, and which is represented by classified information and knowledge stored inside the information and documentation systems of the enterprise.[9] It is important to stress that the term “classified” in the definition does not refer to “confidential”; rather, it refers to structural identification and classification of information that is important for the organization and that is further managed in a structured way.

[9] The definition of information capital is the author's original definition.

2.2.2 Data, information and knowledge as basic components of information capital

Definitions of data, information, knowledge and information capital are often not very well delimited. In order to draw clear boundaries, all of them need to be clearly defined and put into mutual relations. Data is a set of symbols that by itself does not have a particular meaning and cannot be directly used in the enterprise. Data keeps that form until it is put into a usable form. Data does not have to be just a set of symbols; it can also be signals or stimuli, often defined as subjective data to distinguish them from objective data, which is a product of observation. What raw data is missing is business context. Only data that possesses business context can have potential value for the enterprise.

The data that can be useful for particular enterprise and its activity is information. It is

represented by organized and well-structured data, processed in a way that is relevant for

certain purpose or context. Its main values are significance, value, usability and relevance.

Knowledge is a concept that is very elusive and difficult to define. Usually, its definition

is very similar to the definition of information. Knowledge is a combination of experience,

value, context, professional insight and founded intuition that represents a framework and

environment for evaluation and inclusion of new experiences and information in enterprise

environment. Accumulated enterprise knowledge can be seen not only in documentation and

processed information stored inside information systems, but also in organizational routine,

practices and norms. Those enterprises that have the highest level of produced knowledge

and usage of new technologies based on knowledge achieve the highest growth rates.

An especially important form of knowledge is leadership knowledge, also known as “business wisdom”.

After defining data, information and knowledge, it is possible to derive the relationship between them and information capital. This relationship is shown in Fig. 1.

Fig. 1. Pyramid of relationship: data, information, knowledge and business strategy

Source: created by ph.d. candidate

Information is a basis for enterprise decision making; it answers the question “how to achieve something”. However, enterprise leaders operate on a different level: they have a deep understanding of why something is the way it is in the business environment and what the best course of action is with the given input. Therefore, enterprise leadership has a distinctive note of deeper understanding oriented towards the future, while daily usage of data, information and knowledge is usually oriented towards the past.

The definition of information capital implies that enterprises are aware of the intrinsic value of information, which can be used as a means of exchange inside the enterprise and towards its surroundings. Some authors take the position that information capital is just that part of the overall information pool that makes up so-called “knowledge capital” that can be exchanged. However, identification of enterprise information capital depends on business strategy and differs between enterprises and across business sectors. For example, information capital that is of high value in the pharmaceutical sector might be completely useless in the wood processing industry; information capital of high importance for complex technology industry will be insignificant in construction business enterprises. Therefore, when evaluating the true importance of information capital, it is very important to put it inside the business case context of the particular enterprise.

[Fig. 1 content, pyramid levels from top to bottom:]

Business strategy: usage of information to achieve set goals and produce enterprise results

Knowledge: analysis and synthesis of derived information

Information: data with added significance/context

Data: business data and facts

2.2.3 Enterprise information capital management

Information capital management consists of a set of strategies and practical blueprints used in organizations to identify, create, represent, distribute and enable assimilation of the kind of knowledge inside the enterprise that enhances its output. Information capital is therefore necessarily an integral element of the knowledge that makes it possible for all participants to follow organizational processes in the way outlined in the business strategy. Its management is a relatively new discipline developed in the past 20 years, even though enterprises have historically been implementing measures aimed at protection of their information capital. It has roots in those business functions and disciplines that are open to new technologies endorsed by business management or information science.

Most large enterprises and organizations have separate task or organizational groups dedicated to internal information capital management, and their exact formulation is usually embodied in functions of business strategy development, information technologies or human resource management. Due to the “elusive” nature of information capital and the fact that related activities are systematic and long term rather than a single-instance effort, companies tend to outsource these activities, sometimes to other companies that provide strategic advising support. Information capital management should not serve its own purpose; it has to be focused on set organizational goals like improvement of corporate performance, competitiveness, innovations, integration and quality improvement. It is clear that in modern systems, information capital management and quality control/quality assurance are tightly connected activities. However, every modern enterprise has to match not only internal but also external criteria, which can be divided into three different sets of criteria and perspectives to be satisfied[10]:

- Techno-centric perspective, with a strong focus on underlying technology, enabling knowledge creation and sharing,

- Organizational perspective, focused on how the company has to be organized to

promote knowledge creation,

[10] Aksentijevic, S: “Information security in function of information capital management”, seminary paper, Economy of University, Rijeka, 2010., p. 26 (not published)

- Ecological perspective, focused on interaction between people, their identity,

knowledge and surrounding factors, starting from the fact that human cooperation on

knowledge creation is comparable to functioning of natural eco-system, because both

systems are complex and adaptable.

Information capital and, consequently, knowledge can be further divided into explicit and tacit forms. While explicit knowledge can be easily defined and managed, tacit knowledge is a more abstract concept represented by knowledge without “consciousness” of that particular knowledge. That kind of knowledge is not easily transferred; only once it is transferred to other people does it become explicit knowledge. Therefore, explicit knowledge is a result of conscious, intentional information management and processing, using the power of mental focus, and resides in a form that is easily transferred to others.

Information capital management principally consists of two mutually connected activities: information security management and knowledge management. Information security management is a separate business function that is usually considered to be a “technical” or “information science” function, but in fact it is not: it is a multidisciplinary activity that has to be sponsored from the very top of the management and executed using measures equally applied to all business functions. Implementation of information security is never considered finished and the function is never fully implemented; its final goal is to ensure confidentiality, integrity and availability of information so that it can be successfully utilized to support the business case. In order to avoid unnecessary utilization of financial, time and organizational resources to achieve information security goals, methods of information classification and information lifecycle management are used. During their use, basic components of information capital (and knowledge) are ranked according to their lifecycle in the business process, thus creating a dynamic system where the constant input is new information and the constant output is information that is no longer relevant for the enterprise business.

3. INFORMATION SECURITY – DECISIVE FACTOR OF SUCCESSFUL INFORMATION CAPITAL MANAGEMENT

To prove that information security is a decisive factor of successful information capital management, the following topics have to be discussed: 1) information security management cycle and 2) legal and best practice measures in information capital management.

3.1 INFORMATION SECURITY MANAGEMENT CYCLE

The explanation of the information security management cycle consists of four separate topics: 1) information capital identification, 2) data and information classification, 3) data and information lifecycle management and 4) information security planning.

3.1.1 Information capital identification

The key issue most enterprises face is how to identify information capital. Information systems usually store data; as already shown, if that data is given a certain context, it represents information, and information may become knowledge and information capital if it helps the management and the enterprise to improve the business outcome. However, it is very difficult to delimit and identify information capital. This is achieved by deploying measures of data and information classification, using information lifecycle management techniques. Information capital identification has to be done inside enterprises to achieve the following[11]:

1) Achieving the goals of excellence. Usage of identified information capital results in

increased efficiency, productivity and increased profit.

2) Creation of new products, services and business models. Information capital facilitates creation of new business models, products and services and satisfaction of clients' needs.

3) Improved connection with clients and vendors. A favorable climate in relations towards clients and vendors deepens the cooperation possibilities, increases revenue and margin and lowers operative costs.

4) Enhanced decision making process. Managers recognize the importance of utilizing adequate information at the right moment. Usage of inadequate, compromised or

[11] Cf. Tijan, E.: “Data classification and information lifecycle management in port community systems”, Journal of maritime studies, The faculty of maritime studies, Rijeka, year 23, num. 2, 2009, p. 557-568.

incorrect information may result in wrong decisions, a wrong business result and loss of clients. Structurally classified and stored information capital enables usage of data and information in real time during critical decision making.

5) Comparative advantage. Usually, when enterprises are oriented towards achievement of

one of business goals, like goals of excellence, new products, services and models, it is

quite obvious they have already achieved certain level of comparative advantage against

competition. Additional deployment of information capital results in increased business

efficiency.

6) Daily operations. Enterprises typically invest in information technology primarily because it is necessary for daily operations. With deeper analysis, this may lead to a more structured approach, but information capital is certainly the main facilitator behind daily operations of enterprises.

It can be concluded that information capital is only that set of data, information and structured knowledge used inside enterprises to create new forms of organization, management, products and services and that gives enterprises a competitive edge. Enterprise information capital is protected by technical and organizational measures of integral and information security and by legal regulations.

3.1.2 Data and information classification

Data classification and information lifecycle management are two mutually connected activities. Once the data and information are adequately classified, the rules for their management may be selectively applied. The rules for data classification do not differ significantly from the rules for object classification in a domain system, where similar objects or users are grouped and a set of rules specific to that group is applied to them. The main goal is to group information into classes having similar characteristics and therefore requiring a similar approach to their management. There are several reasons why information classification is a demanding and complex task. This process refers not only to existing information, but also to information that might enter the system after it was initially deployed. It is much easier to add new information into an already established system than to introduce a classification process to existing data. The reason for this is rather simple: new information can be adjusted to the existing classification framework, while already existing information may be present in a form that does not

allow for such malleability. These reasons may take form of different database structures,

application and business layers or internal information owners.

There are also strict requirements for enterprises to maintain information in a structured form. Data classification refers to enterprise information capital regardless of its form: it can be documents stored on paper, on centralized servers, in transaction systems or other types of databases, or stored in a distributed way. Data classification can also be applied to services like electronic mail or to data contained on smart phones or telephones. The activity of information classification has to be sponsored by the highest management levels and information process management. The steps in information lifecycle management are outlined in Fig. 2.

Fig. 2: Steps in information lifecycle management

Source: modified by the candidate, according to Tijan, E.: “Data classification and information lifecycle management in port community systems”, Journal of maritime studies, The faculty of maritime studies, Rijeka, year 23, num. 2, p. 562.

Information classification has to follow business processes and has to be adjusted to the form of the enterprise, its real issues, goals and quality control system. Its goal is to set up a system that enables not only information capital protection but also competitive advantage arising from systematic management of one's own knowledge.

A modern policy of information classification and lifecycle management has to include a wider perspective than just legal requirements and information maturity (age). Among the criteria to be evaluated are also management of content, Intranet and Extranet management, connection of

[Fig. 2 content: Information capital classification and categorization; Balancing of information classes and business needs; Determining service levels and cost goals; Establishing support services; Selection of inf. infrastructure management tools]

enterprise information system with other enterprise systems, data mining and requirements of top management decision systems. The end result of this process, and at the same time the input signal for the information lifecycle management process, is the addition of business value to different categories of data. This is best achieved in technologically highly developed enterprises where service levels are well established and translated into a standard offering of information services. However, despite popular opinion, information capital is dynamic in nature and its attributes change rapidly. This means that movement of information capital inside the organization may change its attributes. Such a process is best managed using a consistent system of best-practice information service management like ITIL.

3.1.3 Data and information lifecycle management

As already shown, information capital classification is a basis for the setup of coherent information lifecycle management, which cannot be consistent by itself. Information lifecycle management enables cost efficiency and optimization of capital investments and related operative costs, and promotes the goals of information security.

Information lifecycle management is, in fact, a sustainable strategy that balances the costs of data and information retention and storage with their business value, which is always changing due to internal and external changes in enterprises or organizations. It provides a practical methodology to align those costs with the priorities and goals of business policy. Considering that during information lifecycle management the underlying layer (data classification) also changes, a new paradigm emerges: dynamic data classification. There are many reasons why it changes, and some of them are[12]:

1) Changes in information classification or service levels

2) Changes in purpose of information usage

3) Changes in classification taxonomy

There are several models that can be utilized to create a taxonomy of information classification. Each of them assigns attributes to stored information. One of the most often used models was developed by Bell and LaPadula, and it relies on the classic concept of integrity, availability and confidentiality. There are, however, also other models that can be partially or fully used when introducing a system of data and information classification:[13]

[12] Cf. Ibidem, p. 565

1) Graham-Denning model[14]

2) Discretionary access control[15]

3) Mandatory access control[16]

4) Clark-Wilson integrity model of access control[17]

5) Multilevel security access control[18]

6) Biba integrity model[19]

Discussion of all these models is not further developed, as most of these models are a part of information science technology and practice and more information on them is readily available.[20]

3.1.4 Information security planning

As it was shown, information security is a decisive factor of enterprise business. Information security is executed through a well-documented system that defines general criteria, risks, functions and responsibilities in ensuring information capital. In order to enable the management to fulfill these requirements, security procedures are put in place to protect information and data and thereby contribute to enterprise activities. The basic document defining critical factors of information security management is the information security plan, which has to be aligned with the organization and can therefore have varying levels of complexity. Such a plan tries to anticipate all possible risks that can have a negative impact on the enterprise business system and suggests various actions to avoid risks or mitigate their impact. Information security

[13] Cf. Ibidem, p. 559.

[14] Smith, R.: “Introduction to Multilevel Security”, http://www.cs.stthomas.edu/faculty/resmith/r/mls/index.html (20.04.2009.)

[15] Curphey, M., /et al./: “A Guide to Building Secure Web Applications, The Open Web Application Security Project (OWASP)”, 2002., http://www.cgisecurity.com/owasp/html/ch08s02.html (20.04.2009.)

[16] http://www.freebsd.org/cgi/man.cgi?mac_biba (11.04.2009.)

[17] Blake, S. Q.: “The Clark-Wilson Security Model”, http://www.lib.iup.edu/comsci-sec/SANSpapers/blake.htm (20.04.2009.)

[18] http://ou800doc.caldera.com/en/SEC_admin/IS_DiscretionaryAccCntlDAC.htm (11.04.2009.)

[19] http://www.freebsd.org/cgi/man.cgi?mac_biba (11.04.2009.)

[20] For detailed discussion of these models cf. Aksentijevic, S: “Information security in function of information capital management”, seminary paper, Economy of University, Rijeka, 2010., p. 35-37 (not published)

plan is developed in line with internal documentation and processes. This document initially states the dependency between the business case of the enterprise and the information capital of the enterprise, and the willingness of the enterprise management to implement a documented procedure that promotes the information capital security business function. After all necessary procedures are identified along with legal requirements, a methodology used to implement information capital security planning can be implemented gradually. Such a methodology is shown in Fig. 3.

Fig. 3: Steps in creation of information security plan

[Figure steps: Identification of standards and underlying documentation; Evaluation of achieved level of information security; Defining information security priorities; Identification of responsible functions and operative levels; Identification of possible risks; Suggesting methods for risk mitigation. Figure labels: legal requirements of information security, best practice of information security, internal documentation.]

Source: Aksentijevic, S.: “Integral enterprise security function and information security

management system – Saipem Mediterranean Services LLc, Rijeka”, master thesis, University of

Economy, Rijeka, 2008, p.91. (not published)

The information security plan therefore also defines the organization's key positions. Initially, needs for confidentiality, availability and integrity of information capital inside the business context are established. After that, inside the established framework, the need to distribute information on a “need to know” basis and best practices for the treatment and utilization of information capital are defined. Discretion levels are created according to the Bell-LaPadula model and are further used during information classification. After all possible risks are identified, models to lower them or completely avoid them are implemented. The main tools used in those models are constant education of employees, setting requirements and checks of confidentiality towards third parties, and creation of business unit and department information security plans. At the very end, key users (usually middle management) are identified and put in charge of executing and following up information security plans inside their lines of responsibility and of ensuring the security of that part of enterprise information capital that is under their control and is considered especially sensitive and confidential.

3.2 LEGAL AND BEST PRACTICE MEASURES IN INFORMATION CAPITAL MANAGEMENT

There are several best practice systems that are used in the process of information capital management. Some of those systems are national, some are connected more with certain sectors (for example, the military complex or the pharmaceutical industry), and some are a part of general management of documentation and information technologies or project management methodology.

COBIT[21] is a framework for management of information technology created by ISACA[22] and ITGI[23] in 1992. COBIT provides to managers, auditors and users of information systems a set of

[21] Abbreviation for “Control Objectives for Information and related Technology”, for more details cf. http://www.ezcobit.com/UsingCobit/html/00Intro2.html (19.05.2010.)

generally accepted measures, processes, indicators and rules that can help in maximization of benefits of information capital, but also ensure adequate management of information resources and control inside enterprises. It was issued in 1996 and its mission is research, development, publishing and promotion of an international set of accepted control goals used by managers and auditors of information systems and security levels and controls. COBIT provides a basis for decision making on investments in information infrastructure. It is based on 34 processes covering 210 controls in 4 main groups: planning and organization, delivery, support and delivery and follow up and evaluation. The entire COBIT system contains six publications:[24]

1) Management report

2) Framework

3) Control goals

4) Audit guidelines

5) Implementation tools

6) Management guidelines

Between 2000 and 2002, a number of corporate scandals and frauds were discovered in the USA. The most famous among them were the scandals in the companies Enron, WorldCom and Tyco. Lessons learned from those scandals resulted in the creation of the Sarbanes-Oxley law. Lack of control mechanisms had meant that enterprise consultants were at the same time the auditors who should provide an independent opinion. The full title of the Sarbanes-Oxley Law is “Public Company Accounting Reform and Investor Protection Act of 2002”[25]. This law sets new and enhances existing standards in accounting and business of American publicly owned companies. As a consequence of this law, a number of agencies supervise, regulate, inspect and punish accounting and consultancy companies that are included in the audit process. The American SEC defines that the methodology used to achieve compliance with the Sarbanes-Oxley Law

[22] Abbreviation for “Information Systems Audit and Control”; for a more detailed description of the standard, cf. http://www.isaca.org/ (19.05.2010.)

[23] Abbreviation for “IT Governance Institute”; head office is in Rolling Meadows, Illinois, USA, cf. http://www.itgi.org/ (19.05.2010.)

[24] http://www.itsm.hr/itil-itsm-metodologija/metodologija-cobit.php (19.05.2010.)

[25] Sarbanes-Oxley Law is mandatory for all enterprises regardless of size. To ensure information security compliance, the most important are articles 302, 401, 404, 409 and 802, cf. http://www.soxlaw.com/s302.htm, http://www.soxlaw.com/s401.htm, http://www.soxlaw.com/s404.htm, http://www.soxlaw.com/s409.htm, http://www.soxlaw.com/s802.htm (18.05.2010.)

is COSO. [26] COSO defines five main areas (components) of internal controls that support

requirements set by Sarbanes-Oxley. These five areas are the following: [27]

1) Risk assessment

2) Control environment

3) Control activities

4) Supervision

5) Informing and communicating

PRINCE2 is an acronym for “Projects In Controlled Environments”, and it is in fact a

methodology for project management. It was developed from the previous version of the PRINCE

technique issued by CCTA [28] as a standard of project management in the information sector, but

since then the methodology has been widely adapted and became the de facto standard of project

management in the United Kingdom and fifty other countries. It does not provide a direct

framework for evaluation and support of information capital security activities inside enterprises.

PRINCE2 is structured in a way not only to mitigate possible risks, but also to derive benefits

from the positive impact of unforeseen events, if applicable.

Another set of techniques used to manage the infrastructure of information technologies is

described in ITIL [29], a series of publications copyrighted in the United Kingdom. It provides a set of

descriptions of important practices in the management of tasks and procedures that can be adjusted

to suit the needs of particular organizations. The currently valid version (v3) was issued in 2007.

The final concept of security management recognized by ITIL is information security

and, similarly to other standards, its main goal is to guarantee the security of information against

risk; security is therefore a way to achieve security from risk. The main disadvantage of the ITIL

information security process is the fact that ITIL controls are enriched by physical security

controls but are lacking in the area of application, program and logical security.

[26] Abbreviation for Committee of Sponsoring Organizations of the Treadway Commission; for a detailed chart of the committee, cf. http://www.coso.org (18.05.2010.)

[27] The brochures regulating supporting matter are available on the Internet free of charge, cf. http://www.coso.org/guidance.htm (19.05.2010.)

[28] Abbreviation for Central Computer and Telecommunications Agency, which in 2000 became a part of the British Office of Government Commerce (OGC) agency. For more details on the OGC agency cf. http://www.ogc.gov.uk/about_ogc_who_we_are.asp (19.05.2010.)

[29] Abbreviation for “Information Technology Infrastructure Library”; for a formal explanation of the meaning cf. the official Internet pages at http://www.itil-officialsite.com/AboutITIL/WhatisITIL.asp (19.05.2010.)

Finally, the most comprehensive norm for the implementation of information security is

ISO/IEC 27001. [30] In 2005 it replaced the British norm BS 7799-2. It is a standard of

information system security management intended to be used in conjunction with ISO/IEC

27002, formerly known as ISO/IEC 17799, a code of practice defining the goals of security controls

and recommending their practical area of influence. It provides a practical model for the

establishment, usage, follow-up, maintenance and constant improvement of information security

management. Those organizations that use ISO/IEC 27002 during evaluation of their systems are

likely to be compliant with the ISO/IEC 27001 norm. [31]

Regardless of the formal system of certification or management of information security,

every enterprise or organization is subject to a set of laws that regulate this area. Usually, the

most developed set of legal regulations relates to the financial and banking sector.

4. CONSIDERATIONS OF USAGE OF ENTERPRISE INFORMATION CAPITAL IN ACHIEVEMENT OF EFFICIENCY

To thoroughly outline the connection between information capital and enterprise efficiency, two

topics need to be discussed: 1) the Solow residual and information capital and 2) information

capital and principles of Pareto efficiency.

4.1 SOLOW RESIDUAL AND INFORMATION CAPITAL

Efficiency and productivity are two very distinct principles, as are the macroeconomic

and microeconomic perspectives; nevertheless, investigation into some macroeconomic

aggregates may reveal interesting insight into the unexpected behavior of some forms of capital in

economic reproduction. Having clearly distinguished between economic efficiency, analyzed as a

microeconomic phenomenon and being a measure of resource utilization in the achievement of a certain

level of goods and services, and economic productivity, as a macroeconomic phenomenon and a

measure of the output of a production process in comparison to input (typical input factors being labor

[30] Abbreviation for “International Organization for Standardization”, cf. http://www.iso.org/iso/about.htm (19.05.2010.)

[31] For detailed expansion of the ISO 27001 topic, cf. Aksentijevic, S: “Information security in function of information capital management”, seminary paper, Economy of University, Rijeka, 2010., p. 45-51 (not published)

and capital), further analysis can be done to establish whether, in a macroeconomic model,

additional deployment of information capital can be beneficial for overall economic productivity.

To achieve this, the Solow [32] residual may be deployed. After World War II, mass

industrialization and large investments into capital resources and automated production were

undertaken. Even the Soviet experience of controlled economy that achieved (at least initially)

high growth rates was sometimes cited as a right choice. Even though over-investment into

capital as a production factor may lead to diminishing returns due to equipment depreciation, this

was the path to be followed in many countries. However, other economists have taken the view

that once the marginal rate of return on capital becomes equal to the marginal rate of return on

labor, the returns will diminish.

This consideration led to the conclusion that only those countries that had previously

under-invested in capital stock would benefit greatly from additional investments in

infrastructure, while other nations should concentrate on improving labor productivity. It was

Solow's merit to identify an indicator (per-capita economic growth above the rate of capital

stock growth), named in his honor: Solow's residual. Real economic data showed that

measured growth in the standard of living could not be matched just by the growth of the capital/labor

ratio. Solow explained that new technologies and innovation, rather than capital accumulation,

were the way for national economies to achieve growth. Solow's residual is therefore a useful tool

to show the effect of so-called “technology” growth, as opposed to “industrial” growth.

Over time, some economists have developed major objections to the Solow

residual. [33] The influence of technologies and, consequently, information capital, has been a

major source of disputes. In 1982, Nathan Rosenberg said that “economists have long treated

technological phenomena as events transpiring inside a black box ... [and] adhered rather strictly

to a self-imposed ordinance not to inquire too seriously into what transpires inside that box.” [34]

These authors usually consider that such a large unaccounted proportion of growth, one that is

not explained by the factors of production, by itself poses a big problem. Another problem is that the

[32] Robert Merton Solow (born August 23, 1924) is an American economist particularly known for his work on the theory of economic growth that culminated in the exogenous growth model named after him.

[33] Cf. Francisco Louçã: “The Solow Residual as a Black Box: Attempts at Integrating Business Cycle and Growth Theories”, History of Political Economy vol. 41, 2009, 334-355.

[34] Nathan Rosenberg: “Inside the Black Box: Technology and Economics”, McGraw-Hill, 1983, p. 193-195, 225-238.

neoclassical approach cultivated by Solow was not able to explain the emergence of crises (this is

also an issue with many other neoclassical – and other – microeconomic models). There is also some

empirical data that proves problematic to explain. For example, Plosser's and Mankiw's

panels may elaborate further on this, and they are shown in Fig. 4 and Fig. 5.

Fig 4.: Annual growth rate of technology

Source: Plosser, C.I., "Understanding Real Business Cycles", RCER Working Papers,

University of Rochester - Center for Economic Research (RCER), 1989, p. 198.

Fig. 4 shows the annualized percentage growth rate of technology, and Plosser’s conclusion was that

the residuals behave according to the random walk theory. Mankiw, on the other

hand, plotted the residuals against the income series and claimed that the residual was quite literally a

“leftover”, as shown in Fig. 5.

Fig. 5: Solow Residuals and output growth

Source: Francisco Louçã: “The Solow Residual as a Black Box: Attempts at Integrating Business

Cycle and Growth Theories”, History of Political Economy vol. 41, 2009, 344.

There is also another interesting concept that can be derived from evaluations of the Solow

residual. In 1987, after receiving a Nobel prize, Robert M. Solow said “You can see the

computer age everywhere but in the productivity statistics.” This has since been known as the

“Solow productivity paradox” and is usually interpreted to mean that the productivity of labour has not

risen after information technology was introduced in industry and across enterprises.

Empirical evidence is that the usage of new technologies boosts output in industry and office

environments, but such evidence cannot be confirmed by growth indicators. It is interesting that

exactly after the 1970s, when computerization and the usage of information science and capital was

really booming, productivity has fallen or, at best, stagnated, as shown in Table 1.

Table 1: productivity growth (%) in some world countries and associations 1960-2007

Source: calculations are based on The Conference Board and Groningen Growth and

Development Centre, Total Economy Database, September 2008.

Let us also evaluate the downtrend of annual productivity growth rates in output per hour for the

EU-15 [35] and the USA, as shown in Fig. 6.

[35] EU-15 consists of the following 15 countries of the European Union: Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, the Netherlands, Portugal, Spain, Sweden and the United Kingdom.

Fig. 6: Trend in output per hour for EU-15 and U.S.A. 1981.-2004.

Source: http://www.metrics2.com/blog/2007/01/24/2006_us_labor_productivity_growth_at_the_lowest_in.html (26.01.2011).

It would be interesting to evaluate this paradox, considering that even incidental evidence

shows that intensive usage of computer capital should improve productivity and that additional

investments in information technology and accumulation of structural capital (information

capital included) should result in additional growth. Here are several possible reasons why that is so:

1. Processes that involve intensive application of information capital are those that are

somewhat remote from “real economy” processes and production (even though

deployed technology in production process necessarily depends both on innovation

and underlying processes). That is why information capital enhances underlying

processes, but that does not translate into real productivity increase, neither in labor

nor in capital sense,

2. A similar analogy has been noted by some other authors. For example, economist Paul

David did not agree with Solow’s position on this paradox and claimed that the problem

was a lag in productivity improvements between the time a new technology is introduced and the time it

produces tangible results. He underlined his opinion by drawing an analogy with the

introduction of the electric motor in 1880, whose impact in statistics was negligible until

1913, [36]

3. Finally, it is possible that information capital and innovations do not significantly

contribute to the overall productivity of labor and capital. Some economists have proved

that information technology related capital accounts for less than two percent of used

capital in the world. [37]

Therefore, looking at the impact of information capital on the macroeconomic concept of

productivity yields diverse, surprising and inconclusive results that may be followed

up and evaluated only with the passage of time.

4.2 INFORMATION CAPITAL AND PRINCIPLES OF PARETO EFFICIENCY

In its simplest form, the Pareto efficiency model is a model of multi-criteria optimization that

is often used not only in economics, but also in technical and social sciences. It is based on

changing parameters to get the best possible outcome for the set problem. In economics, a Pareto

efficient solution is one where there is no way to further improve the situation of one

participant without worsening the situation of another. A distribution, or input, that satisfies

this requirement is considered to be “Pareto optimal”. The Pareto efficiency model can be equally

applied in the production of several goods, when outcomes have to be calculated in terms of the quantity

of produced goods, or when adequate allocation of production factors like capital and labor has

to be achieved. Possible combinations of production factors that can be combined to create

output make up the so-called Pareto Frontier, where any additional output of a certain product would

inevitably lead to less production of another, thus inevitably leading further away from Pareto

optimum.

Pareto efficiency is devoid of moral dilemmas. This means that all situations where one

person has all the riches in the world and some persons have none; or when a certain product is

[36] Paul A. David: “The Dynamo and the Computer: An Historical Perspective on the Modern Productivity Paradox”, The American Economic Review, Vol. 80, No. 2, p. 355-357

[37] Stephen D. Oliner, Daniel E. Sichel, Kevin J. Stiroh: “Explaining a Productive Decade”, FEDS Working Paper No. 2007-63, p. 17

fully produced just by labor with almost no capital; or when a quantity of a certain product is produced

“at the expense” of another – may be on the Pareto Frontier and Pareto optimal and/or efficient.

A number of possible outcomes may be further explored by introduction of the Kaldor-Hicks

model of distribution, where it is possible to build a brand new frontier if those who are made

better off by the initial distribution compensate those that are made worse off to achieve balance, as

shown in Fig. 7.

Fig 7.: Kaldor-Hicks improvements

Source: http://www.newworldencyclopedia.org/entry/John_Hicks (27.01.2011.)

When further evaluating the properties of information capital stock in regard to efficiency, it

is important to establish the connection between information and its price: typically, it is the market

that establishes the information value as a price that does not have to be monetary or financial; it

can also be established as barter or its exchange utility. However, it is very difficult to deal with

terms like the price of information. To try to do so, one has to start with the definition of a good –

“Good: commodity or service that is regarded by economists as satisfying a human need. An

economic good is one that is both needed and sufficiently scarce to command a price.” [38]

Furthermore, information rarely has rival goods that could diminish its utility but certainly has

many properties of an excludable good, meaning that unwanted people can be excluded from using

it. The value and type of the price of information or any other tradable good is not intrinsic to the

nature of the product and may change with e.g. technology.

Contrary to popular belief, as was the case with the relation between information and

macroeconomic productivity, information capital within enterprises behaves as a fixed investment

cost and a sunk cost. Many analysts believe that ICT investments have little or no value for the

price of a firm (despite the fact that analysts themselves use expensive ICT tools!), and while

information and knowledge have positive connotations in the sciences, the traditional economic

perspective relates information to inefficient markets, with few exceptions. [39] The usual economic

model calls for perfect knowledge, information and convexity of preferences, while those markets

that are associated with information are typically limited and information is in fact in

short supply, not allowing market mechanisms to match demand and supply, as shown in Fig. 8.

Fig 8.: Classical supply-demand model under inefficient conditions of information capital market

Source: George A. Fodor: “The Value of Information”, Short version of the Milano University

presentation, ABB AB, Sweden, Milano, October 2008, p. 28.

[38] The New Oxford American Dictionary, Erin McKean, 2005.

[39] Cf. Margaretha Levander, “Så gör analitikerna när de värderar ditt bolag” (Translation from Swedish: This is how analysts are evaluating your company), CIO Sweden, http://cio.idg.se/2.1782/1.181573, 27.01.2011.

Orthodox evaluations of classical forms of capital, therefore, cannot answer the dilemma

posed by the general behavior of information capital in economic reproduction. The key resource is

therefore no longer information capital itself, but ownership over information capital that

prevents others from gaining access to it; it is a barrier to the entry of competition. An additional

difficulty in this evaluation arises from the dual nature of information: information that

has convex properties is already embedded in the equilibrium price, while information that is not

convex (for example, future markets and patents) is not included in the equilibrium, but will

appear in the market in the future. Therefore, enterprises are typically interested only in the value of the

non-convex type of information.

5. CONCLUSION  

Behavior of information capital in the cycle of economic reproduction is quite diverse,

depending on the level of aggregation. On the company level, information capital is a factor of

competitive advantage that is protected by the technical measures of information security, legal

framework and organizational measures aimed towards ensuring confidentiality, availability and

integrity of enterprise capital stock. Increased levels of information capital stock are connected

with increased productivity.

On the microeconomic level, there are serious problems present in evaluation of information

capital as it behaves differently than physical or financial capital. The main traits of information

capital in that scenario are expectations and scarcity and its main property is unavailability to

other market players. This makes information capital elusive for analysis as it is typically

considered to function in non-efficient strata of the market.

On the macroeconomic level, surprisingly, increased levels of information capital are not

significantly correlated with higher productivity. It remains to be seen what exactly is the source

of this phenomenon as new forms of capital caused by technical progress typically required

several decades in order to be statistically measurable.

Maintenance of information capital stock is a technically very demanding and financially very

expensive business function, both in terms of investments and running costs; therefore,

enterprises should aim to optimize the productive part of their information stock through

methods of data classification and information lifecycle management, in line with their own

needs and procedures and legislative requirements and maintain and manage only that part of

overall information capital in order to achieve goals of cost efficiency.

LITERATURE

BOOKS

1. Canzer, B.: „E-Business: Strategic Thinking and Practice“, McGill University, and

Concordia University, 2006.

2. Louçã, Francisco :”The Solow Residual as a Black Box: Attempts at Integrating

Business Cycle and Growth Theories”, History of Political Economy vol. 41, 2009.

3. Rosenberg, Nathan: “Inside the Black Box: Technology and Economics”, McGraw-

Hill, 1983.

ARTICLES

1. Tijan, E.:“Data classification and information lifecycle management in port

community systems“, Journal of maritime studies, The faculty of maritime studies,

Rijeka year. 23, num.. 2, 2009.

2. Curphey, M., /et al./: „A Guide to Building Secure Web Applications, The Open Web

Application Security Project (OWASP)“, 2002.

3. Plosser, C.I., "Understanding Real Business Cycles", RCER Working Papers ,

University of Rochester - Center for Economic Research (RCER)., 1989.

4. David, Paul A.: “The Dynamo and the Computer: An Historical Perspective on the

Modern Productivity Paradox”, The American Economic Review, Vol. 80, No. 2

5. Oliner, Stephen D., Sichel, Daniel E., Stiroh, Kevin J: “Explaining a Productive

Decade”, FEDS Working Paper No. 2007-63

6. Fodor, George A: “The Value of Information”, Short version of the Milano University

presentation, ABB AB, Sweden, Milano, October 2008.

OTHER SOURCES

1. Aksentijevic, S: “Information security in function of information capital

management”, seminary paper, Economy of University, Rijeka, 2010. (not published)

2. Aksentijevic, S.: „Operative Information Protection Plan“ , WI-SMS-ICT-105-E rev2,

working instruction of ISO 9001 system, Saipem Mediteran Usluge d.o.o., Rijeka,

01.02.2009.

3. Levander, Margaretha: “Så gör analitikerna när de värderar ditt bolag” (Translation

from Swedish: This is how analysts are evaluating your company), CIO Sweden, 2008.

4. The Conference Board and Groningen Growth and Development Centre, total Economy

Database, September 2008.

5. The New Oxford American Dictionary, Erin McKean, 2005.

INTERNET SOURCES

1. Blake, S. Q.: „The Clark-Wilson Security Model“, http://www.lib.iup.edu/comsci-sec/SANSpapers/blake.htm (20.04.2009.)

2. Smith, R.: „Introduction to Multilevel Security“,

http://www.cs.stthomas.edu/faculty/resmith/r/mls/index.html (20.04.2009.)

3. http://ou800doc.caldera.com/en/SEC_admin/IS_DiscretionaryAccCntlDAC.htm

(11.04.2009.)

4. http://www.freebsd.org/cgi/man.cgi?mac_biba (11.04.2009.)

5. http://www.ezcobit.com/UsingCobit/html/00Intro2.html (19.05.2010.)

6. http://www.isaca.org/ (19.05.2010.)

7. http://www.itgi.org/ (19.05.2010.)

8. http://www.itsm.hr/itil-itsm-metodologija/metodologija-cobit.php (19.05.2010.)

9. http://www.soxlaw.com/s302.htm, http://www.soxlaw.com/s401.htm,

http://www.soxlaw.com/s404.htm, http://www.soxlaw.com/s409.htm,

http://www.soxlaw.com/s802.htm (18.05.2010.)

10. http://www.coso.org (18.05.2010.)

11. http://www.coso.org/guidance.htm (19.05.2010.)

12. http://www.ogc.gov.uk/about_ogc_who_we_are.asp (19.05.2010.)

13. http://www.itil-officialsite.com/AboutITIL/WhatisITIL.asp (19.05.2010.)

14. http://www.iso.org/iso/about.htm (19.05.2010.)

15. http://www.metrics2.com/blog/2007/01/24/2006_us_labor_productivity_growth_at_the_lowest_in.html (26.01.2011).

16. http://www.newworldencyclopedia.org/entry/John_Hicks (27.01.2011.)

17. http://cio.idg.se/2.1782/1.181573 (27.01.2011.)

18. http://www.cs.berkeley.edu/~bh/hacker.html (06.05.2010.)

19. http://www.law.cornell.edu/uscode/44/usc_sec_44_00003542----000-.html (18.05.2010.)

20. http://www.microsoft.com/protect/yourself/phishing/identify.mspx (05.05.2010.)

21. http://www.cgisecurity.com/owasp/html/ch08s02.html (20.04.2009.)

22. http://www.freebsd.org/cgi/man.cgi?mac_biba (11.04.2009.)

ILLUSTRATIONS

1. Fig. 1. Pyramid of relationship: data, information, knowledge and business strategy

2. Fig. 2: Steps in information lifecycle management

3. Fig. 3.: Steps in creation of information security plan

4. Fig. 4.: Annual growth rate of technology

5. Fig. 5: Solow Residuals and output growth

6. Fig. 6: Trend in output per hour for EU-15 and U.S.A. 1981.-2004.

7. Fig. 7.: Kaldor-Hicks improvements

8. Fig. 8.: Classical supply-demand model under inefficient conditions of information

capital market

1. Table 1: productivity growth (%) in some world countries and associations 1960.-2007.