Impact of Information Capital On Enterprise Efficiency

UNIVERSITY IN RIJEKA
THE FACULTY OF ECONOMY IN RIJEKA

RIJEKA
DOCOTORAL STUDY
BUSINESS ECONOMY
IMPACT OF INFORMATION CAPITAL ON ENTERPRISE EFFICIENCY

– AN OVERVIEW
DOCTORAL STUDY PAPER
RIJEKA, 2011.
UNIVERSITY IN RIJEKA
THE FACULTY OF ECONOMY IN RIJEKA
RIJEKA
DOCOTORAL STUDY
BUSINESS ECONOMY

- AN OVERVIEW
DOCTORAL STUDY PAPER
Course: Microeconomics
Mentor:prof.dr.sc. Maks Tajnikar
Doctoral candidate: Sasa Aksentijevic
Field: Business economy
Reg. number: 37/09
Rijeka, January 2011.

FOREWORD
I have spent the last ten years of my career working in foreign-owned enterprises with
diverse ownership structure and business cases, all having a common trait – taking close care of
information security and information capital. Since year 2006. I have been serving also as a
company information security officer, so I was faced with a task of envisioning and organizing
integral enterprise information security management system. In the past four years a number of
policies, plans, standards, guidelines and work instructions had to be devised that encompass not
only information, but also integral corporate security. This endeavor has ended by joining post
graduate studies at the University of Economy in Rijeka where I have completed the final thesis
with the topic of integral and information security, motivated by my daily work.
In contact with colleagues of the same profession, I have noticed that many medium and
even large scale enterprises do not have a separate business function in charge of information
security, sensitive business information are protected in the same way other forms of capital are
being protected, despite the fact that information capital has intrinsic values making it
comparable to “classical” forms of capital, but also certain characteristics that make them very
different, thus requiring completely different treatment. Difficulties in definition of information
capital concept are especially clear when trying to make a clear division between raw data,
information and knowledge.
Some difficulties have been encountered during this research. The topic of information
capital has been mentioned in literature sporadically, due to the fact that best practice models of
information protection are related mainly towards data or information, and not information
capital, while enterprises systematically manage only derivatives of information capital (for
example, knowledge). The main driver behind creation of this paper is to clearly make a
distinction between information and other forms of enterprise capital, describe some measures
used to protect it within enterprises and describe relation between information capital and
enterprise efficiency.
At this point, I would like to thank my mentor prof.dr.sc. Maks Tajnikar for the patience
demonstrated during creation of the draft and the seminary paper itself.
SUMMARY

- AN OVERVIEW
Running business is nowadays characterized by immanent need to treat information

capital as a separate, non-material variety of capital that is equally participating in business
activities as other material capitals. To the contrary to material capital forms that are traditionally
protected by measures of physical protection, misappropriation of non-material forms of capital
like information capital is quite difficult to ensure. The only way to do so is to systematically
execute measures of integral information security within the company, respect the law regulating
the subject and treat the identified risks adequately, both internal and external, derived from the
company's environment.
Change of identification and classification concept of information capital through its

forms and management of lifecycle information that represents accumulated knowledge within
the company is possible if adequate guidelines are being used, that are described within
standards of information security management and thus ensure it from unwanted events like loss
of integrity, undesired availability to other companies and loss of confidentiality. Proper
classification of information leading to identification and utilization of information capital leads
to achievement of enterprise efficiency.
Key words: information capital, information security, productivity, Pareto efficiency

TABLE OF CONTENTS Page
FOREWORD.............................................................................................................................. 3
SUMMARY................................................................................................................................ 4
TABLE OF CONTENTS............................................................................................................ 5
1. INTRODUCTION............................................................................................................... 7
1.1 RESEARCH PROBLEM, SUBJECT AND OBJECT.................................................. 7

1.2 WORKING AND SUPPORT HYPOTHESES….......................................................... 8
1.3 RESEARCH PURPOSE AND GOALS......................................................................... 9
1.4 SCIENTIFIC METHODS.............................................................................................. 10
1.5 PAPER STRUCTURE.................................................................................................... 10
2. IMPORTANT CHARACTERISTICS OF INFORMATION SECURITY AND

INFORMATION CAPITAL……............................................................................................ 12
2.1 DEFINITION, DEVELOPMENT AND IMPORTANCE OF INFORMATION

SECURITY.................................................................................................................... 12
2.1.1 Definition and development of information security............................................ 12
2.1.2 Strategic importance of information security in enterprises…………................. 13
2.1.3 Impact of the risk concept on information security…………………….............. 16
2.2 ELEMENTS OF THE INFORMATION CAPITAL..................................................... 19

2.2.1 Definition and inception of information capital.................................................... 19
2.2.2 Data, information and knowledge as basic components of information capital.. 20
2.2.3 Enterprise information capital management......................................................... 22
3. INFORMATION SECURITY – DECISIVE FACTOR OF SUCCESSFUL

INFORMATION CAPITAL MANAGEMENT............................................................ 24
3.1 INFORMATION SECURITY MANAGEMENT CYCLE……….............................. 24

3.1.1 Information capital identification…….. .............................................................. 24
3.1.2 Data and information classification .................................................................... 25
3.1.3 Data and information lifecycle management…………........................................ 27
3.1.4 Information security planning………................................................................... 28
3.2 LEGAL AND BEST PRACTICE MEASURES IN INFORMATION CAPITAL
MANAGEMENT……………….………………………….......................................... 30
4. CONSIDERATIONS OF USAGE OF ENTERPRISE INFORMATION CAPITAL

IN ACHIEVEMENT OF EFFICIENCY................................................................................ 33
4.1 SOLOW RESIDUAL AND INFORMATION CAPITAL……………………………. 33

4.2 INFORMATION CAPITAL AND PRINCIPLES OF PARETO EFFICIENCY…… 38
5. CONCLUSION.................................................................................................................... 42
LITERATURE............................................................................................................................ 43
ILLUSTRATIONS…………..................................................................................................... 45
1. INTRODUCTION
Introductory part outlines research problem, subject and object, defines working
hypothesis and auxiliary hypotheses used in research, explains purpose and goals of the
research, used scientific methods and shortly describes structure of the doctoral paper.
1.1. Research problem, subject and object
In the broadest economic sense, capital is a production factor that by itself does not have a
particular value needed by the consumer when compared with comparable goods, but it
possesses ability to reproduce maintaining characteristics of relative non-changeability in
production process, therefore serving as a catalyst in production of other goods. Throughout the
history, schools of economic thought have formed their paradigms and theories dealing with the
term of capital and its relationship towards capital, even in the earliest periods of capitalistic
production, during mercantilism or physiocratic viewpoints.
In parallel with the development of production and social relationships refracted through
politeconomic prism, new forms of capital are being differentiated. Primary identified physical
forms of capital are therefore followed by newly identified forms of capital derived from such
development, among which mercantile and financial (banking) capital are the most easily
identified. However, throughout 20th century, due to exponential development of base of human
knowledge, rising connectivity between national economies and development of very complex
organizational blueprints as a draft for execution of economic reproduction, it has become clear
that it is not possible to describe in their entirety all factors influencing the process of money-
goods exchange just by researching physical and derived forms of capital. Such new forms of
capital are, among others, political capital, infrastructural capital, human capital, natural capital,
social capital and intellectual capital.
This division of forms of capital has opened a number of questions and dilemmas that are
not entirely solved, especially in regard to relation between different forms of capital, but also
towards other production factors known and identified by schools of political economy. For
example, human and social capital are inherently connected with paradigm of information
economy where positive economic output of enterprises and national economies is a result of
their internal processes that enable creation, processing and real application of information based
on knowledge, through usage of modern information technologies.
Research problem can be derived from outlined research problem: what is information
capital, what is its connection with other material and non-material forms of capital and
production factors, how has management of information capital, knowledge and human capital
become a condition sine qua non of national economy development and what is the connection
between utilization of information capital and enterprise efficiency?
Research subject can be extrapolated from defined problem of the research: to research,
analyze and systematically outline basic characteristics and specifics of information capital and
its reproduction inside enterprises and research the topic of efficiency in general and impact of
information capital management on enterprise efficiency, using language of Pareto efficiency.
Research objects are information capital and its impact on enterprise efficiency.
1.2 Working and support hypotheses

Definition of the research problem, subject and object, leads to definition of the working
hypothesis of the paper: information capital is a separate form of capital, it is being managed and
preserved within enterprises using legislative and best practice systems and its utilization can
influence efficiency within enterprises.
In order to enable support to working hypothesis, three support hypotheses will be defined
(abbreviation S.H.):
S.H. 1) In modern enterprises, information capital is a separate form of capital defined by its
components, data, information and knowledge. It has a catalytic effect on other forms of
capital.
S.H. 2) Information capital is a basic requirement for creation of knowledge based enterprise.
While other forms of capital are preserved through legislation, information capital is
protected by technical and organizational measures aimed towards mitigation or annulation
of risk.
S.H. 3) Proper utilization of information capital inside enterprises can increase efficiency.
1.3 Research goal and purpose

According to the research problem, subject and object, and working and supporting
hypotheses, purpose and goals of research are being defined.
Purpose of the research is to study, analyze and outline all characteristics of the information
capital that make it unique and clearly delimit from other forms of capital and describe the way
how identified specifics of information capital influence the efficiency of enterprise activities.
Information capital is often placed under social or political capital, or „goodwill“ or „intellectual
base“ of economy, without full understanding of relationship between different forms of capital
and factors of production.
Goal of the research is to prove existence of independent form of capital – information

capital – and explain its functioning bringing it into relation to other forms of capital and show
that availability of information capital has influence on enterprise production result.
This paper will provide answers to the following questions:
1) What is information capital?
2) What specifics and characteristics distinguish information capital from other forms of
capital?
3) What are the interactions and relations between information capital and other forms of
capital and factors of production?
4) What methods and technologies are used in protection and reproduction of information
capital on operative enterprise level?
5) What is the impact of utilization of information capital on enterprise efficiency?

1.4 Scientific methods

During research, the following scientific methods will be used in appropriate combinations:
method of induction and deduction, method of analysis and synthesis, methods of abstraction and
concretization, methods of generalization and specialization, method of classification, descriptive
method, comparative method, historical method, method of mosaic, method of comparison in
pairs and method of compilation. The last method will be carefully used in those parts of the
paper that will lean onto existing scientific studies and papers, carefully quoting and citing the
sources.
1.5 Paper structure

Topics in this paper will be presented in five connected chapters.
In the first chapter, INTRODUCTION, problem, subject and object of the research will be
defined along with working and support hypotheses and purpose and goal of the research.
Scientific methods used in the research will be presented and in the end, its basic structure will
be presented.
IMPORTANT CHARACTERISTICS OF INFORMATION CAPITAL AND

INFORMATION CAPITAL is title of the second chapter. In this chapter, inception and
development of the information capital will be described along with historical overview and its
relation towards factors of production and other forms of capital.
INFORMATION SECURITY – DECISIVE FACTOR OF SUCCESSFUL

INFORMATION CAPITAL MANAGEMENT is title of the third, analytical part of the paper
that emphasizes identified specifics of information capital compared to other forms of material
and non-material capital. Terms of information economy and concepts of risk and information
capital protection will be very carefully explained.
Fourth chapter is aimed towards offering a new view of information capital functioning
within enterprises in a way to put in focus of the research perspectives of information capital
management development in order to facilitate efficiency. Title of this chapter is
CONSIDERATIONS OF USAGE OF ENTERPRISE INFORMATION CAPITAL IN
ACHIEVEMENT OF EFFICIENCY.
CONCLUSION is the final chapter of the paper, containing a systematic recapitulation of

new realization achieved during research, hence proving the initial working hypothesis.
2. IMPORTANT CHARACTERISTICS OF INFORMATION SECURITY
AND INFORMATION CAPITAL
In order to explain this problematic, it is important to pay attention to two connected topics:
1) definition, development and importance of information security and 2) factors of the
information capital.
2.1 DEFINITION, DEVELOPMENT AND IMPORTANCE OF

INFORMATION SECURITY
To tackle the challenge of defining importance of information security and its development,
there are three distinctive topics to be discussed: 1) definition and development of information
security, 2) strategic importance of information security in enterprises and 3) impact of the
risk concept on information security.
2.1.1 Definition and development of information security
Information security is protection of information and information systems from unauthorized

access, usage, disclosure, interruption, change or destruction.1Information security is ensured
through principles of protection of integrity, availability and confidentiality of information.2
From the earliest days of written history, rulers and military leaders have understood
importance of the mechanism that would protect the confidentiality of written correspondence
and existence of the mechanism that would detect that such confidentiality is endangered. The
first person mentioned by historians to use such a system was Julius Caesar who has 50 years
before Christ devised a system of “Caesar coding” to prevent his messages fall into the wrong
hands.
Second World War has brought significant advances in terms of theoretical and practical
measurements of information security and this is the point when such activity is professionalized
and became a business function in enterprises and government function. The emphasis has been
put primarily on physical controls that guard the access to information processing centers. Data

1
http://www.law.cornell.edu/uscode/44/usc_sec_44_00003542----000-.html (18.05.2010.)
2
In information security this concept is known as “C-I-A triad”, where “C” stands for confidentiality, “I” stands for
integrity and “A” stands for availability
formalization and classification of information according to their sensitivity was the next logical
step, along with personal checks before information access. Well known and documented
example is the one of “Enigma” coding machine, first time decoded by Polish engineers just
prior to World War II. The British and the American managed to do the same just during World
War II, when “Enigma” already had a new version. Information gathered from decoded
messages were used to anticipate German armed forces moves and actions.
Change of focus of information security towards information technologies was prominent

with development of technology during Cold war when mainframe computers started being
deployed. Primary threat at the time was unauthorized access to information stored in paper
media, so the actions of espionage and sabotage were aimed towards mitigating such risks. One
of the first documented problems of information security that was not physical in nature was in
the first half of 1960. when due to the computer mistake, access password was printed on every
file page.
At the end of 20th and the beginning of 21 century rapid advances in technical
possibilities of communications, computing equipment and electronic networks for data
exchange brought along new encryption techniques. Availability of smaller, more powerful and
cheap computers was the main enabler behind data processing even in small companies and in
employee`s homes. Rapid growth and widespread usage of electronic data processing and
introduction of e-business 3 in parallel with threat of international terrorism was the main reason
behind devising new and better ways of computer protection, but also protection of information
stored, exchanged and processed by the computers. Nowadays, information protection is
academic and multidisciplinary activity between different professional organization, working
towards common goal of ensuring security and protection of information systems.
2.1.2 Strategic importance of information security in enterprises
Strategic importance of information security in enterprise management can be evident from

the fact that identified strategic, tactical and operative units inside the companies that are
included in execution of information security do not have clear and isolate responsibilities

3
Canzer, B.: „E-Business: Strategic Thinking and Practice“, McGill University, and Concordia University,
2006., p.24
according to the plan of information security, because their responsibilities are usually mixed and
intertwined, but the same happens also with the risks shared throughout the organization
structure of the companies. For example, if one department of the organization maintains data
related to health of the employees, even though such data seems to be operative for that
particular department, the damage of its disclosure may be high and have significant impact for
the whole organization, so information security in such a case is not any more just operative, but
becomes strategic task. Therefore, when evaluating criticality of information security, it is
necessary not only to rely on initial evaluations and classifications but to take into consideration
the big picture, that will enable creation of overall perspective, arising from the true business
case.
Indeed, the most important initial activity on a strategic level for every enterprise is to clearly
identify organizational units, departments and key users who all commonly share the
responsibility for the information system security as a whole. All levels included need to
cooperate with nominated information security officer to create a robust information protection
plan, periodically test it and adjust it to new circumstances. The end results has to be a
continuously set process of revision of information security and report presented to the top
management of the organizations that outlines current state of affairs and measures and budget to
mitigate any gaps. Such a report should at least contain the following elements4:
1) additions to the information protection plan arising from technological and operative
development of information technology and business needs in the past period,
2) evaluation of current state of implementation of information protection plan,
3) proposed measures for improvement of information security,
4) time needed for implementation and
5) related costs and budget needed to implement proposed measures.
It is both the responsibility and right of every key user to develop and implement their own
strategic plans of information and document protection. The minimum requirements of such a

4
Aksentijevic, S.: „Operative Information Protection Plan“ , WI-SMS-ICT-105-E rev2, working instruction of
ISO 9001 system, Saipem Mediterranean Services LLc., Rijeka, 01.02.2009., p. 17.
plan is that it is signed and accepted by the key user, contains the timeframe and defines the
following requirements5:
1) name of the office, department, project or organization unit using sensitive information,
2) names of the persons authorized to access such data along with access levels,
3) administrative controls used to minimize the number of people authorized to access
sensitive information,
4) description of methods of physical protection,
5) description of the retention time of sensitive information,
6) description of methods of destruction and deletion of obsolete information,
7) description of implemented human resource training, frequency and ways of sensitive
information transfer.
The array of required knowledge to achieve all this is quite way, the main drivers behind that
are very specialized activities and short time for their implementation. For this reason, many
organizations resort to outsourcing information security as a whole, or partially. Such
outsourcing contracts have to be carefully managed and subcontractors have to prove their ability
to provide sensitive information management and security services in appropriate manner. The
main tool used to achieve this legally are exhaustive confidentiality clauses.
Enterprise information security is achieved through tight regulation of access to information

contained inside information systems. It is technically and organizationally very demanding
activity that itself can be a subject of a separate debate. It involves all actions undertaken inside
organizational and technical systems of organizations to limit access to sensitive data and to
allow it just to those persons authorized. That goal is achieved by using specific controls
regulating the following areas6:
1) computer network access controls,

2) user groups controls,
3) e-mail and communication controls,
4) Internet services controls,

5
Ibidem, p.13.
6
Cf. Ibidem, p.103.-104.
5) telephony and fax access controls,
6) remote access controls,
7) virtual private networks controls.
2.1.3 Impact of the risk concept on information security
Risk is a stochastic concept that describes potentially negative impact on enterprise activities
that can be a consequence of some ongoing process or future event. The term itself is often used
simultaneously with possibility of known loss, therefore, risk is closely connected with
expectations. In enterprises, risk is always connected with evaluation of possibility of occurrence
of certain event, and they are difficult to evaluate because of constant operative changes in the
environment and constant increase of number of potential risks. Therefore, it is almost
impossible to identify all risks: at the very moment when a risk table is drafted for a particular
enterprise, the new risks that are not identified are already present, so risk assessment is as
ongoing activity as is the implementation of the information security itself. Risk assessment
methodology is therefore also subjected to periodical evaluations to identify and mitigate new
risks or at least lower their possible impact.
Some of the most common risks of compromising enterprise data and corporate information
capital will be described.
1) Access to sensitive data by unauthorized personnel. Historically, both internal and

external parties are equally culprits that are trying to compromise sensitive data. The
reasons for such behavior are many, ranging from pure curiosity, information theft,
competition attempts to malicious intent.
2) Compromised information security as a result from hacking. Hacking is by definition
unauthorized attempt to use or access information systems or networks. Initially, hackers7
were highly skilled persons with knowledge of information systems, and this term was
used just inside the community, but nowadays it has a derogatory meaning and it is used
for people who steal, destroy or compromise information systems and cause damage and
destruction, usually resorting to illegal activities.

7
http://www.cs.berkeley.edu/~bh/hacker.html (06.05.2010.)
3) Data interception during transaction. Modern information transaction systems are a
mixture of distributed and hierarchical system: end users like physical persons or
enterprises are connected to service providers who are connected to “backbone”
providers Special computers and network equipment called routers and gateways send
these data packets to their final destinations enabling connectivity. After data package
leaves the service provider`s network, it is almost impossible to predict its route because
it primarily depends on the destination. If the destination remains unchanged, the route to
it still can be changed. This enables data interception and possibly its change during
transaction. Minimum requirements for information security during transaction is its
coding on hardware or software level. The same technology has to be used when virtual
private networks or remote connectivity is used.
4) Loss of data due to user`s mistake. This is the most common reason that leads to
sensitive data disclosure. The nature and impact of the damage depends on the type of
compromised information and the severity of the mistake. There are numerous
unintentional mistakes done by users in enterprise environments that can lead to serious
damage.
5) Physical loss of information due to disaster. Physical loss of data due to disasters like
fire, flood, terrorist actions can lead to most severe consequences including complete
interruption of activity. Enterprises plan measures of mitigation of these activities by
disaster recovery and business continuity planning.
6) Incomplete and non-documented transactions. Every transaction inside information
systems should be documented and originators who can vouch for their completeness.
However, there is a risk over “over-documenting” all transactions, so it is necessary to
limit transaction documentation just to relevant auxiliary information to vouch for its
integrity
7) Unauthorized access of employees to sensitive information. Access to information
systems has to be limited to those people who need to have access for business reasons.
Every information system requires segmentation of its elements according to owners,
users and purpose and subsystems have to be access password protected with password
rotation. A formal matrix of authorization has to be maintained that has to be subjected to
periodic reviews. Those in charge of information security (usually dedicated departments
or instances) have to undertake reasonable and adequate actions to keep pace with
development of technology to ensure security of information in transit and availability of
information only to those that are authorized.
8) Unauthorized access to sensitive information by third parties (“phishing”).
“Phishing”8 is a form of criminal activity that uses social engineering techniques in order
to get access to sensitive information. However, unauthorized access to information can
be also gained through paper documents and report or by third parties. To mitigate risk of
unauthorized internal access, information stored in electronic or paper form has to be
carefully stored to be available only to those that have proper levels of authorization.
Risk of external unauthorized access is usually diminished by introducing physical
barriers like anti-intrusion devices, cameras, visitor registrations and overall measures of
physical security.
Described risks imposed on enterprise information security are just some of the most
common scenarios that can be encountered. Despite popular opinion, information security
function is a senior management function and just partially operative and technical discipline.
Security functions have to be formally identified across the structure. Access approvals are
given based on the evaluation of the key user that certain person has to get access to certain
information. In enterprise environments, such actions are subject to compliance both to
internal information security plans but also local legislation under which the enterprise
operates. A solid set of formal procedures has to be put in place to regulate areas like
employee information security education, risk treatment and mitigation and security incident
processing. Furthermore, no enterprise should gather and store information unless that is
relevant for the business side. If it is possible, they should be gathered directly from the
information source, and not from the second hand.
As a summary, information capital risk management is a structured approach to

insecurity and uncertainty management using the tools of risk assessment and management.
These strategies usually include transferring the risks to third parties (for example,
insurance), risk avoidance, mitigation of the risk or, as the final possibility, acceptance of a
certain level of residual risk. Traditionally, information capital risk management is focused

8
http://www.microsoft.com/protect/yourself/phishing/identify.mspx (05.05.2010.)
on risks that emanate from technical or legal sources, while financial risk management is
focused on risks that can be mitigated through usage of tradable financial instruments.
The final goal of every risk treatment process is lowering the risk to a level that is
acceptable by the enterprise.
2.2 ELEMENTS OF THE INFORMATION CAPITAL
This chapter outlines in details the following sub-chapters: 1) definition and inception
of information capital, 2) data, information and knowledge as basic components of
information capital and 3) enterprise information capital management.
2.2.1 Definition and inception of information capital
Information security and information capital seem to be seemingly understandable at first

sight, but their interaction in achievement of business goals of modern companies is often
clouded due to the influence of very complex business forms, patterns and tools used to
ensure information and knowledge that exists inside enterprises. Every employee uses a
unique set of tools in order to achieve the result, while in the same time, it has to be done
inside the organizational framework set by the enterprise in order to safeguard information
capital through measures of information security. Furthermore, additional problem is that
enterprise information capital is intangible in form.
Therefore, enterprise information capital can be defined as non-material form of capital

whose usage in business activity acts as a catalyst in production of goods and services, and it
is represented by classified information and knowledge stored inside information and
documentation systems of the enterprise.9 It is important to stress that term “classified” in the
definition does not refer to “confidential”, rather it refers to structural identification and
classification of information that is important for the organization and that is further managed
in a structured way.

9
The definition of information capital is original author’s definition.
2.2.2 Data, information and knowledge as basic components of information
capital
Definitions of data, information, knowledge and information capital are often not very
well delimited. In order to make clear boundaries, all of them need to be clearly defined and
put into mutual relations. Data is a set of symbols that by itself does not have a particular
meaning, or can be directly used in the enterprise. They maintain such a form as long as they
do not enter certain usable form. Data does not have to be just a set of symbols, it can be also
signals or stimuli often defined as subjective data, to make distinction from objective data,
that is a product of observation. What the raw data is missing is business context. Only data
that possesses business context can have potential value for the enterprise.
The data that can be useful for particular enterprise and its activity is information. It is
represented by organized and well-structured data, processed in a way that is relevant for
certain purpose or context. Its main values are significance, value, usability and relevance.
Knowledge is a concept that is very elusive and difficult to define. Usually, its definition
is very similar to the definition of information. Knowledge is a combination of experience,
value, context, professional insight and founded intuition that represents a framework and
environment for evaluation and inclusion of new experiences and information in enterprise
environment. Accumulated enterprise knowledge can be seen not only in documentation and
processed information stored inside information systems, but also in organizational routine,
practices and norms. Those enterprises that have the highest level of produced knowledge
and usage of new technologies based on knowledge achieve the highest growth rates.
Especially important form of knowledge is leadership knowledge, also known as “business
wisdom”.
After defining data, information and knowledge, it is possible to derive the relationship
between information capital and them. This relationship is shown on Fig 1.
Fig. 1. Pyramid of relationship: data, information, knowledge and business strategy
Usage of information to achieve set goals and
Business
produce enterprise results
strategy

Knowledge
Analysis and synthesis of derived information
Information Data with added significance/context
Business data and facts
Data

Source: created by ph.d. candidate
Informations are a basis for enterprise decision making, they respond to the question „how to
achieve something“.However, enterprise leaders operate on a different level, they have a deep
understanding of why is something the way it is in the business environment and what is the best
course of action with given input. Therefore, enterprise leadership has a distinctive note of
deeper understanding leaned towards future, while daily usage of data, information and
knowledge is usually oriented towards the past.
Definition of information capital implies that enterprises have awareness of information
intrinsic value that can be used as means of exchange inside the enterprise and towards its
surroundings. Some authors take position that information capital is just that part of overall
information pool that makes so called „knowledge capital“ that can be exchanged. However,
identification of enterprise information capital depends on business strategy and differs between
enterprises and across business sectors. For example, information capital that is of high value in
pharmaceutical sector might be completely useless in wood processing industry; information
capital of high importance for complex technology industry will be insignificant in construction
business enteprises. Therefore, when evaluating true importance of information capital, it is very
important to put it inside business case context of particular enterprise.
2.2.3 Enterprise information capital management
Information capital management consists of a set of strategies and practical blueprints used in
organizations to identify, create, represent, distribute and enable assimilation of that kind of
knowledge inside enterprise that enhances its output. Information capital is therefore necessarily
integral element of the knowledge that makes possible for all participants to follow
organizational processes in a way outlined in business strategy. Its management is relatively new
discipline developed in the past 20 years, even though enterprises have historically been
implementing measures aimed towards protection of their information capital. It has roots in
those business functions and disciplines that are open to new technologies endorsed by business
management or information science.
Most large enterprises and organizations have separate task or organizational groups
dedicated to internal information capital management and their exact formulation is usually
embodied in functions of business strategy development, information technologies or human
resource management. Due to the “elusive” nature of information capital and the fact that related
activities are both systematic and long term and not single-instance effort, companies tend to
outsource these activities, sometimes to other companies that provide strategic advising support.
Information capital management should not serve its own purpose, it has to be focused on set
organizational goals like improvement of corporate performance, its competitiveness,
innovations, integration and quality improvement. It is clear that in modern systems, information
capital management and quality control/quality assurance are tightly connected activities.
However, every modern enterprises has to match not only internal, but also external criteria that
can be divided to three different sets of criteria and perspectives to be satisfied10:
- Techno centric perspective, with a strong focus on underlying technology, enabling

knowledge creation and sharing,
- Organizational perspective, focused on how the company has to be organized to
promote knowledge creation,

10
Aksentijevic, S: “Information security in function of information capital management”, seminary paper,
Economy of University, Rijeka, 2010., p. 26 (not published)
- Ecological perspective, focused on interaction between people, their identity,
knowledge and surrounding factors, starting from the fact that human cooperation on
knowledge creation is comparable to functioning of natural eco-system, because both
systems are complex and adaptable.
Information capital and, consequentially, knowledge, can be further divided to explicit

and tacit forms. While explicit knowledge can be easily defined and managed, tacit knowledge is
a more abstract concept represented by knowledge without “consciousness” of that particular
knowledge. That kind of knowledge is not easily transferred – only once it becomes transferred
to other people, it becomes explicit knowledge. Therefore, explicit knowledge is a result of
conscious, intentional information management and processing, using power of mental focus,
and resides in form that is easily transferred to others.
Information capital management principally consists of two mutually connected

activities: information security management and knowledge management. Information security
management is a separate business function that is usually considered to be a “technical” or
“information science function”, but in fact, it is not so: it is a multidisciplinary activity that has to
be sponsored from very top of the management and executed using measures equally applied to
all business functions. Implementation activity of information security is never considered to be
finished, function is never fully implemented and its final goal is to ensure confidentiality,
integrity and availability of information so they can be successfully utilized to support the
business case. In order to avoid unnecessary utilization of financial, time and organizational
resource to achieve information security goals, methods of information classification and
information lifecycle management are used. During their use, basic components of information
capital (and knowledge) are ranked according to their life-cycle in business process, thus creating
a dynamic system where constant input are new information and constant output are those that
are not anymore relevant for the enterprise business.
3. INFORMATION SECURITY – DECISIVE FACTOR OF SUCCESSFUL
INFORMATION CAPITAL MANAGEMENT
To prove that information security is a decisive factor of successful information capital
management, the following topics have to be discussed) information security management
cycle and 2) legal and best practice measures in information capital management.
3.1 INFORMATION SECURITY MANAGEMENT CYCLE
Explaining information security management cycle consists of four separate topics: 1)

Information capital identification, 2) data and information classification, 3) data and
information lifecycle management and 4) information security planning.
3.1.1 Information capital identification
The key issue most enterprises is facing is – how to identify information capital? Information
systems usually store data, as already shown, if that data is given a certain context, they represent
information and information may become knowledge and information capital if they help the
management and enterprise to improve business outcome. However, it is very difficult to delimit
and identify information capital. It is achieved by deployment of measures of data and
information classification, using information lifecycle management techniques. Information
capital identification has to be done inside enterprises to achieve the following11:
1) Achieving the goals of excellence. Usage of identified information capital results in

increased efficiency, productivity and increased profit.
2) Creation of new products, services and business models. Information capital facilitates
creation of new business models, products and services and satisfy clients` needs.
3) Improved connection with clients and vendors. Favorable climate in relations towards
clients and vendors deepens the cooperation possibilities, increases revenue, margin and
lowers operative costs.
4) Enhanced decision making process. Managers recognize the importance of utilization
of adequate information in the right moment. Usage of inadequate, compromised or

11
Cf. Tijan, E.:“Data classification and information lifecycle management in port community systems“, Journal
of maritime studies, The faculty of maritime studies, Rijeka year. 23, num.. 2, 2009., p. 557.-568.
incorrect information may results in wrong decisions, business result and loss of clients.
Structurally classified and stored information capital enables usage of data and
information in real time during critical decision making.
5) Comparative advantage. Usually, when enterprises are oriented towards achievement of
one of business goals, like goals of excellence, new products, services and models, it is
quite obvious they have already achieved certain level of comparative advantage against
competition. Additional deployment of information capital results in increased business
efficiency.
6) Daily operations. Enterprises typically primarily invest in information technology
because it is necessary for daily operations. With deeper analysis, this may lead to more
structured approach, but information capital is certainly main facilitator behind daily
operations of enterprises.
It can be concluded that information capital is only that set of data, information and
structured knowledge used inside enterprises to create new forms or organization, management,
products and services and that gives enterprises competitive edge. Enterprise information capital
is protected by technical and organizational measures of integral and information security and by
legal regulations.
3.1.2 Data and information classification
Data classification and information lifecycle management are two mutually connected
activities. Once the data and information are adequately classified, the rules for their
management may be selectively applied. The rules for data classification do not differ
significantly from the rules for object classification in a domain system where similar objects or
users are grouped and a set of rules specific for that group is applied on them. The main goal is
to group information to classes having similar characteristics and therefore, requiring similar
approach to their management. There are several reasons why information classification is a
demanding and complex task. This process refers not only to existing information, but also to
information that might enter the system after it was once initially deployed. It is much easier to
add new information into already established system than introduce classification process to
existing data. The reason for this is rather simple: new information can be adjusted to existing
classification framework while already existing information may be present in form that does not
allow for such malleability. These reasons may take form of different database structures,
application and business layers or internal information owners.
There are also strict requirements for enterprises to maintain information in a structured
form. Data classification refers to enterprise information capital regardless of its form: it can be
documents stored on papers, centralized servers, transaction systems, other types of databases or
stored in a distributed way. Data classification can also be applied on services like electronic
mail or data contained on smart phones or telephones. Activity of information classification has
to be sponsored by highest management levels and information process management. The steps
in information lifecycle management are outlined in fig 2.
Fig 2: Steps in information lifecycle management
Information capital classification and categorization
Balancing of information classes and business needs
Determining service levels and cost goals
Establishing support services
Selection of inf. infrastructure management tools
Source: modified by the candidate, according to Tijan, E.:“Data classification and information
lifecycle management in port community systems“, Journal of maritime studies, The
faculty of maritime studies, Rijeka, year. 23, br. 2, p.562.
Information classification has to follow business processes and has to be adjusted to the
form of enterprise, real issues, goals and quality control system. Its goal is to set up a system that
enables not only information capital protection but also competition advantage arising from
systematic management of one`s own knowledge.
Modern policy of information classification and lifecycle management has to include
wider perspective than just legal requirements and information maturity (age). Among criteria to
be evaluated is also management of content, Intranet and Extranet management, connection of
enterprise information system with other enterprise systems, data mining and requirements of top
management decision systems. The end result of this process, and in the same time, input signal
for the information lifecycle management process is addition of business value to different
categories of data. This is best achieved in technologically highly developed enterprises where
service levels are well established and translated into standard offering of information services.
However, despite popular opinion, information capital is dynamic in nature and its attributes
rapidly change. This means that information capital movement inside organization may cause
change of their attributes. Such a process is best managed using a consistent system of best-
practice information service management like ITIL.
3.1.3 Data and information lifecycle management
As already shown, information capital classification is a basis for setup of coherent

information lifecycle management that cannot be by itself consistent. Information lifecycle
management enables cost efficiency, optimization of capital investments and related operative
costs and promotes goals of information security.
Information lifecycle management is in fact, sustainable strategy that balances costs of

data and information retention and storage with their business value that is always changing due
to internal and external changes in enterprises or organizations. It provides a practical
methodology to align those costs to priorities and goals of business policy. Considering that
during information lifecycle management, the underlying layer (data classification) also changes,
a new paradigm emerges – dynamic data classification. There are many reasons why it changes,
and some of them are12:
1) Changes in information classification or service levels

2) Changes in purpose of information usage
3) Changes in classification taxonomy
There are several models that can be utilized to create taxonomy of information classification.
Each of them assigns attribute to stored information. One of the most often used models is

12
Cf. Ibidem, p. 565
developed by Bell and LaPadula and it relies to classic concept of integrity, availability and
confidentiality. There are however also other models that can be partially of fully used during
introduction of the process of system of data and information classification:13
1) Graham-Denning model14
2) Discretional access control15
3) Mandatory access control 16
4) Clark-Wilson integrity model of access control 17
5) Multilevel security access control18
6) Biba integrity model19
Discussion of all these models is not further developed as most of these models are a part of
information science technology and practice and more information on them is readily available.20
3.1.4 Information security planning
As it was shown, information security is a decisive factor of enterprise business.

Information security is executed through a well-documented system that defines general criteria,
risks, functions and responsibilities in ensuring information capital. In order to enable the
management to fulfill these requirements, security procedures are put in place to protect
information and data and therefore contribute to enterprise activities. Basic document defining
critical factors of information security management is information security plan that has to be
aligned with the organization and therefore can have varying levels of complexity. Such a plan
tries to anticipate all possible risks that can have negative impact on the enterprise business
system and suggest various actions to avoid risks or mitigate their impact. Information security

13
Cf. Ibidem, p. 559.
14
Smith, R.: „Introduction to Multilevel Security“, http://www.cs.stthomas.edu/faculty/resmith/r/mls/index.html
(20.04.2009.)
15
Curphey, M., /et al./: „A Guide to Building Secure Web Applications, The Open Web Application Security
Project (OWASP)“,2002., http://www.cgisecurity.com/owasp/html/ch08s02.html (20.04.2009.)
16
http://www.freebsd.org/cgi/man.cgi?mac_biba (11.04.2009.)
17
Blake, S. Q.: „The Clark-Wilson Security Model“, http://www.lib.iup.edu/comsci-sec/SANSpapers/blake.htm
(20.04.2009.)
18
http://ou800doc.caldera.com/en/SEC_admin/IS_DiscretionaryAccCntlDAC.htm (11.04.2009.)
19
http://www.freebsd.org/cgi/man.cgi?mac_biba (11.04.2009.)
20
for detailed discussion of these models Cf. Aksentijevic, S: “Information security in function of information
capital management”, seminary paper, Economy of University”, Rijeka, 2010., p. 35-37 (not published)
plan is developed in line with internal documentation and processes. This document initially
states what is the dependency between business case of the enterprise and information capital of
the enterprise, and willingness of the enterprise management to implement a documented
procedure that promotes information capital security business function. After all necessary
procedures are identified along with legal requirements, a methodology used to implement
information capital security planning can be implemented gradually. Such a methodology is
shown on fig. 3.
Fig 3.: Steps in creation of information security plan
LEGAL REQUIREMENTS OF INFORMATION SEC.
BEST PRACTICE OF INFORMATION SECURITY
INTERNAL DOCUMENTATION
Identification of standards and underlying documentation
Evaluation of achieved level of information security
Defining information security priorities
Identification of responsible functions and operative levels
Identification of possible risks
Suggesting methods for risk mitigation

INTERNAL DOCUMENTATION
BEST PRACTICE OF INFORMATION SECURITY
LEGAL REQUIREMENTS OF INFORMATION SEC.
Source: Aksentijevic, S.: “Integral enterprise security function and information security
management system – Saipem Mediterranean Services LLc, Rijeka”, master thesis, University of
Economy, Rijeka, 2008, p.91. (not published)
Information security plan therefore defines also key organization’s positions. Initially,
needs for confidentiality, availability and integrity of information capital inside the business
context are being established. After that, inside established framework, need to distribute
information on a “need to know” basis and best practices during treatment and utilization of
information capital is being defined. Discretion levels are being created according to Bell-
LaPadulla model that are further used during information classification. After all possible risks
are identified, models to lower them or completely avoid them are implemented. The main tools
used in those models are constant education of employees, setting requirements and checks of
confidentiality towards third parties, and creation of business unit and department information
security plans. At the very end, key users (usually middle management) are identified, and they
are put in charge to execute and follow up information security plans inside their lines of
responsibility and ensure security of that part of enterprise information capital that is under their
control, and considered especially sensitive and confidential.
3.2 LEGAL AND BEST PRACTICE MEASURES IN INFORMATION

CAPITAL MANAGEMENT
There are several best practice systems that are used in process of information capital
management. Some of those systems are national, some are connected more with certain sectors
(for example, military complex or pharmaceutical industry) or they are a part of general
management of documentation and information technologies or project management
methodology.
COBIT21 is a framework for management of information technology created by ISACA22 and
ITGI23 in 1992. COBIT provides to managers, auditors and users of information systems a set of

21
Abbreviation for „Control Objectives for Information and related Technology“, for more details cf.
http://www.ezcobit.com/UsingCobit/html/00Intro2.html (19.05.2010.)
generally accepted measures, processes, indicators and rules that can help in maximization of
benefits of information capital, but also ensure adequate management of information resources
and control inside enterprises. It was issued in 1996. and its mission is research, development,
publishing and promoting of international set of accepted control goals used by managers and
auditors of information systems and security levels and controls. COBIT provides a basis for
decision making of investments in information infrastructure. It is based on 34 processes
covering 210 controls in 4 main groups: planning and organization, delivery, support and
delivery and follow up and evaluation. Entire COBIT system contains six publications:24
1) Management report
2) Framework
3) Control goals
4) Audit guidelines
5) Implementation tools
6) Management guidelines
Between years 2000. and 2002., a number of corporate scandals and frauds were
discovered in USA. Among them the most famous were scandals in companies Enron,
WorldCom and Tyco. Lessons learned from those scandals resulted in creation of Sarbanes-
Oxley law. Lack of control mechanisms has caused that enterprise consultants were in the same
time auditors that should provide independent opinion. Full title of Sarbanes-Oxley Law is
„Public Company Accounting Reform and Investor Protection Act of 2002“25. This law sets new
and enhances existing standards in accounting and businesses of American publicly owned
companies. As a consequence of this law, a number of agencies that supervise, regulate, inspect
and punish accounting and consultancy companies that are included in the process of audit.
American SEC defines that methodology used to achieve compliance with Sarbanes-Oxley Law

22
Abbreviation for “ Information Systems Audit and Control“, for more detailed description of the standard, cf.
http://www.isaca.org/ (19.05.2010.)
23
Abbreviation for „IT Governance Institute“, head office is in Rolling Meadows, Illinois, USA, cf.
http://www.itgi.org/ (19.05.2010.)
24
http://www.itsm.hr/itil-itsm-metodologija/metodologija-cobit.php (19.05.2010.)
25
Sarbanes-Oxley Law is mandatory for all enterprises regardless of size. To ensure information security
compliance, the most important are articles 302, 401, 404, 409 and 802, cf. http://www.soxlaw.com/s302.htm,
http://www.soxlaw.com/s401.htm, http://www.soxlaw.com/s404.htm, http://www.soxlaw.com/s409.htm,
http://www.soxlaw.com/s802.htm (18.05.2010.)
is COSO.26 COSO defines five main areas (components) of internal controls that support
requirements set by Sarbanes-Oxley. These five areas are the following:27
1) Risk assessment
2) Control environment
3) Control activities
4) Supervision
5) Informing and communicating
PRINCE 2 is acronym for “Projects In Controlled Environments”, and it is in fact a
methodology for project management. It was developed from previous version of PRINCE
technique issued by CCTA28 as a standard of project management in information sector, but
since then, the methodology was widely adapted and because de facto standard of project
management in United Kingdom and fifty other world countries. It does not provide a direct
framework for evaluation and support of information capital security activities inside enterprises.
PRINCE2 is structured in a way not only to mitigate possible risks, but also to derive benefits
from positive impact of unforeseen events, if applicable.
Another set of techniques used to manage infrastructure of information technologies is
described in ITIL29, a series of publications copyrighted in United Kingdom. It provides a set of
descriptions of important practices in management of tasks and procedures that can be adjusted
to suit needs of particular organizations. Currently valid version (v3) is issued in 2007.
The final concept of security management recognized by ITIL is – information security
and similarly to other standards, its main goal is to guarantee security of the information towards
risk, therefore, security is a way to achieve security from the risk. The main disadvantage of ITIL
information security process is the fact that ITIL controls are enriched by physical security
controls but lack in area of application, program and logical security.

26
Abbreviation for Committee of Sponsoring Organizations of the Treadway Commission, for detailed chart of the
committee, cf. http://www.coso.org (18.05.2010.)
27
The brochures regulating supporting matter are available on the Internet free of charge, cf.
http://www.coso.org/guidance.htm (19.05.2010.)
28
Abbreviation for Central Computer and Telecommunications Agency, that became in 2000. godine a part of
British Office of Government Commerce (OGC) agency. For more details on OGC agencys cf.
http://www.ogc.gov.uk/about_ogc_who_we_are.asp (19.05.2010.)
29
Abbreviation for “Information Technology Infrastructure Library”, for formal explanation of meaning cf. official
Internet pages on address http://www.itil-officialsite.com/AboutITIL/WhatisITIL.asp (19.05.2010.)
Finally, the most comprehensive norm of implementation of information security is
30
ISO/IEC 27001. It has in 2005. replaced British norm BS 7799-2. It is a standard of
information system security management intended to be used in conjunction with ISO/IEC
27002, formerly known as ISO/IEC 17799, a practical codex defining goals of security controls
and recommending their practical area of influence. It provides a practical model for
establishment, usage, follow up, maintenance and constant improvement of information security
management. Those organizations that use ISO/IEC 27002 during evaluation of their systems are
likely to be compliant to ISO/IEC 27001 norm. 31
Regardless of the formal system of certification or management of information security,
every enterprise or organization is a subject of a set of laws that regulate this area. Usually, the
most developed set of legal regulation relates to financial and banking sector.
4. CONSIDERATIONS OF USAGE OF ENTERPRISE INFORMATION
CAPITAL IN ACHIEVEMENT OF EFFICIENCY

To outline thoroughly connection between information capital and enterprise efficiency, two
topics need to be discussed: 1) Solow residual and information capital and 2) Information
capital and principles of Pareto efficiency.
4.1 SOLOW RESIDUAL AND INFORMATION CAPITAL
Efficiency and productivity are two very distinctive principles, so are macroeconomic
and microeconomic perspective, but nevertheless, investigation into some macroeconomic
aggregates may reveal interesting insight into unexpected behavior of some forms of capital in
economic reproduction. Clearly distinguishing between economic efficiency, analyzed as
microeconomic phenomenon, being a measure of resource utilization in achievement of certain
level of goods and services and economic productivity, as a macroeconomic phenomenon, and a
measure of output of production process in comparison to input (typical input factors being labor

30
Abbreviation for “International Organization for Standardization”, cf. http://www.iso.org/iso/about.htm
(19.05.2010.)
31
For detailed expansion of ISO 27001 topic, Cf. Aksentijevic, S: “Information security in function of
information capital management”, seminary paper, Economy of University, Rijeka, 2010., p. 45-51 (not
published)
and capital), further analysis can be done to establish whether in a macroenomic model,
additional deployment of information capital can be beneficial for overall economy productivity.
To achieve this, Solow32 residual may be deployed. After World War II, mass
industrialization and large investments into capital resources and automated production was
undertaken. Even the Soviet experience of controlled economy that achieved (at least initially)
high growth rates was sometimes cited as a right choice. Even though over-investment into
capital as a production factor may lead to diminishing returns due to equipment depreciation, this
was the path to be followed in many countries. However, other economists have taken the view
that once that marginal rate of return on capital becomes equal to marginal rate of return on
labor, the returns will diminish.
This consideration lead to a conclusion that only those countries that had previously
under-invested into capital stock will benefit greatly from additional investments in
infrastructure but other nations should concentrate on improving labor productivity. It was
Solow`s merit to identify an indicator (per-capita economic growth above the rate of capital
stock growth), named in his honor – Solow`s residual. Real economies data showed that
measured growth in standard of living could not be matched just in the growth or capital/labor
ratio. Solow explained that new technologies and innovation, rather than capital accumulation,
was the way for national economies to achieve growth. Solow`s residual is therefore a useful tool
to show the effect of so called “technology” growth, as opposed to “industrial” growth.
Some economists have over the time developed some major objections to the Solow
33
residual. The influence of technologies and, consequently, information capital, has been a
major source of disputes. In 1982, Nathan Rosenberg said that “economists have long treated
technological phenomena as events transpiring inside a black box....[and]adhered rather strictly
to a self-imposed ordinance not to inquire too seriously into what transpires inside that box.”34
These authors usually consider that such a large gap in unaccounted proportion of growth that is
not explained for by factors of production by itself poses a big problem. Another problem is the

32
Robert Merton Solow (born August 23, 1924) is an American economist particularly known for his work on the
theory of economic growth that culminated in the exogenous growth model named after him.
33
Cf. Francisco Louçã :”The Solow Residual as a Black Box: Attempts at Integrating Business Cycle and
Growth Theories”, History of Political Economy vol. 41, 2009, 334-355.
34
Nathan Rosenberg: “Inside the Black Box: Technology and Economics”, McGraw-Hill, 1983, p. 193-195, 225-
238.
neoclassical approach cultivated by Solow was not able to explain the emergence of crisis (this is
also issue with many other neoclassical – and other – microeconomic models. There is also some
empirical data that proves to be problematic to explain. For example, Plosser's and Mankiw's
panels may elaborate further on this, and they are shown in Fig. 4 and Fig. 5.
Fig 4.: Annual growth rate of technology
Source: Plosser, C.I., "Understanding Real Business Cycles," RCER Working Papers ,
University of Rochester - Center for Economic Research (RCER)., 1989, p. 198.
Fig. 4. shows annualized percentual rate of technology and Plosser’s conclusion was that
residuals are behaving according to the random walk theory. However, Mankiw has, on the other
hand, plotted residuals against the income series and claimed that residual was quite literally a
“leftover”, as shown on fig. 5.
Fig. 5: Solow Residuals and output growth

Source: Francisco Louçã :”The Solow Residual as a Black Box: Attempts at Integrating Business
Cycle and Growth Theories”, History of Political Economy vol. 41, 2009, 344.
There is also another interesting concept that can be derived from evaluations of Solow
residual. In 1987, after receiving a Nobel prize, Robert M. Solow said “You can see the
computer age everywhere but in the productivity statistics." This has since been known as
„Solow productivity paradox“ – and usually interpreted that the productivity of labour has not
risen after information technology has been introduced in industry and across enteprises.
Empirical evidence is that usage of new technologies boosts output in industry and office
evironments but such evidence cannot be confirmed by growth indicators. It is interesting that
exactly after 1970s, when computerization and usage of information science and capital was
really booming, the productivity has fallen down or at best, stagnated, as shown in table 1.
Table 1: productivity growth (%) in some world countries and associations 1960-2007
Source: calculations are based on The Conference Board and Groningen Growth and
Development Centre, total Economy Database, September 2008.
Let us also evaluate downtrend of annual productivity growth rates in output per hour for EU-
1535 and USA, as shown in Fig 6.

35
EU-15 consists of the following 15 countries of European Union: Austria, Belgium, Denmark, Finland, France,
Germany, Greece, Ireland, Italy, Luxembourg, the Netherlands, Portugal, Spain, Sweden and the United Kingdom.
Fig. 6: Trend in output per hour for EU-15 and U.S.A. 1981.-2004.
Source:
http://www.metrics2.com/blog/2007/01/24/2006_us_labor_productivity_growth_at_the_lowest_i
n.html (26.01.2011).
It would be interesting to evaluate this paradox, considering that even incidental evidence
show that intensive usage of computer capital should improve productivity and that additional
investments in information technology and accumulation of structural capital (information
capital included) should result in additional growth. Here are several possibilities why is that so:
1. Processes that involve intensive application of information capital are those that are
somewhat remote from “real economy” processes and production (even though
deployed technology in production process necessarily depends both on innovation
and underlying processes). That is why information capital enhances underlying
processes, but that does not translate into real productivity increase, neither in labor
nor in capital sense,
2. Similar analogy has been noted by some other authors. For example, economist Paul
David did not approve Solow’s position on this paradox and claimed that the problem
was a lag in productivity improvements since a new technology is introduced until it
produces tangible results. He underlined his opinion by drawing analogy with
introduction of electric motor in 1880. whose impact in statistics was negligible until
1913.36,
3. Finally, it is possible that information capital and innovations do not significantly

contribute to overall productivity of labor and capital. Some economists have proved
that information technology related capital accounts for less than two percent of used
capital in the world. 37.
Therefore, looking at impact of information capital on macroeconomic concept of

productivity yields divers and surprising results with inconclusive results that may be followed
up and evaluated only with flow of time.
4.2 INFORMATION CAPITAL AND PRINCIPLES OF PARETO EFFICIENCY
In its simplest form, Pareto efficiency model is a model of multi-criteria optimization that
is often used not only in economy, but also technical and social sciences. It is based around
change of parameters to get the best possible outcome for the set problem. In economics, Pareto
efficient solution is the one where there is no way to further improve the situation of one
participant, without worsening the situation of another. Such a distribution, or input, that satisfies
this requirement is considered to be “Pareto optimal”.Pareto efficiency model can be equally
applied in production of several goods, when outcomes have to be calculated in terms of quantity
of produced goods, or when adequate allocation of production factors like capital and labor has
to be achieved. Possible combinations of production factors that can be combined to create
output make so called Pareto Frontier, where any additional output of a certain product would
inevitably lead to less production of another, thus inevitably leading further away from Pareto
optimum.
Pareto efficiency is devoid of moral dilemmas. This means that all situations where one
person has all the riches in the world and some persons have none; or when a certain product is

36
Paul A. David: “The Dynamo and the Computer: An Historical Perspective on the Modern Productivity
Paradox”, The American Economic Review, Vol. 80, No. 2 , p.355-357
37
Stephen D. Oliner, Daniel E. Sichel, Kevin J. Stiroh: “Explaining a Productive Decade”, FEDS Working Paper
No. 2007-63, p.17
fully produced just by labor almost no capital; or when a quantity of certain product is produced
“at the expense” of another – may be on the Pareto Frontier and Pareto optimal and/or efficient.
A number of possible outcomes may be further explored by introduction of Kaldor-Hicks

model of distribution, where it is possible to build a brand new frontier if those who are made
better off by initial distribution compensate those that are made worse off to achieve balance, as
shown on fig. 7.
Fig 7.: Kaldor-Hicks improvements
Source: http://www.newworldencyclopedia.org/entry/John_Hicks (27.01.2011.)
When further evaluating properties of information capital stock in regard to efficiency, it

is important to establish connection between information and its price: typically, it is the market
that establishes the information value as a price that does not have to be monetary or financial, it
can also be established as barter or its exchange utility. However, it is very difficult to deal with
terms like price of the information. To try to do so, one has to start with definition of a good –
“Good: commodity or service that is regarded by economists as satisfying a human need. An
economic good is one that is both needed and sufficiently scarce to command a price.”38
Furthermore, information rarely has rival goods that could diminish its utility but certainly has
many properties of excludable good, meaning that unwanted people can be excluded from using
it. Value and type of the price of information or any other tradable good is not intrinsic to the
nature of the product and may change with e.g. technology.
Despite popular belief, as it was the case with the relation between information and
macroeconomic productivity, information capital within enterprises behaves as a fix investment
cost and a sunk cost, many analysts believe that ICT investments have no or little value for the
price of a firm (despite the fact that analysts themselves use expensive ICT tools!) and while
information and knowledge have positive connotations in sciences, traditional economic
perspective relates information to inefficient markets, with few exceptions.39 Usual economic
model calls for perfect knowledge, information and convexity of preferences while those markets
that are associated with information are typically limited and information is in fact present in
shortage, not allowing market mechanisms to match demand and supply, as shown on Fig. 8.
Fig 8.: Classical supply-demand model under inefficient conditions of information capital market
Source: George A. Fodor: “The Value of Information”, Short version of the Milano University
presentation, ABB AB, Sweden, Milano, October 2008., p/ 28.

38
The New Oxford American Dictionary, Erin McKean, 2005.
39
Cf. Margaretha Levander,” Så gör analitikerna när de värderar ditt bolag” (Translation from Swedish: This is
how analysts are evaluating your company), CIO Sweden, http://cio.idg.se/2.1782/1.181573, 27.01.2011.
Orthodox evaluations of classical forms of capital, therefore, cannot answer the dilemma
posed by general behavior of information capital in economic reproduction. The key resource is
therefore not anymore information capital itself, but ownership over information capital that
prevents others from gaining access to it; it is a barrier for entry of competition. Additional
difficulty in this evaluation is present because of duality in information nature: information that
has convex properties is already embedded in equilibrium price, while information that is not
convex (for example, future markets and patents) is not included in the equilibrium, bit will
appear in future in the market. Therefore, enterprises are typically interested only in value of
non-convex type of information.
5. CONCLUSION

Behavior of information capital in the cycle of economic reproduction is quite diverse,

depending on the level of aggregation. On the company level, information capital is a factor of
competitive advantage that is protected by the technical measures of information security, legal
framework and organizational measures aimed towards ensuring confidentiality, availability and
integrity of enterprise capital stock. Increased levels of information capital stock are connected
with increased productivity.
On the microeconomic level, there are serious problems present in evaluation of information
capital as it behaves differently than physical of financial capital. Main trait of information
capital in that scenario are expectations and scarcity and its main property is unavailability to
other market players. This makes information capital elusive for analysis as it is typically
considered to function in non-efficient strata of the market.
On the macroeconomic level, surprisingly, increased levels of information capital are not
significantly correlated with higher productivity. It remains to be seen what exactly is the source
of this phenomenon as new forms of capital caused by technical progress typically required
several decades in order to be statistically measurable.
Maintenance of information capital stock is technically very demanding and financially very
expensive business function, both in terms of investments and running costs, therefore,
enterprises should aim to optimize what is the productive part of their information stock through
methods of data classification and information lifecycle management, in line with their own
needs and procedures and legislative requirements and maintain and manage only that part of
overall information capital in order to achieve goals of cost efficiency.
LITERATURE
BOOKS
1. Canzer, B.: „E-Business: Strategic Thinking and Practice“, McGill University, and
Concordia University, 2006.
2. Louçã, Francisco :”The Solow Residual as a Black Box: Attempts at Integrating
Business Cycle and Growth Theories”, History of Political Economy vol. 41, 2009.
3. Rosenberg, Nathan: “Inside the Black Box: Technology and Economics”, McGraw-
Hill, 1983.
ARTICLES
1. Tijan, E.:“Data classification and information lifecycle management in port

community systems“, Journal of maritime studies, The faculty of maritime studies,
Rijeka year. 23, num.. 2, 2009.
2. Curphey, M., /et al./: „A Guide to Building Secure Web Applications, The Open Web
Application Security Project (OWASP)“, 2002.
3. Plosser, C.I., "Understanding Real Business Cycles", RCER Working Papers ,
University of Rochester - Center for Economic Research (RCER)., 1989.
4. Paul, A. David: “The Dynamo and the Computer: An Historical Perspective on the
Modern Productivity Paradox”, The American Economic Review, Vol. 80, No. 2
5. Oliner, Stephen D., Sichel, Daniel E., Stiroh, Kevin J: “Explaining a Productive
Decade”, FEDS Working Paper No. 2007-63
6. Fodor, George A: “The Value of Information”, Short version of the Milano University
presentation, ABB AB, Sweden, Milano, October 2008.
OTHER SOURCES
1. Aksentijevic, S: “Information security in function of information capital

management”, seminary paper, Economy of University, Rijeka, 2010. (not published)
2. Aksentijevic, S.: „Operative Information Protection Plan“ , WI-SMS-ICT-105-E rev2,
working instruction of ISO 9001 system, Saipem Mediteran Usluge d.o.o., Rijeka,
01.02.2009.
3. Levander, Margaretha: “Så gör analitikerna när de värderar ditt bolag” (Translation
from Swedish: This is how analysts are evaluating your company), CIO Sweden, 2008.
4. The Conference Board and Groningen Growth and Development Centre, total Economy
Database, September 2008.
5. The New Oxford American Dictionary, Erin McKean, 2005.
INTERNET SOURCES
1. Blake, S. Q.: „The Clark-Wilson Security Model“, http://www.lib.iup.edu/comsci-

sec/SANSpapers/blake.htm (20.04.2009.)
2. Smith, R.: „Introduction to Multilevel Security“,
http://www.cs.stthomas.edu/faculty/resmith/r/mls/index.html (20.04.2009.)
3. http://ou800doc.caldera.com/en/SEC_admin/IS_DiscretionaryAccCntlDAC.htm
(11.04.2009.)
4. http://www.freebsd.org/cgi/man.cgi?mac_biba (11.04.2009.)
5. http://www.ezcobit.com/UsingCobit/html/00Intro2.html (19.05.2010.)
6. http://www.isaca.org/ (19.05.2010.)
7. http://www.itgi.org/ (19.05.2010.)
8. http://www.itsm.hr/itil-itsm-metodologija/metodologija-cobit.php (19.05.2010.)
9. http://www.soxlaw.com/s302.htm, http://www.soxlaw.com/s401.htm,
http://www.soxlaw.com/s404.htm, http://www.soxlaw.com/s409.htm,
http://www.soxlaw.com/s802.htm (18.05.2010.)
10. http://www.coso.org (18.05.2010.)
11. http://www.coso.org/guidance.htm (19.05.2010.)
12. http://www.ogc.gov.uk/about_ogc_who_we_are.asp (19.05.2010.)
13. http://www.itil-officialsite.com/AboutITIL/WhatisITIL.asp (19.05.2010.)
14. http://www.iso.org/iso/about.htm (19.05.2010.)
15. http://www.metrics2.com/blog/2007/01/24/2006_us_labor_productivity_growth_at_the_l
owest_in.html (26.01.2011).
16. http://www.newworldencyclopedia.org/entry/John_Hicks (27.01.2011.)
17. http://cio.idg.se/2.1782/1.181573 (27.01.2011.)
18. http://www.cs.berkeley.edu/~bh/hacker.html (06.05.2010.)
19. http://www.law.cornell.edu/uscode/44/usc_sec_44_00003542----000-.html (18.05.2010.)
20. http://www.microsoft.com/protect/yourself/phishing/identify.mspx (05.05.2010.)
21. http://www.cgisecurity.com/owasp/html/ch08s02.html (20.04.2009.)
22. http://www.freebsd.org/cgi/man.cgi?mac_biba (11.04.2009.)
ILLUSTRATIONS
1. Fig. 1. Pyramid of relationship: data, information, knowledge and business strategy

2. Fig. 2: Steps in information lifecycle management
3. Fig. 3.: Steps in creation of information security plan
4. Fig. 4.: Annual growth rate of technology
5. Fig. 5: Solow Residuals and output growth
6. Fig. 6: Trend in output per hour for EU-15 and U.S.A. 1981.-2004.
7. Fig. 7.: Kaldor-Hicks improvements
8. Fig. 8.: Classical supply-demand model under inefficient conditions of information
capital market
1. Table 1: productivity growth (%) in some world countries and associations 1960.-2007.

Impact of Information Capital On Enterprise Efficiency - An Overview

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Impact of Information Capital On Enterprise Efficiency - An Overview

Transféré par

Droits d'auteur :

Formats disponibles

UNIVERSITY IN RIJEKA

THE FACULTY OF ECONOMY IN RIJEKA

IMPACT OF INFORMATION CAPITAL ON ENTERPRISE EFFICIENCY

Mentor:prof.dr.sc. Maks Tajnikar

Doctoral candidate: Sasa Aksentijevic

Field: Business economy

Reg. number: 37/09

Rijeka, January 2011.

IMPACT OF INFORMATION CAPITAL ON ENTERPRISE EFFICIENCY

Running business is nowadays characterized by immanent need to treat information

Change of identification and classification concept of information capital through its

Key words: information capital, information security, productivity, Pareto efficiency

1.1 RESEARCH PROBLEM, SUBJECT AND OBJECT.................................................. 7

2. IMPORTANT CHARACTERISTICS OF INFORMATION SECURITY AND

2.1 DEFINITION, DEVELOPMENT AND IMPORTANCE OF INFORMATION

2.2 ELEMENTS OF THE INFORMATION CAPITAL..................................................... 19

3. INFORMATION SECURITY – DECISIVE FACTOR OF SUCCESSFUL

3.1 INFORMATION SECURITY MANAGEMENT CYCLE……….............................. 24

4. CONSIDERATIONS OF USAGE OF ENTERPRISE INFORMATION CAPITAL

4.1 SOLOW RESIDUAL AND INFORMATION CAPITAL……………………………. 33

1.1. Research problem, subject and object

1.2 Working and support hypotheses

1.3 Research goal and purpose

Goal of the research is to prove existence of independent form of capital – information

This paper will provide answers to the following questions:

1) What is information capital?

5) What is the impact of utilization of information capital on enterprise efficiency?

1.5 Paper structure

Topics in this paper will be presented in five connected chapters.

IMPORTANT CHARACTERISTICS OF INFORMATION CAPITAL AND

INFORMATION SECURITY – DECISIVE FACTOR OF SUCCESSFUL

CONCLUSION is the final chapter of the paper, containing a systematic recapitulation of

2.1 DEFINITION, DEVELOPMENT AND IMPORTANCE OF

2.1.1 Definition and development of information security

Information security is protection of information and information systems from unauthorized

Change of focus of information security towards information technologies was prominent

2.1.2 Strategic importance of information security in enterprises

Strategic importance of information security in enterprise management can be evident from

Enterprise information security is achieved through tight regulation of access to information

1) computer network access controls,

2.1.3 Impact of the risk concept on information security

1) Access to sensitive data by unauthorized personnel. Historically, both internal and

As a summary, information capital risk management is a structured approach to

2.2 ELEMENTS OF THE INFORMATION CAPITAL

2.2.1 Definition and inception of information capital

Information security and information capital seem to be seemingly understandable at first

Therefore, enterprise information capital can be defined as non-material form of capital

Source: created by ph.d. candidate

- Techno centric perspective, with a strong focus on underlying technology, enabling

Information capital and, consequentially, knowledge, can be further divided to explicit

Information capital management principally consists of two mutually connected

3.1 INFORMATION SECURITY MANAGEMENT CYCLE

Explaining information security management cycle consists of four separate topics: 1)

3.1.1 Information capital identification

1) Achieving the goals of excellence. Usage of identified information capital results in

3.1.2 Data and information classification

Fig 2: Steps in information lifecycle management

3.1.3 Data and information lifecycle management

As already shown, information capital classification is a basis for setup of coherent

Information lifecycle management is in fact, sustainable strategy that balances costs of

1) Changes in information classification or service levels

3.1.4 Information security planning