S_Asset (Asset Toxicity Score)
Intrinsic risk score of a dataset, independent of owner context
S_Asset (Asset Toxicity Score) measures the inherent privacy risk of a dataset based solely on its contents, independent of who owns it or how it's used. This score captures the "raw material" risk that exists regardless of context—the intrinsic danger posed by the data itself before considering security measures, organizational controls, or regulatory jurisdiction.
The score is calculated from multiple factors weighted by regulatory significance and re-identification potential. PII category severity forms the primary input: direct identifiers (Social Security numbers, government IDs, biometric data) carry the highest weights; sensitive categories under GDPR Article 9 (health, genetic, racial/ethnic, political opinions, religious beliefs, sexual orientation) score next highest; and quasi-identifiers (ZIP code, birth date, gender, job title) are weighted by their cardinality and linkage potential. A dataset containing Social Security numbers inherently scores higher than one with only email addresses, regardless of security controls.
Additional factors modify the base severity. Data volume affects exposure scale—a million-record database represents more potential harm than a thousand-record database with identical PII types. Retention period matters because older data is more likely to have been exposed through past breaches or shared with defunct third parties. Dataset dimensionality (number of attributes) increases mosaic effect risk, as more quasi-identifier combinations create higher re-identification probability.
S_Asset is deliberately context-independent. The same dataset receives the same S_Asset score whether held by a Fortune 500 company with sophisticated security or a startup with minimal controls. This enables standardized comparison across organizations and transactions: when evaluating an M&A target's data assets, S_Asset provides an apples-to-apples measure of raw data toxicity that can be compared against other deals or industry benchmarks.
The chemical toxicity analogy is precise. S_Asset measures potential harm from the substance itself, like the LD50 of a compound—before considering exposure pathways, protective equipment, or storage conditions. A highly toxic compound remains dangerous regardless of how carefully it's stored; a dataset with biometric data and Social Security numbers remains high-risk regardless of encryption. This baseline toxicity score is then modified by contextual factors (jurisdiction, security posture, consent documentation) to produce R_Total, the comprehensive liability metric.