Risk: A Financial View

Markets and money are imperfect metaphors for security metrics when it comes to risk analysis. But, as Senior Editor Todd Datz's discussion with Kellogg School finance professor Kathleen Hagerty demonstrates, CSOs can learn from economists

November 01, 2004 — CSO — Security executives must factor risk into everything they do. Should the fence be 8 feet high or 10? Did we do an extensive enough background check on the new engineer? How many people have access to the CEO's travel itinerary? Should we upgrade our intrusion detection software?

Unfortunately, just like when your child asks you how big the universe is, questions like these rarely have easy, concrete answers ("Really big, son"). Security is a field that's rife with uncertainty. And though security execs work hard to quantify their contributions to the business, the practice of applying metrics to security is relatively immature. CSOs don't have reams of data to help them make decisions or justify investments; in fact, even if they do, there may not be agreement on how those metrics are defined.

The field of finance, on the other hand, has been around for comparative eons. Two of the key foundations of finance, probability and risk, used by both practitioners and academics to think about uncertainty, can be traced back to a couple of 17th century French mathematicians, Blaise Pascal and Pierre de Fermat. "It's everything. We wouldn't have anything to teach if we didn't have risk," says Kathleen Hagerty, the First Chicago Distinguished Professor of Finance and Codirector of the Center for Financial Institutions and Markets at Northwestern University's Kellogg School of Management.

Senior Editor Todd Datz spoke with Hagerty to gain an understanding of how a finance professor thinks about risk and how the study of risk in financial markets might apply to the field of security.CSO: Please answer the following: Risk is....?Kathleen Hagerty: In a financial setting there are a lot of different kinds of risk. It's uncertainty, so you don't know what's going to happen. It could be both good or bad; it isn't always bad. Can you explain the idea of good risk?I teach options. You can expect a stock price to be $100, but it could be $120 or $80. So there's uncertainty, and some of the outcomes are better and some are worse. It isn't necessarily all bad.

The real issue is you're not sure how it's going to go. The benchmark you're starting from isn't the best-case scenario, it's somewhere in the middle. Most of the risk we talk about in finance is risk associated with price uncertaintythe stock price, the option price, the price of a bond. The uncertainty of prices reflects the uncertainty in the world, but we concentrate on price uncertainty.Have there been any changes in the whole concept of risk, any ground-breaking models?In the 1960s, [academics] developed more precise models of how stock prices are determined. One of the big insights was the development of portfolio theory, which said that there are certain kinds of risk you can reduce or eliminate through diversification. If you can eliminate it, you're not going to get any compensation for varying it. Certain kinds of risk matter in the sense that you want a return for bearing it. Other kinds of risk you can eliminate; so you're not going to get anything.