Risk: A Financial View

Markets and money are imperfect metaphors for security metrics when it comes to risk analysis. But, as Senior Editor Todd Datz's discussion with Kellogg School finance professor Kathleen Hagerty demonstrates, CSOs can learn from economists

You also might be interested in who buyers and sellers are. That you can't always see. Sometimes it would be interesting to know why they did what they did. Are there certain tried-and-true formulas that are integral to calculating finance risk?There are formulas that are very well-knownfor instance, the formula for beta, the measurement for how much economywide risk a certain stock has. Different stocks have different exposures. So there will be some firms that are very cyclicalwhen their product's up, they do great; when it's down, they do terrible.

For option pricing, there's the Black-Scholes formula. That's a very well-known formula. (For definitions of these and other terms in this article, see "Glossary," this page.)

None of these are perfect. The expectation is that over time they'd be improved. People continue to evaluate the models, figure out how they can do better. Let's talk about security. In finance, metrics have been worked on and developed over decades. The idea of applying metrics to security is relatively new. What are some of the lessons or models of finance that could be applied to security?One of the ideas in finance is that you have a lot of different eventsstock price changes, lots of different firms. I don't know if security is like thatthat is, there are 100,000 things that happen, and you're kind of looking at the average. In finance there are lots and lots of different stocks, lots of different days. Finance is about insuranceevaluating risk, how to move it around between people so that some people can bear the risk better than others. It's pooling risk.

There are two strategies for handling risk. One is diversification strategy, which is: We pool our risk, and everybody takes a little piece. The other idea is from optionshedgingin which we find two people that have the opposite exposure. There are these things called weather derivatives. For some people a lot of snow is a good thing, for others, it's bad. If you own a ski resort, lots of snow would be good. If you're a city and you have a snow removal budget, lots of snow would be bad. So people who have opposite exposures get together and they self-insure each other. If I'm a ski resort owner and it snows a lot, I'll make lots of money, so I'll give part of the money I make to the city and vice versa.

In security, I don't think anybody would say a computer virus is good for them, so an options strategy probably doesn't work. In financial markets, there are two sides to every transaction. When prices go up, there's usually somebody out there who likes it, and when prices go down, somebody out there who likes it. I don't think you have that kind of exposure in security.Portfolio management is an important topic in finance. In fact, some CIOs are using that model to help them look at their overall portfolio of IT projects, and decide which projects to do and not do. Do you think that a portfolio model could help CSOs?One of the things portfolio theory looks at is how different stocks relate to each other. That I guess is an idea that can be carried over. Some stocks tend to move together; some tend to move up when others are down. It's the idea of correlation. You could think of security projects [using this model]; if all my projects overlappedor were connected to each otherand one didn't work out, then that's probably a bad thing. You could imagine using the idea of correlation in the sense that if some projects didn't work out, at least others would, or at least that they had some independence from each other. It's like companies that have different product lines, so that if one doesn't go exactly right, the whole thing won't fall apart.