Q&A

Risk: A Financial View

Markets and money are imperfect metaphors for security metrics when it comes to risk analysis. But, as Senior Editor Todd Datz's discussion with Kellogg School finance professor Kathleen Hagerty demonstrates, CSOs can learn from economists.

By Todd Datz

Not only do you want things different, you don't want them to all succeed or fail at the same time. I think security executives could think about that.

There's also the portfolio idea of high risk, high return. You could imagine where you might have a project and it might be very expensive, and if it works it might be fabulous. But it's kind of risky. So maybe you think about doing something else simpler, maybe not quite as good, but more of a sure thing.

What about options theory?

Options are all about contingency contracts. The big innovation that came with option pricing theory was how to figure out a fair price for those contracts. If I give you the right to walk away in the future, I'm at a disadvantage. So how much should you compensate me? What's a reasonable price? Option pricing helps you figure that out.

Prices are easiest to figure out; there's good data and prices are objective. There isn't disagreement about what the price of IBM is. You could also use options theory to come up with the temperature at the San Francisco airport at noon on Dec. 3; it's just a little harder.

Our readers generally have tight budgets and have to allocate their spending to achieve a maximum return. What role can measuring risk play in helping them achieve that?

Suppose you were doing capital budgeting for a network security project. You'd say, "Here's the project. It will cost me this much today. I will either get some stream of revenue or some stream of cost savings over time. We're going to save X dollars a year because we won't have disruptions, viruses and so on. So if I spend this money today, the benefits are going to accrue over, say, 10 years." The way that risk comes in is that you don't know exactly what the benefit is going to be. You want a single number that picks up what you're going to spend today and the cash flows and savings that are going to come in over time. You want to reflect some things about those cash flows, in particular, when those savings are coming in. You also want to reflect how certain you are about what those benefits are going to be. That's where the risk comes in: "I'm positive it's going to be $100 a year" versus "I think it might be $100, but it could be zero or $200," which is a riskier set of savings.
