Q&A

Risk: A Financial View

Markets and money are imperfect metaphors for security metrics when it comes to risk analysis. But, as Senior Editor Todd Datz's discussion with Kellogg School finance professor Kathleen Hagerty demonstrates, CSOs can learn from economists.

By Todd Datz

Page 5

That happens in all capital budgets; you take the cash flows and discount them. There are two ways that cash flows are handicapped. One is that they're handicapped by how far in the future they come: things that happen right away get a little handicap, and things far away get a bigger handicap. The other handicap is how certain you are. If it's a sure thing, there's no handicap; the more uncertain you are, the bigger the handicap. That handicapping is where the risk comes in. Things that are riskier get a bigger handicap. Beta is a way of getting a number for the handicap.

Typically, betas are computed by a financial person. He or she looks at the risk of a project and the nature of the risk.

Security projects aren't, presumably, any different from other projects in a firm. Everybody's doing something to either generate revenue or cost savings. In financial markets, if you mess up, you lose money. In security, if you mess up, the result could be a nuisance, such as a computer virus that shuts down a system for a few hours, or a catastrophe, such as an explosion at a chemical plant. How can you take a financial-markets strategy and modify it to account for the wide variety of security risks?

Some would argue that you could assign a dollar value to every outcome: if a really terrible thing happens, I lose X dollars. That would be like financial markets, where every outcome has a number associated with it. Finance is premised on the idea that you can put a number on everything, even if it's a gigantic number.

But there are people who feel like there isn't really a number you can assign to every bad thing, such as a 9/11-type event. But [even in a case like that], I guess people don't think there's any infinite loss, where you'd spend everything you had to avoid any possibility of something ever happening. That suggests you can assign some finite number.

With its long history, finance must have scores of commonly accepted definitions and formulas. Security executives, on the other hand, often have different definitions of what constitutes a security breach and different ways of measuring the costs of fixing a breach. Does that make it harder to deal with the issue of risk?

I think it does. A lot of measurement has to do with getting statistical measures; that requires that you're talking about the same thing. If you want a time series on a certain kind of thing, you need to know what those things are. People probably get too focused on getting it exactly right, but it's important to have some homogeneity in what you're talking about. In finance, the trick is to turn them into a dollar cost or dollar benefit. Potentially, security could do that; you might use the cost of something happening as the metric.
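The discounting Hagerty describes, carried through on constructed numbers. This is an added Python example, not part of the interview or of CSO's material. It assumes the standard CAPM relation (required return = risk-free rate + beta times the market premium) as the way a beta becomes a discount rate, which the interview implies but does not spell out, and it uses the "cost of something happening" metric from the last answer as the project's benefit. Every figure in it (up-front cost, maintenance, incident probabilities, loss per incident, betas, rates) is made up for illustration.

```python
"""Risk-adjusted NPV of a security project (added example; all figures are constructed)."""


def capm_discount_rate(beta: float, risk_free: float, market_return: float) -> float:
    """Turn a beta into a discount rate with CAPM: r = rf + beta * (rm - rf).

    This is the handicap for uncertainty: the riskier the project (higher beta),
    the larger the rate, and so the larger the haircut on every future cash flow.
    """
    return risk_free + beta * (market_return - risk_free)


def npv(cash_flows, rate: float) -> float:
    """Net present value. cash_flows[t] arrives t years out; t=0 is undiscounted.

    Dividing by (1 + rate) ** t is the handicap for time: a flow one year out
    gets a small haircut, a flow five years out a much bigger one.
    """
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def annual_loss_avoided(p_before: float, p_after: float, cost_per_incident: float) -> float:
    """Expected annual loss the control removes: (p_before - p_after) * cost.

    This is the security metric suggested in the interview: the cost of the
    thing happening, weighted by how likely it is to happen in a year.
    """
    return (p_before - p_after) * cost_per_incident


def security_project_npv(beta: float,
                         risk_free: float = 0.03,
                         market_return: float = 0.10,
                         upfront_cost: float = 500_000.0,
                         annual_maintenance: float = 50_000.0,
                         years: int = 5,
                         p_before: float = 0.30,
                         p_after: float = 0.05,
                         cost_per_incident: float = 1_500_000.0) -> float:
    """NPV of a hypothetical control. Defaults are assumptions, not real data.

    Year 0: pay the up-front cost. Years 1..years: receive the avoided loss
    minus maintenance. Both handicaps apply through npv() and the CAPM rate.
    """
    benefit = annual_loss_avoided(p_before, p_after, cost_per_incident) - annual_maintenance
    cash_flows = [-upfront_cost] + [benefit] * years
    return npv(cash_flows, capm_discount_rate(beta, risk_free, market_return))


if __name__ == "__main__":
    # Same project, three views of how uncertain its payoff is.
    for beta in (0.5, 1.0, 1.5):
        rate = capm_discount_rate(beta, 0.03, 0.10)
        print(f"beta={beta:.1f}  rate={rate:.3f}  NPV=${security_project_npv(beta):,.0f}")
```

With these assumed figures the control is worth funding at every beta shown, but its NPV falls by roughly a quarter as beta rises from 0.5 to 1.5: the same cash flows, handicapped harder because the payoff is less certain. Changing `p_after` or `cost_per_incident` shows how sensitive the decision is to the loss estimates the last answer says security teams rarely agree on.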
