Frank Bernhard: The Art of Uncertainty

To hear Frank Bernhard tell it, economics is anything but the dismal science—and risk management is the key to a CSO's success.

The economics of risk. If you shuddered when you read that, then you're like most of us who see in the phrase a migraine waiting to happen. Probability curves, contrapositives, null hypotheses and egghead professors with Nobel prizes. The economics of risk is not for the faint of heart.

Economist Frank J. Bernhard must have a strong ticker, then, because he'll talk to you all day (trust us, he visited our office) about the economics of risk and, with eagerness, verve and a Magic Marker to jot down some Greek letters, expound on behavioral economic theory. Bernhard is a technology economist and managing principal with Omni Consulting Group in Davis, Calif. His latest book, Beyond Collaboration: How Supply Chains Meet Demand Chains (CRC Press, 2002), describes economic evidence of the sustainable partnerships and innovation that will unfold in the next century.

Thankfully, Bernhard's greatest skill seems to be his ability to wax statistic but then translate it into a language that you understand, and can use: Security insurance is like Goldilocks. Car thieves know how much you should spend on security. He even condones (gasp!) guesstimation as a risk management tool.

Managing Editor Elaine M. Cummings spoke with Bernhard to learn what in the world an economist thinks of the current state of security, how CSOs should be thinking about the economics of risk, and, most important, how they should be communicating it. Read on to see what Bernhard had to say. We promise you won't shudder once.

CSO: The concept of risk can be a little nebulous. Is there a working definition?

Frank Bernhard: Yes. Simply put, risk is something that happens if you don't do something else; more specifically, it's a computed chance or probability of something negative happening.

Are economic risk and business risk the same things?

No. Economic risk can involve things like supply-and-demand conditions or geopolitical events. Business risk extends to the outcome of not getting investors. Or losing customers. Or the failure of a product or service. Business and economic risk can coexist in various cycles of the economy and may be interrelated to other causal relationships, such as waning demand coupled with diminished investor confidence.

Why does an economist care about risk?

Economics is about choice, about how we allocate resources. It's about trading one resource for another. So as an economist, I focus on the outcomes of risk, which I see as a binary situation, that is, something either happens or it doesn't. One resource has to be conserved or maximized to influence an outcome; that guides some of the primary influencers in making an event happen or not. And I'm interested in the things that contribute positively to the risk equation. I could get fancy and tell you that the null hypothesis of something happening is contrapositive to one outcome over the other....

OK, stop there. So should a CSO look at risk like a businessperson or an economist?

Well, both are interested in the mitigation of risk. But whenever you look at security, whether you're a CSO or an economist, you have to look at it as a trade-off. You need to ask, Am I actually trading something of positive value that's going to help me be more productive, or will it cost me productivity? If you stop and think about the real effect of security, in addition to perhaps mitigating risk, you've probably slowed things down. Everything in the enterprise is scarce in resources and abundant in demands. The challenge is to achieve balance between sensible investment in security and not lose productive business ground in the process.

When it comes to security, most people talk about the technology of security, not the economics of it.

That's because risk is difficult to measure. And when something is difficult to decipher, we tend to look at well-defined solutions of technology instead of focusing on its risk-reduction perspective.

So that means you can measure risk?

Risk is certainly measurable. Since risk is a factor of probability and it has an outcome, you can measure it and model it and start to understand its core attributes with some level of specificity. And then you can develop some sort of rubric or schedule as far as how to curb risk or induce risk. Like a simple scorecard that takes inventory of risk types and assigns the cost of such outcomes, a CSO can begin to apply sensitivity analyses to derive a calculated picture of an enterprise's given risk model.

But how can you anticipate every risk? If you look at homeland security, for instance, most of us never imagined before 9/11 that some of those things could happen.

Sure. The new risks we're dealing with today simply have to be added to the inventory of risk. It's a pool of risk-based scenarios. Sadly, it's becoming something more than just the benign and basic risk elements. Security officers today need to take inventory of their risk elements in their environment and their IT landscapes. And then they need to start by assigning some sort of probability, or at least some ranking measures and triage, to the risk equation.

Where do you begin?

Take an inventory of all the different possible risks, like the loss of data, and then assign probabilities to those risks. The number of risks can extend ad infinitum, but you can start by deductively measuring the most prominent, rather than the highly obscure.

When do you know the optimal timing to take risks, when to be risk averse?

I think that it's human nature to be risk averse. Some people have less appetite or propensity for risk. But we are, at our core, risk-averse people. That means we want to challenge the notion that something we don't want to happen, in fact, will. So we have to ask, If I do X procedure or make Y decision, then is Z outcome going to occur? And have I set thresholds for myself?

What kind of thresholds?

Life is never without risk. Every day we go out into the world, drive our cars, get on airplanes, get on the Internet. And we have a certain amount of risk that we accept in doing those things. In economic terms, we can't mitigate risk to a zero value; there's no such thing as zero in risk. It's all about how much risk you're willing to take on and actually absorb. So you set logical thresholds for what you're willing to accept as an appetite for risk. In the stock market, for instance, investment performance is calculated by assigning what we call a risk coefficient. You can actually put numbers to the predicted risk performance. If the risk coefficient is computed to be less than a market-equilibrated threshold, then your investment position is said to be conservative. If the risk coefficient is greater than that threshold, you're said to be risk dominant. In other words, you're willing to accept some measure of risk as a higher economic payment in the event of a positive outcome.

Likewise, you have to set thresholds in your enterprise within your control for the amount of risk you're willing to accept. Then determine where to establish a coefficient that's within your comfort zone.

How do you determine that threshold?

First, consider your resources and possible contingencies. If the risk of losing a server is greater than the ability to recover the data in that server, then do not proceed with whatever procedure might jeopardize the loss of the server. You start with asking yourself what the very essence of risk is in your enterprise. The answer will be very individualistic. And the trade-offs are numerous.

What would you identify as the number-one area for information security concern today?

It's threefold, really. First, you need to control access. Most attacks happen because people have access to systems, not the server, per se, because the server is the only end point of access. Access happens when I walk into the building. So you need to think about access cards that give free-moving entrance to facilities. Access may also be logging on to a network. So you create passwords or authentication to the network.

The second part is to think about information assets and their hierarchy in the organization. For example, is your customer data the most important asset to running your organization? Or is it the financial systems? The supply chain system? Or your data warehouse? And do your employees use the data on their desktop, or is it used strictly on a protected server? You have to start by doing some hierarchical mapping of what your information assets are to prioritize what is most at risk.

Then, thirdly, you need to consider mobility, the combination of access and assets. I mean, how do people interface with your systems? You have wireless LANs [local area networks] and VPNs [virtual private networks], and all that comes with technology, but the problem is, you still have people in the equation. And people are using systems and assets outside of the wired environment that they've traditionally operated in. So they have to come back to the basics of how to control that mobility.

And then how do you know how much to spend, and on what, to mitigate risk?

It's difficult to know how much spending is enough. You need to determine how much risk you're willing to accept and assume. And then financially and methodically compute that risk. And that's where most people really get stuck. Either the tendency has been to spend without concern for a bottom-line impact or go overboard with governance that maniacally destroys the productivity of an organization.

Guesstimation is not an exact science, but it's a good start. Pay attention to that visceral feeling about where you think your risk is most obvious. Then boil it down to the top three areas driving security: access, information assets and mobility. That makes up about 85 percent of your concerns.

And the other 15 percent?

Is around the physical buildings, facilities and perimeter security, largely those elements of risk being waged against in the efforts of homeland security. If you think about security in general, the safety of a democratic and civil society imposes enough moral restraint to diminish rampant chaos. But security does extend to physical infrastructure of organizations and the challenge to maintain order amidst the outbreak of terrorism and overt violation of public law.

Spending on insurance is just one way to mitigate risk. How much is enough there?

It's a tale right out of Goldilocks. Typically, people sign up for either too much or too little insurance. They don't ever have just the right amount of insurance. You have to start by asking, What's the valuation of the assets I'm protecting? What's the probability of risk assignment? And then what's the cost to protect those assets?

To spend the appropriate amount on insurance, you want the cost of insuring an asset to be less than or equal to the cost of the asset itself. The premium must justify the means of loss protection. Pooled risk dictates that some loss is inevitable but the premium schedule for such assurance should be commensurate with the risk basis. So if an insurance policy protects your million-dollar asset and the policy costs $900,000, and the risk of destruction or complete loss is, say, 15 percent, then the risk of loss is grossly disproportionate to the premium paid for asset assurance.

The numbers may be high as an example, but they speak to a point. Insurers want the least of risk for the maximum amount of premium. The enterprise wants the maximum amount of protection for the least amount of investment. Therein lies the economic argument for investment and risk mitigation: The equation must balance at a level of security adequacy and fiscal prudence.

Think about buying an extended warranty on a television, for example, where the asset life is relatively short but the policy is almost 30 percent of the item's original cost. If you divide the useful life by its original cost and compare the premium for replacement, the math seldom favors the consumer. Much in the same way, companies spend on protecting their assets, but they can actually get to a point of diminishing returns.

How do you optimize that spending on security?

First, it comes down to common sense. You want to be risk cautious, but you don't want to be risk absurd. The practical question you have to ask is, Does the behavior or the policy in the governance of my enterprise match the level of risk that it's willing to accept?
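The risk scorecard, the sensitivity analysis and the Goldilocks premium check that Bernhard describes in the answers above, carried through in Python as an added example. This is not code from the interview, from CSO or from Omni Consulting Group. It models expected loss as asset value times probability of loss over the planning period; the risk inventory entries and the television figures are constructed for illustration, and the only numbers taken from the interview are the million-dollar asset, the $900,000 premium and the 15 percent chance of loss.

```python
"""Risk scorecard and insurance premium check (added example).

Expected loss = asset value x probability of loss in the planning period.
The inventory and the TV figures below are constructed, not article data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float   # dollars at stake if the event occurs
    probability: float   # chance the event occurs in the planning period

    def expected_loss(self) -> float:
        return self.asset_value * self.probability


def rank_risks(risks):
    """Scorecard: most prominent risks first, ordered by expected loss."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def sensitivity(risk, shifts):
    """Recompute expected loss when a guesstimated probability moves by each
    shift (e.g. -0.02, +0.02); the probability is clamped to [0, 1]."""
    table = {}
    for shift in shifts:
        p = min(1.0, max(0.0, risk.probability + shift))
        table[shift] = risk.asset_value * p
    return table


def premium_verdict(asset_value, probability, premium):
    """Goldilocks check on an insurance premium.

    'absurd'     : the premium exceeds the value of the asset it protects.
    'overpaying' : the premium exceeds the expected loss.
    'reasonable' : the premium is at or below the expected loss.
    """
    expected = asset_value * probability
    if premium > asset_value:
        return "absurd"
    if premium > expected:
        return "overpaying"
    return "reasonable"


def breakeven_probability(asset_value, premium):
    """Probability of loss at which the premium equals the expected loss."""
    return premium / asset_value


# Constructed inventory following the access / assets / mobility split.
INVENTORY = [
    Risk("customer database breach", 5_000_000, 0.05),
    Risk("data warehouse outage", 2_000_000, 0.20),
    Risk("lost laptop with VPN credentials", 250_000, 0.30),
    Risk("badge tailgating into server room", 1_000_000, 0.02),
]

if __name__ == "__main__":
    ranked = rank_risks(INVENTORY)
    for r in ranked:
        print(f"{r.name:36s} expected loss ${r.expected_loss():>12,.0f}")
    # How far does the top item move if its probability is off by 2 points?
    for shift, loss in sensitivity(ranked[0], (-0.02, 0.0, 0.02)).items():
        print(f"  probability {shift:+.2f}: ${loss:,.0f}")
    # The interview's figures: $1M asset, $900,000 premium, 15% chance of loss.
    print(premium_verdict(1_000_000, 0.15, 900_000))
    print(breakeven_probability(1_000_000, 900_000))
    # Constructed TV: $500 set, $150 extended warranty, 10% chance of failure.
    print(premium_verdict(500, 0.10, 150))
```

With the interview's figures the expected loss is $150,000 against a $900,000 premium, so the verdict is "overpaying", and the premium only breaks even if the chance of losing the asset reaches 90 percent. The sensitivity table is the check a CSO wants before trusting a guesstimate: if a two-point shift in one probability reorders the scorecard, that estimate deserves more work than the rest.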

Page 1 of 2