Risk: A Financial View

Markets and money are imperfect metaphors for security metrics when it comes to risk analysis. But, as Senior Editor Todd Datz's discussion with Kellogg School finance professor Kathleen Hagerty demonstrates, CSOs can learn from economists.

Security executives must factor risk into everything they do. Should the fence be 8 feet high or 10? Did we do an extensive enough background check on the new engineer? How many people have access to the CEO's travel itinerary? Should we upgrade our intrusion detection software?

Unfortunately, just like when your child asks you how big the universe is, questions like these rarely have easy, concrete answers ("Really big, son"). Security is a field that's rife with uncertainty. And though security execs work hard to quantify their contributions to the business, the practice of applying metrics to security is relatively immature. CSOs don't have reams of data to help them make decisions or justify investments; in fact, even if they do, there may not be agreement on how those metrics are defined.

The field of finance, on the other hand, has been around for comparative eons. Two of the key foundations of finance, probability and risk, used by both practitioners and academics to think about uncertainty, can be traced back to a couple of 17th century French mathematicians, Blaise Pascal and Pierre de Fermat. "It's everything. We wouldn't have anything to teach if we didn't have risk," says Kathleen Hagerty, the First Chicago Distinguished Professor of Finance and Codirector of the Center for Financial Institutions and Markets at Northwestern University's Kellogg School of Management.

Senior Editor Todd Datz spoke with Hagerty to gain an understanding of how a finance professor thinks about risk and how the study of risk in financial markets might apply to the field of security.

CSO: Please answer the following: Risk is ...?

Kathleen Hagerty: In a financial setting there are a lot of different kinds of risk. It's uncertainty, so you don't know what's going to happen. It could be good or bad; it isn't always bad.

CSO: Can you explain the idea of good risk?

Hagerty: I teach options. You can expect a stock price to be $100, but it could be $120 or $80. So there's uncertainty, and some of the outcomes are better and some are worse. It isn't necessarily all bad.

The real issue is you're not sure how it's going to go. The benchmark you're starting from isn't the best-case scenario, it's somewhere in the middle. Most of the risk we talk about in finance is risk associated with price uncertainty: the stock price, the option price, the price of a bond. The uncertainty of prices reflects the uncertainty in the world, but we concentrate on price uncertainty.

CSO: Have there been any changes in the whole concept of risk, any ground-breaking models?

Hagerty: In the 1960s, [academics] developed more precise models of how stock prices are determined. One of the big insights was the development of portfolio theory, which said that there are certain kinds of risk you can reduce or eliminate through diversification. If you can eliminate it, you're not going to get any compensation for varying it. Certain kinds of risk matter in the sense that you want a return for bearing it. Other kinds of risk you can eliminate; so you're not going to get anything.

There's also the idea that there are different kinds of risk. There's a distinction between risk you can do something about through diversification and risk you can't do anything about. Here's an example of two risks that you can do something about: 1. A CEO gets sick; 2. Someone in that CEO's firm accidentally discovers NutraSweet. You get these sort of good and bad things across different firms, and those kind of net each other out. If I had an [investment] portfolio of a lot of different firms, these kinds of idiosyncratic good and bad things [can offset] each other. You can kind of eliminate that kind of risk in a portfolio as a whole by holding a lot of different stocks.

There's another [type] of risk, which is a risk you can't eliminate. For example, certain things in the economy affect every firm, for instance oil prices, recessions, taxes and regulatory policy. They all kind of hit everybody the same way. So diversification doesn't work.

CSO: What types of data, numbers and metrics are important for figuring out risk in finance?

Hagerty: In finance, most of the measures we use come straight from statistics: standard deviation, expected value, variance. The data we work with is mostly price data, such as bond and stock prices and exchange rates. Price data is pretty cut and dry; there's no question what the price of IBM is. You're interested in how prices move around, and there's good data on prices, tons of publicly available information; the price of IBM you can see all day every day. You also have a really good sense, historically, of the behavior of IBM: the volatility, the average, how listings have changed over time. There's almost a problem of too much information.

CSO: Are there any data categories that are less precise, a little fuzzier?

Hagerty: There are parts of financial markets where people are very interested in seeing prices, but aren't able to. There are two venues where people trade. One is on exchanges, such as the NYSE and the Chicago Mercantile Exchange. Those are public exchanges; everybody can see all the prices. The other big part of financial markets is trades between banks, investment banks. [Those transactions aren't] run through exchanges, so they're not publicly available. So there are all these trades between institutions that you don't see; prices you don't see.

Also the cost of trading can be hard to see. What are the commissions? If I buy 10 shares, I'll get one price. If I buy 10,000 shares, I have to pay a different price. What are those two different prices?

You also might be interested in who buyers and sellers are. That you can't always see. Sometimes it would be interesting to know why they did what they did.

CSO: Are there certain tried-and-true formulas that are integral to calculating finance risk?

Hagerty: There are formulas that are very well-known, for instance the formula for beta, the measurement for how much economywide risk a certain stock has. Different stocks have different exposures. So there will be some firms that are very cyclical: when their product's up, they do great; when it's down, they do terrible.

For option pricing, there's the Black-Scholes formula. That's a very well-known formula. (For definitions of these and other terms in this article, see "Glossary," this page.)

None of these are perfect. The expectation is that over time they'd be improved. People continue to evaluate the models, figure out how they can do better.

CSO: Let's talk about security. In finance, metrics have been worked on and developed over decades. The idea of applying metrics to security is relatively new. What are some of the lessons or models of finance that could be applied to security?

Hagerty: One of the ideas in finance is that you have a lot of different events: stock price changes, lots of different firms. I don't know if security is like that, that is, there are 100,000 things that happen, and you're kind of looking at the average. In finance there are lots and lots of different stocks, lots of different days. Finance is about insurance: evaluating risk, how to move it around between people so that some people can bear the risk better than others. It's pooling risk.

There are two strategies for handling risk. One is diversification strategy, which is: We pool our risk, and everybody takes a little piece. The other idea is from options, hedging, in which we find two people that have the opposite exposure. There are these things called weather derivatives. For some people a lot of snow is a good thing, for others, it's bad. If you own a ski resort, lots of snow would be good. If you're a city and you have a snow removal budget, lots of snow would be bad. So people who have opposite exposures get together and they self-insure each other. If I'm a ski resort owner and it snows a lot, I'll make lots of money, so I'll give part of the money I make to the city and vice versa.

In security, I don't think anybody would say a computer virus is good for them, so an options strategy probably doesn't work. In financial markets, there are two sides to every transaction. When prices go up, there's usually somebody out there who likes it, and when prices go down, somebody out there who likes it. I don't think you have that kind of exposure in security.

CSO: Portfolio management is an important topic in finance. In fact, some CIOs are using that model to help them look at their overall portfolio of IT projects, and decide which projects to do and not do. Do you think that a portfolio model could help CSOs?

Hagerty: One of the things portfolio theory looks at is how different stocks relate to each other. That I guess is an idea that can be carried over. Some stocks tend to move together; some tend to move up when others are down. It's the idea of correlation. You could think of security projects [using this model]; if all my projects overlapped, or were connected to each other, and one didn't work out, then that's probably a bad thing. You could imagine using the idea of correlation in the sense that if some projects didn't work out, at least others would, or at least that they had some independence from each other. It's like companies that have different product lines, so that if one doesn't go exactly right, the whole thing won't fall apart.

Not only do you want things different, you don't want them to all succeed or fail at the same time. I think security executives could think about that.
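The following is an editor's illustration added to this article, not part of the interview or Hagerty's own material. It puts numbers on the diversification and correlation points above: the spread of the average outcome across N projects (or N independent risks such as the sick CEO and the accidental discovery) shrinks as N grows when the outcomes are independent, but stops shrinking at a floor set by the shared correlation, which is the economywide, non-diversifiable kind of risk. The per-project spread (`sigma`) and correlations (`rho`) are constructed values; the variance formula for equally correlated risks is standard.

```python
"""Editor's added example: diversifiable vs. non-diversifiable spread.

Assumes N risks with the same standard deviation `sigma` and the same
pairwise correlation `rho` (0 = independent, 1 = all move together).
Var(average of N) = sigma^2 / N + (N - 1) / N * rho * sigma^2
"""
import math


def portfolio_std(n: int, sigma: float, rho: float) -> float:
    """Standard deviation of the average outcome across n correlated risks."""
    if n < 1:
        raise ValueError("need at least one risk")
    if not 0.0 <= rho <= 1.0:
        raise ValueError("rho must lie between 0 and 1")
    variance = sigma ** 2 / n + (n - 1) / n * rho * sigma ** 2
    return math.sqrt(variance)


def undiversifiable_floor(sigma: float, rho: float) -> float:
    """Limit of portfolio_std as n grows: the part no amount of pooling removes."""
    return math.sqrt(rho) * sigma


def diversification_table(sigma: float, rhos, sizes):
    """Rows of (n, {rho: std}) for side-by-side comparison of correlation levels."""
    return [
        (n, {rho: round(portfolio_std(n, sigma, rho), 3) for rho in rhos})
        for n in sizes
    ]


if __name__ == "__main__":
    SIGMA = 10.0  # constructed: each project's outcome swings about +/- 10 units
    RHOS = (0.0, 0.2, 0.5)
    for n, row in diversification_table(SIGMA, RHOS, (1, 4, 16, 100, 1000)):
        print(f"N={n:5d}", row)
    print("floors:", {rho: round(undiversifiable_floor(SIGMA, rho), 3) for rho in RHOS})
```

With `rho = 0` the spread falls as 1/sqrt(N); with `rho = 0.5` it never drops below about 7.07 no matter how many projects are pooled, which is the numerical form of "you don't want them to all succeed or fail at the same time."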

There's also the portfolio idea of high risk, high return. You could imagine where you might have a project and it might be very expensive, and if it works it might be fabulous. But it's kind of risky. So maybe you think about doing something else simpler, maybe not quite as good, but more of a sure thing.

CSO: What about options theory?

Hagerty: Options are all about contingency contracts. The big innovation that came with option pricing theory was how to figure out a fair price for those contracts. If I give you the right to walk away in the future, I'm at a disadvantage. So how much should you compensate me? What's a reasonable price? Option pricing helps you figure that out.

Prices are easiest to figure out; there's good data and prices are objective. There isn't disagreement about what the price of IBM is. You could also use options theory to come up with the temperature at the San Francisco airport at noon on Dec. 3; it's just a little harder.

CSO: Our readers generally have tight budgets and have to allocate their spending to achieve a maximum return. What role can measuring risk play in helping them achieve that?

Hagerty: Suppose you were doing capital budgeting for a network security project. You'd say, "Here's the project. It will cost me this much today. I will either get some stream of revenue or some stream of cost savings over time. We're going to save X dollars a year because we won't have disruptions, viruses and so on. So if I spend this money today, the benefits are going to accrue over, say, 10 years." The way that risk comes in is that you don't know exactly what the benefit is going to be. You want a single number that picks up what you're going to spend today and the cash flows and savings that are going to come in over time. You want to reflect some things about those cash flows, in particular, when those savings are coming in. You also want to reflect how certain you are about what those benefits are going to be. That's where the risk comes in: "I'm positive it's going to be $100 a year" versus "I think it might be $100, but it could be zero or $200," which is a riskier set of savings.

That happens in all capital budgets; you take the cash flows and discount them. There are two ways that cash flows are handicapped: One is they're handicapped by how far in the future they come; things that happen right away get a little handicap, things far away get a bigger handicap. The other handicap is how certain you are. If it's a sure thing, there's no handicap; the more uncertain you are, the bigger the handicap. That handicapping is where the risk comes in. Things that are riskier get a bigger handicap. Beta is a way of getting a number for the handicap.

Typically, betas are computed by a financial person. He or she looks at the risk of a project and the nature of the risk. Security projects aren't, presumably, any different from other projects in a firm. Everybody's doing something to either generate revenue or cost savings.

CSO: In financial markets, if you mess up, you lose money. In security, if you mess up, the result could be a nuisance, such as a computer virus that shuts down a system for a few hours, or a catastrophe, such as an explosion at a chemical plant. How can you take a financial markets strategy and modify it to account for the wide variety of security risks?

Hagerty: Some would argue that you could assign a dollar value to every outcome: If a really terrible thing happens, I lose X dollars. That would be like financial markets, where every outcome has a number associated with it. Finance is premised on the idea that you can put a number on everything, even if it's a gigantic number.
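The following is an editor's illustration added to this article, not part of the interview, of the capital-budgeting exchange above: it carries the two "handicaps" through for a hypothetical network security project, the time handicap via a risk-free rate and the risk handicap via beta (the standard risk-free plus beta times market premium form), and it puts a single number on a set of uncertain outcomes by probability-weighting their dollar values, as the last answer suggests. The cost, savings, rates and the choice of beta 1.0 for the "sure thing" and 2.0 for the "$0 or $200" project are constructed assumptions for the demonstration, not figures from the article.

```python
"""Editor's added example: risk-adjusted net present value of a security project.

Constructed assumptions: a 4% risk-free rate, a 6% market premium, a $500
outlay today, 10 years of savings, and a higher beta for the uncertain project.
"""


def discount_rate(risk_free: float, beta: float, market_premium: float) -> float:
    """Time handicap (risk_free) plus risk handicap (beta * market_premium)."""
    return risk_free + beta * market_premium


def discount_factor(rate: float, year: int) -> float:
    """Present value today of one dollar received `year` years from now."""
    return 1.0 / (1.0 + rate) ** year


def expected_annual_saving(outcomes) -> float:
    """Probability-weighted saving from [(probability, dollars), ...]."""
    total_prob = sum(p for p, _ in outcomes)
    if abs(total_prob - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    return sum(p * dollars for p, dollars in outcomes)


def npv(initial_cost: float, annual_saving: float, years: int, rate: float) -> float:
    """Spend initial_cost today; receive annual_saving at the end of each year."""
    present_value = sum(annual_saving * discount_factor(rate, y) for y in range(1, years + 1))
    return present_value - initial_cost


def compare_projects(initial_cost=500.0, years=10, risk_free=0.04, market_premium=0.06):
    """NPV of a sure $100/year against an uncertain $0/$100/$200 with the same mean."""
    projects = (
        ("sure thing", [(1.0, 100.0)], 1.0),                        # constructed beta
        ("risky", [(0.25, 0.0), (0.5, 100.0), (0.25, 200.0)], 2.0),  # constructed beta
    )
    results = {}
    for name, outcomes, beta in projects:
        rate = discount_rate(risk_free, beta, market_premium)
        saving = expected_annual_saving(outcomes)
        results[name] = round(npv(initial_cost, saving, years, rate), 2)
    return results


if __name__ == "__main__":
    # The time handicap alone: a dollar next year vs. a dollar in year 10 at 10%.
    print("year 1:", round(discount_factor(0.10, 1), 3), "year 10:", round(discount_factor(0.10, 10), 3))
    print(compare_projects())
```

Both projects promise the same expected $100 a year, yet the sure thing comes out with a positive NPV (about $114) and the uncertain one negative (about -$17), because the larger handicap on the riskier cash flows shrinks their present value below the outlay.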
