Risk: A Financial View

Markets and money are imperfect metaphors for security metrics when it comes to risk analysis. But, as Senior Editor Todd Datz's discussion with Kellogg School finance professor Kathleen Hagerty demonstrates, CSOs can learn from economists

Page 2 of 2

But there are people who feel like there isn't really a number you can assign to every bad thing, such as a 9/11-type event.

But, [even in a case like that], I guess people don't think there's any infinite loss, where you'd spend everything you had to avoid any possibility of something ever happening. That suggests you can assign some finite number.

With its long history, finance must have scores of commonly accepted definitions and formulas. Security executives, on the other hand, often have different definitions of what constitutes a security breach and different ways of measuring the costs of fixing a breach. Does that make it harder to deal with the issue of risk?

I think it does. A lot of measurement has to do with getting statistical measures; that requires that you're talking about the same thing. If you want a time series on a certain kind of thing, you need to know what those things are. People probably get too focused on getting it exactly right, but it's important to have some homogeneity of what you're talking about. In finance, the trick is to turn them into a dollar cost or dollar benefit. Potentially security could do that; you might use the cost of something happening as the metric.

If you have some structure of the problem, you can probably develop some metrics. If you can look at a series of security problems and say, "What ways are they all kind of the same?", that's really the contribution of academic finance. You create models that don't pick up every little detail. What is the fundamental structure that is the same in every situation? That gives you some metrics. Of all the zillions of things that can happen, what are the key commonalities?

Are there any new trends among academia or companies in thinking about risk?

There was huge innovation in finance in the 1960s and 1970s. The beta [calculations] came in the '60s, options pricing in the '70s; a lot of work since then has been in refining and developing those. There hasn't been anything totally revolutionary [since then]. My guess is that the way a corporate finance textbook looked in 1980 is pretty different than today, but that a 1980 book would look hugely different from a 1960 textbook. The work done in the '60s and '70s completely revolutionized financial markets. It not only changed what was taught to people; it changed financial practice.

What are some practical ways security execs, many of whom lack a strong background in business or finance, can get a handle on some of the things we've talked about?

Kellogg and other schools have weeklong programs called Finance for Non-Finance Executives. Those are good ways to quickly get the essence of what you need to know so that when a CFO comes in and shows you the numbers, you know what they're designed for, what they mean, what case they're trying to make. They're perfect for that type of person. The people who typically show up for these are marketing people; they're kind of in a similar situation [as security leaders]. They're not finance people; they're salespeople. They still have to justify whatever it is they're doing.

What standard book on finance would you recommend for someone who wants to get a good overview of the topic?

Principles of Corporate Finance by Richard A. Brealey and Stewart Myers. It's the standard, basic finance textbook. Wharton, Chicago and the vast majority of business schools use that book. The problem is, it's a giant book. The way textbooks work now is if there's anything anyone could possibly want, they put it in. Someone would need to read [only] a subset of the book.

Any other ways CSOs could brush up on their financial chops?

If they weren't embarrassed to do it, they could always sit down with someone in their finance department. A lot of this is basic MBA finance; I think there are probably plenty of people in an organization that could sit down and explain it to you.

Copyright © 2004 IDG Communications, Inc.
