Sarah D. Scalet
Senior Editor

Risk, Information Security, and Economics

Dec 09, 2002 | 4 mins
Data and Information Security, Risk Management, ROI and Metrics

Economics is changing information security. You can help write the new rule book.

In the world of business, risk—for all its uncertainty—has a rule book. In fact, the financial and insurance industries have built an entire discipline around predicting the chance of an injury or loss, protecting against it and reaping the benefits if bad things never happen.

The rules are the principles behind risk management, and they’re fueled by the raw data of financial statements from public companies, complex actuarial tables of past events and decades of academic rigor.

Information security, however, is a whole new game in which the economic goal is clear: Spend the smallest amount of money necessary to protect the enterprise. Win in a photo finish.

But how? Companies have a hard enough time counting how many dimes they’re spending to protect how many dollars, never mind calculating the damage from an employee who inadvertently (or not) reveals company secrets or the value of the training that might prevent such an occurrence. Security’s only reward—if you could call it that—is that weaker competitors are often the ones plagued by such mistakes and miscreants. But because companies are reluctant to talk about either their best practices or their breaches, it’s hard to know exactly where the competition stands. With numbers fuzzy and the payoff vague—nothing bad happened to us today, thanks—risk management in information security has traditionally had a different meaning than it does for the rest of the business community.

But all that is about to change.

As information security—and along with it the CSO—rises in prominence, so too does the need for practitioners to apply traditional theories and models of risk management to information security—to put structure around the process of mitigating risks, accepting some of them and transferring others to third parties.

“If you don’t manage risk you’re going to lose money,” says Steve Katz, former CISO for Merrill Lynch, Citigroup and J.P. Morgan who’s now a consultant. “Companies have been great about looking at credit risk or the risks of a particular customer or region. Companies and regulators are simultaneously beginning to realize the importance of operational risk and information security as a component of it.”

Right now, several factors are converging to make this, the economics of risk, the issue for CSOs in 2003. Companies offering cyberinsurance are creating actuarial models, rather than guesstimates, that map security practices to financial losses. They’ll soon be helped along by the new Basel Capital Accord (see “Safety at a Premium,” Page 50), which will establish ways for financial services companies to measure operational risks. Courts are starting to apply dollar signs to losses from security breaches. Legal precedents and emerging standards will make it easier to quantify exactly when companies have done enough.

Meanwhile, CEOs and CFOs are demanding accountability for every dollar spent, providing new incentives for CSOs—and security vendors, analysts and consultancies as well—to help prove themselves worthwhile. As a result, companies are starting to calculate a return on security investment, based primarily on the cost of security, the cost of breach and the probability that it will happen.

It would be naive at best to suggest that any of this is a science. “We’re just leaving puberty,” is how Katz describes the field of information security. Far from knowing the answers about how much money to spend and where to spend it, we’re just starting to know the questions.

But one thing is certain: In the coming years, the information security community has the chance to work with auditors, economists, accountants, lawyers, insurance companies and a bevy of other experts to find ways to put structure around the money spent on information security. The ability to join in this dialogue is vital to individual CSOs and to the burgeoning profession as a whole. But, to hear at least one observer tell it, the convergence of risk management and information security might have even greater implications.

“I think this is going to make or break the economy,” says Thomas Koulopoulos, president, CEO and founder of the Delphi Group. “Unless we can find a way to more securely, and with greater trust, transact across enterprise lines, I don’t think we’re going to have the economic growth everyone is hoping for. I think this is fundamental to growing—and I hate to use this phrase—a new economy, if there is a new economy out there.”

For your business and profession to survive, you have to play the game of risk. If you want to win, then help write the rules. We’ll help you get started.