Markets and money are imperfect metaphors for security metrics when it comes to risk analysis. But, as CSO's discussion with Kellogg School finance professor Kathleen Hagerty demonstrates, security experts can learn from economists how to look at risk as a collection of factors that account for events both real and anticipated.
Security executives must factor risk into everything they do. Should the fence be two-metres high or three? Did we do an extensive enough background check on the new engineer? How many people have access to the CEO's travel itinerary? Should we upgrade our intrusion detection software?
Unfortunately, just like when your child asks you how big the universe is, questions like these rarely have easy, concrete answers ("Really big, son"). Security is a field that's rife with uncertainty. And though security execs work hard to quantify their contributions to the business, the practice of applying metrics to security is relatively immature. CSOs don't have reams of data to help them make decisions or justify investments; in fact, even if they do, there may not be agreement on how those metrics are defined.
The field of finance, on the other hand, has been around for comparative eons. Two of the key foundations of finance, probability and risk, used by both practitioners and academics to think about uncertainty, can be traced back to a couple of 17th century French mathematicians, Blaise Pascal and Pierre de Fermat. "It's everything. We wouldn't have anything to teach if we didn't have risk," says Kathleen Hagerty, the First Chicago Distinguished Professor of Finance and Codirector of the Center for Financial Institutions and Markets at Northwestern University's Kellogg School of Management.
CSO (US) senior editor Todd Datz spoke with Hagerty to gain an understanding of how a finance professor thinks about risk and how the study of risk in financial markets might apply to the field of security.
Kathleen Hagerty: In a financial setting there are a lot of different kinds of risk. It's uncertainty, so you don't know what's going to happen. It could be both good or bad; it isn't always bad.
Can you explain the idea of good risk?
I teach options. You can expect a stock price to be $100, but it could be $120 or $80. So there's uncertainty, and some of the outcomes are better and some are worse. It isn't necessarily all bad.
The real issue is you're not sure how it's going to go. The benchmark you're starting from isn't the best-case scenario, it's somewhere in the middle. Most of the risk we talk about in finance is risk associated with price uncertainty - the stock price, the option price, the price of a bond. The uncertainty of prices reflects the uncertainty in the world, but we concentrate on price uncertainty.
Have there been any changes in the whole concept of risk, any ground-breaking models?
In the 1960s, [academics] developed more precise models of how stock prices are determined. One of the big insights was the development of portfolio theory, which said that there are certain kinds of risk you can reduce or eliminate through diversification. If you can eliminate it, you're not going to get any compensation for varying it. Certain kinds of risk matter in the sense that you want a return for bearing it. Other kinds of risk you can eliminate; so you're not going to get anything.
There's also the idea that there are different kinds of risk. There's a distinction between risk you can do something about through diversification and risk you can't do anything about. Here's an example of two risks that you can do something about: 1. A CEO gets sick; 2. Someone in that CEO's firm accidentally discovers NutraSweet. You get these sort of good and bad things across different firms, and those kind of net each other out. If I had an [investment] portfolio of a lot of different firms, these kinds of idiosyncratic good and bad things [can offset] each other. You can kind of eliminate that kind of risk in a portfolio as a whole by holding a lot of different stocks.
There's another [type] of risk, which is a risk you can't eliminate. For example, certain things in the economy affect every firm - for instance, oil prices, recessions, taxes and regulatory policy. They all kind of hit everybody the same way. So diversification doesn't work.
What types of data, numbers and metrics are important for figuring out risk in finance?
In finance, most of the measures we use come straight from statistics - standard deviation, expected value, variance. The data we work with is mostly price data, such as the bond and stock prices and exchange rates. Price data is pretty cut and dried; there's no question what the price of IBM is. You're interested in how prices move around and there's good data on prices, tons of publicly available information; the price of IBM you can see all day every day. You also have a really good sense, historically, of the behaviour of IBM - the volatility, the average, how listings have changed over time. There's almost a problem of too much information.
Are there any data categories that are less precise, a little fuzzier?
There are parts of financial markets where people are very interested in seeing prices, but aren't able to. There are two venues where people trade. One is on exchanges, such as the NYSE and the Chicago Mercantile Exchange. Those are public exchanges; everybody can see all the prices. The other big part of financial markets is trades between banks - investment banks. [Those transactions aren't] run through exchanges; so they're not publicly available. So there are all these trades between institutions that you don't see; prices you don't see.
Also the cost of trading can be hard to see. What are the commissions? If I buy 10 shares, I'll get one price. If I buy 10,000 shares, I have to pay a different price. What are those two different prices?
You also might be interested in who buyers and sellers are. That you can't always see. Sometimes it would be interesting to know why they did what they did.
Are there certain tried-and-true formulas that are integral to calculating finance risk?
There are formulas that are very well-known - for instance, the formula for beta, the measurement for how much economy-wide risk a certain stock has. Different stocks have different exposures. So there will be some firms that are very cyclical - when their product's up, they do great; when it's down, they do terrible.
For option pricing, there's the Black-Scholes formula. That's a very well-known formula. (For definitions of these and other terms in this article, see the "Glossary" below.)
None of these are perfect. The expectation is that over time they'd be improved. People continue to evaluate the models, figure out how they can do better.
Let's talk about security. In finance, metrics have been worked on and developed over decades. The idea of applying metrics to security is relatively new. What are some of the lessons or models of finance that could be applied to security?
One of the ideas in finance is that you have a lot of different events - stock price changes, lots of different firms. I don't know if security is like that - that is, there are 100,000 things that happen, and you're kind of looking at the average. In finance there are lots and lots of different stocks, lots of different days. Finance is about insurance - evaluating risk, how to move it around between people so that some people can bear the risk better than others. It's pooling risk.
There are two strategies for handling risk. One is a diversification strategy, which is: We pool our risk, and everybody takes a little piece. The other idea is from options - hedging - in which we find two people that have the opposite exposure. There are these things called weather derivatives. For some people a lot of snow is a good thing, for others, it's bad. If you own a ski resort, lots of snow would be good. If you're a city and you have a snow removal budget, lots of snow would be bad. So people who have opposite exposures get together and they self-insure each other. If I'm a ski resort owner and it snows a lot, I'll make lots of money, so I'll give part of the money I make to the city and vice versa.
In security, I don't think anybody would say a computer virus is good for them, so an options strategy probably doesn't work. In financial markets, there are two sides to every transaction. When prices go up, there's usually somebody out there who likes it, and when prices go down, somebody out there who likes it. I don't think you have that kind of exposure in security.
Portfolio management is an important topic in finance. In fact, some CIOs are using that model to help them look at their overall portfolio of IT projects, and decide which projects to do and not do. Do you think that a portfolio model could help CSOs?
One of the things portfolio theory looks at is how different stocks relate to each other. That I guess is an idea that can be carried over. Some stocks tend to move together; some tend to move up when others are down. It's the idea of correlation. You could think of security projects [using this model]; if all my projects overlapped - or were connected to each other - and one didn't work out, then that's probably a bad thing. You could imagine using the idea of correlation in the sense that if some projects didn't work out, at least others would, or at least that they had some independence from each other. It's like companies that have different product lines, so that if one doesn't go exactly right, the whole thing won't fall apart.
Not only do you want things different, you don't want them to all succeed or fail at the same time. I think security executives could think about that.
There's also the portfolio idea of high risk, high return. You could imagine where you might have a project and it might be very expensive, and if it works it might be fabulous. But it's kind of risky. So maybe you think about doing something else simpler, maybe not quite as good, but more of a sure thing.
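The diversification and correlation points Hagerty makes in the answers above (idiosyncratic risk nets out across many holdings, economy-wide risk does not, and overlapping projects tend to succeed or fail together) can be worked through numerically. The Python below is an added example, not from the article or from Kellogg; the three security projects, their standard deviations and their correlations are constructed for illustration, and the equal-weight formula is the standard portfolio-theory result for n positions with a common variance and pairwise correlation.

```python
from math import sqrt


def cov_from_corr(sigmas, corr):
    """Covariance matrix from per-position standard deviations and a correlation matrix."""
    n = len(sigmas)
    return [[corr[i][j] * sigmas[i] * sigmas[j] for j in range(n)] for i in range(n)]


def portfolio_variance(weights, cov):
    """Variance of a weighted portfolio: sum over i, j of w_i * w_j * cov[i][j]."""
    n = len(weights)
    return sum(weights[i] * weights[j] * cov[i][j]
               for i in range(n) for j in range(n))


def equal_weight_variance(n, sigma2, rho):
    """Closed form for n equally weighted positions, each with variance sigma2
    and pairwise correlation rho:  sigma2 / n + (1 - 1/n) * rho * sigma2.
    The first term is the idiosyncratic part and vanishes as n grows; the
    second is the systematic part and converges to rho * sigma2, the floor
    that no amount of diversification removes."""
    return sigma2 / n + (1 - 1 / n) * rho * sigma2


def correlation(xs, ys):
    """Pearson correlation of two equal-length series (population statistics)."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need two series of equal length >= 2")
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / n
    sx = sqrt(sum((x - mx) ** 2 for x in xs) / n)
    sy = sqrt(sum((y - my) ** 2 for y in ys) / n)
    if sx == 0 or sy == 0:
        raise ValueError("a constant series has no defined correlation")
    return cov / (sx * sy)


# Constructed illustration (values invented for this example): three security
# projects, each with the same standalone uncertainty (sigma = 0.2 on a
# "fraction of planned benefit" scale). Projects 0 and 1 are assumed to depend
# on the same vendor platform, so they succeed or fail together (rho = 0.9);
# project 2 is independent of both.
PROJECT_SIGMAS = [0.2, 0.2, 0.2]
PROJECT_CORR = [
    [1.0, 0.9, 0.0],
    [0.9, 1.0, 0.0],
    [0.0, 0.0, 1.0],
]


def single_project_variance():
    """Putting the whole budget into one project: no diversification at all."""
    return PROJECT_SIGMAS[0] ** 2


def overlapping_pair_variance():
    """Equal split between the two overlapping projects: little diversification."""
    cov = cov_from_corr(PROJECT_SIGMAS, PROJECT_CORR)
    return portfolio_variance([0.5, 0.5, 0.0], cov)


def independent_pair_variance():
    """Equal split between an overlapping project and the independent one: variance halves."""
    cov = cov_from_corr(PROJECT_SIGMAS, PROJECT_CORR)
    return portfolio_variance([0.5, 0.0, 0.5], cov)


if __name__ == "__main__":
    print(f"single project variance:    {single_project_variance():.4f}")
    print(f"overlapping pair (rho=0.9): {overlapping_pair_variance():.4f}")
    print(f"independent pair (rho=0):   {independent_pair_variance():.4f}")
    # Growing the portfolio drives the idiosyncratic term to zero but leaves
    # the systematic floor rho * sigma2 = 0.012 in place.
    for n in (1, 2, 10, 100, 10_000):
        print(f"n={n:>6} equal-weight variance with rho=0.3: "
              f"{equal_weight_variance(n, 0.04, 0.3):.5f}")
```

The independent pair lands at half the single-project variance while the overlapping pair barely improves on it, which is the "don't let them all succeed or fail at the same time" point in numbers; the equal-weight loop shows why holding more of the same correlated thing never gets below the systematic floor.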
What about options theory?
Options are all about contingency contracts. The big innovation that came with option pricing theory was how to figure out a fair price for those contracts. If I give you the right to walk away in the future, I'm at a disadvantage. So how much should you compensate me? What's a reasonable price? Option pricing helps you figure that out.
Prices are easiest to figure out; there's good data and prices are objective. There isn't disagreement about what the price of IBM is. You could also use options theory to come up with the temperature at the San Francisco airport at noon on December 3; it's just a little harder.
Our readers generally have tight budgets and have to allocate their spending to achieve a maximum return. What role can measuring risk play in helping them achieve that?
Suppose you were doing capital budgeting for a network security project. You'd say: "Here's the project. It will cost me this much today. I will either get some stream of revenue or some stream of cost savings over time. We're going to save X dollars a year because we won't have disruptions, viruses and so on. So if I spend this money today, the benefits are going to accrue over, say, 10 years." The way that risk comes in is that you don't know exactly what the benefit is going to be. You want a single number that picks up what you're going to spend today and the cash flows and savings that are going to come in over time. You want to reflect some things about those cash flows, in particular, when those savings are coming in. You also want to reflect how certain you are about what those benefits are going to be. That's where the risk comes in: "I'm positive it's going to be $100 a year" versus "I think it might be $100, but it could be zero or $200", which is a riskier set of savings.
That happens in all capital budgets; you take the cash flows and discount them. There are two ways that cash flows are handicapped: One is they're handicapped by how far in the future they come; things that happen right away get a little handicap, things far away get a bigger handicap. The other handicap is how certain you are. If it's a sure thing, there's no handicap; the more uncertain you are, the bigger the handicap. That handicapping is where the risk comes in. Things that are riskier get a bigger handicap. Beta is a way of getting a number for the handicap.
Typically, betas are computed by a financial person. He or she looks at the risk of a project and the nature of the risk. Security projects aren't, presumably, any different from other projects in a firm. Everybody's doing something to either generate revenue or cost savings.
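Hagerty's capital-budgeting walkthrough above can be turned into arithmetic. The Python below is an added worked example, not from the article: it discounts a project's expected annual savings at a rate that rises with beta, and compares the two cases she describes, a sure $100 a year against a $0/$100/$200 spread with the same expected value. The way beta becomes a rate here is the CAPM relation (risk-free rate + beta * market premium), which is this example's assumption rather than anything the interview states; the project cost, savings, rates and betas are all constructed.

```python
from math import sqrt


def expected_value(outcomes):
    """outcomes: list of (probability, value) pairs whose probabilities sum to 1."""
    if abs(sum(p for p, _ in outcomes) - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    return sum(p * v for p, v in outcomes)


def variance(outcomes):
    """Probability-weighted squared deviation from the expected value."""
    mu = expected_value(outcomes)
    return sum(p * (v - mu) ** 2 for p, v in outcomes)


def std_dev(outcomes):
    return sqrt(variance(outcomes))


def capm_rate(risk_free, beta, market_premium):
    """Risk-adjusted discount rate under the CAPM (an assumption of this
    example, not stated in the interview): rf + beta * (E[R_market] - rf).
    A higher beta means a bigger 'handicap' on every future cash flow."""
    return risk_free + beta * market_premium


def npv(initial_cost, annual_cash_flows, rate):
    """Net present value: pay initial_cost today, receive each flow at the end
    of year t discounted by (1 + rate) ** t. Both handicaps live in that
    divisor: farther-out flows are divided by a bigger factor (time), and a
    higher rate shrinks every flow (uncertainty)."""
    if rate <= -1.0:
        raise ValueError("rate must exceed -100%")
    return -initial_cost + sum(cf / (1.0 + rate) ** t
                               for t, cf in enumerate(annual_cash_flows, start=1))


def evaluate_project(initial_cost, savings_outcomes, years, risk_free, beta, market_premium):
    """Score a project by the NPV of its expected annual savings, discounted at
    a rate that reflects its beta. Returns a dict so the intermediate numbers
    can be inspected alongside the final one."""
    mu = expected_value(savings_outcomes)
    rate = capm_rate(risk_free, beta, market_premium)
    return {
        "expected_savings": mu,
        "savings_std_dev": std_dev(savings_outcomes),
        "discount_rate": rate,
        "npv": npv(initial_cost, [mu] * years, rate),
    }


# Constructed scenario (all figures invented for this example; thousands of
# dollars): a network security project costing 600 today, expected to save
# 100 a year for 10 years. The two views of those savings from the interview:
SURE_SAVINGS = [(1.0, 100.0)]                               # "positive it's $100 a year"
RISKY_SAVINGS = [(0.25, 0.0), (0.5, 100.0), (0.25, 200.0)]  # "might be $100, could be 0 or 200"

RISK_FREE = 0.03        # assumed risk-free rate
MARKET_PREMIUM = 0.06   # assumed expected market return above the risk-free rate
SURE_BETA = 0.2         # assumed low beta for the near-certain savings
RISKY_BETA = 1.5        # assumed high beta for the uncertain savings


def compare():
    """Same expected savings, different certainty: returns (sure, risky) evaluations."""
    sure = evaluate_project(600.0, SURE_SAVINGS, 10, RISK_FREE, SURE_BETA, MARKET_PREMIUM)
    risky = evaluate_project(600.0, RISKY_SAVINGS, 10, RISK_FREE, RISKY_BETA, MARKET_PREMIUM)
    return sure, risky


if __name__ == "__main__":
    for label, r in zip(("sure", "risky"), compare()):
        print(f"{label:>5}: E[savings]={r['expected_savings']:.0f} "
              f"sd={r['savings_std_dev']:.1f} rate={r['discount_rate']:.3f} "
              f"NPV={r['npv']:.1f}")
```

Both projects have an expected saving of 100 a year, but the sure one is worth doing (positive NPV at a 4.2% rate) and the risky one is not (negative NPV at 12%), which is the handicapping Hagerty describes: the averages match, the certainty does not, and the discount rate is where that difference gets priced.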
In financial markets, if you mess up, you lose money. In security, if you mess up, the result could be a nuisance, such as a computer virus that shuts down a system for a few hours, or a catastrophe, such as an explosion at a chemical plant. How can you take a financial markets strategy and modify it to account for the wide variety of security risks?
Some would argue that you could assign a dollar value to every outcome: If a really terrible thing happens, I lose X dollars. That would be like financial markets, where every outcome has a number associated with it. Finance is premised on the idea that you can put a number on everything, even if it's a gigantic number.
But there are people who feel like there isn't really a number you can assign to every bad thing, such as a 9/11-type event. But, [even in a case like that], I guess people don't think there's any infinite loss, where you'd spend everything you had to avoid any possibility of something ever happening. That suggests you can assign some finite number.
With its long history, finance must have scores of commonly accepted definitions and formulas. Security executives, on the other hand, often have different definitions of what constitutes a security breach and different ways of measuring the costs of fixing a breach. Does that make it harder to deal with the issue of risk?
I think it does. A lot of measurement has to do with getting statistical measures; that requires that you're talking about the same thing. If you want a time series on a certain kind of thing, you need to know what those things are. People probably get too focused on getting it exactly right, but it's important to have some homogeneity of what you're talking about. In finance, the trick is to turn them into a dollar cost or dollar benefit. Potentially security could do that; you might use the cost of something happening as the metric.
If you have some structure of the problem, you can probably develop some metrics. If you can look at a series of security problems and say: "What ways are they all kind of the same?" That's really the contribution of academic finance. You create models that don't pick up every little detail. What is the fundamental structure that is the same in every situation? That gives you some metrics. Of all the zillions of things that can happen, what are the key commonalities?
Are there any new trends among academia or companies in thinking about risk?
There was huge innovation in finance in the 1960s and 1970s. The beta [calculations] came in the 60s, options pricing in the 70s; a lot of work since then has been in refining and developing those. There hasn't been anything totally revolutionary [since then]. My guess is that the way a corporate finance textbook looked in 1980 is pretty different from today, but that a 1980 book would look hugely different from a 1960 textbook. The work done in the 60s and 70s completely revolutionized financial markets. It not only changed what was taught to people; it changed financial practice.
What are some practical ways security execs, many of whom lack a strong background in business or finance, can get a handle on some of the things we've talked about?
Kellogg and other schools have weeklong programs called Finance for Non-Finance Executives. Those are good ways to quickly get the essence of what you need to know so that when a CFO comes in and shows you the numbers, you know what they're designed for, what they mean, what case they're trying to make. They're perfect for that type of person. The people who typically show up for these are marketing people; they're kind of in a similar situation [as security leaders]. They're not finance people; they're salespeople. They still have to justify whatever it is they're doing.
What standard book on finance would you recommend for someone who wants to get a good overview of the topic?
Principles of Corporate Finance by Richard A Brealey and Stewart Myers. It's the standard, basic finance textbook. Wharton, Chicago and the vast majority of business schools use that book. The problem is, it's a giant book. The way textbooks work now is if there's anything anyone could possibly want, they put it in. Someone would need to read [only] a subset of the book.
Any other ways CSOs could brush up on their financial chops?
If they weren't embarrassed to do it, they could always sit down with someone in their finance department. A lot of this is basic MBA finance; I think there are probably plenty of people in an organization that could sit down and explain it to you.
Glossary: definitions for some of the terms and concepts mentioned in this article.
Some terms, such as risk, CSOs deal with on a regular basis. Others are important to understanding and valuing risk in corporate finance.
Beta: A measure of the volatility of a stock relative to the overall market. A beta of less than one indicates lower risk than the market; a beta of more than one indicates higher risk.
Black-Scholes formula: Groundbreaking options-pricing formula derived in 1973 by economists Fischer Black, Myron Scholes and Robert Merton. It is a way to determine the worth of an option to buy at a given time.
Expected value: The weighted average of a probability distribution.
Option: A contract that gives the holder the right, but not the obligation, to buy or sell a specified quantity of a security at a specified price within a specified period of time.
Portfolio management: A way of diversifying a portfolio of investments (that could mean all the security projects in your organization) that takes into account risk and return. For example, high-risk, high-reward investments or projects are balanced with low-risk, low-reward investments or projects. Introduced by economist Harry Markowitz in 1952.
Risk: The degree of uncertainty of return on an asset. Exposure to potential loss or damage.
Standard deviation: A measure of dispersion of a set of data from its mean.
Variance: A measure of the volatility or risk on an investment. Dispersion of a set of data points around their mean value. In mathematical terms, the square root of the variance is the standard deviation.
Advanced concepts for measuring risk and value can be useful for CSOs, as are methods for making investment decisions such as portfolio management. But Bill Wipprecht, CSO at Wells Fargo, reminds security pros not to take their eyes off the ball. Wipprecht says security still needs to measure and communicate its value in the most basic terms: dollars saved (through theft prevention) and dollars recovered (through investigations and collections).
"Everybody would like to be considered an investment instead of a cost centre, sure," he says. At Wells Fargo, Wipprecht says he tracks "intangible" value provided by the security group - including benefits such as employee and customer confidence, the value of a safe workplace, and the safety of intellectual property. "But the bottom line is still tangible saves," he says. In two particular cases last year, the work of Wipprecht's security group saved the company US$43 million. Those are the kinds of hard numbers that inspire confidence from upper management.