The economics of risk. If you shuddered when you read that, then you're like most of us who see in the phrase a migraine waiting to happen: probability curves, contrapositives, null hypotheses and egghead professors with Nobel prizes. The economics of risk is not for the faint of heart.
Economist Frank J Bernhard must have a strong ticker, then, because he'll talk to you all day (trust us, he visited our office) about the economics of risk and — with eagerness, verve and a texta to jot down some Greek letters — expound on behavioural economic theory. Bernhard is a technology economist and managing principal with Omni Consulting Group in Davis, California. His latest book, Beyond Collaboration: How Supply Chains Meet Demand Chains (CRC Press, 2002), describes economic evidence of the sustainable partnerships and innovation that will unfold in the next century.
Thankfully, Bernhard's greatest skill seems to be his ability to wax statistic but then translate it into a language that you understand — and can use: Security insurance is like Goldilocks. Car thieves know how much you should spend on security. He even condones (gasp!) guesstimation as a risk management tool.
Managing Editor Elaine M Cummings spoke with Bernhard to learn what in the world an economist thinks of the current state of security, how CSOs should be thinking about the economics of risk, and, most important, how they should be communicating it. Read on to see what Bernhard had to say. We promise you won't shudder once.
CSO: The concept of risk can be a little nebulous. Is there a working definition?
Frank Bernhard: Yes. Simply put, risk is something that happens if you don't do something else — more specifically, it's a computed chance or probability of something negative happening.
Are economic risk and business risk the same things?
No. Economic risk can involve things like supply-and-demand conditions or geopolitical events. Business risk extends to the outcome of not getting investors. Or losing customers. Or the failure of a product or service. Business and economic risk can coexist in various cycles of the economy and may be interrelated to other causal relationships, such as waning demand coupled with diminished investor confidence.
Why does an economist care about risk?
Economics is about choice, about how we allocate resources. It's about trading one resource for another. So as an economist, I focus on the outcomes of risk, which I see as a binary situation — that is, something either happens or it doesn't. One resource has to be conserved or maximised to influence an outcome — that guides some of the primary influencers in making an event happen or not. And I'm interested in the things that contribute positively to the risk equation. I could get fancy and tell you that the null hypothesis of something happening is contrapositive to one outcome over the other...
OK, stop there. So should a CSO look at risk like a businessperson or an economist?
Well, both are interested in the mitigation of risk. But whenever you look at security, whether you're a CSO or an economist, you have to look at it as a trade-off. You need to ask, Am I actually trading something of positive value that's going to help me be more productive, or will it cost me productivity? If you stop and think about the real effect of security, in addition to perhaps mitigating risk, you've probably slowed things down. Everything in the enterprise is scarce in resources and abundant in demands. The challenge is to achieve balance between sensible investment in security and not lose productive business ground in the process.
When it comes to security, most people talk about the technology of security, not the economics of it.
That's because risk is difficult to measure. And when something is difficult to decipher, we tend to look at well-defined solutions of technology instead of focusing on its risk-reduction perspective.
So that means you can measure risk?
Risk is certainly measurable. Since risk is a factor of probability and it has an outcome, you can measure it and model it and start to understand its core attributes with some level of specificity. And then you can develop some sort of rubric or schedule as far as how to curb risk or induce risk. Like a simple scorecard that takes inventory of risk types and assigns the cost of such outcomes, a CSO can begin to apply sensitivity analyses to derive a calculated picture of an enterprise's given risk model.
But how can you anticipate every risk? If you look at homeland security, for instance, most of us never imagined before 9/11 that some of those things could happen.
Sure. The new risks we're dealing with today simply have to be added to the inventory of risk. It's a pool of risk-based scenarios. Sadly, it's becoming something more than just the benign and basic risk elements. Security officers today need to take inventory of their risk elements in their environment and their IT landscapes. And then they need to start by assigning some sort of probability — or at least some ranking measures and triage — to the risk equation.
Where do you begin?
Take an inventory of all the different possible risks — like the loss of data — and then assign probabilities to those risks. The number of risks can extend ad infinitum, but you can start by deductively measuring the most prominent, rather than the highly obscure.
When do you know the optimal timing to take risks, when to be risk averse?
I think that it's human nature to be risk averse. Some people have less appetite or propensity for risk. But we are, at our core, risk-averse people. That means we want to challenge the notion that something we don't want to happen, in fact, will. So we have to ask, If I do X procedure or make Y decision, then is Z outcome going to occur? And have I set thresholds for myself?
What kind of thresholds?
Life is never without risk. Every day we go out into the world, drive our cars, get on airplanes, get on the Internet. And we have a certain amount of risk that we accept in doing those things. In economic terms, we can't mitigate risk to a zero value — there's no such thing as zero in risk. It's all about how much risk you're willing to take on and actually absorb. So you set logical thresholds for what you're willing to accept as an appetite for risk. In the stock market, for instance, investment performance is calculated by assigning what we call a risk coefficient. You can actually put numbers to the predicted risk performance. If the risk coefficient is computed to be less than a market-equilibrated threshold, then your investment position is said to be conservative. If the risk coefficient is greater than that threshold, you're said to be risk dominant. In other words, you're willing to accept some measure of risk as a higher economic payment in the event of a positive outcome.
Likewise, you have to set thresholds in your enterprise within your control for the amount of risk you're willing to accept. Then determine where to establish a coefficient that's within your comfort zone.
How do you determine that threshold?
First, consider your resources and possible contingencies. If the risk of losing a server is greater than the ability to recover the data in that server, then do not proceed with whatever procedure might jeopardise the loss of the server. You start with asking yourself what the very essence of risk is in your enterprise. The answer will be very individualistic. And the trade-offs are numerous.
What would you identify as the number-one area for information security concern today?
It's threefold, really. First, you need to control access. Most attacks happen because people have access to systems — not the server, per se, because the server is the only end point of access. Access happens when I walk into the building. So you need to think about access cards that give free-moving entrance to facilities. Access may also be logging on to a network. So you create passwords or authentication to the network.
The second part is to think about information assets and their hierarchy in the organisation. For example, is your customer data the most important asset to running your organisation? Or is it the financial systems? The supply chain system? Or your data warehouse? And do your employees use the data on their desktop, or is it used strictly on a protected server? You have to start by doing some hierarchical mapping of what your information assets are to prioritise what is most at risk.
Then, thirdly, you need to consider mobility — the combination of access and assets. I mean, how do people interface with your systems? You have wireless LANs [local area networks] and VPNs [virtual private networks], and all that comes with technology, but the problem is, you still have people in the equation. And people are using systems and assets outside of the wired environment that they've traditionally operated in. So they have to come back to the basics of how to control that mobility.
And then how do you know how much to spend — and on what — to mitigate risk?
It's difficult to know how much spending is enough. You need to determine how much risk you're willing to accept and assume. And then financially and methodically compute that risk. And that's where most people really get stuck. Either the tendency has been to spend without concern for a bottom-line impact or go overboard with governance that maniacally destroys the productivity of an organisation.
Guesstimation is not an exact science, but it's a good start. Pay attention to that visceral feeling about where you think your risk is most obvious. Then boil it down to the top three areas driving security: access, information assets and mobility. That makes up about 85 per cent of your concerns.
And the other 15 per cent?
It's around the physical buildings, facilities and perimeter security — largely those elements of risk being waged against in the efforts of homeland security. If you think about security in general, the safety of a democratic and civil society imposes enough moral restraint to diminish rampant chaos. But security does extend to physical infrastructure of organisations and the challenge to maintain order amidst the outbreak of terrorism and overt violation of public law.
Spending on insurance is just one way to mitigate risk. How much is enough there?
It's a tale right out of Goldilocks. Typically, people sign up for either too much or too little insurance. They don't ever have just the right amount of insurance. You have to start by asking, What's the valuation of the assets I'm protecting? What's the probability of risk assignment? And then what's the cost to protect those assets?
To spend the appropriate amount on insurance, you want the cost of insuring an asset to be less than or equal to the cost of the asset itself. The premium must justify the means of loss protection. Pooled risk dictates that some loss is inevitable but the premium schedule for such assurance should be commensurate with the risk basis. So if an insurance policy protects your million-dollar asset and the policy costs $US900,000 — and the risk of destruction or complete loss is, say, 15 per cent — then the risk of loss is grossly disproportionate to the premium paid for asset assurance.
The numbers may be high as an example, but they speak to a point. Insurers want the least of risk for the maximum amount of premium. The enterprise wants the maximum amount of protection for the least amount of investment. Therein lies the economic argument for investment and risk mitigation: The equation must balance at a level of security adequacy and fiscal prudence.
Think about buying an extended warranty on a television, for example, where the asset life is relatively short but the policy is almost 30 per cent of the item's original cost. If you divide the useful life by its original cost and compare the premium for replacement, the math seldom favours the consumer. Much in the same way, companies spend on protecting their assets, but they can actually get to a point of diminishing returns.
How do you optimise that spending on security?
First, it comes down to common sense. You want to be risk cautious, but you don't want to be risk absurd. The practical question you have to ask is, Does the behaviour or the policy in the governance of my enterprise match the level of risk that it's willing to accept?
But it also comes down to what we label the economic value proposition. You have to weigh the economic value being created by security before you invest in it. And I come back to this point of diminishing returns. Does doing all of this — going to the airport and having to show your ID five different times to get on board the airplane — effectively mitigate the risk of an unknown passenger gaining access to get on that plane? What if the identity is forged? It seems you may have done nothing more than cause longer lines. You've certainly slowed productivity, and you've prevented people from doing the job they set out to do. Most security measures in some way or another harm the economic productivity of an organisation or a customer base.
But how do you spend just enough to protect yourself against the negative outcome of something that you're trying to protect against?
Therein lies the ultimate economic equation. You only need to win the race by a nose. Basically you're trying to optimise the formula to say that if you put X dollars into security, you have Y risk that you feel comfortable with. And the investment sign should always be less than or equal to the amount of risk that's being borne.
What do you tell the CEO who asks, So why should I buy security?
Because you gotta have it. It's like, how do you sell the value of a dishwasher to a restaurant? You've got to have it because you've got to have clean dishes. Think of it not as an ROI problem but as an economic value discussion. What economic value does that dishwasher drive? Maybe it's a substitute for manual labour. We have to start with the conclusion that we want to have clean dishes. If you don't, that's a health-code violation.
I don't think people have a hard time understanding that security is something we have to offer because, if we don't, we're open to liability. That's a secondary outcome. And if we're open to liability, we may get sued. So we want to do those things that are obvious within man's control. That's the litmus test — that it's within a reasonable person's control to mitigate risk and ensure that they're not liable. They don't want to act with negligence, the way a restaurant doesn't want to have dirty dishes. It's a quality-of-life issue. If you don't have security, what happens when that worm annihilates your database? Then you've got a real problem.
How do you sell that idea to a CEO?
The CEO sits atop the jungle and looks at the landscape and says, Here's where we're going as an organisation, and here are the risks that we're willing to absorb and thwart with appropriate security. The budget is almost formulaic to the extent that companies look at their annual revenue, productivity, assets that drive productivity within them, and they have to compute a value. Maybe it's a small percentage of their total revenue that they apply to security. It's almost like their marketing equation. How much do you spend on marketing? It's a percentage of sales. Some companies don't want to spend anything on marketing. Others spend in the double digits. What results are you trying to achieve and, in this case, what risks are you willing to mitigate, to bring it back to a cost basis? But no matter what, the CEO has to buy into the strategy. Think of the former USSR and the Russian spending race in the 1980s to build a superior military presence, but a strategy that ultimately caused the demise of a bankrupt nation's inability to take care of its people — on the homeland. Your competitors might invest in Star Wars as a defence strategy, but don't always mimic their behaviour to secure your future.
How do you measure the economic value being created by risk?
Every time you have a restriction there's a consequence. And it's an economic consequence. We talked about standing in line at the airports. What does that mean? It's about business productivity. And when it's hampered, it really doesn't do you a lot of good, especially when you're in a recession.
There is no substitution for common sense. There is a rational human mind that wishes to counteract the devious human mind, and that's what you're dealing with when you think about risk. Not everything that happens as far as risk is human driven. You can have the risk of losing your data because the store server collapsed. If the mail server suffers a blow to its caching drive — basically that's a risk, right? How do we protect against that? Well, there's tape backup or there's a failover situation so that the system keeps working. So we want to look at risk in terms of probability assignment; you couple that to rational human thinking and common sense, and look what you get. You get something that's much greater than anything you can put together in a mathematical sense.
So, if a structural balance between spending and just enough security is the goal in mind, then how effective is the whole mix?
Let me answer this way: Travellers are reassured that flying aboard commercial aircraft is safe, but that's not exactly true. In reality, safety in flying is about managing risk. Likewise, security is about managing risk. While total protection from loss can never be achieved, we act with discretion toward spending appropriately to protect those assets at stake.
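The three pieces of arithmetic in the interview, the risk scorecard with probability assignment and sensitivity analysis, the Goldilocks test on an insurance premium, and the rule that security spend should be less than or equal to the risk borne, carried through in code. This is an added example, not code from the interview, from Bernhard or from Omni Consulting. The $1 million asset, $900,000 premium and 15 per cent loss probability are the figures quoted above; the inventory rows, their probabilities, the "cheap" verdict label and the 25 per cent tolerance band for "just right" are constructed assumptions for illustration.

```python
"""Risk scorecard, insurance break-even and the spend-versus-risk rule.

Constructed example: the inventory rows and their probabilities are made up
for illustration; the $1M asset / $900,000 premium / 15 per cent loss case
is the one quoted in the interview.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    """One row of the risk inventory: an asset, its value, and the
    assigned probability (per planning period) of losing it."""
    name: str
    asset_value: float   # dollars at stake
    probability: float   # assigned chance of loss, 0.0 to 1.0

    def expected_loss(self) -> float:
        # Probability times value: the economic size of the risk.
        return self.asset_value * self.probability


def scorecard(risks):
    """Rank the inventory by expected loss so triage starts with the most
    prominent risks, not the most obscure."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def premium_to_expected_loss(asset_value, probability, premium):
    """How many times the expected loss the premium costs. Around 1.0 the
    premium is commensurate with the risk basis; well above it you are
    paying for assurance the risk does not justify."""
    return premium / (asset_value * probability)


def break_even_probability(asset_value, premium):
    """Sensitivity analysis in one number: the loss probability at which
    expected loss equals the premium. Capped at 1.0 because a premium above
    the asset value can never be justified."""
    return min(1.0, premium / asset_value)


def premium_verdict(asset_value, probability, premium, band=0.25):
    """Goldilocks check. 'band' is a constructed tolerance: a premium within
    +/- 25 per cent of the expected loss counts as 'just right'."""
    if premium > asset_value:
        return "too much: premium exceeds the asset value"
    ratio = premium_to_expected_loss(asset_value, probability, premium)
    if ratio > 1 + band:
        return "too much: %.1fx the expected loss" % ratio
    if ratio < 1 - band:
        return "cheap: %.2fx the expected loss" % ratio
    return "just right"


def spend_is_justified(spend, expected_loss):
    """The investment rule from the interview: dollars put into security
    should be less than or equal to the risk being borne."""
    return spend <= expected_loss


def demo():
    # Constructed inventory; values and probabilities are illustrative only.
    inventory = [
        Risk("customer database loss", 2_000_000, 0.05),
        Risk("primary server loss", 1_000_000, 0.15),
        Risk("mail server cache drive failure", 50_000, 0.40),
        Risk("wireless LAN eavesdropping", 300_000, 0.10),
    ]
    for r in scorecard(inventory):
        print(f"{r.name:35s} expected loss ${r.expected_loss():>12,.0f}")
    # The interview's case: $1M asset, $900,000 premium, 15 per cent loss risk.
    print(premium_verdict(1_000_000, 0.15, 900_000))
    print("break-even probability:", break_even_probability(1_000_000, 900_000))
    print("spend $900,000 against $150,000 of risk justified?",
          spend_is_justified(900_000, 150_000))
    return inventory


if __name__ == "__main__":
    demo()
```

The break-even probability makes the interview's point directly: a $900,000 premium on a $1 million asset only becomes commensurate with the risk when the chance of total loss reaches 90 per cent, six times the 15 per cent quoted. The same `scorecard` ranking is where a CSO would start applying the sensitivity analyses the interview mentions, by varying the assigned probabilities and watching which rows change rank.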
SIDEBAR: The Top Five Concerns for a CSO
1. ACCESS Control to the enterprise and basic functions of the enterprise should be high on your list.
2. ASSETS Consider information as well as operations. Protecting them is your raison d'être.
3. EMPLOYEE MOBILITY Think about how assets can be moved around.
4. HUMAN CAPITAL Pay attention to the telltale signs that could predict an employee threat.
5. PERCEPTION You need to make employees feel safe without going overboard. Knee-jerk reactions won't gain any ground or achieve a competent effect.