Richard tries to compare the world of finance to the world of InfoSec after he takes the following notes on a Wall Street CISO’s InfoSec comments:
The present author was confronted with this list, exactly as it is, by the CISO of a major Wall Street bank with the preface “Are you security people so stupid that you cannot tell me….”
This particular CISO came from management audit and therefore was also saying that were he in any other part of the bank, bond portfolios, derivative pricing, equity trading strategies, etc., he would be able to answer such questions to five digit accuracy.
Richard’s post replies with his InfoSec thoughts on Business, Accumulation, Assumptions and Accuracy as ways of contrasting our field of InfoSec to that of finance. In his post he discusses InfoSec ROI, the Black-Scholes model, properties of money and more.
I showed Richard’s blog response to some friends of mine who work in financial risk management as well as equity sales to get other informed opinions. Our conclusions were:
1. Either the CISO does not know what he’s talking about at all or Richard clearly misinterpreted him
It’s most likely the latter: Richard misinterpreted him. Richard’s focus on five digit accuracy is misleading. What the CISO is saying is that within finance, one has the ability to model the upper and lower bounds of risk quantifiably to the point of five digit accuracy. This is not the same as predicting a particular outcome with certainty. All the CISO was saying is that Wall Street has sophisticated models to help guide its financial decision making process; he’s asking, “Why can’t risk be quantified in the Information Security field like it can be in the field of finance?”
2. On the claims that Information Security does not have an ROI and that security mechanisms are not business enablers
My friend in the financial risk department read Richard’s statement that “Security does not have an ROI” and he laughed. He commented, “Just let some hackers change some numbers in a bank’s financial system and you’ll see that security has ROI.” That’s a finance guy talking, not an InfoSec guy. Also, the paper I co-authored with Sam DeKay rebuts the claim that “Only security vendors make money from security”; in addition, see my reply to Richard on security as a business enabler.
3. Some quotes are just wrong or nonsensical because they take the five-digit accuracy too literally instead of using modeling to understand risk:
- “Assumptions make financial “five digit accuracy” possible.”
  - Actually, mathematics makes five digit accuracy possible: I can assume anything.
- “If financial five digit accuracy were possible, no markets could be sustained.”
  - 1/3 = 0.3333333333 – Hey! I’m past five digit accuracy and the markets are still going!
- “If trading houses all figure out how to make money with five digit accuracy, their advantage is not going to be sustained because no one will want to trade with anyone else — they’ll all want to take the same positions.”
  - See the 1/3 point above… People take different positions because each assesses that the future will play itself out in a different way: modeling and quantifying risk is just one expression of trying to understand what has happened and how what *may* happen will affect their market positions.
Let’s return to the question I assume the CISO is trying to ask:
“Why can’t risk be quantified in the Information Security field like it can be in the field of finance?”
Here are a number of ways to respond:
- InfoSec can be quantified, but it is a young field and we do not have mature models.
- InfoSec can be quantified with existing models, but adapting them to each environmental architecture is not worth the time and effort (especially given the volume of changes within a particular architectural landscape).
- Quantitative analysis is not as meaningful as qualitative analysis when describing InfoSec events. [Note: This is my personal belief, and I think it's one reason why DHS uses colors and words instead of numbers.]
- Not all risk can be translated into numbers (unquantifiable risk).