Saturday, February 28, 2009

Financial Markets Meltdown: Risk Management Lessons

Example of god action: lightning
I just finished reading the book "Against The Gods, The Remarkable Story Of Risk, Peter L. Bernstein". This is part of my current study of financial risks and relationship with information security risks. The book is written by an economist, Peter Bernstein and provides, in my opinion very good insight on how risk analysis evolved as discipline to respond to human needs. Along the course of history, risk management has evolved as discipline to help humans in calculating risks for decision making in different aspects of human condition such as nation's and individual wealth, human health, engineering, warfare etc.

As a technical discipline, risk management also evolved as part of the progress made by mathematicians in predicting risk. Most of us now associate the likelihood factor of risk to a calculation of a probability such as the likelihood that the occurrence of significant events might have impact in our human lives. Risk analysis had a shift in the course of human history with the mathematical discovery of probability theory that originated back in 1,600 Century, thanks mostly to the works of mathematical geniuses such as Pascal and Fermat. These mathematicians were the first to devise a mathematical method to forecast the Pacioli’s puzzle game. From a way to predict the outcomes of games and help gamblers, probability theory evolved in the 1700 century to respond business needs such as by helping the English government to predict life expectancies so they could help the finances with the sale of life annuities. This event marked the start of the Insurance Business. Later Bernoulli and Leibniz invented methods of statistical sampling that are used today in scientific methods for asserting quality, health of populations, demographic and political studies etc etc. We had the discovery of the normal distribution that is used for statistical analysis: events could predicted when the number of observations of the sample increased. In 1800 Century we had the chaos theory and the discovery of critical concepts in statistical analysis such as"the regression from the mean" that explains that events are affected by a random variance so that a market can be expected to fall after going up and viceversa. In the 1900 financial risk theories also demonstrated mathematically that putting all eggs in one basket is unacceptable risk strategy for buying stocks.

Human factors is the
 fundamental risk "element"
In modern times, risk models got help from information technology and computerized risk modeling. These risk models are used to predict financial trends and support decision making. Nevertheless these models also fail. Being risk calculation a complex, multi-variable and non-linear problem to solve, the accuracy of these models is always in question. For example,these computerized models clearly failed to predict the house mortgage risks and the impact on the financial markets. In my opinion this is because risk in essence ties fundamentally to the human element and irrational decision making. It also ties to unpredictable events that we did not include in the analysis of the mathematical model. At the root of the meaning of risk we have to dare, as Bernstein points out, the origin word for risk (sounds like I am paraphrasing the movie, the fat greek wedding :) from the Italian (risicare) that means act, to dare. There is actually a say for it that is a proverb for the one of who that know Italian Language “chi risica non rosica” it means who does not risk do not gain for it…

The point I want to make here is that human factors determine how we react to risk. From this perspective, learning about human history as a factor to make risk decisions is the key for effective risk management

One interesting lesson that can be learn is the "attitude" or the "appetite" for risk was obviously not calculated and lead the financial markets to the current meltdown. During the so called "housing price bubble" era of the last 5-7 years we had people buying houses by borrowing money with mortgages that were at high risk of not being repaid. The home buyers and the financial institutions allowed this party to happen, home owners happy to own houses that according to risk should not have afforded and the financial institutions taking high risks for pure financial gains along with speculators inflating the home values by buying and selling property for their quick profit.

Then things started to change for the worst, rumors spread that some banks were running out of cash and that big institutional investors pulled out from the market. Acting upon "rumors" investors start selling financial stocks. This despite CEOs of such financial institutions are still trying to reassure investors. Rumors eventually become reality, the big investors pull out from the market and all the sudden, financial institutions need to raise capital to keep them afloat. At last resort the government comes to help to contain the impact to the overall economic system.

Co-risk for financial institutions
One lesson that you can learn it that this is a case of systemic risk. Systemic risk are the most dangerous risks because scale up to different entities all interconnected and might end up impacting the all financial system. For example the US financial meltdown started with the failing of financial institutions that depended on each other because they shared the risk: from Bear Sterns to Lehman Brothers, from Merry Lynch to AIG and then to Bank Of America and Citigroup. Most recently, the US Government acted to contain the systemic risk with extraordinary measures and very timely, bailing out financial institutions with enormous amount of money.

From the perspective of information security we might also have similar systemic risks. An example of systemic risk is the impact that a critical information system such as the one that serves as backbone to all infrastructure and operations one day might fail. This can be for example attacks to bring down the Internet such as with denial of service attacks to the root domain servers that serve the DNS protocol. Another example of systemic risk is the one posed by botnet driven distributed denial of service attacks toward financial transaction systems as well as the financial infrastructure. Attacks that potentially pose a systemic risk to the information infrastructure of a country or a company need to be taken very seriously and analyzed using attack trees and threat modeling.

Credit Default Swap:
Source:Invest2success blog
Another lesson that you can learn from the financial market meltdown are the gaps in laws and regulations to control risk. Take for example the unregulated Credit Default Swaps used by banks to make million of dollars with a form of insurance based upon spreading the risk. A CDS meant that you could get insurance on a bond that you owned on the assumption that if the bond did not go “belly up”: you just had to pay the insurance installment and you only needed to repay the all amount of the bond if the bond were going down. This is basically an instrument for risk transfer and risk avoidance that also contributed to increase the systemic risk.

The analogy in information security would be that while your operations expand to new data centers as well as in the value of the data assets you manage, you do not step up in the security controls by investing in security technology, processes as well as people. You might also decide to transfer the risk to another entity and have you services managed by them. In some cases a certification from auditors still lacks clear oversight on the security risks you are facing.

Once you face the impacts of systemic risk you need to act with extraordinary measures to contain the risk and still it takes a lot of time to recover to normal.

Another lesson you can learn from human attitude toward risk is that there is always a Cassandra that is someone that prophetically had made his risk assessment as negative against the common thinking being positive as Cassandra told all the people in Troy to watch out for the Trojan Horse, but nobody paid any attention.. As humans we doubt of "doomers" especially when everybody else is partying..

Unfortunately, one of the greatest lessons from the learning of human perception of risk is that is humans do not usually make decisions based upon previous generation mistakes. For this reason, risk education is fundamental. Risk managers had to learn human sciences and understand human attitude toward risk, the perception of events, which risk indicators are critical and which facts are relevant.

From the perspective of computational models, we should have expected this financial meltdown to happen sooner or later because of a drop of the home prices of 10-20% and other factors could have been built into the model. Besides some indicators of systemic risk such as CDSs could have issued a warning from distribution of risk and business impact perspective:the financial institution inter-dependency and reliance on risk transfer with unregulated transactions should have raised some economist eyebrows.. did risk model factor these elements in their risk model? This questions are still open in my mind.

December 1941 Dec,
Japanese attack US Navy at Pearl Harbor:
A small boat rescues a seaman from
 the 31,800 ton USS West Virginia
 burning in the foreground.

From the information security perspective, we do not have such sophisticated risk models, rather risk assessment is still mostly done as qualitative assessment by risk analysts that understand the business impact of system vulnerabilities. Nevertheless, the equivalent of a meltdown of the Internet cannot be excluded. Some referred to this threat as the digital Pearl Harbor referring to the Pearl Harbor Japanese attack in WWII. We had recently incidents that seems to indicate that such attacks might be possible in the future. We had for example a distributed denial of service attack to the information infrastructure of an entire country such as Estonia, allegedly caused by the Russian Business Network. We proved that cyber attacks to the SCADA power grid are possible as well as distributed denial of service attacks via botnets directed toward financial institutions. Recent examples include coordinated attacks toward ATMs with cloned cards causing RBS 9 ML $ of fraud in one day. The recent credit card information leak involves credit card account information for 100 million users and involves 500+ institutions(Heartland Data Breach).

These kind of systemic attacks require governments and financial institutions to work together to build defenses for preventing potential large scale information systemic risks. There is a need for threat analysis of cybercrime attacks and a reconsideration of what is system critical and what is acceptable risk. Risk mitigation provisions need to be the topic of research and new information security technologies need to be developed to mitigate these kind of attacks. Information security managers need to learn the lessons that the financial risks meltdown posed to the financial markets, how could have been predicted and find the analogies with information risks so a similar systemic risk to the information infrastructure can be prevented.

No comments: