One of the information security best books I have read this year is the Dhandho Investor by Mohnish Pabrai. Pabrai mines a key distinction missed by many infosec programs which is the difference between risk and uncertainty. Many people equate risk with volatility but this is the wrong definition. For one thing in technology volatility is pretty constant so its not very useful. For a more useful definition we can look to Warren Buffett who equates risk with "the permanent loss of capital". So many measurements in security look at things like "lost hours spent responding to an event" or dollars per password reset. The problem is they are not "lost" - they are someone's job. You only get back the Gartner $35/per password reset if you *fire* those people once you spend $2 million on your Sun or IBM identity management systems. With regard to hours spent responding - does anyone think that those hours are "lost"? I don't. If your website is down you don't incur losses because people couldn't get there - you incur losses if they never make the purchase they were going to make or if this confidence is permanently damaged. So you measure risk more with a permanent loss not with volatility.
Uncertainty is not readily measurable or predictable. Unfortunately, people don't decouple risk and uncertainty and spend a lot of time attempting to measure volatility and uncertainty and then call it risk. You can handicap for uncertainty, one way to do this is to model threats, but you won't ever get this near perfect. And in fact you will find it very hard to move the needle on uncertainty at all - technology, business, and attackers simply evolve too quickly. You can reduce risk, you have to deal with uncertainty. Big difference. If you want to make forward progress, focus on risk. Invoking Frank Knight, Richard Bejtlich has posted on this distinction as well. This leads to strange behavior we see in IT, where Infosec invests in the polar opposite set of priorities from the business. I used to think it was because people came up as firewall jocks and never dealt with apps and data, but I have come to realize it is the distinction between risk and uncertainty that trips our infosec colleagues up.
If you want to make a bunch of acquisitions, outsource a ton of work, send a bunch of projects overseas, have multiple reorgs, connect up a ton of historically siloed systems, hook everything to the web and THEN GO ON A QUEST FOR CERTAINTY - well good luck to ya, mate. I think your time is better spent finding ways to lower your risk of permanent loss than trying (pretending) to achieve some semblance of certainty in that environment. (Note similarities to any F500 business - strictly intentional)
Good example of this difference from Pabrai
when the future in uncertain, Wall Street punishes the company and usually the punishment is really rigorous! Stewart Enterprises (STEI), also mentioned as an example in a previous column, is the second largest company in the “death care” industry worldwide. Stewart has about $700 million in annual revenues and owns about 700 cemeteries and funeral homes in nine countries, with the bulk of them in the United States.As shown in Figure 2, Stewart was trading at about $2 per share for several months during Q3 and Q4 of 2000. Its historical high was about $28 per share (achieved in 1999). At the time, Stewart had a book value of $8.50 per share. It was thus trading at less than one quarter of book value.
At the time, Stewart’s free cash flow was about $0.72 cents per share. The stock was trading at less than three times cash flow! It was also trading at about one quarter of annual revenue. Like ADP, Stewart has a highly predictable revenue stream. We don’t know who will die in Boise, Idaho in 2006, but any number of life insurance actuaries can tell you with a fair degree of accuracy how many will die in Boise in 2006 — or for that matter any year for the next 10 years. Why was Wall Street pricing Stewart at three times cash flow and ADP at more than 40 times cash flow?
The reason was that Stewart is a leveraged company with a lot of debt. About $500 Million of that debt was coming due in 2002 and there was no clear answer in July 2000 as to how the company was going to pay it. Wall Street assumed the company may have to declare bankruptcy when it defaulted on its debt and tanked the stock to under $2 per share (from $28 per share).
When I looked at Stewart, I envisioned three possible scenarios for Stewart over the next 24 months:
Each individual funeral home is a distinct stand-alone business. Stewart was a roll-up that had bought hundreds of family-owned funeral homes. It had kept the same name etc. Most customers did not know that ownership had even changed hands. Thus, to raise cash, Stewart could elect to sell some of their “stores.” Presumably, many of the previous owners might buy them back. The company had typically paid eight or more times cash flow for each home. They should be able to sell these for at least five to eight times cash flow. Thus 50 to 100 homes might be sold to take care of the debt.Stewart’s lenders or bankers could look at the company’s solid cash flow and predictable business model and extend the loan maturities.
Stewart goes into bankruptcy. In a bankruptcy reorganization like Stewart, the judge would order that some of the stores be sold and cash proceeds be used to repay defaulted debt. In a distress sale, these stores should still go for at least five to seven times cash flow due to competition among buyers. more than 100 stores get sold and the company emerges clean from bankruptcy.
Even under scenario three, the stock was mispriced at $2 per share. Once one of the above scenarios unfolded, I thought that the uncertainty would go away and the stock would go to 10 times cash flow or $7 to $8 per share. The Pabrai Investment Funds bought Stewart at about $2 per share in Q3 and Q4 of 2000 with the intent of exiting at anything more than $4 per share within two years.
In Q4 2000, the company announced its intent to sell some international funeral homes and in Q1 2001 had definitive buyers. The stock was at $4 per share by the end of Q1 2001, for a 100 percent gain in less than nine months. The funds exited their entire position at about $4 per share. Subsequently, Stewart has been trading between $6 and $8 per share.
Stewart had high uncertainty about its future course in Q3 2000. However, there was very low risk in terms of shareholder return or the company’s future. Wall Street could not distinguish between risk and uncertainty and got confused between the two.
Again, its a question of focus - people spend too much time trying to reduce uncertainty and too little time focusing on reducing risk. What is really at risk in an enterprise? I would say your customers, your data and your apps. In that order.
Along with "Against the Gods" (thanks jsq!), Dhandho Investor is one of the best books, its worth your time to think about what Pabrai has to say, you'll learn some new perspectives on the infosec problem space and you might even make a few bucks.
If you want to dig a little deeper into Dhandho, here is an interview with Mohnish Pabrai and an interview with the Motley Fool. (note in a future post I will look at how restful web services hosed my motley fool experience).
If you are curious why federated identity is important, even though its not a "classic" infosec type solution - this is why - federation does *nothing* to reduce uncertainty, it only reduces risk.
You made it too easy with the link, now. I'm finally going to pick this up and give it a read!
Posted by: Jon | November 28, 2007 at 09:24 PM
Gunnar, as always a very interesting post. Two things come to mind:
I (also?) continue to find it bizarre that Infosec continues to focus on what was accepted in the early 20th century (Knightian thoughts on risk, uncertainty and probability) and ignore the progress made in the entire latter half of the century (Jaynes & the Bayesian Objectivists, Bayesian Subjectivists, etc...).
Second, I, too am interested in our focus on gathering statistics that go along with metrics of dubious worth. However, if, as some believe, the mind *is* a little Bayesian machine, then it would seem this is simply our attempt to gather useful prior information in order to see if it makes a better framework for analysis more apparent - a sort of a bottom up approach to developing a framework for risk (def - probable frequency & probable impact) decisions. Not that it's a useful endeavor, it just seems that's the way we're wired up.
Posted by: Alex | November 28, 2007 at 09:38 PM
"people spend too much time trying to reduce uncertainty and too little time focusing on reducing risk." My impression is the exact opposite. Companies spend to much time (and money!) on ad-hoc attempts in reducing risk with no control of where their biggest risks are or how these countermeasures actually pays of in terms of risk reduction. There is too much focus on headline-threats and efforts resembling "fire-fighting" and "socker-goal security". Companies buy firewalls, intrusion prevention systems, data leak prevention solutions for millions so the can put them into place and forget them. There is too much uncertainty in daily security operations, which is why I think that reducing uncertainty is crucial. Companies often can't answer the simplest questions (that's where metrics comes in). I say implement solutions that give you insights in vulnerabilities, threats, assets and ultimately risks (no, the answer isn't an annual risk-analysis paper exercise). Then (!) implement measures for risk reduction.
Posted by: Göran Sandahl | November 29, 2007 at 03:29 PM