Security Metric of the Week #43: VaR Value at Risk
VaR is one of several metrics used to measure the financial aspects of information security.
VaR is normally used in investment management, for insurance purposes, and to determine the appropriate levels of contingency cash reserves needed by banks etc., but it can be applied to measure other kinds of risk.
In the financial world, VaR is the calculated value of a portfolio of financial assets (e.g. stocks and shares) at which there is a stated probability of loss within a defined period, assuming normal trading. For example, a 5% daily VaR of $1m means the value of the portfolio is predicted to fall by more than $1m on one day out of twenty, on average.
Management of ACME Enterprises Inc calculates the PRAGMATIC score for VaR at just 38%:
Although VaR appears to be quite Predictive and Relevant to information security, the remaining AGMATIC criteria reflect management's misgivings about this metric:
- Actionability is low since there is not much that information security people can do to influence the value of information assets, aside from making it more expensive for adversaries to compromise it;
- Genuinness: the ambiguities and assumptions involved in calculating VaR;
- Meaningfulness: the variety of definitions and interpretations of VaR implies confusion about its meaning unless we take the trouble to explain it properly in this context;
- Accuracy may be acceptable for commonplace security incidents that occur with predictable frequencies and outcomes, but not for rarer and often more extreme events;
- Timeliness is limited because of the practical difficulties of re-calculating and updating the metric as assets and risks change;
- Independence: the people best placed to determine the metric are the information asset owners, in conjunction with information security/risk management professionals. They all have a vested interest in assuring management that information assets are not unduly at risk, hence their VaR calculations may be biased;
- Cost-effectiveness suffers because of the effort required to calculate and update VaR relative to the utility of the metric.
Your opinions on the criteria and scoring may well differ, and that's fine - a good sign in fact. If you had been involved in the PRAGMATIC ratings discussion, you would have had the chance to influence the outcome. We are simply reporting the discussions that took place, hinting at the thinking processes and rationale behind the assigned ratings. The analysis and discussion is a vital part of the PRAGMATIC process, and if anything is more important than the final score. To understand the scoring fully, you would need to appreciate contextual factors such as the business of ACME Enterprises Inc., the nature of its information assets and information security risks, and the backgrounds, motivations and current interests of the managers involved.