Optimal filter and Cost-Benefit Analysis
Tyler Moore
CSE 7338, Computer Science & Engineering Department, SMU, Dallas, TX
Lecture 3

Information security risk management

- Just as it can be useful to translate infosec risks and defenses into the language of investment (ROSI, NPV, etc.), one must also be aware of terminology from risk management
- As IT becomes essential to many businesses, the border between information security investment and general risk management has blurred

Risk management terminology overview

- Risk analysis: identification, quantification
- Risk management: acceptance, mitigation, avoidance, transfer, cyberinsurance
- Risk monitoring: validation, documentation

Risk acceptance

- After risks are identified and quantified, they must be managed
- The simplest option is to do nothing
- Such risk acceptance is prudent when:
  1. Worst-case loss is small enough to be paid from proceeds or reserves
  2. Probability of occurrence is smaller than other business risks that threaten the organization's survival
- This is why the security policies for start-ups are often weaker than for entrenched firms

Risk mitigation

- If a risk is too big and probable to be accepted, risk mitigation aims to reduce the probability and severity of a loss
- This is where security investment comes in
- Recall that the optimal level of investment normally leaves residual risk that must be dealt with using acceptance, avoidance, or transfer

Risk avoidance

- Aims to reduce the probability and severity of loss, as in risk mitigation
- However, rather than use technology, here one forgoes risky activities
- This introduces opportunity costs of lost business opportunities
- Example: online merchant refusing overseas orders due to high fraud risk
- Example: company takes a database with customers' personal information offline
- Question: what are the opportunity costs in these cases?

Risk transfer

- The final option is to buy an insurance contract to recover any future losses incurred
- This is only available in limited circumstances
- Why has the cyber-insurance market remained small?
  - Difficulty in quantifying losses
  - Even when possible, many firms would rather keep quiet than share with an insurance company
  - Externalities mean that the costs of insecurity are often borne by others
  - Correlated risk is prevalent

Risk management example: credit card issuers

Credit card issuers regularly manage fraud:
1. Risk acceptance: fraud is paid from the payment fees charged to merchants
2. Risk mitigation: install anti-fraud technology (raises costs of security)
3. Risk avoidance: downgrade high-risk cardholders to debit or require online verification (leads to lost business)
4. Risk transfer: structure consumer credit risk and sell it on the market

Domain-specific models

- Up to now we have modeled security investment at a very high level
- Map costs to benefits, assume diminishing marginal returns to investment, etc.
- Useful when justifying security budgets compared to non-security expenditures
- Not useful for deciding how best to allocate a given security budget
- Today, we discuss a model for a tactical security investment decision: configuring a filter to balance false positives and negatives

ROC curves

- Binary classification is a recurring problem in CS
- Common task: distill many observations to a binary signal
  - S = {0, 1}: communications theory
  - S = {undervalued, overvalued}: stock trading
  - S = {reject, accept}: research hypothesis
  - S = {benign, malicious}: security filter
- Such simplification inevitably leads to errors compared to reality (aka ground truth)

Filter defense mechanism

  Signal      Reality: no attack   Reality: attack
  benign      1 − α                β
  malicious   α                    1 − β

α: false positive rate, β: false negative rate

Receiver operating characteristic

[Figure: ROC curve with the 45° diagonal. x-axis: false positive rate α; y-axis: detection rate 1 − β.]
[Figure: dashed and solid ROC curves with their equal error rates (EER) marked where α = β. x-axis: false positive rate α; y-axis: detection rate 1 − β.]

Model for optimal filter configuration

- Binary classifiers are imperfect
- Finding the optimal trade-off, say for an IDS or spam filter, is hard
- Can be framed as an economic trade-off between the opportunity cost of false positives and the losses incurred by false negatives
- We can see from ROCs that β can be expressed as a function of α
- \( \beta : [0, 1] \to [0, 1] \) defines the false negative rate as a function of the false positive rate α
- \( \beta(0) = 1, \ \beta(1) = 0 \)
- We assume \( \beta'(x) < 0 \) and \( \beta''(x) \geq 0 \)

Model for optimal filter configuration

Suppose we rely on a filter to scan incoming attachments for malware
- a: cost of false positive (blocking a benign )
- b: cost of false negative (delivering malicious )
- p: probability of containing malware

Cost:
\( C(\alpha) = p \cdot \beta(\alpha) \cdot b + (1 - p) \cdot \alpha \cdot a \)

Suppose p = 0., a = $250, b = $500, α = 0., β = .2
C(α) = = $

Exercise

Suppose we rely on a filter to scan incoming attachments for malware. Suppose the cost of dealing with a false negative event is $400, and the cost of dealing with a false positive is $ % of incoming has malware. You can choose between two configurations:
- Config. A: 0% false positive rate and 30% false negative rate
- Config. B: 25% false positive rate and 5% false negative rate
Your task: compute the expected costs for both configurations, and state which configuration you prefer.

Model for optimal filter configuration

\( \alpha^* = \arg\min_{\alpha} \; p \cdot \beta(\alpha) \cdot b + (1 - p) \cdot \alpha \cdot a \)

which has first-order condition (FOC)

\( 0 = \frac{\partial}{\partial \alpha} \left( p \cdot \beta(\alpha^*) \cdot b + (1 - p) \cdot \alpha^* \cdot a \right) \)

after rearranging, we obtain:

\( \beta'(\alpha^*) = -\frac{1 - p}{p} \cdot \frac{a}{b} \)

[Figure (continuous ROC curves): ROC curves with indifference curves of slope (1 − p)a / (p b); points α_B and α_A marked. x-axis: false positive rate α; y-axis: detection rate 1 − β.]

[Figure (continuous ROC curves): ROC curves A and B with EER_A = EER_B on the line α = β and AUC_A = AUC_B. x-axis: false positive rate α; y-axis: detection rate 1 − β.]
[Figure (continuous ROC curves): ROC curves A and B with indifference curves of slope (1 − p)a / (p b); points α_B and α_A marked.]
[Figure (discrete ROC curves): operating points C, D, E and F with an indifference curve of slope (1 − p)a / (p b) and the point α marked.]
[Figure, example (discrete ROC curves): operating points C, D, E and F with the slopes of the ROC segments labelled; α = 0.2 is marked as the choice under a condition on (1 − p)a / (p b).]
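
The slope rule from the optimal-filter slides, applied to a discrete ROC curve. This Python sketch is an added example, not code from the lecture; the operating points, the costs a and b, and the base rates p are constructed sample values, and the function names are hypothetical.

```python
# Added example: choosing a filter configuration from discrete ROC operating points.
# Cost model from the slides: C(alpha) = p*beta*b + (1-p)*alpha*a.
# All operating points, costs and base rates below are constructed sample values.


def expected_cost(alpha, beta, p, a, b):
    """Expected cost per item: a false negative costs b, a false positive costs a."""
    return p * beta * b + (1 - p) * alpha * a


def indifference_slope(p, a, b):
    """Slope magnitude of the indifference curves, (1-p)a / (p b)."""
    if p == 0:
        return float("inf")      # no malicious traffic: no false positive is worth it
    return (1 - p) * a / (p * b)


def lower_hull(points):
    """Lower convex hull of (alpha, beta) points, ROC end points included.

    C is linear in (alpha, beta), so a configuration lying above the hull
    can never be the cheapest one, whatever p, a and b are.
    """
    best = {0.0: 1.0, 1.0: 0.0}                  # beta(0) = 1, beta(1) = 0
    for alpha, beta in points:
        best[alpha] = min(beta, best.get(alpha, 1.0))
    hull = []
    for pt in sorted(best.items()):
        while len(hull) >= 2:
            (x1, y1), (x2, y2) = hull[-2], hull[-1]
            cross = (x2 - x1) * (pt[1] - y1) - (y2 - y1) * (pt[0] - x1)
            if cross > 0:                        # strict left turn: hull[-1] stays
                break
            hull.pop()                           # hull[-1] is dominated
        hull.append(pt)
    return hull


def optimal_by_slope(points, p, a, b):
    """Walk the hull from alpha = 0 while the ROC segment is steeper than the
    indifference slope, i.e. while accepting more false positives still pays."""
    hull = lower_hull(points)
    k = indifference_slope(p, a, b)
    i = 0
    while i + 1 < len(hull):
        (x1, y1), (x2, y2) = hull[i], hull[i + 1]
        if (y1 - y2) / (x2 - x1) <= k:
            break
        i += 1
    return hull[i]


def optimal_by_cost(points, p, a, b):
    """Brute-force cross-check: evaluate C for every candidate, take the minimum."""
    candidates = [(0.0, 1.0), (1.0, 0.0)] + list(points)
    return min(candidates, key=lambda ab: expected_cost(ab[0], ab[1], p, a, b))


# Constructed operating points (alpha, beta); (0.20, 0.14) lies above the hull.
CONFIGS = [(0.02, 0.40), (0.10, 0.15), (0.20, 0.14), (0.30, 0.05)]
A_COST, B_COST = 50.0, 1000.0                    # constructed costs of a FP and a FN

if __name__ == "__main__":
    for p in (0.001, 0.005, 0.05, 0.10):
        alpha, beta = optimal_by_slope(CONFIGS, p, A_COST, B_COST)
        cost = expected_cost(alpha, beta, p, A_COST, B_COST)
        print(f"p={p:<6} slope={indifference_slope(p, A_COST, B_COST):6.2f} "
              f"-> alpha={alpha:.2f}, beta={beta:.2f}, C={cost:.3f}")
```

With these sample values the preferred configuration moves to higher false positive rates as malware becomes more prevalent, and at the lowest base rate the cheapest choice is the end point α = 0, where nothing is blocked.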

Exercise 2

Suppose we rely on a filter to scan incoming attachments for malware. Suppose the cost of dealing with a false negative event is $400, and the cost of dealing with a false positive is $ % of incoming has malware. You can choose between two configurations:
- Config. A: 0% false positive rate and 30% false negative rate
- Config. B: 25% false positive rate and 5% false negative rate
Your task:
1. Draw the ROC curve for configurations A and B (plus (0% FP, 100% FN) and (100% FP, 0% FN))
2. Calculate the slope of the indifference curve for the optimal configuration
3. Select the optimal point for the ROC curve

Review of security investment so far

Metrics for quantifying security benefits:
1. \( ALE_0 \): expected loss without security investment
2. \( ALE_s \): expected loss with security investment
3. \( EBIS_s \): \( ALE_0 - ALE_s \)
4. \( ENBIS_s \): \( ALE_0 - ALE_s - c \)

High-level investment metrics:
1. ROSI
2. NPV
3. IRR

Security investment questions worth answering

Q: Should we invest in security?
A: Yes, if ENBIS > 0
Q: Should we invest in defense A or B?
A: Choose the one with higher ROSI (or NPV if considering longer time horizons)
Q: How much should we invest?
A: Security investment models (e.g., Gordon-Loeb) say to invest until marginal cost of added security equals marginal benefit
Q: Is a security investment cost-effective?
A1: Yes, if ENBIS > 0
A2: Probably, if the minimum probability of attack required to break even is high enough

Cost-benefit analysis (CBA)

- Used widely in public policy to justify expenditures
- Quite similar to the security metrics presented earlier, especially ENBIS
- Emphasis placed on making best-effort estimates of key figures:
  1. Costs of insecurity (\( ALE_0 \))
  2. Costs of security countermeasures (c)
  3. Probability of attack (\( p_0 \))
  4. Risk reduction \( r = \frac{p_0 - p_s}{p_0} \)
- In CBA, a security investment is considered cost-effective if ENBIS > 0
- CBA exercises estimate the above figures and use the findings as evidence when deciding whether or not to adopt (or continue spending money on) a countermeasure
- When there is uncertainty over some figures, a range of values is considered

ENBIS using risk reduction

- ENBIS equations from earlier presentations using Bernoulli loss assumptions used \( p_0 \) and the improved probability \( p_s \)
- We can equivalently express this in terms of reduced risk:

\( ENBIS = (p_0 - p_s) \cdot \lambda - c \)
\( ENBIS = p_0 \cdot \frac{p_0 - p_s}{p_0} \cdot \lambda - c \)
\( ENBIS = p_0 \cdot r \cdot \lambda - c \)

ENBIS for multiple sources of loss

- Up to now, we have assumed that there is a single financial loss λ associated with an attack
- In fact, losses can take many forms, each with its own magnitude and probability of occurrence
- Ideally, we would like to account for each type of loss independently and combine into an aggregate measure
- Suppose there are n loss types. We can calculate the ENBIS as follows:

\( ENBIS = p_0 \cdot r \cdot \lambda - c \)
\( ENBIS = p_0 \cdot r \cdot \sum_{i=1}^{n} \left( P(\lambda_i \mid \text{attack}) \cdot \lambda_i \right) - c \)

CBA tasks

1. Estimate \( p_0 \) using available data (sometimes hard)
2. Enumerate the loss types, estimate their cost and conditional probability of occurring once an attack takes place
3. Estimate (or take as input) security costs c
4. Estimate (or take as input) risk-reduction rate r

We discuss cost-benefit efforts for two examples: terrorist attacks targeting highway bridges (reading 1) and sewer overflows at wastewater facilities (reading 2)

Case 1: terrorist attacks targeting highway bridges

1. Estimate \( p_0 \) using available data (sometimes hard)
   - No known instances in past, so assign small probability (p_0 = 0 4)
2. Enumerate the loss types, estimate their cost and conditional probability of occurring once an attack takes place
   1. Bridge replacement: $40 million (average of replacement costs for prior collapses), cond. prob. = .0
   2. Loss of life: 80 lives with actuarial value $6.3M each, occurring with cond. prob. 0.2 (estimated from prior collapses)
3. Estimate (or take as input) security costs c
   - NPV of 20% of bridge-replacement value amortized over 25 years = $260,000
4. Estimate (or take as input) risk-reduction rate r
   - Taken to be r = 0.9
   - High value selected to give benefit the best possible chance of exceeding costs

Case 1: terrorist attacks targeting highway bridges

\( ENBIS = p_0 \cdot r \cdot \sum_{i=1}^{n} \left( P(\lambda_i \mid \text{attack}) \cdot \lambda_i \right) - c \)
ENBIS = (fill in the equation)
ENBIS = −247K

Based on this calculation, the security investment does not seem to be justified.

Case 2: sewage overflows at wastewater facilities

Estimate \( p_0 \) using available data
- Original goal: estimate probability of malicious attack triggering large overflows, but there have only been a few publicly reported attacks
- Revised goal: estimate probability of large sewage overflows triggered by accident or attack, since both can be detected and sometimes prevented by incident detection system
- California Water Board reported 46 large overflows in one year in state
- They separately reported that facilities cover 0,593 sewer miles
- Hence the number of overflows can be expressed as = # miles.
- Cities with population over 00,000 have an average of ,300 sewer miles in their facilities
- Hence \( p_0 = 0.54 \)
- Note that \( p_0 \) is more accurately interpreted here as the expected number of overflows during the time period

Enumerate the loss types, estimate their cost and conditional probability of occurring once an attack takes place

  Loss category                      Data?
  Direct losses
    Cleanup costs                    yes
    Property damage                  yes
    Regulatory costs                 yes
    Lost business for victims        no
    Victim health costs              no
  Indirect losses
    Lost business for non-victims    no
    Broader environmental impact     no
    Psychological distress           no

We can estimate the costs for the categories we have to arrive at a lower bound for the total cost

  i   Loss category     λ_i     P(λ_i | SO)   Comments
  1   Cleanup costs     22K                   Likely underestimate
  2   Property damage   .4M     0.25          no data for cond. prob.
  3   EPA fine          2.89M                 violations SOs in CA in yrs; 2.% of US pop. in CA

Case 2: sewage overflows at wastewater facilities

Estimate (or take as input) security costs c

  City            Cost factor   Cost/year   Sewer miles
  Reference                     20K         300
  Atlanta         2             39K         225
  DC              3             59K         800
  San Francisco   6             8K          993
  New Orleans     8             57K         600

Estimate (or take as input) risk-reduction rate r
- Taken to be r = 0.4
- Argued that some overflows couldn't be prevented, but some should be

\( ENBIS = p_0 \cdot r \cdot \sum_{i=1}^{n} \left( P(\lambda_i \mid \text{attack}) \cdot \lambda_i \right) - c \)
ENBIS = (fill in the equation)
ENBIS = 67K

Based on this calculation, the security investment is justified for the average city.

Recall that security investment costs and the expected number of large overflows vary by city

  City            Cost/year   Sewer miles   ENBIS
  Reference       20K                       K
  Atlanta         39K                       K
  DC              59K                       K
  San Francisco   8K          993           -5K
  New Orleans     57K                       K

What if we are uncertain about the accuracy of estimates?

- When we are uncertain about one or more of the estimated parameters, we can do a breakeven analysis to identify the value a parameter must take for ENBIS = 0
- The best parameter to vary is the one that is most uncertain
- Often, this is \( p_0 \), the probability of attack without security investment

Cybersecurity is not the only discipline where estimating probabilities of rare events is difficult

- "The assessment of the probabilities that adversaries will choose courses of action should be the outputs of analysis, not required input parameters"
- Quote is from National Academies of Science report on bioterrorism risks
- What does this mean for cost-benefit analysis?

Breakeven analysis with probability of attack as output

\( ENBIS = (p_0 - p_s) \cdot \lambda - c \)
\( ENBIS = p_0 \cdot \frac{p_0 - p_s}{p_0} \cdot \lambda - c \)
\( ENBIS = p_0 \cdot r \cdot \lambda - c \)

Setting ENBIS to 0 and solving for \( p_0 \):

\( p_0 = \frac{c}{r \cdot \lambda} \)

We can then see for a range of parameter values what the corresponding breakeven probability of attack must be to justify security investment

Breakeven analysis for case 1

\( p_0 = \frac{c}{r \cdot \lambda} \)
p_0 = (fill in the equation)
p_0 =

Breakeven probabilities (as percentages) for case 1

Source:

Breakeven analysis for case 2

\( p_0 = \frac{c}{r \cdot \lambda} \)
p_0 = c / (r · (22K + .4M M 0.00))
\( p_0 = \frac{c}{r \cdot 40K} \)

[Figure: breakeven probability of sewage overflow for case 2. x-axis: risk reduction probability; y-axis: p_0 (expected # overflows); curves for c=20k, c=50k, c=00k.]

Breakeven analysis with risk reduction as output

\( ENBIS = (p_0 - p_s) \cdot \lambda - c \)
\( ENBIS = p_0 \cdot \frac{p_0 - p_s}{p_0} \cdot \lambda - c \)
\( ENBIS = p_0 \cdot r \cdot \lambda - c \)

Setting ENBIS to 0 and solving for r:

\( r = \frac{c}{p_0 \cdot \lambda} \)

We can then see for a range of parameter values what the corresponding breakeven risk reduction must be to justify security investment
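
The multi-loss ENBIS formula and the two breakeven analyses above, as one Python sketch. It is an added example, not code from the lecture; every loss figure, cost and probability in it is a constructed sample value, and the function names are hypothetical.

```python
# Added example: ENBIS with several loss types, plus the two breakeven analyses.
# Formula from the slides: ENBIS = p0 * r * sum(P(loss_i | attack) * loss_i) - c
# Every number below is a constructed sample value, not a figure from the lecture.


def expected_loss_per_attack(losses):
    """losses: list of (magnitude, conditional probability given an attack)."""
    for magnitude, prob in losses:
        if magnitude < 0 or not 0.0 <= prob <= 1.0:
            raise ValueError("need magnitude >= 0 and 0 <= probability <= 1")
    return sum(magnitude * prob for magnitude, prob in losses)


def enbis(p0, r, losses, c):
    """Expected net benefit of the investment. p0 may exceed 1 when it is read
    as an expected number of incidents per period, as in the sewer case."""
    if not 0.0 <= r <= 1.0:
        raise ValueError("risk reduction r must lie in [0, 1]")
    return p0 * r * expected_loss_per_attack(losses) - c


def breakeven_p0(c, r, losses):
    """p0 at which ENBIS = 0, i.e. p0 = c / (r * lambda)."""
    return c / (r * expected_loss_per_attack(losses))


def breakeven_r(c, p0, losses):
    """r at which ENBIS = 0, i.e. r = c / (p0 * lambda).

    Returns None when the required reduction exceeds 1: then no countermeasure
    at this cost can break even, however effective it is.
    """
    r = c / (p0 * expected_loss_per_attack(losses))
    return r if r <= 1.0 else None


def enbis_range(p0_range, r_range, losses, c):
    """Bounds on ENBIS when p0 and r are only known as (low, high) ranges.
    ENBIS increases in both, so the bounds come from the range end points."""
    low = enbis(p0_range[0], r_range[0], losses, c)
    high = enbis(p0_range[1], r_range[1], losses, c)
    return low, high


def breakeven_table(costs, r_values, losses):
    """Breakeven p0 for every (cost, risk reduction) pair."""
    return {(c, r): breakeven_p0(c, r, losses) for c in costs for r in r_values}


# Constructed loss types: (magnitude in $, probability given an incident).
LOSSES = [
    (200_000, 1.0),      # cleanup, always incurred
    (1_000_000, 0.2),    # property damage
    (5_000_000, 0.02),   # regulatory fine
]

if __name__ == "__main__":
    print("expected loss per incident:", expected_loss_per_attack(LOSSES))
    print("ENBIS:", enbis(0.5, 0.4, LOSSES, 60_000))
    print("breakeven p0:", breakeven_p0(60_000, 0.4, LOSSES))
    print("breakeven r:", breakeven_r(60_000, 0.5, LOSSES))
    print("breakeven r at c=300K:", breakeven_r(300_000, 0.5, LOSSES))
    print("ENBIS range:", enbis_range((0.1, 0.5), (0.2, 0.6), LOSSES, 60_000))
```

When the range returned by `enbis_range` straddles zero, as it does for these sample inputs, the estimates alone do not settle the decision and the breakeven values are the more useful output.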

Breakeven risk reduction for case 2

[Figure: breakeven risk reduction for case 2. x-axis: Cost ($K); y-axis: breakeven risk reduction probability; curves for 300, 500 and 3000 sewer miles.]

R code to generate plot

    # Breakeven risk reduction: r = c / (lambda * p0)
    br <- function(c, l, p) c / (l * p)
    costs <- seq(0, 500, by = 1)
    # Expected number of large overflows for a facility with the given sewer miles
    pover <- function(miles = 300) 46 / 0593 * miles
    pdf("cbrrsewer.pdf")
    # by = 1, the upper ylim of 1 and the pover() arguments of the dashed and
    # dotted lines are assumptions; the arguments follow the legend labels
    plot(x = costs, y = br(costs, 40, pover()), type = "l",
         ylab = "Breakeven risk reduction probability", xlab = "Cost ($K)",
         lwd = 2, ylim = c(0, 1))
    lines(x = costs, y = br(costs, 40, pover(500)), lty = "dashed", lwd = 2)
    lines(x = costs, y = br(costs, 40, pover(3000)), lty = "dotted", lwd = 2)
    legend("bottomright",
           legend = c("300 sewer miles", "500 sewer miles", "3000 sewer miles"),
           lty = c("solid", "dashed", "dotted"), lwd = 2)
    dev.off()

Exercise: CBA for patient data breaches

- Suppose that the Acme hospital chain is considering investing in controls to reduce the likelihood of suffering a breach of personal health records
- Security improvements will cost $2 million per year, and Acme estimates it would lose $50 million from a successful breach of its records
- Acme's risk management team estimates that protection would reduce its risk of suffering a breach by 40%

Problem 1: Calculate the break-even annual probability of a breach occurring.

Solution: setting ENBIS to 0 and solving for \( p_0 \), we get the following:

Exercise: CBA for patient data breaches

Suppose instead that it is determined that the breach probability is 5%.

Problem 2: Based on this updated information, calculate the risk reduction that would be required of security mechanisms in order to break even.

Solution: setting ENBIS to 0 and solving for r, we get the following:
Innealta C A P I T A L COMMENTARY: JUNE 1, 2015 AN OVERVIEW OF THE MODEL As accessible as it is powerful, and as timely as it is enduring, the Innealta Tactical Asset Allocation (TAA) model, we believe,
More informationInvestment in Information Security Measures: A Behavioral Investigation
Association for Information Systems AIS Electronic Library (AISeL) WISP 2015 Proceedings Pre-ICIS Workshop on Information Security and Privacy (SIGSEC) Winter 12-13-2015 Investment in Information Security
More informationFinal Exam Suggested Solutions
University of Washington Fall 003 Department of Economics Eric Zivot Economics 483 Final Exam Suggested Solutions This is a closed book and closed note exam. However, you are allowed one page of handwritten
More informationS atisfactory reliability and cost performance
Grid Reliability Spare Transformers and More Frequent Replacement Increase Reliability, Decrease Cost Charles D. Feinstein and Peter A. Morris S atisfactory reliability and cost performance of transmission
More informationThe Two-Sample Independent Sample t Test
Department of Psychology and Human Development Vanderbilt University 1 Introduction 2 3 The General Formula The Equal-n Formula 4 5 6 Independence Normality Homogeneity of Variances 7 Non-Normality Unequal
More informationPerspectives On 2004 and Beyond Ron Surz, President, PPCA, Inc.
Volume 8, No. 1 Senior Consultant The Voice of the Investment Management Consultant Perspectives On 24 and Beyond Ron Surz, President, PPCA, Inc. Due to a 4th quarter rally, the stock market returned 12%
More informationAS-4: Contingencies & Events Occurring after the Balance Sheet Date
AS-4: Contingencies & Events Occurring after the Balance Sheet Date IPCC PAPER 5 ADVANCED ACCOUNTING CHAPTER 2 CA. ANAND J. BANKA 1 Scope Contingencies Covered by AS 29 Provisions, Contingent Liabilities
More informationAligning Risk Management with CU Business Strategy
Aligning Risk Management with CU Business Strategy Managing your most pressing risks CUNA Mutual Group Proprietary Reproduction, Adaptation or Distribution Prohibited 2016 CUNA Mutual Group, All Rights
More informationCS 237: Probability in Computing
CS 237: Probability in Computing Wayne Snyder Computer Science Department Boston University Lecture 12: Continuous Distributions Uniform Distribution Normal Distribution (motivation) Discrete vs Continuous
More informationINV2601 DISCUSSION CLASS SEMESTER 2 INVESTMENTS: AN INTRODUCTION INV2601 DEPARTMENT OF FINANCE, RISK MANAGEMENT AND BANKING
INV2601 DISCUSSION CLASS SEMESTER 2 INVESTMENTS: AN INTRODUCTION INV2601 DEPARTMENT OF FINANCE, RISK MANAGEMENT AND BANKING Examination Duration of exam 2 hours. 40 multiple choice questions. Total marks
More informationAligning an information risk management approach to BS :2005
Interested in learning more about cyber security training? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written
More informationValue at risk might underestimate risk when risk bites. Just bootstrap it!
23 September 215 by Zhili Cao Research & Investment Strategy at risk might underestimate risk when risk bites. Just bootstrap it! Key points at Risk (VaR) is one of the most widely used statistical tools
More informationChapter-8 Risk Management
Chapter-8 Risk Management 8.1 Concept of Risk Management Risk management is a proactive process that focuses on identifying risk events and developing strategies to respond and control risks. It is not
More information[D7] PROBABILITY DISTRIBUTION OF OUTSTANDING LIABILITY FROM INDIVIDUAL PAYMENTS DATA Contributed by T S Wright
Faculty and Institute of Actuaries Claims Reserving Manual v.2 (09/1997) Section D7 [D7] PROBABILITY DISTRIBUTION OF OUTSTANDING LIABILITY FROM INDIVIDUAL PAYMENTS DATA Contributed by T S Wright 1. Introduction
More information14.03 Fall 2004 Problem Set 2 Solutions
14.0 Fall 004 Problem Set Solutions October, 004 1 Indirect utility function and expenditure function Let U = x 1 y be the utility function where x and y are two goods. Denote p x and p y as respectively
More informationPAPER 2 : STRATEGIC FINANCIAL MANAGEMENT
Question 1 PAPER 2 : STRATEGIC FINANCIAL MANAGEMENT Question No. 1 is compulsory. Attempt any five questions from the rest. Working notes should form part of the answer. (a) Mr. Tamarind intends to invest
More informationWhy your PSP should be your best defence against fraud
Why your PSP should be your best defence against fraud July 2017 processing.paysafe.com Why your PSP should be your best defence against fraud If recent crime statistics have taught us anything, it s that
More informationThe working roundtable was conducted through two interdisciplinary panel sessions:
As advancements in technology enhance productivity, develop new businesses and enhance economic growth, malicious actors continue to advance as well, seeking to exploit technology for any number of criminal
More informationEconomics 826 International Finance. Final Exam: April 2007
Economics 826 International Finance Final Exam: April 2007 Answer 3 questions from Part A and 4 questions from Part B. Part A is worth 60%. Part B is worth 40%. You may write in english or french. You
More informationI. BACKGROUND AND CONTEXT
Review of the Debt Sustainability Framework for Low Income Countries (LIC DSF) Discussion Note August 1, 2016 I. BACKGROUND AND CONTEXT 1. The LIC DSF, introduced in 2005, remains the cornerstone of assessing
More informationThe William and Flora Hewlett Foundation Financial Statements as of and for the Years Ended December 31, 2017 and 2016
The William and Flora Hewlett Foundation Financial Statements as of and for the Years Ended Report of Independent Auditors To the Board of Directors of The William and Flora Hewlett Foundation: We have
More informationRutgers University Department of Economics. Midterm 1
Rutgers University Department of Economics Econ 336: International Balance of Payments Spring 2006 Professor Roberto Chang Midterm 1 Instructions: All questions are multiple choice. Select the correct
More informationCHAPTER 9: THE CAPITAL ASSET PRICING MODEL
CHAPTER 9: THE CAPITAL ASSET PRICING MODEL 1. E(r P ) = r f + β P [E(r M ) r f ] 18 = 6 + β P(14 6) β P = 12/8 = 1.5 2. If the security s correlation coefficient with the market portfolio doubles (with
More informationAFM 271 Practice Problem Set #2 Spring 2005 Suggested Solutions
AFM 271 Practice Problem Set #2 Spring 2005 Suggested Solutions 1. Text Problems: 6.2 (a) Consider the following table: time cash flow cumulative cash flow 0 -$1,000,000 -$1,000,000 1 $150,000 -$850,000
More information7 STEPS TO BUILD A GRC FRAMEWORK FOR BUSINESS RISK MANAGEMENT BUSINESS-DRIVEN SECURITY SOLUTIONS
7 STEPS TO BUILD A GRC FRAMEWORK FOR BUSINESS RISK MANAGEMENT BUSINESS-DRIVEN SECURITY SOLUTIONS TO MANAGE INFORMATION RISK AND KEEP YOUR ORGANIZATION MOVING FORWARD, YOU NEED A SOLID STRATEGY AND A GOOD
More informationA Financial Perspective on Commercial Litigation Finance. Lee Drucker 2015
A Financial Perspective on Commercial Litigation Finance Lee Drucker 2015 Introduction: In general terms, litigation finance describes the provision of capital to a claimholder in exchange for a portion
More informationDefining Operational Risk
Defining Operational Risk Jack L. King We consider operational risk in the context of the firm. An analysis of various losses in terms of their causes and the events that trigger them is presented. The
More informationDifferential Cost Analysis for PowerPoint Presentation by LuAnn Bean Professor of Accounting Florida Institute of Technology
CHAPTER 7 Differential Cost Analysis for PowerPoint Presentation by LuAnn Bean Professor of Accounting Florida Institute of Technology Operating Decisions 2012 Cengage Learning. All Rights Reserved. May
More information4. E , = + (0.08)(20, 000) 5. D. Course 2 Solutions 51 May a
. D According to the semi-strong version of the efficient market theory, prices accurately reflect all publicly available information about a security. Thus, by this theory, actively managed portfolios
More informationJFSC Risk Overview: Our approach to risk-based supervision
JFSC Risk Overview: Our approach to risk-based supervision Contents An Overview of our approach to riskbased supervision An Overview of our approach to risk-based supervision Risks to what? Why publish
More informationProblem Set 2. Theory of Banking - Academic Year Maria Bachelet March 2, 2017
Problem Set Theory of Banking - Academic Year 06-7 Maria Bachelet maria.jua.bachelet@gmai.com March, 07 Exercise Consider an agency relationship in which the principal contracts the agent, whose effort
More informationCONTRASTING MARKET AND CREDIT RISKS
Feature Mukul Pareek, CISA, ACA, AICWA, PRM, is a risk professional based in New York, USA. He has more than 20 years of audit and risk experience in industry and financial services. He is copublisher
More informationCatastrophe Reinsurance Pricing
Catastrophe Reinsurance Pricing Science, Art or Both? By Joseph Qiu, Ming Li, Qin Wang and Bo Wang Insurers using catastrophe reinsurance, a critical financial management tool with complex pricing, can
More informationSubmissions must confirm the following additional requirements:
Best Paper Awards As part of the International Congress of Actuaries in 2018, the Scientific Committee will award a number of Best Paper Awards in six given subject areas. After consideration of all submissions,
More informationWeek 2 Quantitative Analysis of Financial Markets Hypothesis Testing and Confidence Intervals
Week 2 Quantitative Analysis of Financial Markets Hypothesis Testing and Confidence Intervals Christopher Ting http://www.mysmu.edu/faculty/christophert/ Christopher Ting : christopherting@smu.edu.sg :
More informationPresentation to August 14,
Audit Integrity Presentation to August 14, 2006 www.auditintegrity.com 1 Agenda Accounting & Governance Risk Why does it matter? Which Accounting & Governance Metrics are Most Highly Correlated to Fraud
More informationTable of Contents. Chapter 1 Introduction to Financial Management Chapter 2 Financial Statements, Cash Flows and Taxes...
Table of Contents Chapter 1 Introduction to Financial Management... 1 22 Importance of Financial Management 2 Finance in the Organizational Structure of the Firm 3 Nature and Functions of Financial Management:
More informationAccepted Manuscript. Enterprise Credit Risk Evaluation Based on Neural Network Algorithm. Xiaobing Huang, Xiaolian Liu, Yuanqian Ren
Accepted Manuscript Enterprise Credit Risk Evaluation Based on Neural Network Algorithm Xiaobing Huang, Xiaolian Liu, Yuanqian Ren PII: S1389-0417(18)30213-4 DOI: https://doi.org/10.1016/j.cogsys.2018.07.023
More informationUPDATED IAA EDUCATION SYLLABUS
II. UPDATED IAA EDUCATION SYLLABUS A. Supporting Learning Areas 1. STATISTICS Aim: To enable students to apply core statistical techniques to actuarial applications in insurance, pensions and emerging
More informationUniversity of Siegen
University of Siegen Faculty of Economic Disciplines, Department of economics Univ. Prof. Dr. Jan Franke-Viebach Seminar Risk and Finance Summer Semester 2008 Topic 4: Hedging with currency futures Name
More information