Does Modern Portfolio Theory (MPT) apply to cyber security risks?

Many months ago, my colleague David Severski asked on Twitter how Modern Portfolio Theory (MPT) does or does not apply to quantified cyber security risk:

I replied that I would blog on this “…soon”.  Ha!  Almost four months later.  Well, better late than never.

Short answer: No, MPT doesn’t apply.  Read on for explanations.

NOTE: “Cyber security risk” in this article is quantified risk – probabilistic costs of loss events or probabilistic total costs of cyber security.  Not talking about color-coded risk, categorical risk, or ordinal scores for risk.  I don’t ever talk about them, if I can help it.

A Short Summary of Modern Portfolio Theory (MPT)

This is a “For Dummies…” explanation, with only enough to serve our purposes.  It’s a sketch that leaves out many details and elaborations. See “Further Reading” at the end for more.

The Basics

Modern Portfolio Theory (MPT) is a sub-field in Economics of Investment and Finance.

Economists are not like you and me.  They look at investments in a very particular way: Every investment is reduced to a cash flow – a regular or irregular sequence of cash payments to or from an investor.  
For example, if you buy a rental property for cash, the cash out is your initial investment, the cash in is the monthly rental income, with possibly cash from the sale after some years. Periodically you have cash out for maintenance costs, taxes, etc.
MPT adopts a general scheme for characterizing all investments so they can be compared uniformly.  Two parameters completely characterize each investment: 1) average rate of return per year (mean return); and 2) average variability per year (variance, also called “risk”).  Variance includes both upside and downside variations from the mean return.

The square root of variance is “standard deviation”. These are the same two parameters that completely characterize the familiar Normal distribution (a.k.a. Gaussian):

Like the rest of Economic Finance, MPT assumes that everyone knows the mean return for all investments, or at least that nobody is systematically better or worse at estimating mean returns.  All uncertainty is captured in the variance (or its square root, standard deviation).

No rational investor would ever choose a security with a negative mean return. Investors will only lose money if they have bad luck (i.e. variability on the downside wipes out the mean return) or if they foolishly over-pay for the asset.

A portfolio is an allocation/commitment of a pot of capital (i.e. cash money) to a set of investments, with an eye toward collecting future uncertain cash flows. All possible investments and portfolios can be plotted as points in a 2-dimensional space of mean return vs. variance (“risk”):

Due to market forces (the “pricing of risk”), investors cannot earn higher mean returns without also taking on higher variance (“risk”).  All investors have the option of a “risk-free investment” which is the safest government bonds (currently USA).

Investors seek to assemble portfolios of investments that match their appetite for risk and reward. Variance (“risk”) has two components: 1) “idiosyncratic” that is unique to each investment; and 2) “systematic” that is common to all investments.  By pooling many, many investments, an investor can “diversify away” the idiosyncratic risk, and thereby improving their return/risk ratio.

Investments inside a firm (i.e. capital investments) are treated the same as investments in firms themselves via common stock.  In fact, finance economists view firms as nothing more that bundles of cash flows.

Investments are assumed to be independent, but their returns may or may not be correlated.  This can get complicated but here’s a simple way to think about it.  Imagine two rental properties, A and B, in the same metropolitan area.  The returns on property A does not depend on whether you buy property B, and vice versa.  It doesn’t matter what sequence you buy them, or what sequence you sell them.  That is independence.   But the returns from property A and B will probably be correlated (rise and fall together, by the same percentage), because rents, maintenance costs, taxes, and resale prices are all governed by common processes.

Inside firms, economists assume that all dependencies between investments are, themselves, investable securities.  These include options, futures, insurance, and so on.  

MPT ignores many real-world factors, like borrowing limits, collateral for borrowing, budget constraints, and bankruptcy (“going bust”).

What’s the Big Deal About MPT?

The promise of MPT for investors is defining a unique set of optimal portfolios for each level of risk – at the efficient frontier. Furthermore, it posits the existence of an optimal portfolio (the “tangency portfolio”) that is both on the efficient frontier and also has the highest ratio of return to risk (“Sharp ratio”) along the best possible Capital Allocation Line (CAL), which is a mix of a risky portfolio and the risk-free asset.

Why Might MPT Be Useful for Cyber Security Risk?

If you think of cyber security as a collection of distinct “risks” (what I call “Little-r risk” or “risk bricks”),  maybe it is possible to use MPT to choose an optimal portfolio of cyber security risks.  Maybe using MPT will also harmonize cyber security risk inside the general theoretical framework of economic finance.  Maybe economists and Chief Financial Officers (CFOs) will be happier.

No.  MPT Does Not Apply to Cyber Security Risk.

There are four reasons why cyber security does not fit the Modern Portfolio Theory (MPT) mold.
  1. Operational Risk is not Investment Risk
  2. It doesn’t make sense to “invest” in cyber security risks
  3. You can’t ignore dependencies
  4. “Big R Risk” is the best way to aggregate
I’ll try to explain these as simply as possible.

1. Operational Risk is not Investment Risk

In the view of Enterprise Risk Management, cyber security risk is a subset of the broader category called Operational Risk, which includes supply chain disruptions, outages due to natural disasters, process and quality problems, fraud losses, etc.  It is a mistake to try to bundle all these uncertain down-side costs into the variance of individual investments.  They are distinct (random, uncertain) generative processes with distinct effects on cash flow.  

The Only Reason Cyber Risk Exists is to Enable the Main Profit-making Activities

The profit-making assets (e.g. resources, equipment, people, projects, etc.) are primary.  Cyber security is only a supporting player.  It exists to serve and enable the primary profit-making assets.  Your business has to take on cyber security risk to even have the possibility of realizing investment returns (and risk).  In this way, it is more like your capital investment than it is the variable stream of investment returns.
Analogy: cyber security is like the backup singers or band in a group centered on a star – e.g. the Pips in Gladys Knight and the Pips and Elvis Presley’s backup band, TCB.  
Even better analogy: cyber security is like the sound system and sound technicians for the band.
Many people notice that investment risk includes both upside and downside variability, while cyber security risk is all downside, all cost. This is because investors can take either side of the investment (in principle).  For every borrower there is a lender.  For every buyer of a stock there is a seller, including potentially short sellers. And so on.

What’s the upside of cyber security risk?  It’s the profit-making assets that cyber security enables.

(Even though threat agents profit (sometimes) from your cyber security loss events, their profits do not count as “upside” to your company.)

Here’s a very crude example:  
Let’s say you run a team of gamblers playing blackjack in a casino.  It’s a special casino where the house odds are negative, meaning that, on the whole and on average, gamblers make a profit. There is one catch. At random intervals, a random gambler is selected to play Russian Roulette with a labeled gun with an unknown number of chambers and unknown number of bullets.  A player can’t earn any money from gambling unless that gambler also risks playing Russian Roulette.  If a gambler shoots a blank, they can report to you the label on the gun.  If a gambler kills themself, you learn nothing.  Even if you “buy” or “rent” your team members and replacements, it doesn’t make since to bundle the cost and uncertainties of the Russian Roulette into the ups and downs of gambling winnings.  Some other method for estimating and accounting for risk is needed.
Let’s look our simplistic example of rental property: 
The variability in returns is governed mostly by the “normal” ups and downs in maintenance costs, rents, resale values, etc. that are driven by the local and national economies.  But there are other possible downside “shocks” like fire or natural disaster.  In the absence of insurance or risk pooling, any one of these shocks could destroy an individual rental property, or even a whole portfolio of rental properties in the same local area.  If the shock is big enough, it could wipe out an investor.  
How would we compare these two rental properties?  
  • Property A has high return and high cash flow variability (“investment risk”), but low risk of fire.
  • Property B has low return and low cash flow variability, but higher risk of fire.
Because destructive house fires are rare, it becomes important to know how long you intend to hold each property before selling.  If you only hold Property B for a short time, maybe you can ignore the fire risk.  But a short holding time also increases the chances you will get lower than normal return or experience higher than normal downside cashflow.  You can’t earn a return on A or B unless you take on some fire risk, so in that way it resembles your cash investment to buy the property.

The solution is to fully price the “cost of fire risk” in the form of insurance premiums you pay every month to cover the full cost of any fire.  (This simple example works if even if you buy all your insurance through an external carrier, pool your risk among other investors, self-insure, or a combination of these risk finance methods.)

This solution is the essence of “Risk-adjusted Return on Capital” (RAROC) that is common in large banking and insurance companies. Unfortunately it is not well known or practiced in other industries.

(Skip this example if you understand the section, above) 

Let’s look at a very simple (and simplified) cyber security example.  
Say you have a 100% on-line business with a single dedicated web server.  Customers pay you a monthly fee to access and use the server through the Internet.  You do all the development and maintenance on this server.  You pay yourself a salary to keep up with the local cost of living.  Other recurring costs include office rent, taxes, accounting services, electricity, and Internet services.  You have some non-recurring costs for software, equipment, repairs, and security appliances and add-on software.
Maybe you want to get investments from friends or family to expand, so you need to estimate their return on investment and risk. Assuming you have reached “steady-state growth”, you can forecast revenue and costs pretty well, though there are ups and downs each month, quarter, and year.  Since you are a solo operator, part of the variability relates to your own capabilities, effort, and energy (including health).  Your investors can compare your forecast return and risk to other solo operator businesses to get a good idea of a reasonable “price” (i.e. share of the business).
But what about potential losses due to cyber security breaches?  Is your business is vulnerable to ransomware that might wipe out all your customer data and all your business data, too? What about the losses your customers might experience if their data is breached on your system? What about fines from regulators or lawsuits from customers? And the list goes on and on. In their frequency and severity, these loss events look completely different from the normal “ups and downs” of the business. It’s a mistake to try to roll these into normal variability. 
Instead, it’s better to pay a monthly premium to cover the total cost of all non-recurring security costs – a combination of self-insurance, commercial insurance, and contingent professional services.    This monthly premium is different from your other monthly costs, because it goes into a reserve account for future use or investment in the mean time.  (Investing the premiums is how insurance companies make profits.)
Plug in the cyber-insurance premium in a Risk-adjusted Return on Investment formula and you will be able to give your investors an accurate measure of investment risk and cyber security risk.

2. It doesn’t make sense to “invest” in cyber security risks

Normally, we talk about “accepting” or “absorbing” or “mitigating” or “preparing for” operational risk.  We don’t “invest” in operational risk the same way as we do capital investments (e.g. assets, securities, projects, etc.).

This isn’t just a quirk of language.  Investment risk is chosen, while cyber security risk is imposed upon you just for the right to be in business.  Investment risk is positively related to expected return.  The same is not true for cyber security risk.

Someone might say: “But maybe we ‘invest’ in certain cyber risks when we decide to pursue certain lines of business or markets or business models.  Can’t we call these ‘investments’ under MPT?”

I don’t think this works.  You can’t get an MPT-style return-risk model that bundles in cyber security risk into these different scenarios.  In each scenario, you have to “pay the ante” of cyber security risk to play the game.  Yes, you want to minimize the cost of risk through mitigations, controls, response & recovery, etc., but that’s a separate dynamic from the normal “ups and downs” of the business.

3. You can’t ignore dependencies

Above, I said that MPT treats each investment as an independent (but possibly correlated) cash flow, independent from all the other investments.  That is most emphatically not true for cyber security investments and risks.  Cyber security and associated loss events are run through with dependencies and contingencies.  

Consider the significance of your company’s business model and enterprise architecture (people, process, and technology), coupled with your information security architecture.  These are platforms on which you build your business, and all the security decisions and investments you make here will determine the performance and results of everything else.  Each individual cyber security risk (“Little r”) is dependent on all these platform elements.  Likewise, there is also dependence between “Little r risks”. Somehow, we need a way to factor in all these dependencies and platform effects.  That’s where “Big R Risk” comes in.

4. “Big R Risk” is the best way to aggregate

Instead of trying to build a “portfolio” of many “Little r risk” bricks, I recommend a different approach called “Big R Risk”. I’ve written a long blog post explaining it, so I won’t go into depth here.  Basically, the goal is to minimize Total Cost of Risk to enable the business.  Total Cost of Risk (TCoR) is the sum of:
  1. Total budgeted cyber security costs (direct and indirect, frequent incidents)
  2. Self-insurance premiums (including commercial insurance, if any)
  3. Allocation of disaster recovery and business continuity costs
Estimating these costs, and making them operational, takes a bit of doing, but is not out of the realm of possibility or feasibility.  Every business should be able to estimate the first element – Budgeted Costs – using nothing but accounting resources and methods (e.g. activity-based costing).  The trickiest one is 2) Self-insurance, but that’s beyond our scope in this article.

Further Reading

Here are a few good articles that assume you already know something about economic analysis and investment finance, some math and some code:

Article Link: