HANDBOOK OF INTEGRATED RISK MANAGEMENT FOR E-BUSINESS
Measuring, Modeling, and Managing Risk
Edited by Abderrahim Labbi

Copyright ©2005 by J. Ross Publishing, Inc.
ISBN 1-932159-07-X
Printed and bound in the U.S.A. Printed on acid-free paper.

Library of Congress Cataloging-in-Publication Data
Handbook of integrated risk management for e-business / edited by Abdel Labbi. 1st ed.
p. cm.
Includes and index.
ISBN 1-932159-07-X (hardback : alk. paper)
Electronic commerce. Risk management. I. Labbi, Abdel.
HF5548.32.H355 2004
658.15'5—dc22  2004013334

This publication contains information obtained from authentic and highly regarded sources. Reprinted material is used with permission, and sources are indicated. Reasonable effort has been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.

All rights reserved. Neither this publication nor any part thereof may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the publisher. The copyright owner's consent does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained from J. Ross Publishing for such purposes.

Direct all inquiries to J. Ross Publishing, Inc., 6501 Park of Commerce Blvd., Suite 200, Boca Raton, Florida 33487
Phone: (561) 869-3900
Fax: (561) 892-0700
Web: www.jrosspub.com

TABLE OF CONTENTS

Foreword by Dr. Krishna Nathan  v
About the Editor  vii
Contributors  ix
Chapter 1  Enterprise Risk Management: A Value Chain Perspective (William Grey and Dailun Shi)
Chapter 2  Integrated Risk Management (Samir Shah)  33
Chapter 3  Human Factors Issues in Computer and E-Business Security (Pascale Carayon, Sara Kraemer, and Vicki Bier)  63
Chapter 4  Managing Risks within Supply Chains: Using Adaptive Safety Stock Calculations for Improved Inventory Control (Richard Boedi and Ulrich Schimpel)  87
Chapter 5  Securing Your E-Business by Managing the Inherent IT Security Risks (Andreas Wespi)  113
Chapter 6  A Predictive Model for E-Bank Operational Risk Management (Marcelo Cruz)  135
Chapter 7  Predictive Data Mining for Project Portfolio Risk Management (Abderrahim Labbi and Michel Cuendet)  151
Chapter 8  Elements of Financial Risk Management for Grid and Utility Computing (Chris Kenyon and Giorgos Cheliotis)  169
Chapter 9  Service Level Agreements for Web Hosting Systems (Alan J. King and Mark S. Squillante)  193
Chapter 10  Optimal Control of Web Hosting Systems Under Service Level Agreements (Alan J. King and Mark S. Squillante)  213
Chapter 11  Sequential Risk Management in E-Business by Reinforcement Learning (Naoki Abe, Edwin Pednault, Bianca Zadrozny, Haixun Wang, Wei Fan, and Chid Apte)  263
Chapter 12  Predicting and Optimizing Customer Behaviors (Louis Anthony Cox, Jr.)  281
Index  311

FOREWORD

Today's increasingly competitive environment is causing companies to transform their businesses into more efficient and dynamic entities. Such businesses will, among other things, need the ability to quickly respond to outside forces, increase their variable-to-fixed-cost ratio, and be resilient to unexpected and potentially catastrophic events. Much of this will require a thorough understanding of risk, how to model and manage it, and finally, how to turn such knowledge into competitive advantage.

It is easy to see that oversubscription of resources to accommodate peak demand is inefficient and results in much higher fixed costs. But it is another matter entirely to understand and weigh the consequences of not meeting service level agreements for some period of time and to set a lower level of fixed resources accordingly. Likewise, it is straightforward to specify a system or process to be resilient to both internal and external factors. But what price is one willing to pay for this? Once again, a thorough understanding of the likelihood of an event, be it malicious or otherwise, and the risk (consequences) associated with it is critical to optimally answering this question and implementing a solution.

The importance of risk management is further magnified by the fact that decisions are taken increasingly frequently and with greater consequence than ever before. This is partly because of the availability of often real-time data from sensors, systems, and related processes, as well as the dynamic nature of the business processes themselves. It is worthwhile to note that there are two fundamental types of variability that need to be considered: internal variability within the system and external variability imposed upon the system. For example, in the power generation industry, internal variability may correspond to the variable output of individual power plants in a grid, while external variability may be due to the weather or the spot market price for power. Such problems have led to an increased awareness of the need to model the variability in most processes with a greater degree of reliability. Recent advances in analytical decision support systems have resulted in more reliable modeling and are routinely used to model this variability and the ensuing risk.

This handbook on risk management provides a comprehensive overview of the various kinds of risk — operational, security, service level, etc. — in real-world settings. While much has been written on the actual topic of integrated risk management, this is one of the first instances where the tools and technologies that allow for the implementation of solutions to solve specific problems are outlined. One could say that this book provides a recipe for the practical application of technology.

When considering real problems, it becomes clear that one cannot treat individual sources of risk in isolation. The interconnected nature of processes and their often global nature lead to an interaction of risks that necessitates an integrated risk management solution. In fact, this is one of the key messages of this book. The business need for the study of this topic makes this work very topical. Not only are businesses transforming themselves in order to drive increased revenue and profit, but they are also doing so to enhance the visibility into their own systems. Integrated risk management or enterprise risk management is a key step toward this transformation.

Dr. Krishna Nathan
Vice President and Director
IBM Research – Zurich Research Laboratory

ABOUT THE EDITOR

Dr. Abdel Labbi received a Ph.D. in Applied Mathematics in 1993 from the University of Grenoble, France. He is currently a Research Program Leader at the IBM Zurich Research Laboratory in Rüschlikon, Switzerland. Over the last four years, he has been leading several projects in the areas of operational risk management and customer relationship and supply chain risk management using advanced mathematical and statistical models. Prior to joining IBM Research, Dr. Labbi was Assistant Professor at the University of Geneva, Switzerland, where he led several research and development projects on mathematical modeling and data mining with scientific and industrial organizations. He has published more than 30 articles on subjects related to this book in international conferences and journals and holds four patents on related technologies.

CONTRIBUTORS

Naoki Abe, IBM T.J. Watson Research Center, Yorktown Heights, New York
Louis Anthony Cox, Jr., Cox Associates, Denver, Colorado
Chid Apte, IBM T.J. Watson Research Center, Yorktown Heights, New York
Marcelo G. Cruz, RiskMath, Inc., Jersey City, New Jersey
Vicki Bier, Department of Industrial Engineering, University of Wisconsin-Madison, Madison, Wisconsin
Michel Cuendet, Lab for Inorganic Chemistry, ETH Hönggerberg, Zurich, Switzerland
Richard Boedi, IBM Zurich Research Laboratory, Rüschlikon, Switzerland
Wei Fan, IBM T.J. Watson Research
Center, Yorktown Heights, New York
Pascale Carayon, Department of Industrial Engineering, University of Wisconsin-Madison, Madison, Wisconsin
William Grey, IBM Retirement Funds, White Plains, New York
Giorgos Cheliotis, McKinsey & Company, Zurich, Switzerland
Christopher M. Kenyon, IBM Zurich Research Laboratory, Rüschlikon, Switzerland

Predicting and Optimizing Customer Behaviors

will suffer and its prescriptions for action will be less valuable (Laffont, 1990). Thus, it is important to evaluate the quality of the predictions from the model after its parameters have been estimated. Predictive validity can be assessed using model cross-validation (Hjorth and Urban, 1994). First, multiple randomly selected disjoint subsets of customer data are used to fit the model, thereby creating multiple model replicates. The replicates are created using data available up to some time period, t. Each replicate is then used to predict the next-state transitions and future states of several thousand randomly selected customers, none of whom was used in fitting the model replicates. The predictions are made over periods t + 1, t + 2, …, t + h, where h is the forecast horizon (e.g., 12 months). Finally, predicted behaviors (i.e., product add and drop probabilities and account drop probabilities) are compared to actual behaviors to assess the predictive utility of the model.

Predictions from Tables 12.3 and 12.4 were tested via model cross-validation in samples of customers not included in the data used to construct the model. The criterion for predictive usefulness was the lift provided by the model in predicting which customers are most likely to undergo attrition, buy specific products next, etc. Lift is a marketer's term. Suppose that we wish to predict the 1% of customers who are most likely to buy an additional line (ADD) next month, based on the data in Table 12.1. Table 12.3 indicates that state 15 contains these customers and that, although randomly selecting 1% of the customers would yield an average of only 0.0024 additional line purchasers per sampled customer, selecting the customers from among those in state 15 more than doubles the expected yield, from 0.0024 to 0.0053. The ratio 0.0053/0.0024 = 2.2 is called the lift ratio achieved by using Table 12.3 compared to random selection of customers. (Actually, of course, it is only an estimate of the lift ratio. Repeating this calculation for many random samples of customers gives a frequency distribution of estimates for the lift ratio [i.e., the cross-validation estimate]. In 100 cross-validation replicates, the mean lift ratio was also slightly greater than 2.)

As long as the fraction of the population is less than about 3.6%, customers can be selected from state 15. Once all customers in state 15 (i.e., about 3.6% of them, according to Table 12.4) have been selected, however, the next highest yield state in Table 12.3 becomes state 8, with a lift ratio of only 0.0041/0.0024. Continuing in this way creates an entire lift chart or lift curve, showing the lift obtained (compared to randomly selecting customers) by using states to predict the x% of the population that is most likely to add a line in the next month, for all ≤ x ≤ 100%. The lift curve consists of consecutive piecewise linear segments. Each segment corresponds to a specific state, and the slopes of the segments indicate the yield rate of the corresponding state for the transition being analyzed.

Table 12.5  Average Lifts for Several Products (Nonpremiers)

                       ADD       CC       CF      CID       CR       CW     CWID
10%  Model based     73.90   580.80   253.24   478.13    58.33   227.02   348.06
     Random          29.28   123.19    67.69   213.28    11.14    92.12   100.61
     10% lift         2.52     4.71     3.74     2.24     5.23     2.46     3.46
50%  Model based    202.95  1168.07   589.47  1283.46   100.39   571.77   872.98
     Random         146.43   615.98   338.44  1066.44    55.72   460.63   503.07
     50% lift         1.39     1.90     1.74     1.20     1.80     1.24     1.74

Key: ADD = additional line, CC = custom choice, CF = call forwarding, CID = caller ID, CR = custom ring, CW = call waiting, CWID = call waiting ID.

Table 12.5 shows the mean lift ratios at x = 10% and x = 50%, estimated by averaging over 100 cross-validation replicates, achieved by state-based predictions for several products and for a subset of customers (the nonpremier customers, representing the majority of telephone account holders). These ratios are based on the average number of customers making each product purchase transition in a randomly selected x% of the population, for x = 10% and x = 50%, compared to the average number making the same transition among the x% of the population identified by the model as being most likely to make it. This testing was carried out in a different set of customers from those used to define states and estimate transition rates. The lifts in Table 12.5 were calculated for a three-month forecast horizon (h = 3); with longer horizons of up to a year, lifts gradually decline. However, extrapolating from short-term estimates of transition rates and initial conditions provides useful forecasts out to a year, the longest horizon tested. For example, the 10-month forecast for attrition in a particular hotly contested market area, based on attrition rates estimated from months' worth of data, was 0.23, compared to an observed rate of 0.19.

Lift charts can be used to compare predictive models. In general, one model is more useful than another for predicting a specific transition if it yields a higher lift curve for that transition. In the framework of Section 12.3, a choice of core products determines a model. The core states imply a set of macrostates (e.g., Table 12.2). These, with a database, generate a set of microstates via the state refinement procedure. The microstates yield predictions via Equations 12.1 to 12.3, and the predictions can be compared to actual transitions to create lift charts. Thus, finally, comparing lift charts allows evaluation of the initial choice of core products based on the lifts that they generate.

Since the same set of states can be used to predict multiple transitions, choosing a "best" set of states may require reducing multiple criteria to one. We have used each of the following as an evaluation criterion:

- Average lift, evaluated at x = 5% (the size of population that might be addressed by targeted promotions or mail campaigns). This is the lift from use of state-based predictions, averaged over all transitions of interest (i.e., product and account adds and drops) weighted by their relative frequencies.
- Maximin lift, which prescribes choosing state definitions to maximize the smallest lift obtained for any of the transitions of interest.

For both criteria, the five core products in Table 12.2 yield higher lifts than other choices for the core products.

12.4.2 Estimating the Prescriptive Value of a Model

Lift charts help to quantify the predictive value of a model for marketers, but they do not quantify the success of decisions based on the model. Table 12.6 shows examples of prescriptions from a state transition model. (The states shown are the most frequent of 81 microstates obtained from the macrostates in Table 12.2 via state refinement. The frequency counts shown are for a large sample of customers disjoint from the data sets used in earlier examples.)
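The lift-ratio and lift-curve evaluation described above, together with the state-definition steps summarized in Section 12.5 (macrostates from core-product combinations, pruning of rare combinations, state lookup tables, cross-validation on disjoint customer subsets), as an added example in Python. This is not code from the chapter, from US WEST, or from any project the book describes. It assumes a hypothetical core set (CID, CW, TP), constructs synthetic customer records with a hidden state-dependent add rate, and pairs the state 15 and state 8 yields quoted in the text with a constructed remainder segment so the lift arithmetic can be run end to end; the cross-validation scores each replicate on customers outside the subset it was fitted on.

```python
"""Added example (not from the chapter): a state-lookup predictor for next
period product adds, evaluated with the lift ratio, the piecewise linear
lift curve and cross-validation on disjoint customer subsets."""
import random
from collections import Counter

# Hypothetical core products; the chapter's actual core set is in Table 12.2.
CORE = ("CID", "CW", "TP")
OTHER = "other"  # pooled state for core-product combinations that are too rare


def macrostate(holdings):
    """Core-product combination held at time t, e.g. (1, 0, 1) for CID and TP."""
    return tuple(int(p in holdings) for p in CORE)


def fit_lookup_table(records, min_count=30):
    """Estimate P(add next period | state now) for each state from (holdings, added)
    records; combinations seen fewer than min_count times are pooled into OTHER."""
    counts = Counter(macrostate(h) for h, _ in records)
    kept = {s for s, c in counts.items() if c >= min_count}
    n, hits = Counter(), Counter()
    for holdings, added in records:
        s = macrostate(holdings) if macrostate(holdings) in kept else OTHER
        n[s] += 1
        hits[s] += added
    return {"kept": kept, "yield": {s: hits[s] / n[s] for s in n}}


def state_of(model, holdings):
    """Look up the (possibly pooled) state of one customer under a fitted model."""
    s = macrostate(holdings)
    return s if s in model["kept"] else OTHER


def lift_at(segments, x):
    """Lift when the x fraction of customers with the highest state yields is
    selected; segments are (state, population fraction, yield) as in Tables
    12.3 and 12.4, and a partially used state contributes proportionally."""
    base = sum(f * y for _, f, y in segments)  # yield of random selection
    remaining, hits = x, 0.0
    for _, frac, y in sorted(segments, key=lambda s: -s[2]):
        take = min(frac, remaining)
        hits += take * y
        remaining -= take
        if remaining <= 0:
            break
    return (hits / x) / base


def lift_curve(segments):
    """Breakpoints (x, lift) of the piecewise linear lift curve: one segment
    per state, ordered by decreasing yield; the curve ends at (1.0, 1.0)."""
    base = sum(f * y for _, f, y in segments)
    points, x, hits = [], 0.0, 0.0
    for _, frac, y in sorted(segments, key=lambda s: -s[2]):
        x += frac
        hits += frac * y
        points.append((x, (hits / x) / base))
    return points


def holdout_lift(model, test, x):
    """Lift at fraction x on held-out customers: rank them by the training
    yield of their state, then count who actually added next period."""
    ranked = sorted(test, key=lambda r: -model["yield"].get(state_of(model, r[0]), 0.0))
    k = max(1, round(x * len(test)))
    base = sum(a for _, a in test) / len(test)
    return (sum(a for _, a in ranked[:k]) / k) / base


def cross_validate(records, folds, x, seed=0):
    """Fit one replicate per disjoint subset and score it on the customers
    outside that subset; returns the mean lift over replicates."""
    rows = list(records)
    random.Random(seed).shuffle(rows)
    lifts = []
    for i in range(folds):
        train = rows[i::folds]
        test = [r for j, r in enumerate(rows) if j % folds != i]
        lifts.append(holdout_lift(fit_lookup_table(train), test, x))
    return sum(lifts) / folds


def constructed_records(n, seed=1):
    """Constructed sample data: random holdings, and a next-period add drawn
    from a hidden rate that is higher for customers holding both CID and CW."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        holdings = frozenset(p for p in CORE + ("CF", "VM") if rng.random() < 0.5)
        rate = 0.30 if {"CID", "CW"} <= holdings else 0.04
        rows.append((holdings, int(rng.random() < rate)))
    return rows


# Yields quoted in the text for states 15 and 8 (0.0053 and 0.0041, state 15
# holding 3.6% of customers); the fraction of state 8 and the pooled
# remainder are constructed, not values from the chapter.
EXAMPLE_SEGMENTS = [("15", 0.036, 0.0053), ("8", 0.064, 0.0041), ("rest", 0.900, 0.0021)]

if __name__ == "__main__":
    print("lift at 1%:", round(lift_at(EXAMPLE_SEGMENTS, 0.01), 2))
    print("lift curve:", [(round(x, 3), round(l, 2)) for x, l in lift_curve(EXAMPLE_SEGMENTS)])
    print("cross-validated lift at 10%:",
          round(cross_validate(constructed_records(4000), folds=4, x=0.10), 2))
```

Running the script prints the lift at 1% for the quoted state yields (about 2.3 against the constructed base rate), the breakpoints of the lift curve, and the cross-validated lift at 10% on the constructed data. A lift above 1 means the state ranking beats random selection; the cross-validated figure is the one to report, because each replicate is ranked and scored on disjoint customers, which is what keeps the estimate honest about how the lookup table will do on customers it has not seen.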
Table 12.6  Next Logical Product Prescriptive Lookup Table
State column (as extracted): 15, 32, 34, 36, 40, 42

Frequency   NLP1   NLP2   NLP3
15,635      CID    TP     CW
39,729      CID    TP     Toll
16,192      Toll   TP     CID
 5,318      Toll   TP     CID
 5,696      CW     VM     CC
 5,046      Toll   CW     TP
 9,600      Toll   CW     CC
 3,131      CID    TP     CW
 3,005      CID    CWID   TP
13,510      CID    Toll   TP
 3,668      Toll   CID    TP
12,116      CC     CF     TWY
 3,483      CID    CWID   TP

Key: CC = custom choice, CF = call forwarding, CID = caller ID, CW = call waiting, CWID = call waiting ID, TP = toll plan, TWY = three-way calling, VM = voice messaging.

NLP1 to NLP3 are, respectively, the most likely, next most likely, and third most likely products to be purchased from each state. To assess the economic value of such a table, it must be turned into recommended actions. The revenue consequences of the actions must be estimated and compared to those from the actions that would otherwise have been taken. This agenda is being pursued at US WEST as part of an ongoing project. The project is creating a real-time advisory system to advise sales agents about what products individual customers are most likely to want, given all available data about them (and subject to customer privacy and information protection and usage constraints). Until the results of that effort become available, the value of prescriptions based on state transition models can be estimated as follows:

- Assume that a sales agent with access to Table 12.6 will offer each of the top three recommended products to a customer (i.e., NLP1 to NLP3) based on the customer's current microstate. (This does not consider dynamic revision of microstates as offers are made and accepted or rejected. Such adaptation may be implemented later.)
- Assume that the customer accepts an offered product at the time it is offered if it is one that he or she would otherwise have bought within the next six months. (Actual customer choices are known from count data over time, as in Table 12.1. If the sales agent successfully offers the next product that a customer will buy, then we assume that the purchase date and resulting revenue stream occur now instead of later.)
- Assume that a sales agent without access to Table 12.6 always offers the three most popular products that the customer does not yet have. Again, offers are assumed to be accepted if they correspond to what the customer would have bought anyway within the next six months.

This simple model of sales agent offers and customer purchase behaviors allows one to simulate resulting sales and revenues with and without the prescriptions implied by Table 12.6. The result is that the average net present value per customer can be increased by over 10% for customers in many microstates by following the prescriptions in Table 12.6. More realistic modeling of customer behaviors and of the economic value of state transition models for optimizing offers will be undertaken as data are collected on offers and responses for individual customers. However, it appears that product history data (Table 12.1) and prescriptions based on them (Table 12.6) already suffice to target products to customers in a way that can significantly increase the average economic values of many customers.

12.5 SUMMARY AND CONCLUSIONS

Our procedure for defining the states of a state-transition predictive model from historical data such as those in Table 12.1 can be summarized as follows:

1. Identify core products using any of the heuristics described in Section. This step eliminates from the core any products that can be well predicted from the products in the core.
2. Create initial macrostates. Generate all logically possible combinations of the core products. Find the frequencies of these combinations and prune (or combine into an "other" category) any combinations that occur too infrequently to significantly affect state-based predictions of transition rates. The surviving combinations are the initial macrostates.
3. Refine the initial macrostates by augmenting them (via a state refinement tree-growing step that iteratively splits the next-state frequency distributions on other variables) with the information needed to make transition rates among them conditionally independent (CI) of the data, given the augmented state definitions. These new states are called (core) microstates.
4. Make predictions. The refined set of states can be used to create state lookup prediction tables (Tables 12.3 and 12.4) for predicting probable next core states and for predicting probable product and account adds and drops from each core microstate.
5. Evaluate predictions with lift charts. The average or maximin lift (or other criteria, depending on the decisions to be supported) from the state lookup prediction tables measures the utility of the defined states in predicting customer behaviors. If desired, this evaluation can be fed back to step 1 to guide the search for the most useful set of core products to be used in defining states. This iterative loop is relatively CPU-intensive compared to using classification tree voting or other noniterative heuristics to identify core products.

In applications to US WEST Communications data, this procedure has yielded lift ratios (evaluated at x = 10% of the population) of between and for most product adds (see Table 12.5). Most of these lift ratios are more than twice as great as the ones obtained from previous predictive models that used logistic regression, rather than a state transition framework, to predict probabilities of customer behaviors. Thus, the approach appears promising as a guide for predicting customer purchasing behaviors and optimizing product offers, as well as for predicting account attrition rates, forecasting product demands, and planning marketing campaigns (Section 12.3). That it can be implemented using only a few months' worth of data (to estimate A and X0) may be a decisive advantage in settings where more extensive historical data are not available.

Finally, from a methodological perspective, the approach of this chapter complements a rich literature on estimation, filtering, and prediction techniques (Elliott et al., 1995) by focusing on how data can be used to best define the states of a state-space (Markov) prediction model. This complements methods that focus on optimal estimation of states and of transition rate parameters from data, taking the definitions of the states as given.

REFERENCES

Aoki, M. (1996). New Approaches to Macroeconomic Modeling. Cambridge University Press, Cambridge, U.K.
Biggs, D., de Ville, B., and Suen, E. (1991). A method of choosing multiway partitions for classification and decision trees. Journal of Applied Statistics, 18(1), 49–62.
Breiman, L., Friedman, J., Olshen, R., and Stone, C. (1984). Classification and Regression Trees. Wadsworth Publishing, Belmont, CA.
Cox, L. A., Jr. (2001). Forecasting demand for telecommunications products from cross-sectional data. Telecommunications Systems, 16(3), 439–456.
Elliott, R. J., Aggoun, L., and Moore, J. B. (1995). Hidden Markov Models: Estimation and Control. Springer-Verlag, New York.
Hjorth, J. and Urban, S. (1994). Computer
Intensive Statistical Methods: Validation, Model Selection, and Bootstrap. Chapman & Hall/CRC, Boca Raton/London.
Laffont, J. J. (1990). The Economics of Uncertainty and Information. MIT Press, Cambridge, MA.
Lancaster, T. (1990). The Econometric Analysis of Transition Data. Cambridge University Press, New York.
Schober, D. (1999). Data detectives: What makes customers tick? Telephony, 237(9), 21–24.
Shaked, M. and Shanthikumar, J. G. (1994). Stochastic Orders and Their Applications. Academic Press, New York.
Strouse, K. A. (1999). Weapons of mass marketing. Telephony, 237(9), 26–28.

INDEX

A
Absolute contribution, 159
Access control, 76
Accident analysis, 78
Accidental causes in e-business security, 72–73
Account age, 298
Acquisitions, 20, 25
Action space complexity, 255–256
Active intrusion detection system, 124, 129
Active participation, 80
Actuarial methods, 53, 56
AdaBoost, 156, 157–158
Adaptive safety stock calculations, 96–99
Adversary behavior, 65–70
Allocation, robust, 200–202
Alternative risk transfer, 29
ANOVA table, 148
Antivirus software, 76
Approximate linear programming, 250–251
Arbitrage, 183
Architectural changes, IT, 120
Arrival rates, 249, 257
Attacker behavior, 65–70
Attribute global contribution, 159–160, 161
Auctions
Audit processes, 17
Audit source, 122, 123, 124, 129–130
Audit trails, 71
Availability, 173, 176, 209–210
Average load, 199

B
Balanced contribution, 160
Bandwidth
  multiresource assignment, 245–258
  multiresource scheduling, 216, 227–245
  single-resource provisioning, 216–227
Banking risk management, see E-bank operational risk management
Barings Bank, 135
Basel Committee on Banking Supervision, 35
Basel II, 35
Batch reinforcement learning with functional approximation, 268–270
Bayesian belief networks, 53
Behavior-based intrusion detection system, 122–123, 127, 128
Behavior on detection, 122, 123, 124–125
Below-target risk, 51
Benchmarking, 17
Biometrics, 76
Boosted decision trees, 162
Boosting, 156–158
  AdaBoost algorithm, 157–158
Brand value, 71
Browsers, characteristics of, 256
Bursts, 257
Business disruption, 138
Business practices, 138
Business risk, 4
Buyers, characteristics of, 256

C
California electricity market crisis, 185
Call options, 39
Capacity, 143
Cash flow, 142, 144, 173, 174, 175
  risk in utility computing, 183–184
Causality risks, 37
Cause-effect relationships, 55
Centers, 102, 104
CERT® Coordination Center, 116, 117
Chief risk officer, 17
Cisco Systems
Classification tree analysis, 284–286, 296, 297, 298, 299, 300, 301
Clustering, 96, 97, 98, 105–108
  Kohonen, 99–105
  topological, 102–103
CoCo report, 34
Cognitive walk-through, 77, 78
Combined Code, 34
Commodity price risk, 39
Commodity prices, 37
Communication, 73, 80, 81
Competitor risks, 51, 54
Complexity, 15
Complexity risk
Computer crime, see IT security
Computer security, see also IT security
  breaches, 63
  human factors in, see Human factors
Computing, conventional, 173–175
Computing utility, service level agreements for, see Service level agreements for Web hosting systems
Conditional independence, 284, 296, 298
Confidential information, 71
Conscience, 103
Consistency of results, 48–49
Contingent financing, 57
Continuous intrusion detection system, 125, 131
Contracts, 20, 24, 28, see also specific types
  for financial risk management in conventional utilities, 171, 172
  service, see Service level agreements for Web hosting systems
Control environment, 137, 139, 145
Control policies for bandwidth allocation, 220–221
  simulation and comparison of, 222–225
Conventional computing, 173–175
Core products, 286, 288, 289, 301–303, 309
Corporate raiders, 65
Correlation coefficients, 55
Correlation risk in utility computing, 184, 186
COSO, 35
Cost model, 233
Cost-sensitive learning, 264
Credit-card numbers, 71
Credit risk, 4, 50, 53, 142, 143, 144, 186–187
Critical phase, 208, 209
Customer behavior, predicting and optimizing, 281–309
  data and basic methods of analysis, 282–295
    from raw data to state transition models, 282–289
    optimizing, 292–295
    state lookup tables for predicting, 289–292
  defining states from data, 296–303
    initializing the state refinement loop by identifying initial states, 299–303
    iterative state refinement loop, building macrostates, 296–299
  estimating the prescriptive value of a model, 306–307
  lift charts for comparing and evaluating models, 303–306
Customer choice of committed service levels, 202–207
Customer-directed allocation in service level agreements, 207–210
Customer retention, 71
Cyber-terrorism, 66, 67, 69

D
Data, 102
Data clustering, 96, 97, 98, 105–108
  Kohonen, 99–105
  topological, 102–103
Data mining for project portfolio risk management, 151–167
  boosting project risk assessment, 158–160, 161
  boosting techniques, 156–158
  data consolidation, 152–153
  decision trees for project classification, 154–156
  estimation of portfolio financial performance, 154
  Monte Carlo simulation, 161–165
  process, 152–154
  project portfolio segmentation, 153–154
Decision making, sequential, 265–271
Decision support, on-line dynamic, 293–294
Decision trees
  boosted, 162
  for project classification, 154–156
Default, 53
Deliberate causes in e-business security, 72–73
Delivery risk factors in utility computing, 177–182
Delphi method, 53
Demand
  adaptive safety stock calculations, 96–99
  Kohonen clustering, 99–105
  warehousing model, 89–94, 95
Depreciation, 173, 174
Derivatives, 27–28, 39, 56
Detection, 64
Detection method, 122–123
Detection paradigm, 122, 123, 125
Determined attackers, 66, 68–69
Dey report, 34
Digital signature, 76
Dimensionality, 250
Direct-mail promotions, 264, 265, 271
Directors and officers liability insurance, 36
Disclosure policies, 18
Discounted cash flow, 140
Discrete-time dynamic programming, 217
Diversification, 20, 22–23, 24–25
Downside standard deviation, 50
Dynamic IT security risk management, 114, 118, 126–131
Dynamic programming policy, 222–227

E
Earnings value at risk, 49, 54, 56, 58
Earnings variance, 40
Earthquake risk, 38
E-bank operational risk management, 135–149
  classification scheme for losses, 138
  estimating the level of risk, 141–144
  modeling an operational risk database, 137–140
  multifactor models to predict risk, 144–149
  real options, 140–141
E-business security, human factors in, see Human factors
Economic order quantity, 91
Electricity, 171, 172, 173, 185, see also Utility and grid computing
  price-quantity curves, 176–177
Employee participation, 80–81
Employment practices, 138
Encryption, 76, 77
End-user knowledge, 73, 75
End-user participation, 80
Energy deregulation, 171
Engulfing, 103, 104
Engulfing centers, 104–105, 106
Enterprise information, access to
Enterprise risk management, 1–32
  financial, 26–28
  framework, 6–7
  insurance, 28–31
  operational, 23, 26
  organizational structure and controls, 17–19
  risk characterization, 6, 9, 11–16
  risk identification, 6, 7–9, 10
  strategic, 19–23, 24–25
  value chain, 5–6
Environment, 78
Episode data, 271
Époques, 103
Ericsson, 1–2
Ethical hacking, 70
European Commission, 35
Everquest, 188
Expected deficit, 51
Expert input, 52, 53, 54
External fraud, 138
Extreme value theory, 53

F
Failure, 114
Favoring stumps, 159
Feasibility planning, 199–202
Feedback, 80, 81
Financial diversification, 20
Financial hedging, 21
Financial innovation
Financial institutions, see E-bank operational risk management
Financial leverage, 19
Financial objectives
  alternatives for managing risk factors, 56–59
  financial model linking risk factors to, 54–56
  risk factors that threaten, 48–54
  stating, 48–49
Financial performance, portfolio, estimation of, 154
Financial risk management, 26–28
  for utility and grid computing, see Utility and grid computing
Financial Services Authority, 35
Fingerprint recognition, 77
Finite risk insurance, 29, 30
Firestone
Firewall, 76, 119
Ford
Forecasting, 200
Foreign exchange fluctuations, 37
Forward contracts, 39, 40, 41, 42, 43, 44, 45, 46, 171, 172, 182–183
Fraud, 138
ftp protocols, 119
Futures, 39
Fuzzy logic, 54

G
Gaming, on-line, 188, 189, 190
Gas, 171
General caching problem, 221
Generalization error, 155
Generalized processor sharing, 230
Going red, 208, 209
Greedy policy, 222–227
Grid computing, see Utility and grid computing
Growth, 48, 49

H
Hackers, 65, 66, 67, 69, 70, 71, 114, 117
  classes of, 65, 70
Hardware, 78, 173–175
Hedge ratio, 39, 40, 41, 42, 44
  optimal, see Optimal hedge ratio
Hedging, 21–22, 24–25, 27, 28, 37, 38, 56
Historical analysis, 7–8, 53, 54, 55, 144, 284
Host-based intrusion detection system, 124, 129
Human factors, 63–85
  attacker behavior/adversary perspective, 65–70
  human error, 71–76
  usability and implementation of security methods, 76–81

I
Implementation, of computer security methods, 76–81
Information, 80, 81
Information technology security, see IT security
Information warfare, 67
Infrastructure, 17, 18
Inherent risk, 36
Initial states, initializing the state refinement loop by identifying, 299–303
Inside attackers, 66, 67, 68
Insurable risks, 54
Insurance, 28–31, 36, 37
Integrated risk management, 33–62
  mathematical examples of, 38–48
    oil price, 39–42
    oil price and weather, 44–48
    weather, 42–44
  modeling process, 48–59
    develop financial model, 54–56
    evaluate alternative strategies, 56–59
    identify and assess risk factors, 49–54
    state corporate financial objectives, 48–49, 50, 51
  motivation for enterprise risk management, 34–38
Integrated risk measurement and management framework, 17
Intellectual capital risks, 51, 54
Intentional uncertainty, 70
Interface design, 78, 79
Internal fraud, 138
Internal management, 57
International Actuarial Association, 36
Intrusion detection, IT, 121–125
Intrusion detection engines, 125
Intrusion detection systems, IT, 76, 122–125
  risk assessment, 128
  risk identification, 126–128
  risk monitoring, 129–131
  risk resolution, 129
Intrusion prevention systems, 124
Inventory control, see Supply chain risk management using adaptive safety stock calculations
Irani's algorithm, 222
IT security, 113–133
  dynamic risk management, 126–131
  intrusion detection, 121–125
  static risk management, 118–121
  threats, 114–118
Iterative state refinement loop, initializing by identifying initial states, 299–303

J
Joint ventures, 20

K
KDD Cup, 264
Key risk indicators, 137, 139–140
KL space, 100–103
Knowledge-based errors, 72, 74, 75
Knowledge-based intrusion detection system, 122–123, 127
Kohonen clustering, 99–105
KonTraG, 34

L
Lead time, 89, 90, 91
Learning, 80, 81
  batch reinforcement with functional approximation, 268–270
Learning classification rules, 264
Legal risks, 51, 54
Leverage, 19–20, 24–25
Lifetime profits, 274–275, 277, 278
Lift charts, 303–306, 308
Liquidity risk, 37
Long-term value optimization, 294–295
Lookup tables, see State lookup tables
Lot size, 90

M
Machine reconfiguration, 121
Macrostates, 282, 286, 306
  refining definitions, 298
  refining to obtain microstates, 296, 297, 298
Marketing effects, causal modeling of, 294
Market risk, 3, 8, 50, 53, 143, 144
Markov chain theory, 290
Markov decision process, 53, 217, 249–250, 265, 271, 273, 274
Markov model, 283–284
Material risks, 52
Methodologies, 17, 18
Microstates, 282, 303
  building, 296–299
  refining macrostates to obtain, 296, 297, 298
Monte Carlo simulation, 142, 144, 161–165
Moore's Law, 193, 194
Multitrigger products, 57

N
Natural hazard, 51, 56
n-dimensional Kullback-Leibler space, 100–103
Need, 209–210
Net cash flow, 142, 144
Net present value, 140
Network administrator, 75
Network-based intrusion detection system, 124, 130
New Basel Capital Accord, 35
Next logical product, 307
Nike
Nokia, 1
Nontraditional insurance, 29

O
Obsolescence, 15
Off-line algorithms for bandwidth allocation, 221–222
Oil, 171
Oil price risk management, 39–42
  integration of weather risk, 44–48
On-line gaming, 188, 189, 190
Operating leverage, 19–20
Operational diversification, 20
Operational hedging, 21
Operational loss data, 137, 138, 139
Operational risk, 4,
35, 51, 54, 135 defined, 136 Operational risk management, 23, 26 e-bank, see E-bank operational risk management OpinionWorld, 71 Opportunistic attackers, 66, 68, 69–70 Optimal hedge ratio, 39–40, 41, 44, 45, 46, 47 Optimality equation for bandwidth allocation, 219–220 Optimal value function, 250 Optimizing customer behavior, see Customer behavior, predicting and optimizing Option on forward contracts, 171, 172, 183 Options, 39, 42 315 Organizational conditions, 78, 79 Organizational structure and controls, 17–19 Organized crime, 65, 67 Outside attackers, 66, 67 Outsourcing, 20, 25, 194 IT, 174 P Partnerships, 25 Passive intrusion detection system, 124, 129 Passive participation, 80 Passwords, 79, 117, 119, 121 strategies for good, 76, 77 Patches, 120 Peak load, 199 Pensions, 37 People risks, 51, 54 Periodic intrusion detection system, 125, 131 Peters Report, 35 PGP 5.0, 77 phf program, 117 Philips Electronics, Physical assets, damage to, 138 Physical environment, 79 Policies, 17, 18 Political risks, 51, 54 Portfolio planning, 199–202 Predicting customer behavior, see Customer behavior, predicting and optimizing Predictor, 156 Preemptive priority scheduling, 230, 234 Prevention, 64 Price, 14 Price-quantity curves, 176–177, 182 Price risk, 9, 175–176, 182–187 ProbE™, 270–271, 273 Process mapping, Product design risk, 37 Product ownership states, 282, 286, 287, 288, 289 Product portfolio design, 25 Professional criminals, 65, 66 Profit, 71 lifetime, 274–275, 277, 278 Project classification, decision trees for, 154–156 Project management, 80, 81 Project portfolio risk management, data mining for, see Data mining for project portfolio risk management Project portfolio segmentation, 153–154 Project risk assessment boosting, 158–160, 161 attribute global contribution, 159–160, 161 Project risk groups, 153 316 Handbook of Integrated Risk Management for E-Business Property risks, 37, 51, 54, 56 Protocols, 119 Pruning, 156, 255 Public-key encryption, 76 Q Q-learning, 
267–268, 269, 270, 277–279 drawback of, 267–268 Qualitative analysis, 11 Quality, 14 Quality of service, 194, 195 measurement, 195 thresholds, 196 Quality-of-service-adjusted charging, 197–198 Quality-of-service-adjusted throughput, 198 Quality-of-service-adjusted utilization, 197–198 Quality risk, Quantitative analysis, 11 Quantity, 14 Quantity risk, Queuing network model, 230–233 R Ratings risk, 37 Reaction, 64 Real options, 140–141, 142 Red teams, 70 Regression model, 40, 43, 44, 45, 55 Regulatory risks, 51 Reinforcement learning, sequential risk management by, 263–280 experimental results, 274–279 experimental setup, 271–274 sequential decision making, 265–271 Reliability engineering, 72 Reorder point, 90, 91 Replenishment cycle, 89, 91, 92 Reputation, loss of, 71 Request admission policy, 225 Request dispatcher implementations, 225 Resource allocation, 208–210 optimal, 294 Resources charging for, 196–197 loss of, 71 shared, allocation of, 214–216 in utility computing, 176 Response times, 196 Restructuring, 22, 24–25 Retail users of conventional utilities, 170 Returns, 48, 49 Revenue management, 226 Revenue risk, 38 Risk, see also specific types accountability for managing, 38 classification of, 36 factors, 54–59 measures, 49, 50, 51 quantification of, 52–53 types of, 50–55 Risk assessment, 17 IT security, 119, 120, 128 project, boosting, 158–160, 161 Risk characterization, 6, process, 9, 11–12 risk interactions with value chain processes, 13–16 risk propagation, 16 value at risk, 12–13 Risk factors, 140–141 Risk identification, IT security, 119–120, 126–128 techniques, 7–8 value chain risk taxonomy, 9, 10 Risk management, 6, 7, 16–17, see also specific topics cost of, 46–48 e-bank operational, see E-bank operational risk management enterprise, see Enterprise risk management financial, 26–28 for utility and grid computing, see Utility and grid computing human factors in computer and e-business security, see Human factors inherent IT security, see IT security 
insurance, 28–31 integrated, see Integrated risk management operational, 23, 26 organizational structure and controls, 16–19 project portfolio, predictive data mining for, see Data mining for project portfolio risk management sequential by reinforcement learning, see Reinforcement learning, sequential risk management by strategic, 19–23, 24–25 supply chain, see Supply chain risk management using adaptive safety stock calculations Risk management cycle, 119 Risk monitoring, IT security, 119, 121, 129 Risk propagation, 16 Risk resolution, IT security, 119, 120–121, 128–129 Risk securitization, 30 Risk transfer, 26 Robust allocation, 200–202 Index Rule-based errors, 72, 74, 75 Ruthless exercise, 183 S Safety stock, 88, see also Supply chain risk management using adaptive safety stock calculations calculation of, 90, 91 Sarsa learning, 268, 269, 270, 277–279 Scenario analysis, 7, Schwartz-Smith two-factor model, 53 Script kiddies, 117, 118 Securities and Exchange Commission, 34 Securitization, 56–57 Security scanner, 121 Security threats, IT, 114–118 Seismic imaging, 187, 188, 189 Self-insurance, 57 Sequential decision making, 265–271 Sequential risk management by reinforcement learning, see Reinforcement learning, sequential risk management by Sequential targeted marketing, 265 Server scheduling policies, 230 Serviceability, 15 Service contracts, see also Service level agreements for Web hosting systems requirements for, 194–195 Service level agreements for Web hosting systems, 193–211, 213–261 allocation of shared resources, 214–216 analysis of customer choice of committed service levels, 202–207 charging for resources, 196–197 customer-directed allocation, 207–210 dynamic multiresource assignment, 245–258 action space complexity, 255–256 approximate linear programming, 250–251 arrival rate process, 249 experimental results, 256–258 formal framework, 246–249 Markov decision process model, 249–250 scheduling and routing problems, 246–249 state space complexity, 
251–255 dynamic multiresource scheduling, 227–245 cost model, 233 experimental results, 241–245 formal framework, 229–233 network queuing model, 230–233 optimization of profits under preemptive priority scheduling, 234–241 server scheduling policies, 230 Web hosting environment, 229 dynamic single-resource provisioning, 216–227 317 control policies, 220–221, 222–225 formal framework, 217–221 off-line algorithms, 221–222 optimality equation, 219–220 request durations, 218 simulation and implementation issues, 225–226 portfolio feasibility planning, 199–202 provisions, 195–196 quality-of-service-adjusted charging, 197–198 requirements for, 194–195 workload measurement, 196 normal versus exceptional, 198–199 Service levels, 91, 92, 94, 95, 108, 109 Shared resources, allocation of, 214–216 Shortfall risk, 50 Simulation, 55–56, 58, 273–274 Single-event targeted marketing, 275, 271 Single-price auction, 172 Skill-based errors, 72, 74, 75 Smart card, 76 SMS messages, 188 Software, 78 installation, 74 poorly designed, 116–117 risk analysis, 64 Solvency II, 35 Sourcing strategy, 24 Spare parts inventory, 92 Special-purpose vehicle, 56 Spies, 65, 66, 67 Spot contracts, 171, 172 Spot markets, Spot prices in utility computing, 182 Standard deviation, 50 State-based intrusion detection system, 125, 130 State lookup tables, 308 for predicting customer behavior, 286, 287, 288, 289–292, 293 State refinement loop initializing by identifying initial states, 299–303 iterative, 296–299 State-relevance weights, 251 State space complexity, 251–255 State transition diagram, 286, 288 State transition model building, 296–303 for predicting customer behavior, 282–289 structure of, 286, 288 State variable, defining requirement for, 284 Static IT security risk management, 114–121 Stochastic differential equations, 53, 55 Stochastic dynamic programming, 142 318 Handbook of Integrated Risk Management for E-Business Stockout, 90, 91, 92 Strategic alliances, 20, 25 Strategic goals, 71 Strategic 
risk management, 19–23, 24–25 Stress testing, 13 Structured deals, 29, 30 Stumps, 157, 159 Submetric space, 100, 102 Suppliers of conventional utilities, 170 Supply chain risk management using adaptive safety stock calculations, 87–111 adaptive safety stock calculations, 96–99 clustering results, 105–108 Kohonen clustering, 99–105 simulation results, 108–110 warehouse model, 89–91, 94–96 simulation results, 91–94, 95 Swing contracts, 171, 172 System dynamics, 53 System failure, 114, 138 System integration, 152 T Tail-conditional expectation, 51 Take-or-pay supply contracts, 20 Targeted marketing, 265 Task analysis, 76–77, 78 Tasks, 78, 79 Technological change, 79–81 Telnet, 119 10-K statement, 34 10-Q statement, 34 Terrorists, 66, 67, 69 Test error, 155 Test set, 155 The Sims Online, 188 Throughput, 196, 197 Time since last transition, 297–298 Tools and technologies, 78 Topological clustering, 102–103 Traders of conventional utilities, 170 Training, 80, 81 Transaction costs, 27 Transaction data, 96 Transaction processing, 146 Transition-based intrusion detection system, 125, 130 Transition rate indicators, 299 TV game shows, 188, 189, 190 U Usability of computer security methods, 76–81 versus security, 120–121 Usage frequency, 122, 123, 125, 131 User test, 77, 78 Utility and grid computing, 169–191 conventional computing, 173–175 conventional utilities, 170–173 delivery scenarios, 177–182 financial risk management elements, 175–187 delivery risk factors, 177–182 price risk factors, 182–187 financial risk management examples, 187–190 Utilization, 196, 197–198 V Valuation methodologies, 18 Value, creating, 48 Value at risk, 12–13, 49, 50, 54, 56, 58, 144–145 Value chain design, 24 enterprise risk management, see Enterprise risk management restructuring, 22, 24–25 risk interactions with processes, 13–16 risk taxonomy, 9–10 Vandals, 65, 66, 67 Variable service, price-directed allocation for, 199 Variable service level charging, 198–199 Volatility risk in utility 
computing, 184, 185 Vulnerabilities, IT, 116 Vulnerability audit, 76 Vulnerability scanner, 121 W Warehouse model for safety stock, 89–91 simulation results, 91–94, 95 Water, 173 Weather derivatives, 28 Weather risk, 51, 53 Weather risk management, 42–44 integration of oil price risk, 44–48 Web hosting systems, service level agreements for, see Service level agreements for Web hosting systems Web voting, 188 Western Union, 71 Wholesale users of conventional utilities, 170, 171, 177 Workload measurement, 196 normal versus exceptional, 195, 198–199 Workplace safety, 138 Work system, 78 design of, 73 ... exchange equity prices commodity prices interest rate Market Risk Recurring Risk 10 Handbook of Integrated Risk Management for E- Business Enterprise Risk Management: A Value Chain Perspective 11... inventory write-downs See entry under “Quality.” Enterprise Risk Management: A Value Chain Perspective 15 16 Handbook of Integrated Risk Management for E- Business at different stages of the value... matter entirely to understand and weigh the consequences of not meeting service level agreements for some period of time and to set a lower level of fixed resources accordingly Likewise, it is