Posted by: admin, 15 years, 11 months ago
A while back (I am still catching up on my blogging since the site update), there was a great article on risk management. You will need to read the whole long but worthwhile article to understand what's going on. I found this bit interesting:
What caused VaR to catapult above the risk systems being developed by JPMorgan competitors was what the firm did next: it gave VaR away. In 1993, Guldimann made risk the theme of the firm’s annual client conference. Many of the clients were so impressed with the JPMorgan approach that they asked if they could purchase the underlying system. JPMorgan decided it didn’t want to get into that business, but proceeded instead to form a small group, RiskMetrics, that would teach the concept to anyone who wanted to learn it, while also posting it on the Internet so that other risk experts could make suggestions to improve it. As Guldimann wrote years later, “Many wondered what the bank was trying to accomplish by giving away ‘proprietary’ methodologies and lots of data, but not selling any products or services.” He continued, “It popularized a methodology and made it a market standard, and it enhanced the image of JPMorgan.” JPMorgan later spun RiskMetrics off into its own consulting company. By then, VaR had become so popular that it was considered the risk-model gold standard.
Basically, JPMorgan developed a great tool to see how much of its portfolio was at risk at the end of each day. It was released into the wild; RiskMetrics got hundreds of customers; and when the SEC mandated that firms disclose their risk to investors, VaR was deemed the standard. The only problem was that people took the measurement at face value without considering the inputs (e.g. they used two years of history for mortgage-backed securities) or how best to use the measure (as one tool of many). The original developers at JPMorgan who built the system understood its limitations.
So, despite my provocative title, open-sourcing VaR didn't cause the financial industry's woes. And certainly, VaR was only one of many misused tools. I can't help but think of the continuing debate about web-application scanners "versus" consultants actively reviewing an app by hand. The answer is that you can't rely on just one tool. App scanners are a great way to constantly check your web apps after they change or after new vulnerabilities are discovered. But to rely on them solely would be a mistake.
The other thing to take away is that the open source strategy worked insofar as it promoted VaR throughout the industry, and RiskMetrics became a successful spin-off.