International Journal of Business and Information
Sahinoglu, Ang, Morton, Vasudev, and Kramer
Quantitative Metrics to Assess and Manage Business Contracting Risk Using Risk-O-Meter Software

Mehmet Sahinoglu
Informatics Institute, Auburn University at Montgomery
Montgomery, AL 36117, USA

David Ang
College of Business, Department of Information Systems
Auburn University at Montgomery, Montgomery, AL 36117, USA

Scott Morton, Preethi Vasudev, William Kramer
Informatics Institute, Auburn University at Montgomery
Montgomery, AL 36117, USA

ABSTRACT

The risk factors that affect business operations are many. Identifying and managing those vulnerabilities and threats scientifically are key to conducting successful business operations. Failure to identify and manage these sources of risk will have very real consequences ranging from poor financial performance to business collapse. The current study proposes a software tool to facilitate assessment and management of business risk. This tool – the Business Risk-O-Meter – provides a critical aid for management and high-level decision makers. Using game theory and statistically driven methodologies, the Risk-O-Meter provides objective, quantitative risk assessment, and, unlike any other tool available today, it offers guidance for allocating resources for cost-effective risk mitigation. It will therefore assist managers and decision makers in commerce and industry in their efforts to achieve optimal business operations by effectively assessing and managing risk.

Keywords: Business contracting risk, quantitative, Risk-O-Meter, cost, game theory
Volume 11, Number 1, March 2016
1. INTRODUCTION

The sources of business operation vulnerabilities and threats can range from the quality of personnel to macro-economic factors. The consequence to those corporations and organizations that fail to identify and manage vulnerabilities and risks is diminished financial performance, if not business failure. Indeed, the U.S. Census Bureau puts the survival rate of new firms founded in 2005 through 2010 at only 43% [1]. To minimize and avoid such threats and potential business failures, a rational, scientific approach that identifies, assesses, and manages business risk is required.

Many methods of predicting business risks and failure have been developed by academia and researchers over the last three decades. Altman’s 1968 model [2] uses discriminant analysis to develop a discriminant function with five financial ratios for predicting business failure and at-risk. Altman’s is the first model to use discriminant analysis and is, by far, the most popular and cited research for business at-risk and failure prediction. Other discriminant models – such as those using multivariate discriminant statistical analysis for business at-risk and failure prediction – were also developed by Altman [3], Beaver [4], Courtis [5], and Dimitras et al. [6]. Since Altman’s 1968 model was developed, other methods have been developed to improve prediction accuracy. These methods are logit analysis by Ohlson [7], probit analysis by Zmijewski [8], mathematical programming by Gupta et al. [9], expert systems by Messier and Hansen [10], and neural networks by Altman et al. [11]. A complete review of these methods for the prediction of business at-risk and failure can be read in Dimitras et al. [6].

The identification and management of risk are key aspects of successful business operations. The Business Risk-O-Meter tool proposed here provides a special and objective methodology that is critically needed. This pioneering work represents a paradigm shift in risk assessment.
The Business Risk-O-Meter provides a quantitative risk assessment, unlike the subjective high-medium-low or red-yellow-green scales commonly seen in other assessment methodologies. There are other approaches to identifying and managing risk as detailed in the Institute of Management Accountants’ Enterprise Risk Management: Tools and Techniques for Effective Implementation [12], but none provide a means of allocating risk mitigation expenditures. In contrast, the Business Risk-O-Meter provides objective and scientific guidance in allocating monetary resources for managing risk in accordance with budgetary constraints. Additionally, the Business Risk-O-Meter provides a means to shift from often subjective and crude risk evaluation mechanisms to a verifiable, quantitative approach to risk management, resulting in an optimized expenditure of risk remediation dollars.

The current research adopts a model of business risk that quantifies the respondent’s experience with 10 crucial aspects of business risk. Those responses were subsequently used to calculate the business risk index through an algorithm designed by the principal author. To accomplish this task, the authors collected numerical and/or cognitive data from 40 respondents to supply the input parameters to calculate the quantitative business risk index. This paper not only presents a quantitative model, but also provides a remedial cost-optimized game-theoretic analysis about how to bring an undesirable risk down to a user-determined “tolerable level.” The proposed framework is adaptable and can be customized and configured by the analyst with no custom coding (XML inputs).
2. METHODOLOGY

This applied research implements a methodology on how to reduce business risk using modern probability analysis and game theoretic risk computing. A software-centered holistic approach is proposed to aid management and decision makers in identifying, assessing, and managing business risk. Ten vulnerabilities are assessed:

- Personnel quality
- Cost factors
- Delivery time
- Client perceptions
- Local service reps missing
- Communication problems
- Hardware deficiency
- Software deficiency
- Management quality
- Macro-economic factors

Within each category, questions pertain to specific threats and countermeasures (Figure 1). To cite one example, within the delivery time vulnerability, the 40 respondents in this study were asked about threats and countermeasures pertaining to logistics, delivery companies, adverse events, and alternative delivery measures. Respondents’ answers to the questions were then used to generate a quantitative business risk index.
Figure 1. Business Contract Risk Tree Diagram
The primary author’s innovation – i.e., the Business Risk-O-Meter – will provide management and decision makers with a measurable assessment of their current business risk and will also detail associated cost and risk mitigation suggestions for identified vulnerabilities and threats. The Business Risk-O-Meter will be demonstrated to provide such assessment and guidance for the allocation of resources for mitigating that risk. The business risk metric out of 100% will be assessed and a remedial cost-optimized game-theoretic analysis provided to bring an undesirable risk down to a user-determined “tolerable level.”

The approach the authors propose is a game theoretical-based approach that emphasizes the quantitative analysis of vulnerabilities, threats, and countermeasures, as shown in the business risk diagram in Figure 1. The theoretical framework of the diagram in Figure 1 is a tree diagram with vulnerability branches, threat twigs, and countermeasure branches (Figure 2) that calculate total residual risk as elaborated by Sahinoglu [3, 4]. This framework allows for the quantitative analysis of vulnerabilities and threats and the cost-optimal allocation of resources to countermeasures that will mitigate or lower the risk from those vulnerabilities and threats. The framework is used by the Business Risk-O-Meter software tool described in the next section to output total residual risk.

Note that RR (residual risk) = Risk of Vulnerability * Risk of Threat * Risk of Lack of Countermeasure. TRR (Total Residual Risk) is the sum of RRs.
Figure 2. General Tree Diagram Used for Business Risk-O-Meter (V = branches, T = twigs, and LCM = limbs)
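The RR and TRR definitions above, worked through on a small tree as an added example (not code from the paper or from the Risk-O-Meter software). The tree, its probabilities, and all function names are constructed for illustration; the example assumes that vulnerability probabilities sum to 1, that threat probabilities under each vulnerability sum to 1, and that LCM = 1 - CM. The what-if step changes a single leaf and is not the paper's game-theoretic optimization.

```python
from dataclasses import dataclass, replace
from math import isclose


@dataclass(frozen=True)
class Threat:
    name: str
    p_threat: float  # probability of this threat within its vulnerability
    p_lcm: float     # probability the countermeasure is lacking (1 - CM)


@dataclass(frozen=True)
class Vulnerability:
    name: str
    p_vuln: float
    threats: tuple


def validate(tree):
    """Assumed constraints (not stated on the page): every value lies in
    [0, 1], vulnerabilities sum to 1, threats under each one sum to 1."""
    for v in tree:
        for p in [v.p_vuln] + [x for t in v.threats for x in (t.p_threat, t.p_lcm)]:
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"probability out of range under {v.name!r}: {p}")
        if not isclose(sum(t.p_threat for t in v.threats), 1.0, abs_tol=1e-9):
            raise ValueError(f"threats under {v.name!r} must sum to 1")
    if not isclose(sum(v.p_vuln for v in tree), 1.0, abs_tol=1e-9):
        raise ValueError("vulnerability probabilities must sum to 1")


def residual_risks(tree):
    """Per-leaf RR = V * T * LCM, largest contributor first."""
    validate(tree)
    leaves = [(v.name, t.name, v.p_vuln * t.p_threat * t.p_lcm)
              for v in tree for t in v.threats]
    return sorted(leaves, key=lambda leaf: leaf[2], reverse=True)


def total_residual_risk(tree):
    """TRR is the sum of the per-leaf residual risks."""
    return sum(rr for _, _, rr in residual_risks(tree))


def with_lcm(tree, vuln, threat, new_lcm):
    """What-if: copy of the tree with one leaf's LCM changed."""
    return tuple(
        replace(v, threats=tuple(
            replace(t, p_lcm=new_lcm) if (v.name, t.name) == (vuln, threat) else t
            for t in v.threats))
        for v in tree)


# Constructed sample: three of the paper's vulnerability names, made-up numbers.
SAMPLE_TREE = (
    Vulnerability("Delivery time", 0.40, (
        Threat("logistics", 0.5, 0.4),
        Threat("adverse events", 0.5, 0.7))),
    Vulnerability("Communication problems", 0.35, (
        Threat("language barriers", 0.6, 0.3),
        Threat("legal system differences", 0.4, 0.8))),
    Vulnerability("Cost factors", 0.25, (
        Threat("elevated cost", 1.0, 0.5),)),
)

if __name__ == "__main__":
    print(f"TRR = {total_residual_risk(SAMPLE_TREE):.2%}")
    for vuln, threat, rr in residual_risks(SAMPLE_TREE):
        print(f"  {vuln} / {threat}: RR = {rr:.3f}")
    improved = with_lcm(SAMPLE_TREE, "Delivery time", "adverse events", 0.2)
    print(f"TRR after strengthening one countermeasure = {total_residual_risk(improved):.2%}")
```

Sorting the leaves by RR shows which vulnerability/threat pair dominates the total, which is where a countermeasure change moves TRR the most.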
Although the Business Risk-O-Meter can be used for virtually any business process, this particular implementation focuses on 10 key areas that are critical to ensure optimal business operations.
Personnel Quality: Because employees are fundamental to daily operations as well as long-term success, it is critically important to employ the highest quality personnel. This key area focuses on education level, pay and benefits, turnover, and dedication. Each must be addressed to ensure selection and retention of the highest quality personnel.
Cost Factor: This area focuses on the costs and revenue streams integral to doing business, i.e., standard cost itemization failure, elevated cost, international currency bottlenecks, and inconvenient payment plans.
Delivery Time: Critical to modern commerce, this key component must be optimized to prevent delays and subsequent customer dissatisfaction. This key area focuses on logistics, delivery companies, adverse events, and alternative delivery methods.
Client Perceptions: Assuring positive perceptions by the public and the goodwill of clients is critical to continued business success. This key area focuses on reliability, financial soundness, relationship history, and public relations.
Local Service Reps Missing: This factor is critical because of potential market share loss; therefore, it is essential to have a business presence. This key area focuses on expansion planning, recruitment, turnover, and compensation.
Communication Problems: Critical to international business, this key component is a must in today’s global economy. This key area focuses on language barriers, customs barriers, legal system differences, and technology.
Hardware Deficiency: Essential for keeping up in today’s tech-driven economy, this key area focuses on funding, technology trends, staff knowledge, and management backing.
Software Deficiency: Also essential for keeping up in today’s tech-driven economy, this key area focuses on funding, software trends, staff knowledge, and management backing.
Managerial Quality: The quality of a company’s leadership often makes or breaks it. This key area focuses on education, compensation, retention, and commitment.
Macro-Economic Factors: This key area provides the environment in which businesses must operate and focuses on growth rates, interest rates, commodity prices, and the regulatory environment.
Although these 10 areas are not exhaustive, they are relatively comprehensive of, and critical to, business risk. This research focuses on the areas vital to business operations and provides management and decision makers with an analytical framework they can use to more efficiently structure their business operations. For more details on the Security Meter tree diagrams, see references [13-17] by the primary author who invented Security Meter.
3. ASSESSMENT QUESTIONS

Questions in this study were designed to elicit the user’s response regarding the perceived business risk from particular threats, and the countermeasures the user may employ to counteract those threats. For example, in the area of communication problems vulnerability, questions regarding legal system differences include both threat and countermeasure questions (see Appendix).

Threat questions would include:

- Does the country lack a well-established legal system?
- Is the legal system based on something other than English common law?
- Are judicial decisions based on other than the rule of law?
- Does litigation take several years, if not a decade?
- Do you lack a clear sense of what the legal system is in a particular country?

Countermeasure questions would include:

- Did the parties agree to outside arbitration or adjudication in a third country?
- Has the company hired local legal representation?
- Did the company purchase political risk insurance?
- Did the company require prior payment?
- Did the company have staff familiar with the legal systems of other countries?
4. A CASE STUDY FOR BUSINESS CONTRACT RISK ASSESSMENT AND MANAGEMENT

For this study, a random sample of 40 respondents was used. Essentially, the users responded yes or no to the questions posed. Their responses were used to calculate a residual risk index. Using a game-theoretical mathematical approach, the authors employed the calculated risk index to generate an optimization or lowering of risk to desired levels [13, 14]. Further, mitigation guidance was generated to aid management and decision makers in resource allocation decisions for lowering risk. That is, in which areas can the risk be reduced to optimized or desired levels, such as from 47.6% to 37.6%, as shown in the screenshot (Figure 3) representing the median response from the study participants? Figure 3 depicts the median information for a certain respondent who personifies and epitomizes the company. The residual risk results for all respondents are shown in Table 1. The business risk survey, including all the questions posed, is shown in the Appendix.
Figure 3. Median Respondent’s Business Risk-O-Meter Results
Table 1. Respondents’ Residual Risk Results

Survey results for the Business Risk-O-Meter study (rounded to two decimal places), ranked overall, where median: 47.61% (Respondent20) and average: 48.14% (Respondent21, with 48.22%, comes the closest)

Survey Taker    Residual Risk (%)    Rank from Least to Greatest (Out of 40)    Remarks
Respondent1     28.92                1st
Respondent2     33.65                2nd
Respondent3     34.36                3rd
Respondent4     36.19                4th
Respondent5     39.15                5th
Respondent6     40.35                6th
Respondent7     42.08                7th
Respondent8     42.86                8th
Respondent9     44.61                9th
Respondent10    44.94                10th
Respondent11    45.21                11th
Respondent12    45.63                12th
Respondent13    45.69                13th
Respondent14    46.63                14th
Respondent15    46.75                15th
Respondent16    47.08                16th
Respondent17    47.13                17th
Respondent18    47.23                18th
Respondent19    47.57                19th
Respondent20    47.61                20th                                       Overall Median
Respondent21    48.22                21st                                       Overall Average
Respondent22    49.03                22nd
Respondent23    49.10                23rd
Respondent24    50.22                24th
Respondent25    50.24                25th
Respondent26    50.34                26th
Respondent27    50.78                27th
Respondent28    50.78                28th
Respondent29    50.82                29th
Respondent30    51.27                30th
Respondent31    51.40                31st
Respondent32    55.08                32nd
Respondent33    56.13                33rd
Respondent34    56.75                34th
Respondent35    57.45                35th
Respondent36    60.22                36th
Respondent37    60.22                37th
Respondent38    62.46                38th
Respondent39    63.39                39th
Respondent40    83.24                40th
5. CONCLUSION AND DISCUSSIONS

The business contracting (loss of) Risk-O-Meter breaks new ground by providing the user with a quantitative assessment of risk as well as recommendations for mitigating that important corporate life-line risk. Although studies (mostly statistically based) have been conducted [2-11] with regard to estimating business-contracting risk, they did not include the combination of risk assessment and related risk management components. In some of the earlier works, goal programming was applied as well. In contrast, the currently proposed technique combines probabilistic analysis and game-theoretic optimization at the risk assessment and management stages, respectively. Moreover, in spelling out what guidance to follow, the cost-based optimization is a major breakthrough.

The most obvious innovation that the suggested algorithmic software-based approach brings is the simplicity with which companies can now tackle their contracting-risk handicaps with a hands-off approach that offers a pragmatic, cost-efficient, and unbiased road map indicating how far to improve and how much to spend should it be necessary to go through an auditing stage. For these reasons, the proposed technique will be highly useful to managers and decision makers seeking to minimize and mitigate business risk in an objective, quantitatively based manner.

The co-authors have run the experimental software with 40 respondents from different echelons of business (names withheld because of privacy issues) in order to obtain a realistic picture of the situation, rather than guessing how they would respond. The business risk survey instrument is included in the Appendix, and the respondents’ residual risk results are shown earlier in Table 1. The proposed method is easy to apply, and the Risk-O-Meter (RoM) software is practical to use, easy to understand, and cost-conscious. Best of all, it is free of any subjectivity or bias.

If questions do not fit the company’s lifestyle, then new ones can be custom-tailored in the XML files. Regarding the proposed probabilistic risk assessment and cost-optimal game-theoretic management algorithm, the RoM in this article uses Neumann’s mixed-strategy with respect to business practices and probabilistic laws. The gaming concept entails that whatever one player challenges, the rival player concurs with, leading to complete agreement, in effect minimizing the damage or maximizing the gain from whatever angle one views it.
Future work will incorporate new vulnerabilities and questions in order to better refine user responses and the calculation of risk and mitigation recommendations. Minimization and mitigation of business risk will greatly benefit not only the companies deploying the tool, but also society at large through greater prosperity and economic stability. The business contracting Risk-O-Meter tool and its future refinement provide the means to do so.
APPENDIX
REFERENCES

[1] Census Bureau, U.S. Dept. of Commerce. Business Dynamics Statistics. http://www.census.gov/ces/dataproducts/bds/data_firm.html (accessed 5/16/2014).
[2] Altman, E.I. 1968. Financial ratios, discriminant analysis, and the prediction of corporate bankruptcy, The Journal of Finance 23, 589-609.
[3] Altman, E.I. 1993. Corporate Financial Distress and Bankruptcy, New York: John Wiley & Sons.
[4] Beaver, W.H. 1966. Financial ratios as predictors of failure, empirical research in accounting: Selected studies, Journal of Accounting Research, Supplement to Vol. 4, pp. 71-111.
[5] Courtis, J.K. 1978. Modeling a financial ratios categorical framework, Journal of Business Finance and Accounting 5(4), 371-386.
[6] Dimitras, A.I.; S.H. Zanakis; and C. Zopounidis. 1996. A survey of business failures with an emphasis on prediction methods and industrial applications, European Journal of Operational Research 90: 487-513.
[7] Ohlson, J.A. 1980. Financial ratios and the probabilistic prediction of bankruptcy, Journal of Accounting Research (Spring), 109-131.
[8] Zmijewski, M.E. 1984. Methodological issues related to the estimation of financial distress prediction models, Studies on Current Econometric Issues in Accounting Research, pp. 59-82.
[9] Gupta, Y.P.; R.P. Rao; and P.K. Bagghi. 1990. Linear goal programming as an alternative to multivariate discriminant analysis: A note, Journal of Business Finance and Accounting 17(4), 593-598.
[10] Messier, W.F.; and J.V. Hansen. 1988. Including rules for expert system development: An example using default and bankruptcy data, Management Science 34(12), 1403-1415.
[11] Altman, E.I.; G. Marco; and F. Varetto. 1994. Corporate distress diagnosis: Comparisons using discriminant analysis and neural networks (the Italian experience), Journal of Banking and Finance 18, 505-529.
[12] Institute of Management Accountants. Enterprise Risk Management: Tools and Techniques for Effective Implementation. http://www.imanet.org/PDFs/Public/Research/SMA/ERM_Tools%20and%20Techniquess.pdf (accessed 5/16/2014).
[13] Sahinoglu, M. 2007. Trustworthy Computing, New York: John Wiley & Sons.
[14] Sahinoglu, M. 2008. An input-output measurable design for the security meter model to quantify and manage software security risk, IEEE Transactions on Instrumentation and Measurement 57(6), 1251-1260.
[15] Sahinoglu, M. 2005. Security Meter: A practical decision tree model to quantify risk, IEEE Security and Privacy 3(5), 18-24.
[16] Sahinoglu, M.; Y.-L. Yuan; and D. Banks. 2010. Validation of a security and privacy risk metric using triple uniform product rule, International Journal of Computers, Information Technology and Engineering 4(2), 125-135.
[17] Sahinoglu, M.; and L. Cueva-Parra. 2012. Game-theoretic computing in risk analysis, WIREs Comput. Stat 2012, doi: 10.1002/wics, 1205, 2012. http://authorservices.wiley.com/bauthor/onlineLibraryTPS.asp?DOI=10.1002/wics.1205&ArticleID=961931
ABOUT THE AUTHORS

Mehmet Sahinoglu is the founding director of the Informatics Institute and the cybersystems and information security graduate program at Auburn University in Montgomery. He authored Trustworthy Computing by Wiley [2007], Cyber-Risk Informatics by Wiley [2015], and more than 170 journal articles and conference proceedings. He holds a Ph.D. in statistics and ECE from Texas A&M (1981), an MSEE from the University of Manchester Institute of Science and Technology (1975), and a BSEE from METU, Ankara, Turkey.

David Ang is a professor and department chair of Information Systems at Auburn University Montgomery. He has 20-plus years of professional practical work experience. His areas of research include systems engineering, business process and production management, and information systems risk assessment and management. He has published more than 70 articles in academic business research journals and conference proceedings. He has a Ph.D. in industrial management and systems engineering from the University of Alabama in Huntsville.

Scott Morton is a program associate at Auburn University at Montgomery and cybersystems (CS) instructor at Troy University Montgomery and South University. He holds an M.S. in computer science from Troy University, an M.A. from Georgetown University, and a B.A. from Johns Hopkins University.

Preethi Vasudev has been a part-time graduate research assistant at Auburn University Montgomery since January 2013. She graduated from Auburn’s cybersystems and information security (CSIS) graduate program with a master’s degree (summa cum laude) in August 2014. She holds a B.E. in computer science from Bangalore University, India. She has worked in the investment banking domain as a senior consultant with Blackrock Inc. in London, England, from 2008 to 2012. She is currently employed by UP&RUNNING Inc. as a software developer.

William F. Kramer has more than 25 years of experience in the information technology field. His experience includes application design, development, software life-cycle management, and systems engineering. His education includes a B.S. in computer science from Chapman University, an M.S. in management science from Faulkner University, and an M.S. in cybersystems and information security from Auburn University at Montgomery. He is currently employed with the U.S. Air Force as a federal civilian.