Is anybody out there interested in / knowledgeable about means of quantifying risks arising from buggy software? My interest is mainly in how this is done in the banking industry, for instance measuring the risk of an algorithmic trading system in an investment bank issuing erroneous trades.

 

You need to be a member of Global Risk Community to add comments!

Join Global Risk Community

Votes: 0
Email me when people reply –

Replies

  • There is actually an entire field of study dedicated to this question and related ones (which fall under the heading of "information security economics"). I've done some work in that field, but far better names than I include the following: Ross Anderson (Cambridge), Tyler Moore (Harvard), Arjen Lenstra (EPFL), Jean Camp (IU), Eric Johnson (Dartmouth). Perhaps start out with Eric Johnson to begin with. All top people.
  • Compared with 10 years ago, the software industry are both more complex and mature. It's more mature no necessary in term of the quality of the software, but the development environment and means to catch the defects. For example, there are quite a lot of study of software defect patterns in the last 10 years. And there are quite a few outstanding commercial and freeware tools to help you detecting the defects. The means are not only applied to the regular software, but also to trading software as well in the banking industry.

    I actually used a tool called Fortify from HP to perform such an evaluation for a large bank in a project last month. The result was pretty positive. We caught hundreds of security defects in the software code base such as buffer overflow, memory leak, null dereference, potential DoS etc.. As a direct result of the project, the software code base is getting both safer, and at the same time, meeting the critical performance requirements. 

  • Very interesting post, I am aware of vulnerability assessments for RDBMS, Network, OSes etc. Internally developed code is also thoroughly tested but cannot remember a lot about the application software acquired from external sources. I think I will need to visit some friends in banks to understand how they quantify such risk.
  • Software-bugs are part of the Operational Risk and can only be dealt with through procedural changes. They are certainly not quantifyable, unless you assign ratings to different severities (ie. severity of a report-column header being wrong vs severity of a total system crash vs. severity of wrong numbers in a calculation).

    As for op-risk procedure changes - quality measures (such as for example SixSigma) can be applied beautifully to Software development and help to drastically reduce the number of bugs in Software.

  •  

    My experiences help to categorize three types of software applications (my opinion; may not be industry standard):

     

    -- commercial software. 

    Commercial software are products of those software firms.  Therefore such software products are of higher quality in general than non-for-sale software.  However it is not being ruled out that some small companies may not pay much attention to the testing part.

     

    -- proprietary software.

    "In-house", proprietary software are developed for a company's own use, and not for sale.  Therefore, their "buggy" condition largely depends on relevant managers.  Ignorant managers/bosses particularly from small companies may not follow software engineering's recommended methodology.  And then "buggy" proprietary application becomes part of a company's operational risk source.

     

    -- opensource software.

    Opensource software are 'open'.  Therefore their conditions of being "buggy" or not are also open facts to careful people.

This reply was deleted.

Introducing the Global Risk Series - Book 1 Risk Management How Tos

Dear GlobalRisk Community member, Our community’s mission is to foster business, networking and educational explorations among members. Learn from some of the top experts in the industry as they clearly explain how to approach the most important Risk management concepts. Check out their expert tips and use the link at the end of each article to navigate back to the website to leave your comment or ask a question.   Some of the topics include: How do you Explain Risk Appetite?  How to Prepare a…

Read more…
16 Replies · Reply by GlobalRiskCommunity Mar 21
Views: 1106

[Free COVID-19 Framework] What's the path to recovery look like?

We created a free presentation (attached), which discusses both global and organizational impacts of the COVID-19 pandemic, along with critical actions organizations should take immediately. This presentation introduces a framework that helps regions and organizations navigate a path to recovery via 9 potential scenarios. These scenarios capture outcomes related to GDP impact, public health response, and economic policies. The presentation also breaks down 6 immediate and critical actions…

Read more…
4 Replies · Reply by Steve Diaz Jul 8, 2023
Views: 236

If risk management is about decision making, are current risk management solutions irrelevant?

Now that the updated COSO and ISO risk management standards emphasize a connection to enterprise objectives and decision making, does this mean ERM and GRC solutions focused on risk registers and regulatory compliance are missing the true value of risk management?Will current risk management solutions evolve to integrate more decision support functionality or will standalone prescriptive analytics and other technology solutions take a more prominent role in enabling risk-informed…

Read more…
3 Replies
Views: 163

A question related to classification of instruments between trading and banking book.

We have an interesting question from one of our members.       "We usually perform OTC FX transactions with clients backed-to-back on the market (with Banks). Now we are going to perform a FX swap (i.e. Spot + forward) JPY/EUR for the Bank account for 1 week at the longest. The purpose is to get EUR place @ CB for LCR compliance purpose (no trading purposes). Bank's Management think that this should be considered as a trading position and therefore be classified within the Bank's trading book.…

Read more…
5 Replies · Reply by Prisha Singh Dec 26, 2023
Views: 372

Plunging oil prices: curse or blessing in disguise?

The recent sudden crash of oil prices has had a major impact on the world economy, leading to many troubled faces in the international arena. The Russians fear the effects of yet another powerful hit on their economy, Venezuela seems to be considering default and the Americans are weary of the consequences for its young and emerging shale oil industry. And then you have the Middle East, where the smallest match is enough to ignite the largest fire. But are these worries really justified or…

Read more…
1 Reply
Views: 106

    About Us

    The GlobalRisk Community is a thriving community of risk managers and associated service providers. Our purpose is to foster business, networking and educational explorations among members. Our goal is to be the worlds premier Risk forum and contribute to better understanding of the complex world of risk.

    Business Partners

    For companies wanting to create a greater visibility for their products and services among their prospects in the Risk market: Send your business partnership request by filling in the form here!

lead