# Para Bellum

“*Si vis pacem, para bellum*”, goes the old adage. If you want peace,
prepare for war. In our case, the war is the worst possible scenario our
information assets could end up in. While probability distributions, loss
exceedance curves, simulated scenarios, etc., are all great for the
quants in the office, at the end of the day big, important decisions
need to be supported by single numbers that can be easily compared to
one another. In risk management, this number is the *Value at Risk* or
`VaR`. Fortunately, once you have one you have the other.

`VaR` measures this scenario by telling us beyond how much our losses
will *not* go, with a certain degree of confidence, over a definite
period of time. Thus a daily 1% `VaR` of $10 million means that the
probability that you will lose more than ten million is 1%, i.e., you are
99% confident that the losses will not exceed that.

So we need to define over what time period our `VaR` will be taken and
how extreme the worst-case scenario is. Typical periods and confidences
used in the industry are a single day or week, and confidence levels of
95% or 99%.

There are at least three workable ways to compute the value at risk:

- Examining the distribution of the returns,
- Using the loss exceedance curve (`LEC`)

The normal distribution is perhaps the most popular one for modeling
real-world situations and natural phenomena, and with good reason.

It could be used to model the value of a portfolio over a one-year
period, with mean return 10%, and standard deviation (volatility) 30%:

Figure 1. Normal distribution of value

Knowing the probability distribution, which tells us probabilities of
point values, we can find probabilities of ranges with the corresponding
*cumulative* distribution function (`CDF`):

Figure 2. Cumulative distribution function of value

Looks like a vertically reflected `LEC`. In a cumulative probability
plot the `VaR` is just the x-value corresponding to the confidence.

We can use a spreadsheet for this, with the `NORM.DIST` function. The
probability that the loss exceeds 20% is

```
=NORM.DIST(-20,10,30,1)
0.158655253931457
```

i.e., around 15.8%. The 10 and 30 above are the distribution parameters,
and the -20 is the value whose probability we need. Notice that it is
negative, meaning a loss. The 1 means to make the computations
cumulative.

We can also use the inverse function so that, given a probability, we
get the point at which this probability is attained. It is the same
process as above, but backwards.

At what point is the 1% probability? More exactly, for which value *V*
is it true that the probability that the final value is less than or
equal to *V* is 1%? That’s just the 1% `VaR`:

```
=NORM.INV(0.01,10,30)
-59.7904362212252
```

This is the 1% *quantile*, or the first *percentile* of the
distribution, the point under which the remaining 1% of points lie,
weighted by the probability. Thus the *Value at Risk* in this example
will be 59.8% of what we invested. Had we invested $100 million, then we
know the `VaR` is $59.8 million, and hence that the losses will not
exceed that amount in 99% of the cases, only in that rare 1%. Notice that
the `VaR`, being a single figure, does not tell us exactly or otherwise
what the losses might be in that catastrophic 1%. But if we are ready to
lose that much, we are halfway prepared for the metaphoric war.

The *tail* (or *conditional*) value at risk, or `TVaR` (`CVaR`) for
short, tries to fill that void by giving us the expected value or mean
in the catastrophe region, i.e., in case of a `VaR` breach. Much like
the actual mean of a distribution is a center of gravity of sorts, where
we could “hold” the `PDF` in balance, besides being the value with more
repetitions if we repeatedly draw numbers from such a distribution:

Figure 3. Expected value of a beta distribution. Via Wikimedia.

The `TVaR` is thus the expected value of the loss, given that the `VaR`
has been surpassed. In terms of the above analogy, it is the center of
gravity of the “catastrophe” region of the distribution plot:

Figure 4. Illustration of `VaR` and `TVaR`. Via Nematrian.
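The spreadsheet figures above, together with the matching `TVaR`, can be reproduced with Python's standard library. This is an added example, not code from the original post: the function names are hypothetical, and the closed-form tail mean assumes the normal model used above (mean 10%, volatility 30%).

```python
from statistics import NormalDist


def normal_var_tvar(mean, stdev, alpha):
    """Return (VaR, TVaR) of a normally distributed return at tail probability alpha."""
    dist = NormalDist(mean, stdev)
    var = dist.inv_cdf(alpha)            # same as =NORM.INV(alpha, mean, stdev)
    z = (var - mean) / stdev             # VaR expressed in standard deviations
    # Mean of a normal variable given that it fell at or below its alpha-quantile:
    # E[X | X <= VaR] = mean - stdev * pdf(z) / alpha
    tvar = mean - stdev * NormalDist().pdf(z) / alpha
    return var, tvar


def tail_mean_numeric(mean, stdev, alpha, steps=20_000):
    """Cross-check of TVaR: average the quantile function over (0, alpha)."""
    dist = NormalDist(mean, stdev)
    # Midpoint rule, so the singular endpoint p = 0 is never evaluated.
    total = sum(dist.inv_cdf(alpha * (i + 0.5) / steps) for i in range(steps))
    return total / steps


if __name__ == "__main__":
    # Same as =NORM.DIST(-20, 10, 30, 1): probability of ending at -20% or worse.
    print("P(return <= -20%):", NormalDist(10, 30).cdf(-20))
    var, tvar = normal_var_tvar(10, 30, 0.01)
    print("1% VaR  (% of investment):", round(var, 2))
    print("1% TVaR (% of investment):", round(tvar, 2))
    print("numeric cross-check      :", round(tail_mean_numeric(10, 30, 0.01), 2))
```

The `TVaR` is always further out in the tail than the `VaR` at the same confidence, since it averages only the outcomes beyond the `VaR`.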

In our case, since we are mainly interested in cybersecurity risk, which
we quantify via simulations, we can always re-run them and aggregate the
results differently in order to obtain the density function and recreate
the example above. But given that the main result of our simulations was
a loss exceedance curve:

Figure 5. Loss exceedance curve

We can just use this to obtain the `VaR`, just like we did with the
distribution `CDF`. This graph is already cumulative, so there is no
need to compute areas under the curve behind the scenes. We simply
obtain the value in millions corresponding to the percentage of the
scenario in which we are interested. In this particular graph, the 5%
yearly `VaR` appears to be $500 million (recall that this graph has a
logarithmic scale in the x-axis). The 1% is not even visible here, but
at least that tells us that it must be beyond $1000 million.
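Reading the `VaR` off a loss exceedance curve, as described above, amounts to taking a quantile of the simulated losses. The following is an added example, not code from the original post: the risk register, the lognormal loss model and all function names are assumptions made for illustration, and its numbers do not correspond to the curve in Figure 5.

```python
import math
import random

# Constructed risk register (assumption): annual probability of occurrence and
# 90% confidence interval of the loss in $ millions, modelled as lognormal.
EVENTS = [
    (0.10, 1.0, 20.0),    # e.g. ransomware outage
    (0.05, 5.0, 100.0),   # e.g. customer data breach
    (0.20, 0.2, 5.0),     # e.g. fraud through a compromised account
]


def simulate_losses(events, trials, seed=1):
    """Monte Carlo: total loss per simulated year, sorted ascending."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        total = 0.0
        for prob, low, high in events:
            if rng.random() < prob:
                mu = (math.log(low) + math.log(high)) / 2
                sigma = (math.log(high) - math.log(low)) / 3.29  # 90% CI = +/-1.645 sigma
                total += rng.lognormvariate(mu, sigma)
        losses.append(total)
    return sorted(losses)


def exceedance(losses, x):
    """One point of the LEC: fraction of simulated years with loss above x."""
    return sum(1 for loss in losses if loss > x) / len(losses)


def var_tvar(losses, alpha):
    """VaR: loss exceeded in only a fraction alpha of years. TVaR: mean beyond it."""
    k = math.ceil(len(losses) * (1 - alpha)) - 1   # index of the (1 - alpha) quantile
    tail = losses[k + 1:]                          # the years that breach the VaR
    return losses[k], (sum(tail) / len(tail) if tail else losses[k])


if __name__ == "__main__":
    losses = simulate_losses(EVENTS, 50_000)
    for alpha in (0.05, 0.01):
        var, tvar = var_tvar(losses, alpha)
        print(f"{alpha:.0%} yearly VaR ${var:.1f}M, TVaR ${tvar:.1f}M, "
              f"LEC at VaR {exceedance(losses, var):.3f}")
```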

Monitoring a short-term `VaR` can be useful to evaluate the performance
of risk management or to understand events from the past:

Figure 6. Artificial VaR monitoring (via MathWorks) and real example from Bankers Trust, via [3].

In the first we see a steady, if slow, decline in `VaR` over the years.
Also notice how the returns are almost always above their corresponding
values-at-risk, save for a few rare breaches, which is to be expected.
In the image to the right there is an interesting moment around February
1994, where there is a sharp decrease in the `VaR`, after which it
pretty much stays stable under the risk appetite line (dashed). This
phenomenon is explained in Jorion’s book [3] as a response to a rise in
interest rates at that moment, which was just as sharp as the decrease
in the `VaR`.

However, a decreasing `VaR` is not all. Shying away from investments to
keep the `VaR` low will, by symmetry, mean lower chance of great
returns:

“A risk manager has two jobs: make people take more risk the 99% of
the time it is safe to do so, and survive the other 1% of the time.
`VaR` is the border.” — Aaron Brown

So, the `VaR` tells us in a single number the worst that might happen
with an investment or any risky situation. However, its greatest
strength is also where it falls short. This particular number, while it
gives an upper bound for the losses, is also unable to tell us anything
else about what happens in that 1% of the cases. The `TVaR` tries to fill
this void, but it is still just a number, meaning that it inherits this
same weakness.

## References

- S. Benninga and Z. Wiener (1998). *Value-at-Risk (`VaR`)*. Mathematica in Education and Research 7(4).
- P. Jorion (2006). *Value at Risk: The New Benchmark for Managing Financial Risk*. McGraw-Hill.
- N. Pearson (2002). *Risk Budgeting: portfolio problem solving with value-at-risk*. Wiley.

*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Rafael Ballestas. Read the original post at: https://fluidattacks.com/blog/para-bellum/