Information Security. Trading. Business
This is another example of using small sized strangles as an income strategy. This is an Aug 27/39 Strangle in $FB. The trade was opened on 6/27 for a .95 and .70 credit on the two strikes. Implied Volitility for August was at 62%. These two strikes were selected at the 20 Delta level. The area on the risk graph is very wide giving a good chance for being successful. One week after putting the trade on there’s approximately a 30.30% gain due to Theta and a 5% reduction in volatility.
Amazon ($AMZN) made headlines over the weekend with the regional failure of AWS. We won’t go deep into the details of what happened or who was affected since that has been covered by many other outlets. In general, a incident caused loss of service in a particular region. The service providers were not able to deliver to their customers during the outage. While it is sexy to call it a cloud failure, the same end result could have occurred with any single site implementation. Hosting in your own data center, using the co-lo facility downtown, or an unfortunate GoDaddy location could cause your net presence to disappear.
Business leaders should evaluate what needs to be improved or changed in terms of resiliency. Decisions will need to be made based upon the size of your business and what your concerns are. A nano cap company (sub $50M market cap) will most likely have different requirements than a Large Cap global enterprise. Rather than invent the wheel, you can make use of frameworks to organize your activities. There are many out there, but today we will focus on ISO 27001 and ISO 22301.
Business Continuity is a component of ISO 27001, while ISO 22301 attempts to address Business Continuity as a whole. Section 4.2.1(d) of ISO 27001 requires that you identify the assets of the in scope portion of the business and the business owners of these assets, the threats to the assets, vulnerabilities that might be exploited by the threats, and the impacts to confidentiality integrity and availability.
Conducting a risk assessment in its most rudimentary form is a good exercise for any business of any size. The information that you put together as part of the risk assessment can be useful in other areas as well, such as obtaining the right insurance coverage at the right price. Fire or flood could impact your data center or it could impact manufacturing and logistics. Knowing this up front, you can take action to mitigate those risks or accept those risks.
Not everything needs to be corrected or addressed in some way, but having a running checklist of issues can be a good road map. A pizza restaurant with an online shopping cart may not care if the cloud provider of their online order application goes down. There’s always telephone, fax, and walk-in that will keep the business running. Cash flow, CapEx, OpEx, and other business drivers will influence the need for availability. Not every business will need multiple data centers if they are self-hosting or multiple availability zones in the cloud.
This is a farther dated option strategy than most but the option volatility is good here. First let’s look at an Iron Condor near 30 Deltas. Our max profit is 41 which is good for a 30 Delta.
The Strangle provides 1.61 Credit per spread, compared to the .41 per spread for the Iron Condor. This position is Theta positive, but the decay will not affect the position that much for a few weeks. The Strangle provides us with a wide area to profit in. The margin requirement will be higher since these are uncovered options. The advantage is that it takes fewer Strangle give a good credit when compared to the Iron Condor. The P&L curve is also more forgiving as the edges are approached.
This position will benefit over time, but a reduction in volatility will produce results even faster. If Volatility drops by 5% we can see from the simulation that almost 50% of the max gain can be realized if the price remains close to where it is today. Since the position is slightly Delta positive there can also be a little upside before the gains begin to drop off. If the position moves too much then it is possible to roll both strikes to cover the new range. The Strangle can be an effective alternative to the Iron Condor if your trading size is reduced and if you have the margin available.
IWM has fallen below the neck line of a head & shoulders pattern. We took action on May 4 to hedge risk by moving into a 76 Put Calendar after seeing the beginning of a H&S pattern. The 20MA was under the 50MA which lead us to believe there would be continued weakness.
This position benefitted from the increase in volatility (RVX) over the past few days. We traded through the max profit point one day before expiration which meant the position worked perfectly. The measured move from the head to the neckline places IWM around the 71 level. There is also some prior support close to there. There could be a small bounce at the 200MA, but if news out of Europe continues to be uncertain this could end up being a textbook H&S pattern.
If there is a continued downside move, buying more PUT calendars here could be a good choice. Buying a June PUT and selling a May Weekly PUT against it could offer several opportunities to roll the calendar or switch it to a diagonal. A double calendar gives a large area to salvage the trade in a one week period, but it reduces the reward.
A different strategy would be to sell a 30 Delta PUT Vertical around 72 in anticipation of a bounce. They are currently going for .24, but putting in a limit order to ask for more premium might be in order, especially if there is more downside. .36 would be at roughly 73
Hewlett Packard may be putting in a bottom here. There are several bounces above the 25 level in late November and through December. The Market Forecast indicator is also showing a crossover. This may be a good area to deploy a APR 25/24 Bull Put spread. After hours quote is currently at .36. Anywhere from .30-.45 should be a good entry point.
A few days ago the Persons Proprietary Signal displayed a buy on JCOM after bouncing off the lower Linear Reg Channel. MACD and Stochastics were also showing a bullish crossover. We entered at 28.23 and trailed up our stops daily. We were stopped out at 28.89 at market open and did not reopen the position due to earnings. It may have been better to close the position near the top of the Linear Reg Channel in hindsight with all of the activity from Greece affecting the market.
The Shadow Trader ProSwing report announced an entry into a short XHB position. This turned out to be hard to borrow, but there are always options.
Shadow trader suggested the following prices
Price: $18.80
Stop: $19.75
Target: $17.50 (first target)
We’re going to use the ITM March 19 Put and the OTM March 17 Put to minimize Theta. This puts our entry price at $69 per contract. Max gain is $393 per contact on March expiration. Stopping out 19.75 means we lose about $80 per contract. Assuming the direction holds this has a decent risk/reward. One strategy here is to exit when the target is reached, which would be worth at least $115 per contract depending on the Theta loss in the short put.
This week we continue our previous piece on HR Keywords for Growing Your Infosec Skills and Career. In our previous installment we examined some training and knowledge cultivating terms for increasing the value of their team or themselves. This week we will focus on another aspect of creating opportunity in your career, the Scanlon Plan.
Scanlon Plans are gain sharing programs where employees are rewarded for cost savings. This can be something as informal as placing ideas into a suggestion box, to company wide assigned areas for cost reduction or efficiency improvement on a recurring basis. If your company does not have a Scanlon Plan, then this is a great opportunity to bring it to the attention the executives in your organization. Who doesn’t want to hear about improved efficiencies, reduction in waste, and better margins? With a properly designed Scanlon Plan employees can receive financial rewards for making the organization more efficient. Who doesn’t want extra money?
How does this relate to Information Security or anything else? Do we really want to cut costs in our own area? Companies that implement Scanlon Plans as a suggestion box are looking for any way to save costs. This does not necessarily apply to your department, but the company as a whole. This can be an opportunity for Infosec personnel to help other departments find ways of cuttings costs. Working with other departments may be an “extra-curricular” activity to some supervisors; however, the importance of supporting the business should factor into middle management’s support for these programs.
Proactively working with other managers provides the opportunity to understand the business more, which will help Infosec personnel understand what is important to the business, and what needs to be protected. For example, working with manufacturing to reduce waste by implementing a recycling program can reduce costs which frees up capital for other purposes, such as information protection. Some of the scrap from the manufacturing process could be sold to a recycler, reducing the overall operating costs of the manufacturing operation. These savings are not only of interest to the manufacturing department, but it could be helping the goals of the Corporate Social Responsibility (CSR) department or program if one exists. This provides recognition from management, but can also help with improving security.
Another example involves finding something unrelated to Infosec that allows the VP of Operations to save money. That’s great! What if Infosec professionals approach him/her and offer to help them implement the changes that will save them money? In exchange for becoming the project manager and seeing the changes through to completion, the VP agrees to spend part of the savings on additional security measures. The VP of Operations gets a bonus for reducing their budget, the Infosec professional receives their bonus for a cost reducing idea, and security was improved during the process. A little barter was used in this scenario, but several end goals were accomplished.
This approach is a transition from employee to stakeholder. It offers opportunity for Infosec professionals to grow into GRC roles over time by helping the organization with its efficiency. Inefficient business processes are one Risk in GRC. By promoting process improvement and efficiency Infosec professionals go from the department that always says, “No!” to true stakeholders in the business. This gets us a seat at the executive table because we are involved in the business and we can demonstrate value by using our creativity to solve business problems. That alone can be a career changer or career booster.
Further Reading:
Human Resource Management 12th ed. Mondy
There are different approaches to building skills for career advancement. Rather than focus on specific skills for Infosec, we will focus on creative approaches to Human Resources for developing skills. These ideas may also be useful to management in developing a team. The concepts can also be applied to other careers in addition to Infosec. We will be covering some terminology that may be useful when discussing career development with Human Resources professionals and potential ideas for implementing them. Depending on the organization Human Resources may or may not want to be directly involved in these ideas. The term workers refers to anyone performing work whether they are a contractor, part-time, full-time, or temporary.
Job Enlargement is the an easy step to growing an worker’s skills. Job enlargement consists of adding more tasks at the same level of responsibility. In the physical world teaching an employee how to operate multiple machines on a manufacturing floor is an example of job enlargement. In the IT field this could be adding/removing users from both Windows and Linux systems or supporting Mac and Windows desktops. Workers managing perimeter firewalls could be given responsibility to manage end point protection in addition to the single task they had previously.
Job Enrichment is different from job enlargement. Job enrichment involves increasing the responsibility that workers have, where job enlargement is adding tasks at the same level. This can be adding more difficult and complex tasks to an worker’s duties. This can also include delegating higher level duties by management. In these arrangements accountability would remain at the same level (management), but the worker would gain hands on experience by completing the task with management supervision. Additional technical skills can be acquired through job enrichment. On the job training for supervisor responsibility can also be accomplished through job enlargement.
Job Sharing is normally for part time positions where one worker may work 20 hours and another worker will do the some job for 20 hours making up 40 hours of productivity. Modifying job sharing for full time workers can also create growth opportunities. A worker can be given two distinct jobs and split a 40 hour week between the two jobs. This can occur under the same supervisor or employees can be shared among departments. One example is the financial auditor who has previous experience in IT audit. Rather than hiring a full time auditor for IT, the company may have the financial auditor do 10 hours of work in the IT department per week or as needed. Job sharing also allows workers to gain skills in a different line of work part time while continuing to perform their existing work tasks.
Job Rotation involves moving workers from position to position to broaden their skills. This is normally a full time reassignment rather than splitting time as with job sharing. Some security standards recommend job rotation to detect fraud, which can also be a benefit. This can be an area where Human Resources and Security can work together in justifying a formal job rotation program. This would guarantee opportunities to learn new skills from being moved from position to position. Job rotation and job sharing also can be part of a continuity of operations program where workers are cross trained to reduce impact to the business in the event of a disaster or someone simply departing the company.
Job Sculpting involves tailoring job descriptions to the skills, and talents, and interests of each employee. If a supervisor engages in job sculpting, employees will have customized job descriptions on an individual basis rather than a one size fits all approach. There are several steps that go into job sculpting that we won’t cover, but it does allow workers to put their other talents to use which can benefit the organization and the worker.
These concepts can be used by workers to gain additional skills and increase their marketability in the job market. Approaching supervisors or Human Resources with the desire to broaden skills is one way to shift your career into high gear. By being proactive and participating in job enlargement or any of the other career growth strategies Infosec professionals can expand their skills or discover new lines of work, such as project management, that relate to Infosec. Supervisors can also put these concepts to use in order to have workers back each other up through cross training and to help workers in developing themselves to serve the organization and the profession. In the coming weeks we will go over different ways of using these concepts to grow your skills and responsibilities.
