Job cuts: What sectors are most at risk?

NEW YORK (CNNMoney.com) -- As the impact of the economic crisis takes hold, employees from Wall Street to Main Street are feeling nervous about their jobs, and with good reason.

As of September, 760,000 jobs have already been lost this year, according to data from the Bureau of Labor Statistics.

And a quarter of U.S. employers expect to make layoffs in the next 12 months, according to a recent report by consulting firm Watson Wyatt.

But which industries will suffer the most? Experts say certain sectors are more vulnerable to layoffs than others.

Housing: Jobs in the housing sector were the first to go when the mortgage meltdown took hold. But with the industry outlook at an all-time low, even more layoffs could follow.

Beyond mortgage lenders and homebuilders, jobs in commercial real-estate and at real-estate agencies will be the next to go, according to Dean Baker, director of the Center for Economic and Policy Research in Washington, D.C.

With the worst September for new home sales since 1981, "some of the big [real-estate] chains will do some consolidation," Baker said, "clearly you need fewer offices," Baker said.

Finance: Few in the financial sector are feeling secure about their positions. The latest employment figures from the Department of Labor show financial firms have eliminated an estimated 110,000 jobs over the past year through September, and experts say there will be even more losses in the months ahead.

As financial firms reorganize and consolidate, there are going to be a lot more layoffs, Baker said.

"Financial services firms have cut tremendously and I don't think that's over," echoed Lee Pinkowitz, associate professor at Georgetown University McDonough School of Business.

Retail: Before the credit crunch, retailers were already struggling with soft sales as high gas prices and falling home equity forced consumers to curtail non-essential purchases. Now retail sales are dismal heading into the holiday season. "This could be the weakest holiday hiring season since 2001," said John Challenger, chief executive of global outplacement firm Challenger, Gray & Christmas, and that's not good for those employed in the retail industry.

"I doubt we'll see the pick up in seasonal hiring that we'd normally see," Pinkowitz said.

But while department stores and high-end boutiques may be particularly hard hit, discount retailers, like Wal-Mart (WMT, Fortune 500) could fare well in the current climate, Challenger said. Wal-Mart is also the nation's largest private-sector employer, and could be a safe haven for those who work there.

Publishing: As consumers cut back, advertisers follow, and that means tough times for print publications, including newspapers and magazines, experts say.

According to Bureau of Labor Statistics data, employment in the publishing industry has been contracting since the beginning of last year.

But the "grand decline" of jobs in the media industry, which also includes broadcast and digital media, began with the dot-com bust in 2001, noted Heidi Shierholz an economist at the Economic Policy Institute, a research group based in Washington. Now a loss of jobs in traditional publishing is being exacerbated, in part, by the move away from print toward digital media.

"Every time you have a recession it pushes companies that have been holding on by their fingernails out of business," Challenger said. "It clears away an old generation of companies and I think we'll see that with print."

Autos: While sales at the Big Three automakers have fallen 20% this year and are likely to tumble further, trouble in the auto sector is not confined to manufacturing. All told, about 2 million Americans work in the industry.

While declining sales will likely lead to more job losses, those in "the tentacles of the auto industry" could be particularly hard hit in the coming months, Pinkowitz said, which includes those jobs at dealerships and suppliers.

Travel: Airlines have already announced layoffs across the board, but as consumers and businesses continue to scale back discretionary spending on travel, the implications go far beyond flying.

"All the industries under the umbrella of travel are going to be at risk" Challenger said, including rental cars, hotels and even restaurants.

If people are cutting back, travel and leisure activities are the easiest things to do without, explained Baker. Big restaurant chains will close locations, he said, which means eliminating many wait staff and service jobs, while some smaller restaurants will be forced out of business entirely.

But despite the mostly doom-and-gloom predictions, some say there are some bright spots ahead for American workers.

"Even if you're in an industry where there has been some job downturns, there still can be some opportunities," said Kimberly Bishop, vice chairman of Chicago-based executive search firm Slayton Search Partners.

Bishop suggests focusing on those skills and experiences that can translate beyond the industry in which you work. There are certain roles that every organization needs, she said, and you may be able to fulfill that role in another industry that has more promise. 

In Pictures: What Is The Greatest Risk You Ever Took?

 

What is anything worth? Easy: The amount of fear, pain and suffering you are willing to risk to get it.

But of course we know the math is infinitely more complicated--especially for those suffused with fear, greed and hubris that inevitably fog the equation.

The crisis on Wall Street, now coursing like a virus throughout the broader economy, is testament to our collective innumeracy when it comes to estimating risk. Complicating matters: a vast web of impenetrable financial contracts putatively designed to "absorb" risk (and reap billions in transaction fees) by sprinkling it throughout the entire financial system. Thanks to such securitization, thousands of people moved into homes they couldn't afford. No cash? No worries--there's plastic. And the band played on.

In Pictures: What Is The Greatest Risk You Ever Took?

So the question remains: What's worth the risk? In search of illumination, we asked a slew of strivers--entrepreneurs, politicians, athletes and show-business types--what they consider to have been the riskiest moves of their lives.

Their responses were as diverse as their careers, but all support the same conclusion: The best results come to those willing to take a chance--an important reminder for entrepreneurs, financiers and political leaders as the global economy braces for even rougher weather.

Several subjects spoke of moments when their careers hung in the balance--the sputtering start-up, a challenging job offer or the decision to walk away from what they knew to pursue far grander dreams.

Some sneered at death, or at least dismemberment. Take Kit DesLauriers, the first person to ski from all seven summits. Of her descent from the top of Mount Everest, she says: "There were no safety nets, no fixed lines established, freezing winds. We had to spend an unplanned night at 26,000 feet, with very little food and water. The next day, we skied the Lhotse Face, 5,000 feet of blue ice on a 50-degree slope ... At one point, we ran out of oxygen. I kept telling myself: 'Don't sit down and die. Just keep going.' It's really easy to let your mind get a hold of you, but the journey taught me we are much more than our minds."

In 1992, Puneet Nanda, chief executive of Dr. Fresh, maker of oral care products, then based in New Delhi, decided to brave the burgeoning Russian market. "Everybody there had to pay a Mafia fee," he recalls. "These ex-KGB guys controlled everything."

One day, he continues, a new Mafia boss came by and chopped off his office manager's hand; later, thugs roughed up Nanda in his own home. Nanda fled Russia, but not the fight. Dr. Fresh products now sell in 42 different countries--including, just as of August, Russia.

Richard Jackson, chief executive of Jackson Healthcare--which provides clinician staffing, anesthesia management and heath-care IT services for U.S. hospitals--has a story for risk-taking entrepreneurs hunting for suddenly cheap assets. Two years ago, Jackson decided to acquire World Health Alternatives, a publicly traded medical-staffing firm which was then twice the size of Jackson's company.

Jackson recalls: "It was a hairy deal: [World Health] was pulling in $300 million in annual revenue but losing $1 million per month and rapidly approaching bankruptcy; its financial documents were inaccurate, the CEO had quit after some suspicious ethical behavior and the FBI was getting involved. But I believed we had the industry expertise to turn the business around. We paid $43 million for the company in 2006; last year, it took in $18 million on $220 million in sales. It was a huge risk--and an even bigger success."

Michael Chasen, co-founder of Blackboard (nasdaq: BBBB - news - people ), an education technology company, went so far as to jeopardize his new marriage. Despite making nice coin at KPMG, Chasen and college buddy Matthew Pittinsky decided to start their own company making software to facilitate instruction at schools that were outfitting fully Internet-wired classrooms and dormitories.

"The biggest risk was telling my fiancé one month before our wedding that I was going to quit my high-paying job to gamble on a 'big idea' with my old college roommate," says Chasen. "Not exactly what she had signed up for." (Happy ending: They still tied the knot. "Risk averted," he adds.)

Still others we spoke with considered smaller, even mundane challenges to carry enormous risk. Case in point: Brian Binnie, whom Forbes.com interviewed for the first iteration of this article in 2007. Binnie piloted the craft that rocketed 69 miles above the earth in pursuit of the $10 million Ansari X Prize, funded by the likes of First USA Bank, a unit of JPMorgan Chase (nyse: JPM - news - people ), and author Tom Clancy.

Ironically, the sky-scraping aviator's greatest risk was among the most down-to-earth: speaking in front of a public audience. "The choice between a poke in the eye or the opportunity for public speaking sends me into serious deliberation," admitted Binnie. (Still, an invitation to appear on The Late Show with David Letterman proved too tasty to pass up.)

Who better to assess risk then a guy who gets paid big bucks to do just that? When asked last year about his greatest risk, gold-plated venture capitalist Tim Draper, co-founder of Draper Fisher Jurvetson, recalled not one of his sizable bets on a promising (but by no means proven) young company; rather, he mentioned the time he mustered the courage to board an unknown, unsaddled horse.

"I don't remember all the risks I have taken, since if they worked out, they were no big deal," said Draper.

That's one way of looking at it.

 

Let's start with NIST publication SP 800-30: Risk Management Guide for Information Technology Systems. In the text we read:

"Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system."

The document outlines common threats:

• Natural Threats: Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.
  
• Human Threats Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network based attacks, malicious software upload, unauthorized access to confidential information).
  
• Environmental Threats: Long-term power failure, pollution, chemicals, liquid leakage.
  

I see no mention of software weaknesses or coding problems there. So how does NIST define a vulnerability?

"Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy."

The NIST pub's threat-vulnerability pairings table makes the difference between the two terms very clear:



SP 800-30 talks about how to perform a risk assessment. Part of the process is threat identification and vulnerability identification. Sources of threat data include "history of system attack, data from intelligence agencies, NIPC, OIG, FedCIRC, and mass media," while sources of vulnerability data are "reports from prior risk assessments, any audit comments, security requirements, and security test results."

The end of SP 800-30 provides a glossary:

• Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
  
• Threat-source: Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.
  
• Threat Analysis: The examination of threat-sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment.
  
• Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.
  

For those of you Microsoft-only shops, consider their take on the problem in the The Security Risk Management Guide. Chapter 1 offers these definitions:

• Risk: The combination of the probability of an event and its consequence. (ISO Guide 73)
  
• Risk management: The process of determining an acceptable level of risk, assessing the current level of risk, taking steps to reduce risk to the acceptable level, and maintaining that level of risk.
  
• Threat: A potential cause of an unwanted impact to a system or organization. (ISO 13335-1)
  
• Vulnerability: Any weakness, administrative process, or act or physical exposure that makes an information asset susceptible to exploit by a threat.
  

Microsoft then offers separate appendices with common threats and vulnerabilities. Their threats include catastrophic incidents, mechanical failures, malicious persons, and non-malicious persons, all with examples. Microsoft's vulnerabilities include physical, natural, hardware, software, media, communications, and human. Microsoft clearly delineates between threats and vulnerabilities by breaking out these two concepts.

I'd like to add that the comment on my earlier posting said I should look up "threat" at dictionary.com. I'd rather not think that "security professionals" use a dictionary as the source of their "professional" understanding of their terms. Still, I'll debate on those grounds. The poster wrote that dictionary.com delivers "something that is a source of danger" as its definition. Here is what that site actually says:

1. An expression of an intention to inflict pain, injury, evil, or punishment.
   
2. An indication of impending danger or harm.
   
3. One that is regarded as a possible danger; a menace.
   

Remember what we are debating here. I am concerned that so-called "security professionals" are mixing and matching the terms "threat" and "vulnerability" and "risk" to suit their fancy.

Here's vulnerability, or actually "vulnerable":

1. Susceptible to physical or emotional injury.
   
2. Susceptible to attack: “We are vulnerable both by water and land, without either fleet or army” (Alexander Hamilton).
   
3. Open to censure or criticism; assailable.
   
4. Liable to succumb, as to persuasion or temptation.
   

You'll see both words are nouns. But -- a threat is a party, an actor, and a vulnerability is a condition, a weakness. Threats exploit vulnerabilities.

Finally, risk:

1. The possibility of suffering harm or loss; danger.
   

Risk is also a noun, but it is a measure of possibility. These are three distinct terms. It is not my problem that I define them properly, in accordance with others who think clearly! I am not inventing any new terms. I'm using them correctly.

I'd like to thank Gunnar Peterson for reminding me of the NIST and Microsoft docs.