Risk approaches in finance versus Information Security
Dr Mike Brass
Head of Enterprise Security Architecture at National Highways and Honorary Research Fellow in Archaeology.
Risk management in industries such as finance (broadly defined) and engineering is much more mature than in Information Security. It is worthwhile to take stock of how the two fields currently compare.
Risk management is an important process in any organization, but the specific risks and risk management strategies differ significantly between the finance and information security sectors. Finance is primarily concerned with risks related to investments, loans, cash flows, and other monetary assets and liabilities. Information security is focused on managing risks to data confidentiality, integrity, and availability. While there are some overlaps, the risk identification, assessment, and treatment processes have fundamentally different frameworks, stakeholders, priorities, and methods in these two fields. The key areas I will cover include:
- The objectives and priorities of risk management in each sector
- Risk identification processes and the types of risks considered
- Risk analysis and assessment models used
- Risk treatment strategies and methods deployed
- Involvement of leadership, oversight, auditing and reporting
- Use of metrics to quantify and track risks
- Role of regulatory requirements in shaping risk practices
- Impacts of recent trends such as digitalization, remote work, and cloud migrations
By thoroughly comparing and contrasting risk management in these two critical business domains, we can better understand the current practices and opportunities for improving organizational resilience. The knowledge gained can be applied to develop integrated, holistic enterprise risk management frameworks that incorporate financial and information security threats.
Objectives and Priorities
The core objectives of risk management in finance are to maximize profits or investment returns within the organization's defined risk tolerance and to ensure continuity of operations. In information security the objective is to keep the confidentiality, integrity and availability of information assets at a level that supports those same business objectives, so that security controls are justified by the business risk they reduce rather than treated as ends in themselves.
Risk Identification
Risk identification is the process of recognizing potential threats, hazards and vulnerabilities that could adversely impact an organization’s business objectives. Finance and information security professionals go about this process in very different ways due to the nature of risks in their fields.
On the finance side, risk identification often begins with business impact analysis and resource valuation to determine the organization’s risk capacity based on its financial position. Common financial risks include market, credit, liquidity, operational, and systemic risks. Well-defined probabilistic and statistical models are available to quantify these risk exposures based on historical data, economic indicators, credit scores and other financial metrics.
For example, value-at-risk (VaR) modeling is commonly used by financial institutions to estimate the loss that will not be exceeded, at a stated confidence level and over a stated horizon, under normal market movements and volatility; it is not a maximum loss, and the tail beyond it is captured separately by measures such as Expected Shortfall. Risk managers also evaluate insurer stability, cost and extent of coverage to transfer risky exposures.
In contrast, information security threats are often difficult to quantify and dynamic in nature. While some cyber risks have associated cost figures, the probability and business impact can be subjective or unpredictable.
Information security professionals utilize threat intelligence reports, vulnerability scans, risk questionnaires, and audits to identify potential weaknesses in their data, systems, processes and personnel. Analysts map data flows and classify information assets by criticality. Long lists of possible natural, technical and human threat vectors are assessed based on their technical feasibility and likely incentive for malicious actors.
Given the stealthy and asymmetric nature of cyberattacks, past incidents are weak indicators of future attack likelihoods. Information asymmetry and zero-day threats lead to unforeseen surprises. So while finance focuses on modeling known risks based on past statistical loss data, infosec prepares to expect the unexpected.
Risk Analysis Models
Once pertinent risks have been identified, the next step is to analyze the cumulative exposures to ascertain the likelihood and potential impacts of those risks manifesting. Financial risk analysis models are often quantitative, seeking to assign numerical probability and severity estimates. Information security risk analysis may rely more on subjective qualitative assessments, especially when hard statistical data is lacking.
Common financial risk analysis methods include sensitivity analysis, probabilistic models like Value-at-Risk or Expected Shortfall, scenario analysis, stress testing, forecast modeling, and backtesting on historical data.
Financial variables that can be modeled probabilistically include assets/liabilities, cash flows, interest rates, counterparties’ credit scores, bond prices, FX rates, commodities prices, and various market indices. Quantitative analysts assess correlation across risk factors and potential portfolio losses.
For risks with high uncertainty, finance may supplement quantitative models with expert judgement on probability or severity. But in most cases, finance relies on mathematical risk models over qualitative opinions.
In comparison, information security threats are often newfound, rapidly evolving, and initiated by malicious threat actors seeking to evade protections. This makes statistical modeling of cyber risks more difficult. While past cyber incidents can provide some indications of areas of concern, their fast-changing nature limits predictability.
Information security risk analysis leans more heavily on semi-quantitative and qualitative approaches. Common techniques include expert judgment, threat/vulnerability scoring criteria, scenario analysis, impact/uncertainty matrices, risk matrices showing severity and likelihood ratings, and descriptive vulnerability and risk assessment reports.
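The contrast between the two sections above is easier to see side by side in code. The following Python script is an added example, not part of the article: part 1 computes historical-simulation and parametric (normal) Value-at-Risk and Expected Shortfall over a P&L series, the quantitative finance tools named above; part 2 scores information security scenarios on a 5x5 likelihood/impact matrix of the qualitative kind the article describes. All figures, scenario names, and the rating scales are constructed for illustration; the tie-break in `rank_scenarios` (worst impact first when scores are equal) is a convention chosen here, because a product matrix otherwise cannot distinguish "rare/severe" from "almost certain/negligible".

```python
"""Added example: quantitative (VaR/ES) versus qualitative (risk matrix)
risk analysis. Not the article's code; all inputs are constructed."""
import math
from statistics import NormalDist, mean, stdev


def historical_var_es(pnl, confidence=0.99):
    """Historical-simulation VaR and Expected Shortfall.

    pnl: observed profit-and-loss values (gains positive, losses negative).
    Returns (var, es) as positive loss amounts: VaR is the loss not exceeded
    with probability `confidence`; ES is the mean loss at or beyond VaR.
    """
    losses = sorted(-x for x in pnl)            # losses as positives, ascending
    n = len(losses)
    idx = min(max(math.ceil(confidence * n) - 1, 0), n - 1)
    var = losses[idx]
    tail = losses[idx:]                         # VaR point and everything worse
    return var, sum(tail) / len(tail)


def parametric_var(pnl, confidence=0.99):
    """VaR assuming normally distributed P&L ("normal market movements").

    Uses the sample mean and standard deviation; understates tail risk when
    the true distribution is fat-tailed, which is why ES is reported alongside.
    """
    dist = NormalDist(mean(pnl), stdev(pnl))
    return -dist.inv_cdf(1.0 - confidence)


# Constructed 5x5 qualitative scales (an assumption of this example).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def rate_risk(likelihood, impact):
    """Return (score, band) for one scenario on the matrix."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 15:
        band = "critical"
    elif score >= 8:
        band = "high"
    elif score >= 4:
        band = "medium"
    else:
        band = "low"
    return score, band


def rank_scenarios(scenarios):
    """scenarios: list of (name, likelihood, impact) tuples.

    Sorted highest score first; equal scores are ordered by impact so that a
    rare but severe scenario outranks a frequent but negligible one.
    """
    rated = []
    for name, likelihood, impact in scenarios:
        score, band = rate_risk(likelihood, impact)
        rated.append((name, score, band, IMPACT[impact]))
    rated.sort(key=lambda r: (r[1], r[3]), reverse=True)
    return [(name, score, band) for name, score, band, _ in rated]


if __name__ == "__main__":
    # Constructed daily P&L (currency units) and constructed cyber scenarios.
    pnl = [-5, -3, -1, 0, 1, 2, 3, 4, 5, -10]
    print("historical VaR/ES @90%:", historical_var_es(pnl, 0.9))
    print("parametric VaR @99%:", round(parametric_var(pnl, 0.99), 2))
    cyber = [
        ("ransomware via phishing", "likely", "major"),
        ("insider data theft", "unlikely", "severe"),
        ("DDoS on public site", "almost certain", "negligible"),
        ("zero-day in internet-facing VPN", "rare", "severe"),
    ]
    for row in rank_scenarios(cyber):
        print(row)
```

The two halves deliberately return different kinds of answers: the finance functions give a currency amount at a stated confidence, which can be backtested against later observations; the matrix gives an ordinal band whose meaning rests on the judgement that assigned the ratings, which is the point the article makes about measurability.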
Risk Treatment Approaches
After analyzing and evaluating identified risk exposures, decisions must be made on how to best handle or treat the risks to achieve management objectives.
There is a famous saying that “you cannot manage what you cannot measure.” Financial risk managers follow this principle in employing quantitative metrics and models to measure exposures and risk-adjusted returns to guide investment decisions that align with stakeholder risk tolerances.
Common finance risk treatment strategies include risk avoidance/elimination, risk transfer to insurers, risk acceptance through sufficient capital buffers, risk mitigation through financial instruments like options & derivatives, and risk diversification across asset classes and geographies. Portfolio optimization provides mathematical guidance on balancing risk-return tradeoffs.
Information security managers have a tougher task, given the inherent uncertainties in cyber threats. While cyber insurance can transfer some risk, coverage is often limited against catastrophic attacks. As eliminating all vulnerabilities is infeasible, infosec priorities focus on reducing attack surfaces through cyber hygiene and control implementation.
But deciding which controls provide the best risk reduction for limited IT security budgets can be challenging when threat models and vulnerabilities lack reliable quantitative severity/likelihood metrics. This is where qualitative risk assessment and expert judgment plays a bigger role.
Information security treatment options fall under the categories of risk avoidance, transference, mitigation, and acceptance. Avoiding risk often centers on not holding sensitive data or not exposing sensitive systems wherever the business can do without them. Data encryption, access controls, network segmentation, multi-factor authentication, regular patching, user awareness training, and physical security controls mitigate a wide range of cyber risks.
Given resource constraints, infosec professionals prioritize their efforts through flexible, control-selection frameworks such as NIST's Risk Management Framework (SP 800-37). Cyber risks are impossible to eliminate completely, so acceptance of residual risk is inherent and should be recorded explicitly rather than left implicit.
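The budget question raised above (which controls buy the most risk reduction for a fixed spend) is where infosec borrows most directly from finance. The following Python script is an added example, not the article's or NIST's method: it uses the standard annualized loss expectancy framing (ALE = single loss expectancy x annualized rate of occurrence) and return on security investment (ROSI = (ALE reduction - control cost) / control cost) to pick controls greedily under a budget. Every scenario, control, cost and reduction figure is constructed for illustration, and the way overlapping controls combine (multiplicatively on the remaining rate) is an assumption of this example; the important behaviour it shows is that a control's value depends on what has already been bought, so the ranking must be recomputed after each selection rather than fixed up front.

```python
"""Added example: greedy control selection under a budget using ALE and ROSI.
Not from the article; all figures are constructed."""
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    sle: float   # single loss expectancy, currency per event
    aro: float   # annualized rate of occurrence, events per year

    def ale(self):
        return self.sle * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float
    reductions: dict  # scenario name -> fraction of ARO removed (0..1)


def residual_ale(scenarios, controls):
    """Total expected annual loss once `controls` are in place.

    Assumption: overlapping controls combine multiplicatively on the rate, so
    a second control acts only on what the first left behind (diminishing returns).
    """
    total = 0.0
    for s in scenarios:
        remaining = 1.0
        for c in controls:
            remaining *= 1.0 - c.reductions.get(s.name, 0.0)
        total += s.ale() * remaining
    return total


def rosi(scenarios, chosen, candidate):
    """Marginal return on security investment of adding `candidate` to `chosen`."""
    benefit = residual_ale(scenarios, chosen) - residual_ale(scenarios, chosen + [candidate])
    return (benefit - candidate.annual_cost) / candidate.annual_cost


def select_controls(scenarios, controls, budget):
    """Greedy selection: repeatedly buy the affordable control with the best
    marginal ROSI, stopping when nothing affordable pays for itself."""
    chosen, remaining, spent = [], list(controls), 0.0
    while True:
        affordable = [c for c in remaining if spent + c.annual_cost <= budget]
        if not affordable:
            break
        best = max(affordable, key=lambda c: rosi(scenarios, chosen, c))
        if rosi(scenarios, chosen, best) <= 0:
            break
        chosen.append(best)
        remaining.remove(best)
        spent += best.annual_cost
    return chosen, spent, residual_ale(scenarios, chosen)


# Constructed register: three scenarios, four candidate controls, one budget.
SCENARIOS = [
    Scenario("ransomware", sle=800_000, aro=0.2),          # ALE 160,000
    Scenario("credential phishing", sle=50_000, aro=2.0),  # ALE 100,000
    Scenario("cloud storage misconfiguration", sle=300_000, aro=0.3),  # ALE 90,000
]
CONTROLS = [
    Control("MFA", 40_000, {"credential phishing": 0.8, "ransomware": 0.3}),
    Control("offline backups", 60_000, {"ransomware": 0.6}),
    Control("CSPM", 30_000, {"cloud storage misconfiguration": 0.7}),
    Control("awareness training", 20_000, {"credential phishing": 0.3, "ransomware": 0.1}),
]
BUDGET = 100_000


def run_demo():
    """Returns (chosen control names, amount spent, residual ALE) for the register."""
    chosen, spent, residual = select_controls(SCENARIOS, CONTROLS, BUDGET)
    return [c.name for c in chosen], spent, residual


if __name__ == "__main__":
    names, spent, residual = run_demo()
    print("starting ALE:", residual_ale(SCENARIOS, []))
    print("selected:", names, "spent:", spent, "residual ALE:", round(residual))
```

With the constructed figures the script buys MFA first (its benefit spans two scenarios), then CSPM; offline backups no longer fit the remaining budget, and awareness training is rejected because, once MFA has already cut phishing losses, its marginal benefit is below its cost. The gap between the starting ALE and the residual ALE is the risk the organization is accepting, which is exactly the figure that belongs in the risk register rather than being left implicit.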
Monitoring, Reporting & Compliance
Both financial and information security risk managers utilize key risk indicators (KRIs), metrics, dashboards and early warning systems to monitor accepted risks and risk treatment effectiveness. Trends are tracked to enable risk responses ahead of external audits or incidents.
They also regularly report risk exposures and control gaps to business leaders and oversight committees. Financial risk reporting provides executives and the board greater visibility into volatility, tail risks, credit quality changes, liquidity needs, capital adequacy, debt servicing ability, and portfolio concentrations.
Likewise, information security reports highlight cyber risks tied most directly to business objectives, data and systems criticality, compliance gaps, control failures like recurring vulnerabilities, effectiveness of security spending, security culture maturity, and new attack developments relevant to the organization.
Financial services firms and public companies have mandatory risk management reporting requirements like Basel capital adequacy reporting or Sarbanes-Oxley (SOX) internal control disclosures. The European Union's General Data Protection Regulation (GDPR) likewise requires data protection impact assessments for high-risk processing of personal data and notification of personal data breaches to the supervisory authority, generally within 72 hours of becoming aware of them.
Regulations enforce minimum risk governance standards for financial stability or information security accountability. Non-compliance can lead to fines, criminal charges, and loss of customer trust that threatens business viability. This regulatory oversight incentivizes greater investment in risk management by enterprises.
Impacts of Emerging Trends
Advances in financial engineering have increased market volatility and systemic risks. Complex derivative products and automated algorithmic trading lead to flash crashes. Integrating environmental, social and governance (ESG) metrics into investment decisions manages some systemic risks but can create new data vulnerabilities.
Other finance trends like cryptocurrencies, decentralized finance (DeFi), and embedded finance show promise but also expose consumers to higher fraud risks, market manipulations, and data privacy issues. Financial institutions adopting AI/ML technologies improve predictive capabilities but face model risks.
Similarly, information security risk landscapes are continually altered by emerging technologies. Cloud migrations reduce on-site data centers but increase third-party privacy and security risks with vendors. Lacking visibility into provider controls and compliance makes risk analysis difficult. Multi-tenant cloud vulnerabilities or misconfigurations can lead to widespread service disruptions.
Workforce mobility and remote work, adopted for business continuity during the pandemic, undermined legacy perimeter-based network security models. Growing numbers of IoT and operational technology (OT) devices are enlarging attack surfaces and posing safety risks.
The convergence of IT and OT systems with production environments risks cyber-physical attacks that endanger human lives and critical infrastructures. Expanded data collection fuels digital transformation but amplifies privacy regulation penalties and data leakage risks.
Proliferation of third-party vendors, offshore development, global supply chains and dynamic partnerships enable business efficiencies but also outsource risk management responsibilities. Lacking holistic views across these external connections obscures risk analysis.
Other emerging infosec threats come from malicious use of exponential technologies like artificial intelligence/machine learning, quantum computing, augmented reality, robotics, drones, 3D printing, nanotech, and biotech. Adoption of new technologies creates new and harder to predict risk tradeoffs.
So while innovations bring many benefits, managing their second and third order cascading risks becomes highly complex for both financial and information security managers. It requires deeper systems thinking, expertise diversity, flexibility, and foresight when making risk decisions under growing uncertainty. Models calibrated on historical data have an ever shorter useful life.
With continuously evolving risks from increasing complexity and interconnectivity across financial, information, physical and geopolitical domains, enterprise risk management must take a wider lens. Siloed risk management has inadequate field of vision.
What’s needed is holistic, integrated risk governance centrally coordinated by Chief Risk Officers and their teams working seamlessly with Chief Information Security Officers. This ensures technical cyber risks are analyzed in context of business objectives and vice versa.
Both financial and cyber risk managers must align behind common organizational strategies to anticipate fast-changing threats. This proactive vs reactive stance is crucial for sustainability amidst market disruptions and security surprises.
Conclusion
While finance and information security both employ risk management concepts like risk identification > analysis > evaluation > treatment, the specific processes used exhibit significant divergence.
Quantitative financial risk models and metrics enable portfolio optimization guided by statistical probabilities and severity estimates derived from historical data. Information security deals with rapidly evolving threats, motivated attackers, and a lack of reliable indicators, all of which hamper predictive modeling and measurement of cyber risks.
These fundamental differences drive variance in risk management objectives, priorities, stakeholders involved, terminologies employed, assessment approaches, treatment strategies, monitoring mechanisms, and regulatory reporting mandates.
Yet despite the differences, there are commonalities like executive engagement, reliance on skilled professionals, need for sober risk-based decision making, leveraging technology capabilities, and focus on cost-benefit tradeoffs.
As interconnected technological innovations continue growing in the finance sector while money becomes increasingly digitalized, managing cyber risks is becoming integral to financial risk management frameworks.
Likewise, as information security professionals are expected to advise businesses beyond technical controls, speaking the language of risk requires understanding finance and operational objectives.
So convergence of risk concepts between these specializations seems inevitable and mutually beneficial. With advanced persistent threats intensifying globally, we need deeper interdisciplinary collaboration to strengthen organizational risk resilience.
Managing Partner at Devox Software | Product Software Development International Conference | Summit
7 months ago: Mike, thanks a bunch for sharing this!
Information Security | Strategic Business Leader | Governance, Risk & Compliance| Mitigating risk while accelerating business growth
11 months ago: Great article - thank you!