Welcome to the CXOWARE blog. We hope you’ll join us for lively and good natured discussion about risk and risk issues!  We’re risk geeks, plain and simple. We’re big advocates of the Factor Analysis of Information Risk (FAIR) framework for quantifying risk.

If people managed their personal finances like information security manages risk

By: Jack Jones


Imagine that you need to manage your personal finances, but there is one constraint in how you’re able to go about it, specifically:

You can only measure income and spending using qualitative values (e.g., High, Medium-High, Medium, Medium-Low, and Low). There are no monetary figures involved.

With this as the setting, let’s look at some specifics regarding your financial management situation:

  • You currently earn what your boss tells you is a Medium-sized paycheck every two weeks. You’re not so sure though -- it feels more like Medium-Low to you.
  • Your spouse’s paycheck is also “Medium”. When you put the two of them together you’re not sure whether they add up to a Medium-High income or just a higher level of Medium.
  • Monthly expenses are typically what you suspect are Medium-ish, but you’re not sure how to add up a bunch of Low and Medium-Low expenses. You’re also not sure how to factor in the costs associated with repairing the basement last spring when the sump pump failed. Those costs had to be at least Medium-High.
  • Because you’re not able to know where your finances stand, you and your spouse are continually concerned about the possibility of running out of money. Besides that, you’d also like to be able to retire with Medium-High retirement savings so that you can travel and maybe buy that motorhome the two of you have been talking about for years.
  • With that in mind, and as your financial advisor suggests, you try to put a Low amount of money into a retirement account every payday. You’ve been doing that for years now, but your financial advisor says recent market conditions knocked your savings from what she thinks of as Medium-Low to Low over the last couple of years. She’s not able to tell you, though, whether it’s at the low end of Low or the high end of Low (or whether your version of Low is the same as hers).

In summary, you and your spouse try to be smart about your finances. You work hard, are reasonably careful with your spending, and you seek financial advice from professionals. These actions mean that you’re more likely to be in a better place financially than if you quit your job and spent money like a drunken sailor. In other words, your actions imply a better condition than if you were less intelligent about it, but you really have no clear idea where your finances stand today and you aren't able to explicitly measure progress (or lack thereof) toward an objective. You also don’t know how comfortable you should feel about one-off spending opportunities like taking a vacation cruise to celebrate your anniversary, or how worried you should be about unforeseen expenses like the basement repairs.

The bottom line is that implicit financial management like this isn't inherently bad. Certainly it’s better than acting in ways that increase the odds of a poor outcome. But assumptions abound regarding whether you’re doing enough or too much. You’re essentially ungrounded.

Besides the obvious challenge of not really knowing where your finances stand relative to your objective (or even what your objective really looks like), did you catch the other, more subtle problem? The same qualitative values are used for discrete transactions (e.g., paychecks and expenses) and for big-picture conditions (e.g., the bank balance and the retirement goal). Clearly, however, a “Medium” paycheck is not likely to be the same thing as having a “Medium” amount in your retirement savings account.

Given the above, there’s probably not much more that needs to be said about what this means from a risk management perspective.

About The Author

Jack Jones
Jack Jones is the EVP of R&D and a Founder of RiskLens. He has worked in technology for over 30 years, the past 28 years in information security and risk management. He has a decade of experience as a Chief Information Security Officer (CISO) with three different companies, including a Fortune 100 financial services company. His work there was recognized in 2006 when he received the Information Systems Security Association (ISSA) Excellence in the Field of Security Practices award. In 2007, he was selected as a finalist for the Information Security Executive of the Year, Central United States, and in 2012, he was honored with the CSO Compass Award for leadership in risk management. Jones, who lives in Spokane, Washington, has served on the ISACA CRISC Certification Committee and RiskIT Task Force, as well as the ISC2 Ethics Committee. He is the author and creator of the Factor Analysis of Information Risk (FAIR) framework. He writes about that system in his book Measuring and Managing Information Risk: A FAIR Approach, which was inducted into the Cyber Security Canon in 2016, as a must-read in the profession.