Long before the shenanigans and financial collapse of 2007-08, Dan Geer observed that risk management works in the financial world because there is zero ambiguity over who owns which risk. He rightly fretted that here in infosec we suffer from nothing but ambiguity over who owns what risk.
First the good news: in infosec we're now a lot closer to the financial world in terms of risk management.
Now the bad news: the reason we're closer is that many parts of the financial world turn out not to know who owns which risk any better than infosec does.
In the majority of the past decades' financial meltdowns, derivatives play a starring role (yes, there are many other drivers, but stay with me). The interesting thing, going back to Dan's point about ambiguity in finance, is that derivatives were introduced as a risk management tool, to smooth out volatility and the like (whether this is even possible is a topic for another day). In doing so, derivatives introduced an enormous amount of complexity into the system and, at the same time, inserted ambiguity about where the risk sat and how big it was.
We could already buy and sell shares; what derivatives did was give people a way to amplify returns through models, but they amplify risk just as much. Derivatives are at the heart of all the rogue trading scandals (Barings, SocGen, UBS, NAB; watch for my review of How to be A Rogue Trader), and derivatives are at the heart of the 2007-08 collapse.
Derivatives are a case of something introduced with good, or at least benign, intentions, meant to make the system safer, that ended up making the system overall much less safe.
One of my favorite derivatives quotes, from Warren Buffett:
"Long ago, Mark Twain said: “A man who tries to carry a cat home by its tail will learn a lesson that can be learned in no other way.” If Twain were around now, he might try winding up a derivatives business. After a few days, he would opt for cats."
Charlie Munger on derivatives in 2004:
The system is almost insanely irresponsible, and what people think are fixes aren't really fixes. It's so complicated I can't do it justice here - but you can't believe the trillions of dollars involved. You can't believe the complexity. You can't believe how difficult it is to do the accounting. You can't believe how big the incentives are to have wishful thinking about values and wishful thinking about ability to clear.
People don't think about the consequences of the consequences. People start by trying to hedge against interest rate changes, which is very difficult and complicated. Then, the hedges make the [reported profits] lumpy. So they use the new derivatives to smooth this. Well, now you've morphed into lying. This turns into a Mad Hatter's Tea Party. This happens to vast, sophisticated corporations.
Somebody has to step in and say, "We're not going to do it - it's just too hard."
I think a good litmus test of the mental and moral quality at any large institution [with significant derivative exposure] would be to ask them, "Do you really understand your derivatives book?" Anyone who says yes is either crazy or lying.
It's easy to see [the dangers] when you talk about [what happened with] the energy derivatives - they went kerflooey. When [the companies] reached for the assets that were on their books, the money wasn't there. When it comes to financial assets, we haven't had any such denouement, and the accounting hasn't changed, so the denouement is ahead of us.
Derivatives are full of clauses that say if one party's credit gets downgraded then it has to put up collateral. It's like margin - you can go broke [just putting up more margin]. In an attempt to protect themselves, they've introduced instability. Nobody seems to recognize what a disaster of a system they've created. It's a demented system.
In engineering people have a big margin of safety. But in the financial world, people don't give a damn about safety. They let it balloon and balloon and balloon. It's aided by false accounting. I'm more pessimistic about this than Warren is.