Risk sensitivity, also referred to as a Greek, is the measure of how a financial instrument’s value reacts to changes in underlying factors. The value of a financial instrument is affected by many factors, such as interest rate, stock price, implied volatility, time, etc. Sensitivities are risk measures that are more important than fair values. Greeks are vital for risk management. They can help financial market participants isolate risk, hedge risk and explain profit & loss.
Explaining Risk Sensitivity
Risk sensitivity is a crucial concept in a risk program. While prioritizing resources based on several factors of criticality appears to be a fairly simple concept, in reality this evaluation becomes the basis for all future risk decisions. It affects which resources one assesses at all, how often one reassesses them, how detailed the assessment needs to be, how one prioritizes any risk findings, what level of risk is acceptable, and even the level of management needed to approve an exception. Designing a comprehensive and accurate risk profile form may take a couple of tries before one finds the right mix of questions.
Assessing the risk sensitivity of a data flow requires focusing well beyond the risk sensitivity of the asset as a whole and beyond even that of any one application or function of that resource. The specific characteristics of the individual flow need to be considered. There are two primary aspects of a flow to consider: the sensitivity of the data in that flow or directly accessible by that flow, and the privilege to the asset or application that the flow allows. These two factors will help guide risk assessment decisions made regarding the application of security controls.
In fact, a particular flow may have access only to a very specific interface on an application, one, for instance, that displays a small subset of data from a system and is determined to be less risk sensitive than the larger collection of data. A certain system may gather data from many resources of varying risk sensitivity, and the compiling system should assume the risk sensitivity of the most sensitive source with which it communicates. The particular data that are gathered and compiled must be reviewed to determine the risk sensitivity of the compiled set. For example, a billing system may gather data from highly risk-sensitive resources, but the actual cost-center and usage statistics information may be deemed to be low risk because only partial data have been gathered. A similar example would be a performance monitoring system that tracks the uptime of a resource. This performance data may be classified as low sensitivity even though the systems it monitors are determined to be highly risk sensitive.
Similarly, the risk sensitivity of the aggregated data should be considered based on the combined value of individual information. Often, seemingly nonsensitive data can be combined into more meaningful groupings that may have higher risk sensitivity in their aggregated form and therefore require stronger protections. All these behaviors should be considered when resources of varying risk sensitivity need to communicate and share data.
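The rating logic described in the last two paragraphs can be sketched as follows. This is an added example, not part of the original text: the three-level scale, the source systems, the field names and the aggregation rule are all hypothetical, constructed to show the default high-water-mark rating, the reviewed rating of a gathered subset, and the uplift for a sensitive combination.

```python
from enum import IntEnum

class Sensitivity(IntEnum):  # assumed three-level scale
    LOW = 1
    MODERATE = 2
    HIGH = 3

# Constructed sample: per-field ratings for each (hypothetical) source system.
SOURCES = {
    "hr_db": {"employee_name": Sensitivity.LOW, "salary": Sensitivity.HIGH,
              "cost_center": Sensitivity.LOW},
    "badge_system": {"employee_name": Sensitivity.LOW, "door_id": Sensitivity.LOW,
                     "entry_time": Sensitivity.LOW},
    "metering": {"cost_center": Sensitivity.LOW, "usage_hours": Sensitivity.LOW},
}

# Hypothetical aggregation rules: field combinations whose joint value is
# rated higher than any single field in the combination.
AGGREGATION_RULES = [
    ({"employee_name", "door_id", "entry_time"}, Sensitivity.MODERATE),
]

def source_rating(source):
    """Rating of a source as a whole: its most sensitive field."""
    return max(SOURCES[source].values())

def compiled_rating(gathered, reviewed=False):
    """Rate a compiled data set; gathered maps source name -> fields pulled."""
    if not gathered:
        raise ValueError("no sources gathered")
    if not reviewed:
        # Default: assume the rating of the most sensitive source touched.
        return max(source_rating(s) for s in gathered)
    # Reviewed: rate only the fields actually gathered...
    fields = {f for fs in gathered.values() for f in fs}
    rating = max(SOURCES[s][f] for s, fs in gathered.items() for f in fs)
    # ...then raise the rating if a sensitive combination is present.
    for combo, floor in AGGREGATION_RULES:
        if combo <= fields:
            rating = max(rating, floor)
    return rating

billing = {"hr_db": {"cost_center"}, "metering": {"cost_center", "usage_hours"}}
tracker = {"hr_db": {"employee_name"},
           "badge_system": {"employee_name", "door_id", "entry_time"}}
```

Here `billing` is rated HIGH until the gathered fields are reviewed and LOW afterwards, while `tracker` stays at MODERATE after review because its individually low-rated fields match an aggregation rule.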