
BACKGROUND

We emphasize from the outset that terminology must be used accurately, because our words define our understanding. Therefore, before describing in detail the role of ITSG in e-banking, we first review the literature on e-banking and on ITSG as separate contexts.

Fundamentally, banking has evolved into an "anytime/anywhere/anyhow" service (Chen, 2009), and the term e-banking describes banking applications, including products and services, delivered with the use of technology. Specifically, the proliferation of Internet technology has led to new products such as account aggregation, bill presentment and personalized financial services. Today, competition in the banking sector is determined by a bank's success in adopting and delivering innovative products and services that meet the changing needs of the customer (Daniel, 1999). Most banks have some type of Web presence, but this is often restricted primarily to marketing purposes (Ho Bruce and Wu, 2009). However, e-banking can offer much more than a static online presence. Specifically, e-banking has the potential to:

• Eliminate physical or geographical boundaries, enabling a wider market share.

• Use a variety of devices (e.g. phone, personal computer) for instant access to banking services without the expense of facilities or labor.

• Satisfy consumer demands via mass-customization and self-service.

• Lower operational, transaction and production costs through the use of technology.

• Showcase community activities and attractions, and offer multilingual sites.

• Build public relations and reputation by supporting social welfare and local needs.

• Provide effortless, round-the-clock accessibility for disabled people.

While the literature offers various definitions of e-banking (Insley et al., 2003; Kolodinsky et al., 2004; Shah and Clarke, 2009; Angelakopoulos and Mihiotis, 2011), we conclude that e-banking is an umbrella term covering all transactions of a bank that are performed by electronic means, mainly through the Internet but also via VPNs (Virtual Private Networks), intranets, extranets, fixed and mobile phones, and other devices such as ATMs, and that do not require the customer to visit a bank branch.

According to Akinci et al. (2004) and Aggelis (2005), an e-banking environment comprises a number of retail banking services, distribution channels and target markets (see Figure 1), but three major types of e-banking are distinguished by the channel through which the transactions are performed: 1. Internet banking, 2. Phone banking, 3. Mobile banking.

1. Internet banking (or web banking), as its name implies, operates mainly over the Internet. The customer needs a personal computer and an Internet connection to the bank's systems. Because of the heightened security requirements of e-transactions, banks must ensure that e-banking customers' records remain protected under all conditions. To this end, banks use security controls such as hardware tokens (typically as a second authentication factor), specialized client software, digital signatures (for the integrity and non-repudiation of transactions) and other defenses to protect the security requirements (confidentiality, integrity, availability) of the assets supporting e-banking.

2. Phone banking services are delivered over a fixed-line (non-mobile) telephone. This service is divided (Aggelis, 2005) into two categories: a) manual, via contact with a live agent, and b) automated, through IVR (Interactive Voice Response) systems in which the customer responds to voice prompts.

3. Mobile banking (m-banking) is a relatively new channel whose penetration has not yet reached the level one would expect. The main reasons are security shortcomings and weak marketing strategy. M-banking is performed through specialized software installed on the user's mobile device, and safeguards such as regularly changing the password are essential.

According to Nsouli and Schaechter (2002), e-banking is an electronic financial service belonging to the wider area of e-commerce. E-commerce is conceived as a broad term covering all business conducted over electronic networks. It is divided into two broad categories: a) e-finance, which includes financial services delivered via e-channels, and b) e-money, which includes all mechanisms for stored value or prepaid payment.

The main difference between e-money and e-banking is that e-money balances are not kept in financial accounts within banks but are instead treated as digital money or cash. Direct deposit and electronic funds transfer (EFT) are the examples usually given. E-finance includes e-banking as well as other financial services and products such as insurance and online brokering. Figure 2 summarizes this notion.

Figure 1. Retail banking services and distribution channels

Source: Adapted from Akinci et al., 2004

E-banking cannot operate without technology, and specifically the Internet; accordingly, the role of technology in supporting the e-banking function has become increasingly complex. IT operations are now highly dynamic and typically involve distributed environments, integrated applications, telecommunication options, Internet connectivity, multiple operating platforms, and increased reliance on third parties (e.g. vendors, partners) for delivering e-banking solutions (Rao et al., 2007). For this reason, IT security can no longer be regarded as a purely technical issue: it involves different stakeholders with different security behavior (e.g. investors, employees, society), and unfortunately security is rarely at the forefront of stakeholders' concerns, except where compliance with standards and/or legal requirements demands it (Mellado et al., 2010). IT security is a subset of information security (IS), a concept that has become an integral part of daily life, and banks need to ensure that both their information and their delivery of services are adequately secured (Saint-Germain, 2005). The purpose, therefore, is to define the "desired state" of security that achieves the Information Security Governance (ISG) objectives for e-banking (Kondabagil, 2007; Solms and von Solms, 2009), namely:

1. Strategic alignment.

2. Risk management.

3. Business process assurance/convergence.

4. Value delivery.

5. Resource management.

6. Performance measurement.

We now describe the ITSG concept, a term derived from ITG (Information Technology Governance) with an emphasis on the technological factor. Tracing its roots, Rastogi and von Solms (2006) draw on references such as Weill and Woodham (2002, p. 4), who define IT governance as "specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT," and Van Grembergen (2002, p. 1), who defines IT governance as "the organizational capacity exercised by the Board, executive management and IT management to control the formulation and implementation of IT strategy and in this way ensuring the fusion of business and IT."

The literature offers a variety of definitions of the role of ITSG, but there is little consensus among academics and practitioners on the definition and use of the term, and some authors use the term ISG to cover the technological aspect of an institution as well (Monks and Minow, 2004; Kritzinger and von Solms, 2006; Rao et al., 2007). Moulton and Coles (2003) define ITSG as the establishment and maintenance of the control environment to manage the risks relating to the confidentiality, integrity and availability of information and its supporting processes and systems. The IT Governance Institute (2006) holds that ITSG complements ISG and is the set of responsibilities various stakeholders possess with the goal of providing strategic direction and ensuring that risks and resources are managed efficiently. In addition, Rastogi and von Solms (2006) describe ITSG as a decision-making process that includes protecting stakeholder value and the most valuable assets of a financial institution. This definition matches this chapter's work well, since the objective is to examine how an ITSG program can benefit an e-banking system.

To make this definition more precise in the context of e-banking, we extend the above description and define the role of ITSG in e-banking as a "cognitive process that adds value to the business and IT infrastructure, resulting in a set of actions among several stakeholders towards managing e-banking risks."

It is argued that the assurance of protecting information in financial services should not be a "one-man responsibility" but should be treated as a governance issue (Abu-Musa, 2010). For this reason, the term "Corporate Governance" (CG) is used to specify the relationships between, and the distribution of rights, information and responsibilities among, the four main groups of participants in a corporate body, namely

1. Board of directors,

2. Managers,

3. Employees, and

4. Various stakeholders.

CG can also be defined as the system by which business operations are directed and controlled (Biri and Trenta, 2004). According to the same authors, examples of international best practice for CG are the King II Report and the Organisation for Economic Co-operation and Development (OECD) Principles of CG. A highly related term that complements and forms an integral part of ITSG, and thereby of ISG, is the enterprise governance (EG) concept. According to IFAC (2004), EG is a more generic term, closely related to CG, referring to the organizational structures and processes that aim to ensure that the organization's business objectives are met and that IT sustains and delivers business value to the financial institution and its stakeholders.

Relevant aspects of ISG include accountability to stakeholders, compliance with legal requirements, setting clear security policies, spreading security awareness and education, defining roles and responsibilities, contingency planning and instituting best-practice standards (Monks and Minow, 2004). In other words, the scope of ISG is to describe the rules and procedures for making decisions regarding corporate affairs and the structure through which corporate objectives are set.

Moreover, ISG aims to fulfill the security objectives (confidentiality, availability and integrity), monitor corporate performance against those objectives and communicate it to the stakeholders (Long et al., 2008). However, there are well-known examples of governance failing to live up to expectations, such as the high-visibility collapses of Enron, Tyco, WorldCom, and Arthur Andersen (Poore, 2005). For this reason, the need for ITSG has become apparent as a means of supporting ISG in achieving its role. At its core, ITSG is concerned with two things: delivery of value to the business and mitigation of IT risks (Moreira et al., 2008). A comprehensive definition of ITSG (Solms and von Solms, 2009) is as an integral part of enterprise (corporate) governance, consisting of the leadership and organizational structures that ensure the organization's IT infrastructure sustains and extends the organization's strategies and objectives.

From a theoretical perspective, ITSG complements ISG, which is in turn a subset of CG, but the two terms are not congruent. ITSG focuses on the application of technology to business and on how, and to what degree, this application provides value to the business. In practice, this concept concerns the technology itself (e.g. computer failures, technology obsolescence) more than the information itself. But because the primary purpose of any governance program within a financial institution is to hold management accountable for the assurance of information, it must also assure the protection and ethical use of the information assets (Poore, 2005).

The literature contains attempts to build holistic ISG frameworks that simplify the variety of components and bring together existing approaches (Tan et al., 2010; Trompeter and Eloff, 2001; Tudor, 2000). To further clarify the meaning of the closely related terms CG, ITSG, ITG and ISG, we use the framework depicted in Da Veiga and Eloff (2007) (Figure 3), because it represents ISG on the basis of four approaches, namely a) ISO 17799 (2005), b) PROTECT, c) the Capability Maturity Model, and d) the Information Security Architecture (ISA). The authors see ISG as a triangular pyramid (see Figure 3) consisting of three layers with distinct components.

Source: Banking, Finance, and Accounting: Concepts, Methodologies, Tools, and Applications. IGI Global, 2014. 1593 p.