
CONCLUSION

Bill Gates's 2008 remark that “banking is essential, banks are not” suggests that the traditional bank branch will gradually be phased out and replaced by e-banking services, which will continue to attract new users through lower costs, instant accessibility and reliable customer service.

However, as the financial sector and society embrace these new opportunities, they have to contend with the issues and challenges that arise from e-banking risks. Therefore, the main question of this chapter is whether an ITSG program can mitigate e-banking risks, increase business value and achieve compliance with industry-related best practices without causing severe organizational problems. So far, no study has been carried out to establish the ISG objectives that influence the adoption and effectiveness of e-banking, or to evaluate the relevant features of ITSG approaches. This study was therefore designed to evaluate reputed approaches, namely ISG frameworks, best practices and principles, international standards, internal controls and Risk Management methods, against standard ISG objectives and additional criteria, in order to indicate which approach or method best suits e-banking. The results of the study indicate the benefits and shortcomings of each ITSG approach. Customization may be the preferable solution, according to each e-banking system's security strategy.

Although the majority of financial institutions recognize an ITSG program as an indispensable factor for the success of IT and corporate governance, they usually equate effective governance with meeting the demands of regulators, without recognizing that sound ITSG can actually boost business. Consequently, they avoid using consistent metrics to measure the effectiveness of an ITSG program. New trends in measuring ITSG effectiveness include collecting metrics in a standard and automated fashion using security methods such as SCAP.

Each financial institution differs in risk appetite, scope, complexity and resources; therefore, analysis of existing frameworks and best standards may indicate further areas for improvement and future research, in order to combat the diversity of risks and the differing views of stakeholders. For example, it would be interesting for future research to examine whether user awareness, education and training programs are in accord with the ethical codes proposed by current ITSG approaches.

In this respect, since there is no officially accepted ITSG framework for the e-banking domain, this chapter focused on establishing a strong relationship between Risk Management in e-banking and ISG in order to govern information security in e-banking. To achieve this, we highlighted the concepts of Risk Management in e-banking and ISG. We further examined and compared elements from the most commonly used ISG frameworks, standards and best practices against a number of objectives and criteria that a sound ITSG program must satisfy. This comparison leads us to propose that no single approach is a “best fit” for e-banking, because the state of e-banking varies with a number of core factors such as country, culture and the bank's reputation. Thereby, the main proposals for governing information security in e-banking are to:

• Develop an ITSG framework based on the guidance in Figure 5, which can help banks govern information security in e-banking.

• Embrace a security strategy based on the results in Table 2, in order to fit each unique e-banking environment.

• Focus on outsourcing risk, since this type of risk carries greater threat and impact for e-banking.

We summarize the chapter by supporting the argument set out in the introduction that “Security is a management problem, not a technical problem” and that, in simple economic terms, it is cheaper and more effective to find and eliminate security problems while the system is being developed rather than after it has been deployed (Villarroel et al., 2005).

At the same time, IS is an issue with multiple key dimensions (e.g. business, economic, cultural, legal, political, standards, technology) that need to be taken into account. Undoubtedly, the existence of many viewpoints ensures a holistic approach towards the effectiveness of an ITSG program in e-banking, but the final responsibility lies in the hands of the Board, management and stakeholders. In the foreseeable future there will continue to be a need for brick-and-mortar facilities, because the current generation of customers still requires personal contact and because some functions, such as cash withdrawals, still require a physical facility and personnel. However, the future of e-banking is more than promising and depends heavily on the development of technology. Future research on the state of the relationships (e.g. dependencies) among the multiple key dimensions (business, culture, etc.) that affect an ITSG program will offer useful insights about which dimensions are more critical than others.

REFERENCES

Abu-Musa, A. (2010). Information security governance in Saudi organizations: An empirical study. Information Management & Computer Security, 18(4), 226-276.

Aggelis, V. G. (2005). The bible of e-banking. Athens, Greece: New Technologies Publications. (in Greek)

Akinci, S., Aksoy, S., & Atilgan, E. (2004). Adoption of Internet banking among sophisticated consumer segments in an advanced developing country. International Journal of Bank Marketing, 22(3), 212-232.

Angelakopoulos, G., & Mihiotis, A. (2011). E-banking: Challenges and opportunities in the Greek banking sector. Electronic Commerce Research, 11, 1-23.

Arshad, N. H., May-Lin, Y., Mohamed, A., & Affandi, S. (2007). Inherent risks in ICT outsourcing project. Proceedings of the 8th WSEAS Conference, 8(4), 141-146. Retrieved July 20, 2011, from http://www.wseas.us/elibrary/transactions/economics/2007/24-107.pdf

Basel Committee on Banking Supervision. (2003). Risk management principles for electronic banking. Retrieved July 20, 2011, from http://www.bis.org/publ/bcbs98.pdf

Basel Committee on Banking Supervision. (2005). Outsourcing in financial services. Retrieved July 20, 2011, from http://www.bis.org/publ/joint12.pdf

Baten, M. A., & Kamil, A. A. (2010). E-banking of economical prospects in Bangladesh. Journal of Internet Banking and Commerce, 15(2).

Biri, K., & Tentra, G. M. (2004). Corporate information security governance in Swiss private banking. Master's Thesis, University of Zurich. Retrieved July 20, 2011, from http://www.isaca.ch/files/DO7_Diplomarbeiten/Diplom_CorporateInfSecGovernance_E.pdf

Brotby, K. (2009). Information security governance: A practical development and implementation approach. Wiley.

BSI-Std. BSI Standard 100-1. (2006). Information security management systems. Bonn, Germany: Bundesamt für Sicherheit in der Informationstechnik.

Chen, X. (2009). The challenges and strategies of commercial bank in developing e-banking business. In Proceedings of the International Conference ICHCC 2009-ICTMF 2009, Sanya, Hainan Island, China, December 13-14, 2009, (pp. 68-74).

Committee of Sponsoring Organizations of the Treadway Commission. (2004). Enterprise risk management - Integrated framework. Executive Summary, September. Retrieved July 20, 2011, from http://www.coso.org/documents/COSO_ERM_ExecutiveSummary.pdf

Corporate Governance Task Force (CGTF). (2004). Corporate governance task force report: Information security governance - A call to action. Retrieved July 20, 2011, from http://www.cyber.st.dhs.gov/docs/Information%20Security%20Governance-%20A%20Call%20to%20Action%20%282004%29.pdf

Corporate Information Security Working Group (CISWG). (2004). Report of the best practices and metrics team. Retrieved July 20, 2011, from http://net.educause.edu/ir/library/pdf/CSD3661.pdf

Da Veiga, A., & Eloff, J. H. P. (2007). An information security governance framework. Information Systems Management, 24(4), 361-372.

Daniel, E. (1999). Provision of electronic banking in the UK and Republic of Ireland. International Journal of Bank Marketing, 17(2), 72-83.

Dewan, R., & Seidmann, A. (2001). Current issues in e-banking. Communications of the ACM, 44(6), 31-32.

ENISA. (2006). Risk management: Implementation principles and inventories for risk management/risk assessment method and tools. European Network and Information Security Agency - Technical Department, Heraklion, Greece. Retrieved July 20, 2011, from http://www.enisa.europa.eu/rmra/files/D1_Inventory_of_Methods_Risk_Management_Final.pdf

Federal Financial Institutions Examination Council (FFIEC). (2004). Outsourcing technology services. Retrieved July 20, 2011, from http://www.enpointe.com/assets/pdf/Outsourcing_Booklet.pdf

Federal Financial Institutions Examination Council (FFIEC). (2005). Authentication in an Internet banking environment. Retrieved July 20, 2011, from http://www.ffiec.gov/pdf/authentication_guidance.pdf

Financial Action Task Force (FATF). (1996). The forty recommendations of the Financial Action Task Force on money laundering. Retrieved July 20, 2011, from http://www.fincen.gov/news_room/rp/files/fatf_40_recommendations.pdf

Frankland, J. (2008). IT security metrics: Implementation and standards compliance. Network Security, 6, 6-9.

Generally Accepted Information Security Principles, Version 3.0 (GAISP). (2003). Retrieved July 20, 2011, from http://all.net/books/standards/GAISP-v30.pdf

Gikandi, J. W., & Bloor, C. (2010). Adoption and effectiveness of electronic banking in Kenya. Electronic Commerce Research and Applications, 9, 277-282.

Heschl, J. (2004). COBIT in relation to other international standards. Journal of Information Systems Control, 4.

Holmquist, E. (2008). Which security governance framework is the best fit? TechTarget ANZ Australia. Retrieved July 20, 2011, from http://searchcio.techtarget.com.au/articles/24787-Which-security-governance-framework-is-the-best-fit-.htm

Houmb, S. H., Franqueira, V. N. L., & Engum, E. A. (2010). Quantifying security risk level from CVSS estimates of frequency and impact. Journal of Systems and Software, 83, 1622-1634.

IFAC. (2004). Enterprise governance: Getting the balance right. International Federation of Accountants, Professional Accountants in Business Committee. Retrieved July 20, 2011, from www.ifac.org/Members/DownLoads/EnterpriseGovernance.pdf

Insley, R., Al-Abed, H., & Fleming, T. (2003). What is the definition of e-banking? Retrieved July 20, 2011, from http://www.bankersonline.com/technology/gurus_tech081803d.html

ISO 15489-1:2001. (2001). International standard, information and documentation - Records management, part 1: General. Retrieved July 20, 2011, from http://www.javeriana.edu.co/archivo/07_eventos/preservaciondigital/memorias/index_archivos/norma/iso_15489-1.pdf

ISO 15489-2:2001. (2001). Technical report, information and documentation - Records management, part 2: Guidelines. Retrieved July 20, 2011, from http://www.javeriana.edu.co/archivo/07_eventos/preservaciondigital/memorias/index_archivos/norma/iso_15489-2.pdf

ISO-Std. ISO/IEC TR 13335-1. (1996). Information technology - Guidelines for the management of IT security - Concepts and models for IT security. International Organization for Standardization (ISO), Switzerland, 1996.

ISO-Std. ISO/IEC 27001:2005(E). (2005). Information technology - Security techniques - Information security management systems - Requirements. International Organization for Standardization (ISO), Switzerland, 2005.

ISO-Std. ISO/IEC 27005:2008. (2008). Information technology - Security techniques - Information security risk management. International Organization for Standardization (ISO), Switzerland, 2008.

ISO/IEC 27004:2009. (2009). Introduction to ISO 27004. The ISO 27000 Directory. Retrieved July 20, 2011, from http://www.27000.org/iso-27004.htm

ISO/IEC 38500:2008. (2008). International standard, corporate governance of information technology. Retrieved July 20, 2011, from http://webstore.iec.ch/preview/info_isoiec38500%7Bed1.0%7Den.pdf

ISO/TC-Std. 31000:2008. (2008). Risk management - Principles and guidelines on implementation (draft). International Organization for Standardization (ISO), Switzerland, 2008.

ITGI. (2006). Information security governance: Guidance for boards of directors and executive management (2nd ed.). Rolling Meadows, IL: IT Governance Institute.

ITGI. (2007). COBIT 4.1 excerpt: Executive summary - Framework. Retrieved July 20, 2011, from http://www.isaca.org/KnowledgeCenter/cobit/Documents/COBIT4.pdf

Kolodinsky, J. M., Vermont, B., Hogarth, M. J., & Hilgert, M. A. (2004). The adoption of electronic banking technologies by US consumers. International Journal of Bank Marketing, 22(4), 238-259.

Kondabagil, J. (2007). Risk management in electronic banking: Concepts and best practices. Wiley Finance.

Kouns, J., & Minoli, D. (2010). Information technology risk management in enterprise environments: A review of industry practices and a practical guide to risk management teams. Wiley.

Kritzinger, E., & von Solms, S. H. (2006). E-learning: Incorporating information security governance. Issues in Informing Science and Information Technology, 3, 319-325.

Lomas, E. (2010). Information governance: Information security and access within a UK context. Records Management Journal, 20(2), 182-198.

Long, X., Qi, Y., & Qianmu, L. (2008). Information security risk assessment based on analytic hierarchy process and fuzzy comprehensive. In Proceedings of the International Conference on Risk Management & Engineering Management, (pp. 404-409).

Lund, M. S., Solhaug, B., & Stølen, K. (2010). Model-driven risk analysis: The CORAS approach. Springer.

Mellado, D., Blanco, C., Sanchez, L. E., & Fernandez-Medina, E. (2010). A systematic review of security requirements engineering. Computer Standards & Interfaces, 32, 153-165.

Monks, R. A. G., & Minow, N. (2004). Corporate governance (3rd ed.). Malden, MA: Blackwell.

Moreira, E., Martimiano, L. A. F., Brandao, A. J., & Bernardes, M. C. (2008). Ontologies for information security management and governance. Information Management & Computer Security, 16(2), 150-165.

Moulton, R., & Coles, R. S. (2003). Applying information security governance. Computers & Security, 22(7), 580-584.

MSNBC. (2010). Massive bank security breach uncovered in New Jersey. Retrieved July 20, 2011, from http://www.msnbc.msn.com/id/3303539

National Institute of Standards and Technology (NIST). (2011). Special publication 800-126 Rev. 1: The technical specification for the security content automation protocol (SCAP): SCAP Version 1.1. February. Retrieved July 20, 2011, from http://csrc.nist.gov/publications/nistpubs/800-126-rev1/SP800-126r1.pdf/

NIST Special Publication 800-39. (2011). Managing information security risk: Organization, mission, and information system view. Retrieved July 20, 2011, from http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf

Nsouli, S. M., & Schaechter, A. (2002). Challenges of the e-banking revolution. International Monetary Fund: Finance & Development, 39(3). Retrieved July 20, 2011, from http://www.imf.org/external/pubs/ft/fandd/2002/09/nsouli.htm

OCTAVE. (2003). Operationally critical threat, asset, and vulnerability evaluation. Retrieved July 20, 2011, from http://www.cert.org/octave/approach_intro.pdf

Organization for Economic Co-operation and Development (OECD). (2004). Principles of corporate governance. Retrieved July 20, 2011, from http://www.oecd.org/dataoecd/32/18/31557724.pdf

PCI. (2010). About the PCI data security standard (PCI DSS). Retrieved July 20, 2011, from https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Peltier, T. (2004). Risk analysis and risk management. Information Systems Security, 13(4), 44-56.

Poore, R. S. (2005). Information security governance. EDPACS, 33(5), 1-8.

Pretorius, E., & Solms, B. (2004). Information security governance using ISO 17799 and COBIT. Integrity and Internal Control in Information Systems, 6(140), 107-113.

Rao, H. R., Gupta, M., & Upadhyaya, S. J. (2007). Managing information assurance in financial services. Hershey, PA: IGI Publishing.

Rastogi, R., & von Solms, R. (2006). Information security governance: A re-definition. International Federation for Information Processing, 193. Boston, MA: Springer.

Reserve Bank of India. (2011). Working group on information security, electronic banking, technology risk management and cyber frauds. Retrieved June 20, 2011, from http://www.rbi.org.in/scripts/PublicationReportDetails.aspx?UrlPage=&ID=609

Rogers, E. M. (1962). Diffusion of innovations. New York, NY: The Free Press.

Saint-Germain, R. (2005). Information security management best practice based on ISO/IEC 17799. Information Management Journal, 39(4), 60-65.

SANS Institute. (2003). Using a capability maturity model to derive security requirements. Retrieved July 20, 2011, from http://www.sans.org/reading_room/whitepapers/bestprac/capability-maturity-model-derive-security-requirements_1005

Shah, M., & Clarke, S. (2009). E-banking management: Issues, solutions, and strategies. Hershey, PA: IGI Publishing.

Shah, M. H., & Siddiqui, F. A. (2006). Organisational critical success factors in adoption of e-banking at the Woolwich bank. International Journal of Information Management, 26, 442-456.

Soliman, K. (2006). Managing information in the digital economy: Issues & solutions. In Proceedings of the 6th International Business Information Management Association (IBIMA) Conference, 19-21 June 2006, Bonn, Germany, (pp. 227-232).

Solms, S. H., & von Solms, R. (2009). Information security governance. Springer.

Southard, P. B., & Siau, K. (2004). A survey of online e-banking retail initiatives. Communications of the ACM, 47(10).

Tan, T. C. C., Ruighaver, A. B., & Ahmad, A. (2010). Information security governance: When compliance becomes more important than security. In Proceedings of the 25th IFIP TC 11 International Information Security Conference, (pp. 55-67).

Tanampasidis, G. (2008). A comprehensive method for assessment of operational risk in e-banking. Information Systems Control Journal, 4.

Task Force on Financial Integrity and Economic Development. (2011). Response to FATF consultation paper: Review of the standards. Preparation for the 4th Round of Mutual Evaluations. Retrieved July 20, 2011, from http://www.financialtaskforce.org/wpcontent/uploads/2011/02/Task_Force_on_Financial_Integrity_and_Economic_Development_Response_to_FATF_Consultation_Paper.pdf.pdf

Trompeter, C. M., & Eloff, J. H. P. (2001). A framework for the implementation of socio-ethical controls in information security. Computers & Security, 20(5), 384-391.

Tsoumas, V., & Tryfonas, T. (2004). From risk analysis to effective security management: Towards an automated approach. Information Management & Computer Security, 12(1), 91-101.

Tudor, J. K. (2000). Information security architecture - An integrated approach to security in an organization. Boca Raton, FL: Auerbach.

US Department of Commerce. (2006). NIST (Draft) SP 800-80: Guide for developing performance metrics for information security.

Vachirapornpuk, S., & Broderick, A. J. (2002). Service quality in internet banking: The importance of customer role. Marketing Intelligence & Planning, 20(6), 327-335.

Vijayan, J. (2010). Five indicted in cybertheft of city's bank account. Retrieved July 20, 2011, from http://www.computerworld.com/s/article/9177409/Five_indicted_in_cybertheft_of_city_s_bank_accounts

Villarroel, R., Fernandez-Medina, E., & Mellado, D. (2005). Secure information systems development - A survey and comparison. Computers & Security, 24, 308-321.

This work was previously published in IT Security Governance Innovations, edited by Daniel Mellado, Luis Enrique Sanchez, Eduardo Fernandez-Medina, and Mario G. Piattini, pages 13-46, copyright 2013 by Information Science Reference (an imprint of IGI Global).


Source: Banking, Finance, and Accounting: Concepts, Methodologies, Tools, and Applications. IGI Global, 2014.
