RISK MANAGEMENT IN E-BANKING
Risk Management is considered by some sources (SANS Institute, 2003; BSI Standard 100-1, 2006) a discipline and part of information security management. This point of view is also shared by ENISA (2006), which states that Risk Management and Risk Assessment are major components of Information Security Management.
Moreover, according to Peltier (2004), Risk Management is the process that allows balancing the operational and economic costs of protective measures against gains in mission capability, by protecting the business processes that support the business objectives or mission of the enterprise. In a similar way, Tsoumas and Tryfonas (2004) define the Risk Management process as a framework for determining and implementing acceptable security controls. To take things from the beginning and rationalize the purpose of conducting a Risk Management approach in e-banking, we must understand the elements of risk in e-banking and the relationships between them. We therefore refer explicitly to the definitions of the risk elements in e-banking. Risk is "[...] the possibility of any deliberate or undesirable action that could cause and result in a negative impact in the e-banking system", or the combination of the probability of an event and its consequence (Kondabagil, 2007; ISO 27005). A threat is "[...] any situation or event that has potential to harm the e-banking system"; threats materialize when they exploit vulnerabilities (Kondabagil, 2007; ISO 27001). A vulnerability is "[...] a weakness, which is susceptible to be used by a threat to gain unauthorized access to information or disrupt processing"; vulnerabilities can be human errors, weaknesses in the software of the information system, system security practices and procedures, internal controls, etc. (Kouns and Minoli, 2010). Each threat-vulnerability pair leads to an unwanted risk, whose likelihood is to be estimated or measured. This likelihood is the probability that a vulnerability will be exploited by a threat, leading to harm or damage. Figure 8 shows a semantic net of the key concepts related to the management of e-banking risks. The likelihood of a threat exploiting a vulnerability, together with the resulting consequence, determines the intensity of the risk.
An asset is anything that has value to the bank and is part of the e-banking system, and therefore requires protection. Assets can be categorized as tangible, such as software and hardware, or intangible, such as reputation and user confidence. Normally, assets with higher value are exposed to greater risk and require more protection. The existence of risk requires the satisfaction of security requirements or objectives within the e-banking system, namely availability, confidentiality, integrity, authentication, and non-repudiation (Basel Committee on Banking Supervision, 2003). As most risks cannot be controlled or mitigated fully, some residual risk normally remains. Usually the residual risk is accepted by the bank, transferred, or insured. The security method is a Risk Management process able to meet the security requirements and decrease the risk to an acceptable level. Stakeholders guide the security method in terms of analysis and results, and also identify possible threats to e-banking. This notion is supported by Solms and von Solms (2009), who argue that Risk Management should involve the various stakeholders (from the Chairman of the Board to the most junior worker) in order to take into account their different security behavior towards the system.
ISO 13335-1 defines Risk Management as the total process that entails identifying, controlling, and eliminating or minimizing uncertain events that may affect IT systems. CobiT and ISO 27001 support the use of Risk Assessments, as part of Risk Management, to determine which risks need to be mitigated and to what extent. CobiT and ISO 27002 also see Risk Management as a core element of an ITSG process.
Risk Assessment in e-banking is "[...] the systematic process of identifying the nature and causes of risks to which e-banking activities could be exposed and assessing the likely impact and probability of these risks occurring" (Aggelis, 2005). Moreover, according to Soliman (2006), Risk Assessment is an "objective analysis of the current security controls that protect an organization's assets and a determination of the probability of losses to those assets."

Figure 8. Relationship of key elements of risk in e-banking
ISO 27001 and ISO 27005 regard Risk Assessment as part of Risk Management, with risk identification, risk analysis and risk evaluation described as the Risk Assessment phases. Risk treatment belongs to the wider Risk Management approach, since it follows the assessment of risks in order to manage and control the residual risks (Brotby, 2009). The risk analysis is conducted to demonstrate that due diligence has been performed. Risk analysis also requires a deep knowledge of the financial institution and its surroundings, as well as a deep understanding of its strategic and operational objectives (Tanampasidis, 2008). For this reason, the identification of information assets is required. Risk identification consists of identifying the critical assets to be risk-managed, the threats, and the vulnerabilities, in order to control the consequences of risk events that materialize. To sum up, Risk Assessment in e-banking is a distributed process that involves the following steps (Shah and Siddiqui, 2006; Rao et al., 2007; ISO 27005):
• Identification of risk elements in the e-banking processing environment.
• Analysis of the risk elements and their magnitude in the e-banking processing environment.
• Outsourcing dependencies and country risks in offshoring.
• Business impact analysis for the BCP in the e-banking processing environment.
• Compliance requirements for the e-banking processing environment.
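To make the risk model above concrete (asset value, threat-vulnerability pair, likelihood and consequence giving an inherent risk, controls leaving a residual risk that is accepted, transferred or mitigated), the following Python risk register is an added example and not part of the original chapter or any cited standard. The three-step ordinal scale, the multiplicative scoring, the acceptance threshold and the treatment policy are assumptions chosen for illustration, and the sample scenarios are constructed.

```python
from dataclasses import dataclass
# Ordinal scale for asset value, likelihood and consequence. The scale and the
# policy thresholds below are assumptions for this example, not prescribed by ISO 27005.
LOW, MEDIUM, HIGH = 1, 2, 3

@dataclass(frozen=True)
class Asset:
    name: str
    tangible: bool  # software/hardware vs. reputation/user confidence
    value: int      # LOW..HIGH: higher value means greater exposure

@dataclass(frozen=True)
class Scenario:  # one threat-vulnerability pair against one asset
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int               # LOW..HIGH: probability the threat exploits the vulnerability
    consequence: int              # LOW..HIGH: impact on availability, confidentiality, integrity...
    control_effectiveness: float  # share of inherent risk removed by existing controls, 0..1

def inherent_risk(s: Scenario) -> int:
    # Combination of probability and consequence, weighted by asset value (max 27).
    return s.asset.value * s.likelihood * s.consequence

def residual_risk(s: Scenario) -> float:
    # What remains after controls; this is what the bank accepts, transfers or insures.
    return inherent_risk(s) * (1.0 - s.control_effectiveness)

def treatment(s: Scenario, acceptable: float = 6.0, mature: float = 0.7) -> str:
    # Assumed policy: accept within appetite; transfer/insure when controls are already
    # mature but residual risk still exceeds appetite; otherwise add controls (mitigate).
    r = residual_risk(s)
    if r <= acceptable:
        return "accept"
    return "transfer/insure" if s.control_effectiveness >= mature else "mitigate"

def evaluate(register: list[Scenario], acceptable: float = 6.0) -> list[tuple[str, str, float, str]]:
    # Risk evaluation phase: rank every scenario by residual risk, highest first.
    rows = [(s.asset.name, s.threat, residual_risk(s), treatment(s, acceptable)) for s in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed sample register with illustrative values, not real assessment data.
PORTAL = Asset("Internet banking portal", tangible=True, value=HIGH)
LEDGER = Asset("Transaction database", tangible=True, value=HIGH)
REPUTATION = Asset("Customer confidence", tangible=False, value=HIGH)
REGISTER = [
    Scenario(PORTAL, "Credential phishing", "Single-factor customer login", HIGH, HIGH, 0.5),
    Scenario(LEDGER, "Insider fraud", "Excessive database privileges", HIGH, HIGH, 0.75),
    Scenario(REPUTATION, "Publicised outage", "Untested continuity plan", MEDIUM, HIGH, 0.8),
]
```

Calling `evaluate(REGISTER)` returns the ranked register; with these constructed values the portal scenario is flagged for mitigation, the database scenario for transfer or insurance, and the reputation scenario is accepted.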
Thereby, it is within the responsibility of the Board and Executive Management to implement a comprehensive Risk Management approach. All risks that could possibly have a negative effect on the well-being of the e-banking system (if and once they materialize) are definitely the responsibility of management. Therefore, all levels of organizational management should be involved in the process of Risk Management (Tan et al., 2010). This notion is also supported by Brotby (2009), who suggests separate frameworks for each major category of risk in e-banking, such as outsourcing risk, legal risk, operational risk, etc. Therefore, an effective Risk Management framework should be built on a formal governance process, rely on individual responsibility and collective oversight, use a combination of advanced analyses, and be backed by comprehensive reporting and monitoring.