A Study of Risk Assessment of Information Assets in Banking Industry —A Case of the ’s Bank

Patrick S. CHEN Department of Information Management, Tatung University No.40, Sec. 3, Chungshan North Road, Taipei, 104, Taiwan

Shu-Chiung LIN Department of Information Management, Tatung University No.40, Sec. 3, Chungshan North Road, Taipei, 104, Taiwan

S. H. LI Department of Information Management, Tatung University No.40, Sec. 3, Chungshan North Road, Taipei, 104, Taiwan

AND

Perry SHI Department of Information Management, Tatung University No.40, Sec. 3, Chungshan North Road, Taipei, 104, Taiwan

ABSTRACT
Computer security hacking is rampant, and there are calls for the proper configuration of firewalls as a protective means. However, the protection of information assets has to take two factors into account: time and cost. In other words, when it comes to risk assessment, blanket protection that does not distinguish the security levels of information assets is not only cost-ineffective but also impossible in practice. Only by dividing information assets into different security levels and deciding which security measure fits each level's needs can risk assessment of information assets be made rational. The banking industry is no exception to this line of thinking.
Nevertheless, research reports on the risk assessment of information assets in the banking industry are rarely made public, as a result of the security policies of the financial sector. This paper takes one of Taiwan's major banks as a starting point and seeks to evaluate the effectiveness of its security measures by dividing its information assets into different security levels.
Methodologically, the Delphi method is adopted, and the questionnaires are designed on the basis of the information security management guidelines of BS 7799-1:2000, BS 7799-2:2002 and ISO/IEC TR 13335. The paper selects 99 information assets that are subject to security concern as targets for risk assessment, and has 7 experts in information security and computer auditing answer the questionnaires with respect to the value of the assets, possible threats, vulnerability and degree of risk. Risks are presented as low, medium and high, ranging over 9 degrees on the risk scale. The paper reports that one item reaches medium-level risk while the others stay in the low-level area, and it also suggests enhancing security measures for all assets whose risk degree is greater than or equal to 2. A limitation of the research is mentioned in the conclusion, but with the belief that the results can be of value to academics and security practitioners.
Keywords: Information Assets, Information Security, Risk Assessment, Delphi Method

1. INTRODUCTION
With the rapid development of information technology, all procedures are processed by computers, but this has brought endless trouble caused by information security problems. Recently, countless fraud groups have speculated in customers' data because of its significant added value [3]. This puts customers in great danger and causes the customers and the corresponding banks spectacular losses whenever customers' data are stolen by fraud groups. Looking at the causes that damage and endanger customers' data as a whole, careless protection and control of the customers' data by the organization's systems is the main reason that attracts crimes by insiders or outsiders. Furthermore, e-commerce crime is heading in the direction of profit-making behavior [2], and this movement has caused panic and turbulence.
Under such revolutionary information technology, enhancing the protection and control of information assets is becoming more and more important and challenging for the banking industry; hence the classification of information assets and risk

assessment are the most urgent issues for the security of customers' data. The research first refers to the operational outline in the code of practice for information security management, BS 7799-1:2000 [9], the specification for information security management systems, BS 7799-2:2002 [10], and the guidelines for the management of IT security, ISO/IEC TR 13335 [19], to formally define "information assets", a term on which academia has not reached a consistent definition; it then proposes improvements to the information assets with a high level of risk, to avoid e-commerce crimes and hacking problems like those that have happened in the banking industry. To distinguish the results presented by this research, all banks with over $300 billion are the target objects, and the Delphi method is used to collect and analyze the relevant data. The contributions of the research can be summarized in two parts:
1. To discriminate the classes and categories of the information assets of the target banks and then obtain the details of their risk level.
2. To provide advised improvements for the information assets with a high level of risk, based on the evaluation results.

2. BACKGROUND KNOWLEDGE AND LITERATURE REVIEW
The background of the information system of the target banks
The information environment of the major banks divides into two parts, the onstage (front end) and the backstage (back end). The onstage consists of PCs with an open system; its core operation is bookkeeping, stored on the large-scale main server, while the periphery of the onstage processes the non-bookkeeping systems on mid-range/small servers that share the workload of the host server. The backstage is primarily the enclosed large-scale main server on a LAN. It would certainly not be easy for hackers to invade the large-scale main engine from the Internet and obtain the massive information assets. Therefore, for all banks with this kind of information environment, internal controls become the main security work of the banking industry.
The current situation of the research and the classification of the information assets
The banking industry is one of the most important service industries in the world, so its information assets should by rights draw more attention. However, a bank's financial materials and information are matters of privacy and secrecy. At present there exists no research, domestic or foreign, specifically aimed at the classification and risk assessment of information assets for the banking industry. Other research related to information assets mainly stresses the following three aspects:
1. The importance of risk analysis to enterprises: Budgen [11] stressed that risk analysis technique is the guarantee of smooth, excellent engineering; Groom [15] discussed that continual improvement of the protection of information assets is necessary for an information technology security system.
2. The development of risk assessment models: Hogganvik et al. [18] analyzed the ideas of risk held by experts and students to obtain a conceptual model of risk; Wang [1] developed a two-phase method to build a risk assessment model for critical information assets; Chiu [8] constructed a risk assessment and verification system for information security to simulate the expected loss when the system is under real attack.
3. Risk analysis of information assets in different industries: Hsao [7] suggested that military units holding confidential secrets should tighten the rules restricting the use of notebooks and flash drives; Chang [4] concluded alternatives for managing the classification of information assets; Harris [17] proposed proactive service management for telecom enterprises to turn their information assets into a competitive core; Zheng [5] built a five-step model to evaluate risk and summarized helpful lessons for the management of information security.
With respect to the above, the discussion of security issues for information assets has become prevalent. Also, the banking industry relies heavily on information systems, which underlines the importance of classifying information assets. BS 7799, the specification for information security management systems, has been adopted as a security standard by the International Organization for Standardization (ISO). The research therefore adopts the definition from BS 7799-1 to classify assets into four kinds: information assets, software assets, entity (physical) assets and service assets.
The risk management of information assets
The National Institute of Standards and Technology (NIST) [29] set out a three-step procedure in its Risk Management Guide for Information Technology Systems. The steps for managing the risk of information assets are summarized as follows:
Risk Assessment: Risk is a function of the likelihood of an event and its impact once it has happened, that is, of a specific threat exercising a possible vulnerability. The main components of information security risk are the asset, the vulnerability, the threat, the likelihood/probability and the impact/consequence. NIST states 9 steps: system characterization, threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination,

control recommendation and results documentation.
Risk Mitigation: Risk mitigation is the systematic way to reduce the negative impact of risk on the organization. There are six options to reach this purpose: risk assumption, risk avoidance, risk limitation, risk planning, research and acknowledgment, and risk transference.
Evaluation and Assessment: The causes of risk differ with time and environment. Risk management is the continual implementation of assessment and evaluation functions to effectively control, mitigate and avoid risk [6]. The evaluation and prioritization of risks can be divided into quantitative risk analysis and qualitative risk analysis.

3. METHODOLOGY
Much research related to social issues and policy making is done by qualitative methods. The results of research are usually not applicable to reality, or totally useless for practice, if the research method is not appropriate for the target objects [24]. In the field of qualitative study, reaching consensus or formulating assumptions are often used in social science [16]. The Delphi method is a strict procedure for integrating and collecting the ideas of experts [25], and is adopted here to study and analyze the collected data. Such a method, together with anonymous survey, feedback control and statistical response, can describe the findings and explore the relevant issues in a field of knowledge [13] [31] [27].
Seven respondents with ample experience in the practice of information security auditing were selected by the research, including 2 directors of information security departments, 2 supervisors from supervisory offices, 1 auditor from an accounting consulting firm and 2 professors teaching in graduate schools of information management. Their average years of practice in the field of information security is about 8.5 years, and their average years of auditing experience is 6.5 years. In the process of interviewing experts by the Delphi method, the most often used method is statistics [14], along with the subjective recognition method [30], to determine whether the experts reach consensus and consistency on the same topic [12]. The research therefore adopted the subjective recognition method in consideration of the character of the research items. In the end, the qualitative analysis of risk (Section 4(1)) reached a consistent consensus, and it matches the consistency found by the quantitative analysis of risk (Section 4(2)).

4. THE CLASSIFICATIONS OF INFORMATION ASSETS AND RISK ASSESSMENT
The typical methods of risk analysis include qualitative and quantitative analysis of risk. The former fits a company of larger size while the latter is suitable for a company of smaller size. The research therefore combined the two methods to systematically assess the information assets of the banking industry, which gives the process and result more practical value. It uses the control objectives and controls A3 to A12 of BS 7799-2:2002 as the criteria of the survey questionnaire for the qualitative analysis of risk, applies BS 7799-1:2000 to define the information assets, and adopts ISO/IEC TR 13335-3:1998 as the model for analyzing risk and as the criteria of the survey questionnaire for the quantitative analysis of risk. Furthermore, the research proposed the quantification of the risk items and of the strengths, weaknesses and vulnerabilities of information assets through the Delphi method. After a consistent consensus is reached, the risk level of each information asset is derived from the process, and improvements are presented for the items with a high level of risk.
(1) The Investigation Result for the Qualitative Analysis of Risk
According to the investigation of the information security management policy issued by the case study company, the research found that the statement of information security policy is crystal clear to all employees, but its indices cannot be quantified, so performance measurement is hard to evaluate given the size of the company. For example, the inadequate number of security auditors is one weakness, and careless control of entrances is another; both cause a chaotic situation and should be improved immediately. In summary, the qualitative analysis of risk is more capable of discovering risks located at the management level, which should be improved by adjusting the management system of information security. The research also provided suggestions and improvements following the rules and procedures described in BS 7799-1:2000, BS 7799-2:2002 and ISO/IEC TR 13335.
(2) The Investigation Result for the Quantitative Analysis of Risk
The survey questionnaire started with the selection of 99 information assets that are more vulnerable in terms of information security, followed by professional evaluation by two experts, which summarized them into 11 categories comprising 23 items for the risk analysis of information assets. Table 1 shows the detailed contents of the risk classification, but because of the limited space of the paper only the first two are listed, to demonstrate the full scale of the investigation result. To distinguish the differences among the information assets, the first two categories are described in detail as follows:
(1) Account Receivable Server: This item is part of the entity (physical) assets, including software/hardware and data. The security threat, in

addition to hardware breakdown, comes mainly from theft by an internal operator or maintenance staff. The most vulnerable aspect of this item is the lack of experienced backup technicians; therefore the total risk of this item belongs to the lowest level of risk.
(2) Internet Bank Server: The threat mainly concerns the verification of identity. The best way to stay out of trouble is to change the access code from time to time, to ensure security and protect the data from being changed or stored without authorization. The total risk of this item is ranked as level 1.

Table 1 The table of the quantitative risk analysis for the Banking Industry

Information Asset | Threat (source of risk) | Vulnerability (source of risk) | Importance of Information Asset | Level of Threat (P) | Impact (Level of Influence) C | I | U | D | Level of Vulnerability | Level of Influence | Estimated Value of Risk | Risk Level
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Account Receivable Server / Entity Assets | Confidential information being stolen | Violation of the contract by the contractors | 1 | 1 | 2 | 2 | 2 | 2 | 2 | 2 | 16 | 1
(same asset) | Inappropriate operation by the users | Inadequate training in information security | | 1 | 2 | 2 | 2 | 2 | 3 | 2 | 24 | 1
(same asset) | Damage to hardware | Shortage of maintenance and manpower | | 1 | 2 | 2 | 2 | 2 | 2 | 2 | 16 | 1
(same asset) | Shortage of personnel | Shortage of experienced backup technicians | | 3 | 2 | 2 | 2 | 2 | 4 | 2 | 96 | 1
(same asset) | Damage to the system record | Lack of auditing procedure | | 1 | 2 | 2 | 2 | 2 | 1 | 2 | 8 | 1
Internet Bank Server / Entity Assets | Confidential information being stolen | Violation of the contract by the contractors | 1 | 1 | 2 | 4 | 4 | 4 | 2 | 2 | 64 | 1
(same asset) | Inappropriate operation by the users | Inadequate training in information security | | 1 | 2 | 4 | 4 | 4 | 2 | 2 | 64 | 1
(same asset) | Damage to hardware | Shortage of maintenance and manpower | | 1 | 2 | 4 | 4 | 4 | 2 | 2 | 64 | 1
(same asset) | Shortage of personnel | Shortage of experienced backup technicians | | 1 | 2 | 4 | 4 | 4 | 2 | 2 | 64 | 1
(same asset) | Failure to update the authorization | Alteration of environment and data without authorization | | 1 | 2 | 4 | 4 | 4 | 1 | 2 | 64 | 1

(Note: P: possibility; C: Confidentiality; I: Integrity; U: Usability; D: Dependability. The importance value is given once per asset.)

(3) The Suggestions and Improvement by the Quantitative Analysis of Risk
Table 1 presents the risk levels of the 23 information asset items of the case study bank from the experts' evaluation, followed by the classification of risk by the quantification criteria, ranging from 1 to 9: risk levels 1 to 3 mean low, levels 4 to 6 mean medium and levels 7 to 9 mean high. Only one item is ranked at risk level 4; four items are at risk levels 2 to 3, and the rest are at risk level 1. From the analysis above, the host router is the only item reaching medium-level risk (the highest of the 23); it is vulnerable to threat and could paralyze the whole operation of the bank if the Internet service breaks down. The improvement measure suggested by the experts for this risk is to increase the number of host routers. The reason the information assets are otherwise protected from attack or threat is the establishment of an information security section. The research still processes improvement measures to move risk levels from high to low, or to mitigate the risk, based on the same consideration and principle of continual improvement presented by BS 7799-2:2002,

even though the total risk value of the information assets is not high enough to draw the attention of supervisors. As Table 2 shows, apart from the host router, the rest of the items are under threat mainly from the release of data due to users' moral problems or inappropriate trading with outsiders. The best way to eliminate this blind spot is to effectively enhance the control of inappropriate usage of data and of data piracy.

Table 2 The table of advised improvement for quantitative risk analysis

Name of the Information Asset | Category | Threat | Weakness | Expected Value of Risk | Risk Level of Information Asset | Suggestions and Improvement
--- | --- | --- | --- | --- | --- | ---
Host Router | Entity Asset | Breakdown of the internet service | Breakdown of the single point | 300 | 4 | Increase the number of routers
System Personnel of Server | Information Asset | The leakage of data by users | The piracy of data | 240 | 3 | Transfer the data into non-original data
Programmer of Server | Information Asset | The leakage of data by users | The piracy of data | 240 | 3 | Transfer the data into non-original data
Backup Disc | Information Asset | The leakage of data by users | The piracy of data | 200 | 3 | Encryption of the data
Printer | Entity Asset | The leakage of data | Unlimited print-out of information with confidentiality | 240 | 3 | Restriction on printing out data
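The paper describes its scoring pipeline in prose only: seven experts score each asset, consensus is judged by a "subjective recognition method" it does not define, the result is placed on a 1 to 9 scale banded as low (1 to 3), medium (4 to 6) and high (7 to 9), and the abstract suggests enhanced measures for every asset at risk degree 2 or above. The following Python script is an added illustration of that pipeline and is not the authors' code. It assumes the panel median as the group answer and a hinge spread (interquartile range) of at most 1 as the consensus test, which is a standard Delphi stopping rule but not the paper's; the per-expert scores are constructed so that the medians reproduce the risk levels in Table 2, plus one split panel to show the no-consensus path.

```python
"""Delphi-round aggregation of expert risk scores onto the paper's 1-9 scale.

Illustrative code added to this page; it is not the authors' tooling.
ASSUMPTIONS (the paper states none of these): the panel median is the
consensus level, consensus is accepted when the hinge spread (IQR) is at
most 1, and the expert scores in PANEL are constructed sample data.
"""
from dataclasses import dataclass
from statistics import median

LOW, MEDIUM, HIGH = "low", "medium", "high"


def band(level: int) -> str:
    """Map a 1-9 risk level to the paper's low/medium/high bands."""
    if not 1 <= level <= 9:
        raise ValueError(f"risk level {level} is outside the 1-9 scale")
    if level <= 3:
        return LOW
    if level <= 6:
        return MEDIUM
    return HIGH


def hinges(scores):
    """Lower and upper hinges: medians of the two halves, excluding the
    overall median when the count is odd (Tukey's hinges)."""
    s = sorted(scores)
    n = len(s)
    return median(s[: n // 2]), median(s[(n + 1) // 2:])


def delphi_round(scores, iqr_limit=1):
    """Aggregate one anonymous round. Returns (consensus_level, reached).

    ASSUMPTION: median as the group answer, hinge spread <= iqr_limit as
    the consensus test. A panel that fails the test is re-polled.
    """
    if len(scores) < 3:
        raise ValueError("a Delphi panel needs at least three scores")
    if any(not 1 <= s <= 9 for s in scores):
        raise ValueError("all scores must be on the 1-9 scale")
    q1, q3 = hinges(scores)
    return round(median(scores)), (q3 - q1) <= iqr_limit


@dataclass(frozen=True)
class Item:
    asset: str
    category: str
    threat: str
    scores: tuple  # one 1-9 score per expert; CONSTRUCTED sample data


# CONSTRUCTED panel scores; names, categories and threats follow Table 2.
PANEL = [
    Item("Host Router", "Entity Asset", "Breakdown of the internet service", (4, 4, 5, 4, 3, 4, 5)),
    Item("System Personnel of Server", "Information Asset", "Leakage of data by users", (3, 3, 3, 2, 3, 4, 3)),
    Item("Programmer of Server", "Information Asset", "Leakage of data by users", (3, 3, 4, 3, 2, 3, 3)),
    Item("Backup Disc", "Information Asset", "Leakage of data by users", (3, 2, 3, 3, 3, 4, 3)),
    Item("Printer", "Entity Asset", "Leakage of data", (3, 3, 3, 3, 4, 2, 3)),
    # A split panel: no consensus, so this item goes back for another round.
    Item("Account Receivable Server", "Entity Asset", "Theft by insiders", (1, 1, 1, 1, 3, 5, 6)),
]


def assess(items, enhance_from=2):
    """Build a Table-2-style register from one Delphi round.

    Items without consensus are flagged for a further round and are never
    marked for enhancement. The paper's suggestion that every asset at risk
    degree >= 2 receives enhanced measures is applied via enhance_from.
    """
    rows = []
    for it in items:
        level, reached = delphi_round(it.scores)
        rows.append({
            "asset": it.asset,
            "category": it.category,
            "threat": it.threat,
            "level": level,
            "band": band(level),
            "consensus": reached,
            "enhance": reached and level >= enhance_from,
        })
    # Highest risk first; asset name as tie-break so the order is deterministic.
    rows.sort(key=lambda r: (-r["level"], r["asset"]))
    return rows


if __name__ == "__main__":
    for r in assess(PANEL):
        flag = "ENHANCE" if r["enhance"] else ("RE-POLL" if not r["consensus"] else "accept")
        print(f'{r["asset"]:<28} level {r["level"]} ({r["band"]:<6}) {flag}')
```

Run stand-alone, the script lists the host router first as the single medium-level item, the four level-3 items as low but flagged for enhanced measures, and the split panel as needing another Delphi round rather than being silently accepted; tightening `iqr_limit` or raising `enhance_from` lets a practitioner see how sensitive the register is to the consensus rule the paper leaves unspecified.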

5. CONCLUSIONS
To promote cost and time effectiveness for the banking industry, all banks have a compulsory obligation to implement the classification of information assets and risk assessment, to prevent significant loss through information leakage. All protections and controls for information assets ranked at a high level of risk must be documented and improved, to resolve the problems and phenomena incurred by information leakage. The research arrived at the following important results from its investigation of information asset classification and assessment for the banking industry.
(1) Even though various types of information security assessment exist, the better way to help managers form a comprehensive perception of the practical impact and risk is to adopt both qualitative and quantitative methodologies, which help turn invisible information assets into a measurable and controllable model.
(2) The banking industry surely needs a strict model to readily quantify its information assets and to provide alternatives for improving and protecting the security of the information assets with a high level of risk, so as to reduce the threats that could endanger its information property.
(3) Information is an important asset for the banking industry, so continual improvement and protection of information security, preventing information from being disturbed and interrupted, are necessary guarantees of its stable investment return and fortune.
Based on the analysis above, most security issues and information leakages are not caused by technical problems but by violation of the operating rules by internal users; therefore, enforcement of personnel management and encryption of information are the most urgent options for protecting the information assets of the banking industry.

6. REFERENCES
[1] Wang, S.W., "The Assessment Model of Risk to the Information Assets in Common Operation Environment," Master Thesis, Graduate Study of Information Management, Chiao-Tung University, 2005.
[2] Chen, J.C., "The protection and surveillance of the electronic crimes," Electronics Commercial Security, 2003, pp. 168-189.
[3] Chen, J.C. and Xu, P.L., "The study of the Management and Control for the Classification of Information Assets: Taking the Finance Industries as an Example," The Information Operation and Management of E-commerce Seminar, 2006, p. 26.
[4] Chang, F.T., "The Implementation of Security Management with BS7799: The Classification and Control of the Management Information Assets," Master Thesis, Graduate Study of the Information Management Department, National Central University, 2005.
[5] Zheng, N.F., "The Study of the Assessment Model for the Risk of Information Security," Master Thesis, Graduate Study of

Information Management, Fu-Jen Catholic University, 2004.
[6] Liu, J.M., "The Application of BS 7799 to Develop the Index of Risk Management for Information Security," Master Thesis, Graduate Study of Business Administration Department, National Taipei University, 2004.
[7] Hsao, J.H., "The Study of the Risk Analysis for the Information Security of Sensitivity Military Unit," Master Thesis, Graduate Study of the Information Management Department, Yuan-Ze University, 2004.
[8] Chiu, H.P., "The Verification System of the Assessment of Information Security and Risk," Master Thesis, Graduate Study of the Information Management Department, Shih Hsin University, 2004.
[9] BS 7799-1, "Code of practice for information security management," British Standards Institution, 2000.
[10] BS 7799-2, "Specification for Information Security Management Systems," British Standards Institution, 2002.
[11] Budgen, P.J., "Why risk analysis?" Colloquium on Risk Analysis Methods and Tools, IEEE, 1992, pp. 2/1-2/4.
[12] De Meyrick, J., "The Delphi method and health research," Health Education (103:1) 2003, pp. 7-16.
[13] Dhaliwal, J.S. and Tung, L.L., "Using group support systems for developing a knowledge-based explanation facility," International Journal of Information Management (20:2) 2000, pp. 131-149.
[14] Fink, D., "IS security issues for the 1990s: Implications for management," Journal of Systems Management (46:2) 1995, pp. 46-49.
[15] Groom, P.D., "The IT security model," IEEE Potentials (22:4) 2003, pp. 6-8.
[16] Hoddinott, P. and Pill, R., "A review of recently published qualitative research in general practice: more methodological questions than answers?" Family Practice, 1997, pp. 313-319.
[17] Harris, S.J., "Proactive service management: leveraging telecom information assets for competitive advantage," IEEE Network Operations and Management Symposium, 1996, pp. 700-710.
[18] Hogganvik, I. and Stølen, K., "Risk analysis terminology for IT-systems: does it match intuition?" 2005 International Symposium on Empirical Software Engineering, pp. 1-10.
[19] ISO/IEC TR 13335-1, "Information technology – Guidelines for the management of IT Security – Part 1: Concepts and models for IT Security," 1996.
[20] ISO/IEC TR 13335-2, "Information technology – Guidelines for the management of IT Security – Part 2: Managing and planning IT Security," 1997.
[21] ISO/IEC TR 13335-3, "Information technology – Guidelines for the management of IT Security – Part 3: Techniques for the management of IT Security," 1998.
[22] ISO/IEC TR 13335-4, "Information technology – Guidelines for the management of IT Security – Part 4: Selection of Safeguards," 2000.
[23] ISO/IEC TR 13335-5, "Information technology – Guidelines for the management of IT Security – Part 5: Management guidance on network security," 2001.
[24] Jones, R., "Why do qualitative research?" British Medical Journal (311:6996) 1995, p. 2.
[25] Kuo, N.W. and Yu, Y.H., "Policy and Practice: An Evaluation System for National Park Selection in Taiwan," Journal of Environmental Planning and Management (42:5) 1999, pp. 735-745.
[26] Liebowitz, J., "Key ingredients to the success of an organization's knowledge management strategy," Knowledge and Process Management (6:1) 1999, pp. 37-40.
[27] Munier, F. and Ronde, P., "The role of knowledge codification in the emergence of consensus under uncertainty: Empirical analysis and policy implications," Research Policy (30:9) 2001, pp. 1537-1551.
[28] Mendoza, G.A. and Prabhu, R., "Development of a Methodology for Selecting Criteria and Indicators of Sustainable Forest Management: A Case Study of Participatory Assessment," Environmental Management (26:6) 2000, pp. 659-673.
[29] NIST, "Risk Management Guide for Information Technology Systems," Special Publication 800-30, National Institute of Standards and Technology, 2001.
[30] Pasukeviciute, I. and Roe, M., "The politics of oil in Lithuania: strategies after transition," Energy Policy (26:3) 2001, pp. 383-397.
[31] Saunders, C.S. and Jones, J.W., "Measuring Performance of the Information Systems Function," Journal of Management Information Systems (8:4) 1992, pp. 63-82.
