
Cybersecurity hazards and financial system vulnerability: a synthesis of literature

Original Article, published in Risk Management.

Abstract

In this paper, we provide a systematic review of the growing body of literature exploring the pervasive effects of cybersecurity risk on the financial system. As cybersecurity risk has emerged as a significant threat to the financial sector, researchers and analysts are trying to understand the problem from different perspectives. There are plenty of documents providing conceptual discussions, technical analysis, and survey results, but empirical studies based on real data are still limited. In addition, international and national regulatory bodies have issued guidelines to help banks and financial institutions manage their cyber risk exposure. In this paper, we synthesize relevant articles and policy documents on cybersecurity risk, focusing on the dimensions that contribute to the banking system’s vulnerability. Finally, we propose five new research avenues that may enhance our knowledge of cybersecurity risk and help practitioners develop a better cyber risk management framework.


Notes

  1. The systems should be designed to ensure a high degree of security and operational reliability. The system should also be robust enough to predict the likelihood of future cyber events and take automatic protective measures in anticipation of a cyber breach.

  2. This is because cybersecurity risk cannot be mitigated merely by deploying upgraded hardware or software: no technology is perfect, and perpetrators can always break the system. Cybersecurity is therefore now a boardroom issue, meaning that the corporate managers of financial institutions need to weigh the amount of investment in cyber technology more rationally. Otherwise, it might adversely affect the financial performance and stability of banks.

  3. Operational efficiency declines because unavoidable cybersecurity hazards often require users to adopt more complex passwords or two-stage authentication. Since complex passwords and multi-stage authorization processes are difficult to memorize, the chance that genuine users are denied access increases, which carries time and cost implications for those users.

  4. The asymmetry of cyber knowledge between criminals and innocent users allows criminals to exploit those users in order to breach the system, suggesting a positive association between the faster and more widespread adoption of cyber technology and security risk exposure (Willison and Warkentin 2013; Longstaff et al. 2020).

  5. Bouveret (2018) proposed a broader framework of cyber risk assessment that captures the different dimensions of cybersecurity hazards: (i) the security threat level, (ii) the system’s vulnerability status, and (iii) the financial consequences of a security breach.

  6. The expert report suggests that DDoS attacks can be prevented by increasing bandwidth, creating redundancy in the cyber infrastructure, configuring hardware appropriately, deploying anti-DDoS hardware and software, using a DDoS protection appliance, and moving to a cloud-based DNS provider (Rubens 2018).

  7. Without technological support, hybrid securities cannot be developed.

  8. For example, the General Data Protection Regulation 2016 (EU), the UK Data Protection Act 2018, and the Personal Data Protection Act 2010 of Malaysia.

References

  • Abraham, S., and P.J. Shrives. 2014. Improving the relevance of risk factor disclosure in corporate annual reports. The British Accounting Review 46 (1): 91–107.

  • ACSS. 2016. Australia’s cyber security strategy. Commonwealth of Australia, Department of the Prime Minister and Cabinet. https://cybersecuritystrategy.homeaffairs.gov.au/.

  • Ahmad, N., and P. Schreyer. 2016. Measuring GDP in a digitalised economy. Paris: OECD Publishing. https://doi.org/10.1787/18152031.

  • AIG. 2016, December. Is cyber risk systemic? New York: American International Group. https://www.aig.com/content/dam/aig/america-canada/us/documents/business/cyber/aig-cyber-risk-systemic-final.pdf.

  • Akhawe, D., A. Barth, P.E. Lam, J. Mitchell, and D. Song. 2010. Towards a formal foundation of web security. In 2010 23rd IEEE Computer Security Foundations Symposium, 290–304. IEEE.

  • Akhisar, İ., K.B. Tunay, and N. Tunay. 2015. The effects of innovations on bank performance: The case of electronic banking services. Procedia—Social and Behavioral Sciences 195: 369–375.

  • Aldasoro, I., L. Gambacorta, P. Giudici, and T. Leach. 2020a. Operational and cyber risks in the financial sector. BIS Working Paper No. 840. Basel, Switzerland: Bank for International Settlements.

  • Aldasoro, I., L. Gambacorta, P. Giudici, and T. Leach. 2020b. The drivers of cyber risk. BIS Working Paper No. 865. Basel, Switzerland: Bank for International Settlements.

  • Allen, F., and D. Gale. 2004. Competition and financial stability. Journal of Money, Credit and Banking 36 (3): 453–480.

  • Almansi, A.A. 2018. Financial sector’s cybersecurity: Regulations and supervision. Washington, DC: World Bank Group.

  • Almansi, A.A., Y.C. Lee, and J. Lincoln. 2017. Financial sector’s cybersecurity: A regulatory digest. Washington, DC: World Bank, Financial Sector Advisory Center.

  • Ames, M., T. Schuermann, and H.S. Scott. 2015. Bank capital for operational risk: A tale of fragility and instability. Journal of Risk Management in Financial Institutions 8 (3): 227–243.

  • Antonescu, M., and R. Birău. 2015. Financial and non-financial implications of cybercrimes in emerging countries. Procedia Economics and Finance 32: 618–621.

  • Arner, D.W., J. Barberis, and R.P. Buckley. 2016. FinTech, RegTech, and the reconceptualization of financial regulation. Northwestern Journal of International Law & Business 37 (3).

  • Aseef, N., P. Davis, M. Mittal, K. Sedky, and A. Tolba. 2005. Cyber-criminal activity and analysis. White paper. Washington Education.

  • Ashford, W. 2019, July 31. Financial services top cyber attack target. Computer Weekly. https://www.computerweekly.com.

  • Aziz, A.S., M.A. Salama, A.E. Hassanien, and S.E.O. Hanafi. 2012. Artificial immune system inspired intrusion detection system using genetic algorithm. Informatica 36: 347–357.

  • Banker, R.D., R.J. Kauffman, and R.C. Morey. 1990. Measuring gains in operational efficiency from information technology: A study of the Positran deployment at Hardee’s Inc. Journal of Management Information Systems 7 (2): 29–54.

  • Barrett, M., E. Davidson, J. Prabhu, and S.L. Vargo. 2015. Service innovation in the digital age: Key contributions and future directions. MIS Quarterly 39 (1): 135–154.

  • Barthelemy, J. 2001. The hidden costs of IT outsourcing: Lessons from 50 IT-outsourcing efforts show that unforeseen costs can undercut anticipated benefits. Understanding the issues can lead to better outsourcing decisions. MIT Sloan Management Review 42 (3): 60–72.

  • BDO. 2017. Cyber security in banking industry. India: BDO.

  • Beccalli, E. 2007. Does IT investment improve bank performance? Evidence from Europe. Journal of Banking & Finance 31 (7): 2205–2230.

  • Beitollahi, H., and G. Deconinck. 2012. Analyzing well-known countermeasures against distributed denial of service attacks. Computer Communications 35 (11): 1312–1332.

  • Benaroch, M., A. Chernobai, and J. Goldstein. 2012. An internal control perspective on the market value consequences of IT operational risk events. International Journal of Accounting Information Systems 13: 357–381.

  • Berger, A.N., and R. DeYoung. 1997. Problem loans and cost efficiency in commercial banks. Journal of Banking & Finance 21 (6): 849–870.

  • Berkman, H., J. Jona, G. Lee, and N. Soderstrom. 2018. Cybersecurity awareness and market valuations. Journal of Accounting and Public Policy 37 (6): 508–526.

  • Bernik, I. 2014. Cybercrime: The cost of investments into protection. Journal of Criminal Justice and Security 16 (2): 105–116.

  • Biener, C., M. Eling, and J.H. Wirfs. 2015. Insurability of cyber risk: An empirical analysis. The Geneva Papers on Risk and Insurance—Issues and Practice 40 (1): 131–158.

  • BIS. 2004. Consolidated KYC risk management. Basel Committee on Banking Supervision. https://www.bis.org/publ/bcbs110.pdf.

  • BIS. 2013. The road to a more resilient banking sector. Bank for International Settlements. https://www.bis.org/publ/arpdf/ar2013e.htm.

  • BIS. 2016, June. Bank for International Settlements. https://www.bis.org/cpmi/publ/d146.pdf.

  • Boer, M., and J. Vazquez. 2017. Cyber security & financial stability: How cyber-attacks could materially impact the global financial system. Washington, DC: The Institute of International Finance.

  • Böhme, R. 2010. Security metrics and security investment models. In Advances in information and computer security, ed. I. Echizen, N. Kunihiro, and R. Sasaki, 10–24. Berlin: Springer.

  • Böhme, R. 2012, February. Security audits revisited. In International Conference on Financial Cryptography and Data Security, 129–147. Berlin: Springer.

  • Boin, A., and A. McConnell. 2007. Preparing for critical infrastructure breakdowns: The limits of crisis management and the need for resilience. Journal of Contingencies and Crisis Management 15 (1): 50–59.

  • Bouveret, A. 2018. Cyber risk for the financial sector: A framework for quantitative assessment. IMF Working Paper No. WP/18/143. International Monetary Fund.

  • Bouveret, A. 2019a. Cyber risk for the financial services sector. Journal of Financial Transformation 49.

  • Bouveret, A. 2019b. Estimation of losses due to cyber risk for financial institutions. Journal of Operational Risk, forthcoming.

  • Brechbuhl, H., R. Bruce, S. Dynes, and M.E. Johnson. 2010. Protecting critical information infrastructure: Developing cybersecurity policy. Information Technology for Development 16 (1): 83–91.

  • Brown, C.S. 2015. Investigating and prosecuting cyber crime: Forensic dependencies and barriers to justice. International Journal of Cyber Criminology 9 (1): 55–119. https://doi.org/10.5281/zenodo.22387.

  • Burden, K., and C. Palmer. 2003. Internet crime: Cyber crime—A new breed of criminal? Computer Law & Security Review 19 (3): 222–227.

  • Cabinet Decision. 2015. Cybersecurity strategy. The Government of Japan. https://www.nisc.go.jp/eng/pdf/cs-strategy-en.pdf.

  • Carey, M., and R.M. Stulz. 2008. The risks of financial institutions. Journal of Contingencies and Crisis Management 16 (1): 65–66. https://doi.org/10.1111/j.1468-5973.2008.00532_2.x.

  • Caron, F. 2015. Cyber risk management in financial market infrastructures: Elements for a holistic and risk-based approach to cyber security. Belgium: National Bank of Belgium. https://lirias.kuleuven.be/1834699?limo=0.

  • Carter, W.A., and D.E. Zheng. 2015. The evolution of cybersecurity requirements for the U.S. financial industry. Washington, DC: Center for Strategic and International Studies.

  • Caruana, J. 2009, February. Lessons of the financial crisis for future regulation of financial institutions and markets and for liquidity management. Washington, DC: IMF.

  • Casu, B., A. Ferrari, C. Girardone, and J.O. Wilson. 2016. Integration, productivity and technological spillovers: Evidence for eurozone banking industries. European Journal of Operational Research 255 (3): 971–983.

  • Cavusoglu, H., S. Raghunathan, and W. Yue. 2008. Decision-theoretic and game-theoretic approaches to IT security investment. Journal of Management Information Systems 25 (2): 281–304.

  • Cebula, J.J., and L.R. Young. 2010. A taxonomy of operational cyber. Pittsburgh, PA: Carnegie Mellon University, Software Engineering Institute.

  • Cetorelli, N., B. Hirtle, D. Morgan, S. Peristiani, and A.J. Santos. 2007. Trends in financial market concentration and their implications for market stability. Federal Reserve Bank of New York Economic Policy Review: 33–51.

  • Chauhan, Y., and S.B. Kumar. 2018. Do investors value the nonfinancial disclosure in emerging markets? Emerging Markets Review 37: 32–46.

  • Cherdantseva, Y., P. Burnap, A. Blyth, P. Eden, K. Jones, H. Soulsby, and K. Stoddart. 2016. A review of cyber security risk assessment methods for SCADA systems. Computers & Security 56: 1–27.

  • Choo, K.-K.R. 2011. The cyber threat landscape: Challenges and future research directions. Computers & Security 33 (8): 719–731.

  • Choo, K.-K.R., R.G. Smith, and R. McCusker. 2007. Future directions in technology-enabled crime: 2007–09. Canberra: Australian Institute of Criminology.

  • Chowdhury, A. 2003. Information technology and productivity payoff in the banking industry: Evidence from the emerging markets. Journal of International Development 15 (6): 693–708.

  • Clare Sullivan, E.B. 2017. “In the public interest”: The privacy implications of international business-to-business sharing of cyber-threat intelligence. Computer Law & Security Review 33: 14–29.

  • Colwill, C. 2009. Human factors in information security: The insider threat—Who can you trust these days? Information Security Technical Report 14 (4): 186–196.

  • Committee on Payments and Market Infrastructures. 2016. Guidance on cyber resilience for financial market infrastructures. Bank for International Settlements. https://www.bis.org/cpmi/publ/d146.pdf.

  • Crisanto, J.C., and J. Prenio. 2017, August. Regulatory approaches to enhance banks’ cyber-security frameworks. Bank for International Settlements. https://www.bis.org/fsi/publ/insights2.pdf.

  • Das, S., A. Mukhopadhyay, and M. Anand. 2012. Stock market response to information security breach: A study using firm and attack characteristics. Journal of Information Privacy and Security 8 (4): 27–55.

  • Deloitte. 2014. Transforming cybersecurity in the financial services industry. Deloitte. https://www2.deloitte.com/content/dam/Deloitte/za/Documents/risk/ZA_Transforming_Cybersecurity_05122014.pdf.

  • Demirgüç-Kunt, A., L. Klapper, D. Singer, S. Ansar, and J. Hess. 2018. The Global Findex Database 2017: Measuring financial inclusion and the Fintech revolution. Washington, DC: The World Bank.

  • Derek Young, J.L. 2016. A framework for incorporating insurance in critical infrastructure cyber risk strategies. International Journal of Critical Infrastructure Protection 14: 43–57.

  • Diamond, D.W., and P.H. Dybvig. 1983. Bank runs, deposit insurance, and liquidity. Journal of Political Economy 91 (3): 401–419.

  • Diamond, D.W., and P.H. Dybvig. 1986. Banking theory, deposit insurance, and bank regulation. The Journal of Business 59 (1): 55–68.

  • Dong, Z., F. Luo, and G. Liang. 2018. Blockchain: A secure, decentralized, trusted cyber infrastructure solution for future energy systems. Journal of Modern Power Systems and Clean Energy: 1–10.

  • Duffie, D., and J. Younger. 2019. Cyber runs. Hutchins Center Working Paper #51. Washington, DC: The Hutchins Center on Fiscal & Monetary Policy, Brookings Institution.

  • Dufwenberg, M., and M.A. Dufwenberg. 2018. Lies in disguise—A theoretical analysis of cheating. Journal of Economic Theory 175: 248–264.

  • Duncan, N.B. 1995. Capturing flexibility of information technology infrastructure: A study of resource characteristics and their measure. Journal of Management Information Systems 12 (2): 37–57.

  • Duran, R.E., and P. Griffin. 2019. Smart contracts: Will Fintech be the catalyst for the next global financial crisis? Journal of Financial Regulation and Compliance (in press).

  • Dutta, A., and K. McCrohan. 2002. Management’s role in information security in a cyber economy. California Management Review. https://doi.org/10.2307/41166154.

  • Eling, M., and M. Lehmann. 2018. The impact of digitalization on the insurance value chain and the insurability of risks. The Geneva Papers on Risk and Insurance—Issues and Practice 43 (3): 359–396.

  • Eling, M., and J. Wirfs. 2019. What are the actual costs of cyber risk events? European Journal of Operational Research 272 (3): 1109–1119.

  • Embrechts, P., H. Furrer, and R. Kauffman. 2003. Quantifying regulatory capital for operational risk. Derivatives Use, Trading and Regulation 9 (3): 217–233.

  • EU. 2018, May. The Directive on security of network and information systems (NIS Directive). https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive.

  • Euromoney. 2017, August 1. Technology investments drive up banks’ costs. Euromoney Magazine. London.

  • Fed. 2017, September. Federal Reserve policy on payment system risk. Washington, DC: Federal Reserve System.

  • Federal Office for Information Security. 2017. The state of IT security in Germany 2017. FOIS.

  • Fitch. 2017, April. Cybersecurity an increasing focus for financial institutions. https://www.fitchratings.com/site/pr/1022468.

  • Francis, L., and V.R. Prevosto. 2010. Data and disaster: The role of data in the financial crisis. In Casualty Actuarial Society E-Forum, 62. New York: Springer.

  • Garg, A., J. Curtis, and H. Halper. 2003. The financial impact of IT security breaches: What do investors think? Information Systems Security 12 (1): 22–33.

  • Gatzlaff, K.M., and K.A. McCullough. 2010. The effect of data breaches on shareholder wealth. Risk Management and Insurance Review 13 (1): 61–83.

  • Gelenbe, E., and G. Loukas. 2007. A self-aware approach to denial of service defence. Computer Networks 51: 1299–1314.

  • Germano, J.H. 2014. Cybersecurity partnerships: A new era of public-private collaboration. New York: New York University School of Law.

  • Geyres, S., and M. Orozco. 2016. Think banking cybersecurity is just a technology issue? Think again. Accenture Strategy. https://www.accenture.com/t20160419t004021__w__/us-en/_acnmedia/pdf-13/accenture-strategy-cybersecurity-in-banking.pdf.

  • Gladstone, R. 2016, March 15. Bangladesh Bank chief resigns after cyber theft of $81 million. The New York Times.

  • Glaessner, T., T. Kellermann, and V. McNevin. 2002. Electronic security: Risk mitigation in financial transactions: Public policy issues. The World Bank.

  • Goel, S., and H.A. Shawky. 2009. Estimating the market impact of security breach announcements on firm values. Information & Management 46 (7): 404–410.

  • Goldman, D. 2012, September 28. Major banks hit with biggest cyberattacks in history. CNN Business. Atlanta.

  • Gommans, L., J. Vollbrecht, B.G.-D. Bruijn, and C.D. Laat. 2015. The service provider group framework: A framework for arranging trust and power to facilitate authorization of network services. Future Generation Computer Systems 45: 176–192.

  • Goodman, S.E., and R. Ramer. 2007. Identify and mitigate the risks of global IT outsourcing. Journal of Global Information Technology Management 10 (4): 1–6.

  • Gopalakrishnan, R., and M. Mogato. 2016, May 19. Bangladesh Bank official’s computer was hacked to carry out $81 million heist: Diplomat. Reuters Business News. Thomson Reuters.

  • Gordon, L.A., and M.P. Loeb. 2002a. The economics of information security investment. ACM Transactions on Information and System Security 5 (4): 438–457.

  • Gordon, L.A., and M.P. Loeb. 2002b. Return on information security investments: Myths vs. realities. Strategic Finance 84 (5): 26–31.

  • Gordon, L.A., M.P. Loeb, W. Lucyshyn, and T. Sohail. 2006. The impact of the Sarbanes-Oxley Act on the corporate disclosures of information security activities. Journal of Accounting and Public Policy 25 (5): 503–530.

  • Gracie, A. 2015. Cyber resilience: A financial stability perspective. Cyber Defence and Network Security Conference, London. https://www.bankofengland.co.uk/speech/2015/cyber-resilience-a-financial-stability-perspective.

  • Granåsen, M., and D. Andersson. 2016. Measuring team effectiveness in cyber-defense exercises: A cross-disciplinary case study. Cognition, Technology & Work 18 (1): 121–143.

  • Gupta, U.G., and A. Gupta. 2007. Outsourcing the IS function: Is it necessary for your organization? Information Systems Management 9 (3): 44–47.

  • Gutu, L.M. 2014. The impact of Internet technology on the Romanian banks performance. In Proceedings of International Academic Conferences (No. 0702397). International Institute of Social and Economic Sciences.

  • Hall, C., R.J. Anderson, R. Clayton, E. Ouzounis, and P. Trimintzios. 2013. Resilience of the internet interconnection ecosystem. Economics of Information Security and Privacy III: 119–148.

  • Heeks, R. 2002. Information systems and developing countries: Failure, success, and local improvisations. The Information Society 18: 101–112.

  • Hemphill, T.A., and P. Longstreet. 2016. Financial data breaches in the U.S. retail economy: Restoring. Technology in Society 44: 30–38.

  • Herath, T., and H.R. Rao. 2009. Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems 47 (2): 154–165.

  • HKMA. 2016. Enhanced competency framework on cybersecurity. Hong Kong: Hong Kong Monetary Authority. https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2016/20161219e1.pdf.

  • Ho, S.J., and S.K. Mallick. 2010. The impact of information technology on the banking industry. Journal of the Operational Research Society 61 (2): 211–221.

  • Holt, T.J., and E. Lampke. 2010. Exploring stolen data markets online: Products and market forces. Criminal Justice Studies 23 (1): 33–50.

  • Hon, W.K., and C. Millard. 2018. Banking in the cloud: Part 1—Banks’ use of cloud services. Computer Law & Security Review 34: 4–24.

  • Horne, R. 2014. The cyber threat to banking. PwC. https://www.bba.org.uk/wp-content/uploads/2014/06/BBAJ2110_Cyber_report_May_2014_WEB.pdf.

  • Hovav, A., and J. D’Arcy. 2004. The impact of virus attack announcements on the market value of firms. Information Systems Security 13 (3): 32–40.

  • Hsu, A.W.-H., H. Pourjalali, and Y.-J. Song. 2018. Fair value disclosures and crash risk. Journal of Contemporary Accounting & Economics 14 (3): 358–372.

  • Humayun, M., M. Niazi, N.Z. Jhanjhi, M. Alshayeb, and S. Mahmood. 2020. Cyber security threats and vulnerabilities: A systematic mapping study. Arabian Journal for Science and Engineering: 1–19.

  • Hyytinen, A., and T. Takalo. 2002. Enhancing bank transparency: A re-assessment. Review of Finance 6 (3): 429–445.

  • IDSA. 2012. India’s cyber security challenge. New Delhi: Institute for Defence Studies and Analyses. https://idsa.in/system/files/book/book_indiacybersecurity.pdf.

  • IOSCO. 2016. Cyber security in securities markets: An international perspective. International Organization of Securities Commissions. https://www.iosco.org/library/pubdocs/pdf/IOSCOPD528.pdf.

  • Ismail, N. 2018. The financial impact of data breaches is just the beginning. Information Age. https://www.information-age.com/data-breaches-financial-impact-123470254/.

  • ITU. 2012a. Cyberwellness profile Hong Kong. Hong Kong: ITU. https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-SECU-2015-PDF-E.pdf.

  • ITU. 2012b. Cyberwellness profile Poland. Poland: ITU. https://www.itu.int/en/ITU-D/Cybersecurity/Documents/Country_Profiles/Poland.pdf.

  • ITU. 2013. Cyberwellness profile Hungary. Hungary: ITU. https://www.itu.int/en/ITU-D/Cybersecurity/Documents/Country_Profiles/Hungary.pdf.

  • ITU Slovakia. 2012. Cyberwellness profile Slovakia. ITU. https://www.itu.int/en/ITU-D/Cybersecurity/Documents/Country_Profiles/Slovakia.pdf.

  • Javaid, M.A. 2013. Cyber security: Challenges ahead. Available at SSRN 2339594. http://nexusacademicpublishers.com/uploads/portals/Cyber_Security_Challenged_Ahead.pdf.

  • Jayawardhena, C., and P. Foley. 2000. Changes in the banking sector—The case of Internet banking in the UK. Internet Research 10 (1): 19–31.

  • Johnson, A. 2018, May 9. Equifax breaks down just how bad last year’s data breach was. NBC News. https://www.nbcnews.com/news/us-news/equifax-breaks-down-just-how-bad-last-year-s-data-n872496.

  • Johnson, K.N. 2015. Managing cyber risk. Georgia Law Review 50 (2): 548–592.

  • Jordan, J.S., J. Peek, and E.S. Rosengren. 2000. The market reaction to the disclosure of supervisory actions: Implications for bank transparency. Journal of Financial Intermediation 9 (3): 298–319.

  • Juma’h, A.H., and Y. Alnsour. 2020. The effect of data breaches on company performance. International Journal of Accounting & Information Management 28 (2): 275–301.

  • Kamiya, S., J.-K. Kang, J. Kim, A. Milidonis, and R.M. Stulz. 2020. Risk management, firm reputation, and the impact of successful cyberattacks on target firms. Journal of Financial Economics.

  • Kark, K., A. Shaikh, and C. Brown. 2017, November 28. Technology budgets: From value preservation to value creation. Deloitte Insights. London.

  • Kauffman, R.J., J. Liu, and D. Ma. 2015. Technology investment decision-making under uncertainty. Information Technology and Management 16 (2): 153–172.

  • Kayworth, T., and D. Whitten. 2012. Effective information security requires a balance of social and technology factors. MIS Quarterly Executive 9 (3).

  • Kesswani, N., and S. Kumar. 2015. Maintaining cyber security: Implications, cost and returns. In Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research, 161–164. New York: Association for Computing Machinery.

  • Khoury, S., and E. Rolland. 2006. Conceptual model for explaining the IT investment paradox in the banking sector. International Journal of Technology, Policy and Management 6 (3): 309–326.

  • King, R.G., and R. Levine. 1993. Finance, entrepreneurship, and growth. Journal of Monetary Economics 3 (32): 513–542.

  • Ko, M., and C. Dorantes. 2006. The impact of information security breaches on financial performance of the breached firms: An empirical investigation. Journal of Information Technology Management 17 (2): 13–22.

  • Koetter, M., and T. Poghosyan. 2009. The identification of technology regimes in banking: Implications for the market power-fragility nexus. Journal of Banking & Finance 33 (8): 1413–1422.

  • Kopp, E., L. Kaffenberger, and C. Wilson. 2017. Cyber risk, market failures, and financial stability. IMF Working Paper No. WP/17/185. International Monetary Fund.

  • Kox, H.L. 2013. Cybersecurity in the perspective of Internet traffic growth. Working paper. CPB Netherlands Bureau for Economic Policy Analysis. https://mpra.ub.uni-muenchen.de/47994/.

  • Kröger, W. 2008. Critical infrastructures at risk: A need for a new conceptual approach and extended analytical tools. Reliability Engineering & System Safety 93 (12): 1781–1787.

  • Kunreuther, H., and G. Heal. 2003. Interdependent security. Journal of Risk and Uncertainty 26 (2–3): 231–249.

  • Kwast, M.L., and J.T. Rose. 1982. Pricing, operating efficiency, and profitability among large commercial banks. Journal of Banking & Finance 6 (2): 233–254.

  • Lagazio, M., N. Sherif, and A.M. Cushman. 2014. A multi-level approach to understanding the impact of cyber crime on the financial sector. Computers & Security 45: 58–74.

  • Lages, L.F. 2016. VCW—Value creation wheel: Innovation, technology, business, and society. Journal of Business Research 69: 4849–4855.

  • Langton, J. 2018, June 4. Data breaches credit negative for BMO and CIBC: Moody’s. Investment Executive. https://www.investmentexecutive.com/news/industry-news/data-breaches-credit-negative-for-bmo-and-cibc-moodys/.

  • Lee, D., and S. Mithas. 2014. IT investments, alignment and firm performance: Evidence from an emerging economy. In ICIS 2014 Proceedings. Association for Information Systems. https://aisel.aisnet.org/icis2014/proceedings/ISStrategy/29/.

  • Lever, K.E., and K. Kifayat. 2020. Identifying and mitigating security risks for secure and robust NGI networks. Sustainable Cities and Society 59: 102098.

  • Levine, R.G. 1993. Finance and growth: Schumpeter might be right. The Quarterly Journal of Economics 108 (3): 717–737.

  • Lewis, J.A. 2002. Assessing the risks of cyber terrorism, cyber war and other cyber threats. Washington, DC: Center for Strategic & International Studies.

  • Lewis, J., and S. Baker. 2013. The economic impact of cybercrime and cyber espionage. McAfee.

  • Li, H., W.G. No, and T. Wang. 2018. SEC’s cybersecurity disclosure guidance and disclosed cybersecurity risk factors. International Journal of Accounting Information Systems 30: 40–55.

  • Linsley, P.M., and P.J. Shrives. 2005. Transparency and the disclosure of risk information in the banking sector. Journal of Financial Regulation and Compliance 13 (3): 205–214.

  • Longstaff, T., C. Chittister, R. Pethia, and Y. Haimes. 2020. Are we forgetting the risks of information technology? Computer 33 (12): 43–51.

  • Low, P. 2017. Insuring against cyber-attacks. Computer Fraud & Security 2017: 18–20.

  • Macaulay, T. 2018. Critical infrastructure: Understanding its component parts, vulnerabilities, operating risks, and interdependencies, 1st ed. Boca Raton: Taylor and Francis Group.

  • Mandeville, T. 1998. An information economics perspective on innovation. International Journal of Social Economics 25 (2/3/4): 357–364.

  • Mayahi, A., and I. Humaid. 2016. Development of a comprehensive information security system for UAE e-Government. PhD thesis, Prifysgol Bangor University.

  • McConnell, P., and K. Blacker. 2013. Systemic operational risk: Does it exist and if so, how do we regulate it? The Journal of Operational Risk 8 (1): 59–99.

  • McGraw, G. 2013. Cyber war is inevitable (unless we build security in). Journal of Strategic Studies 36 (1): 109–119. https://doi.org/10.1080/01402390.2012.742013.

  • MCI. 2017. Public consultation paper on the draft cybersecurity bill. The Ministry of Communications and Information (MCI) and the Cyber Security Agency of Singapore. https://www.csa.gov.sg/~/media/csa/cybersecurity_bill/consult_document.pdf.

  • Ministry of Digital Affairs. 2017. National framework of cybersecurity policy of the Republic of Poland for 2017–22. Warsaw: Government of Poland.

  • Mohammed, A.-M., B. Idris, G. Saridakis, and V. Benson. 2020. Chapter 8—Information and communication technologies: A curse or blessing for SMEs? New York: Academic Press.

  • Moore, T. 2010. The economics of cybersecurity: Principles and policy options. International Journal of Critical Infrastructure Protection 3 (3–4): 103–117.

  • Moore, T., S. Dynes, and F. Chang. 2015. Identifying how firms manage cybersecurity investment. Dallas: Southern Methodist University.

  • Morton, M., J. Werner, P. Kintis, K. Snow, M. Antonakakis, M. Polychronakis, and F. Monrose. 2018. Security risks in asynchronous web servers: When performance optimizations amplify the impact of data-oriented attacks. In IEEE European Symposium on Security and Privacy, 167–182.

  • Moumen, N., H.B. Othman, and K. Hussainey. 2015. The value relevance of risk disclosure in annual reports: Evidence from MENA emerging markets. Research in International Business and Finance 34: 177–204.

  • Mugarura, N., and E. Ssali. 2020. Intricacies of anti-money laundering and cyber-crimes regulation in a fluid global system. Journal of Money Laundering Control.

  • Mukhopadhyay, A., S. Chatterjee, D. Saha, A. Mahanti, and A.S. Sadhukhan. 2013. Cyber-risk decision models: To insure IT or not? Decision Support Systems 56: 11–26.

  • NCG. 2016. 4 important cybersecurity focus areas for banks. Portland: Northcross Group. http://www.northcrossgroup.com.

  • NCSB. 2014. National cybersecurity strategy. Dhaka: ICT Ministry. https://sherloc.unodc.org/cld/lessons-learned/bgd/the_national_cybersecurity_strategy_of_bangladesh.html.

  • NCSC. 2018. The cyber threat to UK business. UK: The National Cyber Security Centre. https://www.ncsc.gov.uk/home.

  • Ngonzi, T.T. 2016. Theorizing ICT-based social innovation on development in the context of developing countries of Africa. Captown: University of Cape Town.

    Google Scholar 

  • Ni, J., X. Lin, and X. Shen. 2019. Towards edge-assisted internet of things: From security and efficiency perspectives. IEEE Network 33 (2): 50–57.

    Google Scholar 

  • OECD. 2015. Digital security risk management for economic and social prosperity: OECD recommendation and companion document. Paris: OECD Publishing.

    Google Scholar 

  • OFR. 2017. Cybersecurity and financial stability: Risks and resilience. Office of Financial Research. https://www.financialresearch.gov/viewpoint-papers/files/OFRvp_17-01_Cybersecurity.pdf.

  • Page, J., M. Kaur, and E. Waters. 2017. Directors’ liability survey: Cyber attacks and data loss—A growing concern. Journal of Data Protection & Privacy 1 (2): 173–182.

    Google Scholar 

  • Park, I., J. Lee, H.R. Rao, and S.J. Upadhyaya. 2006. Part 2: Emerging issues for secure knowledge management-results of a Delphi study. IEEE Transactions on Systems, Man, and Cybernetics-Part A: Systems and Humans 36 (3): 421–428.

    Google Scholar 

  • Patterson, D., A. Brown, P. Broadwell, G. Candea, and J.C. Mike Chen. 2002. Recovery oriented computing (ROC): Motivation, definition, techniques, and case studies. UC Berkeley Computer Science.

  • Paul, J.A., and X. Wang. 2019. Socially optimal IT investment for cybersecurity. Decision Support Systems 122: 113069.

    Google Scholar 

  • Pavlou, P.A., H. Liang, and Y. Xue. 2007. Understanding and mitigating uncertainty in online exchange relationships: A PrincipalAgent perspective. MIS Quarterly, 105–136.

  • Peeters, G. 2017. Strengthening the digital Achilles heel of the European Union: Make use of ethical hackers to find vulnerabilities in information systems? Master thesis.

  • Peng, C., M. Xu, S. Xu, and T. Hu. 2017. Modeling and predicting extreme cyber attack rates via marked point processes. Jornal of Applied Statistics 44 (14): 2534–2563.

    Google Scholar 

  • Pirounias, S., D. Mermigas, and C. Patsakis. 2014. The relation between information security events and firm market value, empirical evidence on recent disclosures: An extension of the GLZ study. Journal of Information Security and Applications 19 (4–5): 257–271.

    Google Scholar 

  • Power, M. 2005. The invention of operational risk. Review of International Political Economy 12 (4): 577–599.

    Google Scholar 

  • PWC. 2014. Threats to the Financial Services sector. PWC. https://www.pwc.com/gx/en/financial-services/publications/assets/pwc-gecs-2014-threats-to-the-financial-services-sector.pdf.

  • PWC. 2015. Information security breaches survey. London: The UK Government. https://www.pwc.co.uk/assets/pdf/2015-isbs-technical-report-blue-digital.pdf.

  • Quinn, J.B., and M.N. Baily. 1994. Information technology: Increasing productivity in services. Academy of Management Perspectives 8 (3): 28–48.

    Google Scholar 

  • Rackof, N., C. Wiseman, and W.A. Ullrich. 1985. Information systems for competitive advantage: implementation of a planning process. MIS Quarterly, 285-294.

  • Ralston, P., J. Graham, and J. Hieb. 2007. Cyber security risk assessment for SCADA and DCS networks. ISA Transactions 46: 583–594.

    Google Scholar 

  • ReedSmith. 2017. China cybersecurity law. ReedSmith. https://www.reedsmith.com/en/perspectives/2017/01/chinas-cybersecurity-law.

  • Reuters. 2018, June 1. Bank of Chile trading down after hackers rob millions in cyberattack. Santiago. https://www.reuters.com/article/us-chile-banks-cyberattack/bank-of-chile-trading-down-after-hackers-rob-millions-in-cyberattack-idUSKBN1J72FC.

  • Rezek, T., T. Szatkowski, J. Świątkowska, J. Vyskoč, and M. Ziare. 2012. V4 cooperation in ensuring cyber security—Analysis and recommendations. Poland: The Kosciuszko Institute.

    Google Scholar 

  • Ring, T. 2014. Threat intelligence: Why people don’t share. Computer Fraud & Security. 3: 5–9.

    Google Scholar 

  • Risk.net. 2016, Jan 20. Top 10 operational risks for 2016. www.risk.net. https://www.risk.net/risk-management/2441306/top-10-operational-risks-for-2016#risk1.

  • Roth, A.V., and W.E. Jackson-III. 1995. Strategic determinants of service quality and performance: Evidence from the banking industry. Management Science 41 (11): 1720–1733.

    Google Scholar 

  • Rubens, P. 2018, June 26. How to prevent DDoS attacks: 6 tips to keep your website safe. Nashville: eSecurity Planet, TechnologyAdvice. https://www.esecurityplanet.com/network-security/how-to-prevent-ddos-attacks.html.

  • Schwartz, M.J. 2013, March 21. South Korea Bank hacks: 7 key facts. Dark Reading. https://www.darkreading.com.

  • SCM. 2016. Guidelines on management of cyber risk. Securities Commission Malaysia. https://www.sc.com.my/api/documentms/download.ashx?id=9aaddb2e-aa13-409a-a47f-8d0124afd229.

  • Scott, S.V., J.V. Reenen, and M. Zachariadis. 2017. The long-term effect of digital innovation on bank performance: An empirical study of SWIFT adoption in financial services. Research Policy 46 (5): 984–1004.

    Google Scholar 

  • SecurityScoreboard. 2016. Financial industry cybersecurity report. New York: SecurityScoreboard.

    Google Scholar 

  • Shackelford, S.J. 2012. Should your firm invest in cyber risk insurance? Business Horizons 55: 349–356.

    Google Scholar 

  • Sharma, A., and P. Tandekar. 2018. Cyber security and business growth. IGI Global, 1208–1221.

  • Siegel, C.A., T.R. Sagalow, and P. Serritella. 2002. Cyber-risk management: Technical and insurance controls for enterprise-level security. Information Systems Security 11 (4): 33–49.

    Google Scholar 

  • Skinner, D.J., and R.G. Sloan. 2002. Earnings surprises, growth expectations, and stock returns or don’t let an earnings torpedo sink your portfolio. Review of Accounting Studies 7: 289–312.

    Google Scholar 

  • Smedinghoff, T.J. 2012. Solving the legal challenges of trustworthy online identity. Computer Law & Security Review 28: 532–541.

    Google Scholar 

  • Solms, B.V. 2006. Information security—The fourth wave. Computers & Security 25 (3): 165–168.

    Google Scholar 

  • Sommer, P., and I. Brown. 2011. “Future global shocks” reducing systemic cybersecurity risk. OECD/IFP: OECD.

    Google Scholar 

  • Soomro, Z.A., M.H. Shah, and J. Ahmed. 2016. Information security management needs more holistic approach: A literature review. International Journal of Information Management 36 (2): 215–225.

    Google Scholar 

  • Srinidhi, B., J. Yan, and G.K. Tayi. 2015. Allocation of resources to cyber-security: The effect of misalignment of interest between managers and investors. Decision Support Systems 75: 49–62.

    Google Scholar 

  • State Bank of Pakistan. 2012. Guidelines on information technology security. The State Bank of Pakistan. http://www.sbp.org.pk/bsd/2004/Guidelines_on_IT_Security.pdf.

  • Stoneburner, G., A. Goguen, and A. Feringa. 2002. Risk management guide for information technology systems. Recommendations of the National Institute of Standards and Technology. Singapore: National Institute of Standards and Technology.

    Google Scholar 

  • Teece, D.J. 2018. Profiting from innovation in the digital economy: Enabling technologies, standards, and licensing models in the wireless world. Research Policy 47 (8): 1367–1387.

    Google Scholar 

  • Tendulkar, R. 2013. Cyber-crime, securities markets and systemic risk. CFA Digest 43 (4): 35–43.

    Google Scholar 

  • Toivanen, H. 2015. Case study of why information security investment fail?. Master’s Thesis, 76. Jyväskylä: University of Jyväskylä.

  • Trautman, L.J., and K. Altenbaumer-Price. 2010. The board’s responsibility for information technology governance. John Marshall Journal of Computer and Information Law 28: 313.

    Google Scholar 

  • Vagle, J. 2020. Cybersecurity and moral hazard. Stanford Technology Law Review 23: 71.

    Google Scholar 

  • Veijalainen, J., V. Terziyan, and H. Tirri. 2006. Transaction management for m-commerce at a mobile terminal. Electronic Commerce Research and Applications 5: 229–245.

    Google Scholar 

  • Watkins, B. 2014. The impact of cyber attacks on the private sector. Briefing Paper, Association for International Affair, 12.

  • Watters, P.A., S. McCombie, R. Layton, and J. Pieprzyk. 2012. Characterising and predicting cyber attacks using the cyber attacker model profile. Journal of Money Laundering Control 15 (4): 430–441.

    Google Scholar 

  • Willison, R., and M. Warkentin. 2013. Beyond deterrence: An expanded view of employee computer abuse. MIS Quarterly 37 (1): 1–20.

    Google Scholar 

  • Wright, D., S. Gutwirth, M. Friedewald, P.D. Hert, M. Langheinrich, and A. Moscibroda. 2009. Privacy, trust and policy-making: Challenges and responses. Computer Law & Security Review 25: 69–83.

    Google Scholar 

  • Yang, S.J., S. Byers, J. Holsopple, B. Argauer, and D. Fava. 2008. Intrusion activity projection for cyber situational awareness. 2008 IEEE international conference on intelligence and security informatics, 167–172. Taiwan: IEEE.

    Google Scholar 

  • Zephirin, M.G. 1994. Switching costs in the deposit market. The Economic Journal 104 (423): 455–461.

    Google Scholar 

Acknowledgements

This paper is the first output of Taylor’s University’s flagship research project # TUFR/2017/004/05. Md Hamid Uddin led this project over the last three years. He recently moved to the University of Southampton - Malaysia Campus but remained engaged with the project until completion of the research outputs and obligations under the funding contract. Md Hakim Ali worked as the research scholar, while Mohammad Kabir Hassan is an external collaborator who made an intellectual contribution to developing this manuscript. The first version of this paper was presented at the Annual Financial Liquidity Conference 2018, Budapest, Hungary. We acknowledge the valuable suggestions received from Igor Lončarski (University of Ljubljana) and Seema Narayan (RMIT University Australia). We thank Mohammed Sawkat Hossain, who helped us at the beginning of the literature search. We appreciate the contribution of David Asirvatham, Nor Shaipah Abdul Wahab and Vinitha Guptan at Taylor’s University and Sabur Mollah at Sheffield University in launching this project three years ago. We are grateful to David Asirvatham (leader of the Data Analytics, Modeling and Visualization research program) and the Centre for Research Management at Taylor’s University for extending full support in implementing the project.

Corresponding author

Correspondence to Md. Hamid Uddin.

Ethics declarations

Conflict of interest

On behalf of all authors, the corresponding author states that there is no conflict of interest.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

All comments should be sent to Md Hamid Uddin at iba_hu@yahoo.com.

Appendices

Appendix 1: Literature related to cybersecurity and operational costs

| Author(s) | Research issue | Findings | Paper type |
|---|---|---|---|
| Kunreuther and Heal (2003) | Do firms have enough incentive to invest in security protection when the magnitude of the risk depends on others’ actions? | The paper develops an interdependent security (IDS) model to ensure computer security and deter online theft. It concludes that insurance, fines, subsidies, third-party inspections, regulation and coordination mechanisms are all important for managing the negative effects of cyber threats. | Technical paper |
| Böhme (2010) | What is the relationship between security investment models and security metrics? | The author proposes an investment model that captures information security features for all types of strategic security budgets. | Technical paper |
| Kox (2013) | Has internet traffic grown faster than the number of cybersecurity incidents? | The author documents that the current surge in cyber incidents is driven by the growth of online communication. | Conceptual paper |
| Bernik (2014) | Should IT investment focus more on safeguarding the organization from cybercrime? | The paper explores how firms incur losses from cybercrime and focuses on mechanisms for cyber investment. | Theoretical paper |
| Watkins (2014) | Is the cyber threat unavoidable given growing malicious activity such as malware, phishing emails, insider system abuse and hacker attacks? | The author argues that cybercrime could destabilize the financial sector through the immense financial losses that follow leakage of sensitive data. The problem cannot be avoided unless IT security is prioritized in managerial and financial decisions. | Conceptual paper |
| Caron (2015) | How does cybersecurity risk increase the operational risks and business costs of institutions? | The author discusses approaches to managing cybersecurity risk more economically. | Conceptual paper |
| Moore et al. (2015) | Do regulatory compliance and work-process improvement positively affect cybersecurity? | Information security officers express high confidence in their systems and in their ability to identify and deploy the best controls to improve their organization’s cybersecurity. | Empirical paper (survey) |
| Johnson (2015) | Do cybersecurity regulations adequately address systemic adverse effects on financial firms? | The author discusses the Cybersecurity Information Sharing Act (CISA) of 2015 with respect to transparency of information systems, data sharing and regulatory weaknesses. | Conceptual paper |
| Geyres and Orozco (2016) | How much should be invested in cybersecurity? | The authors find that inadequate investment in cyber technology is likely to put an organization’s long-term competitiveness at risk. | Empirical paper (survey) |
| Ahmad and Schreyer (2016) | How substantial are the losses occurring in a digitalized economy? | The authors discuss financial losses in the US and global economy due to cybercrime incidents. | Conceptual paper |
| Kopp et al. (2017) | Can firms achieve optimal cybersecurity through organizational restructuring? | Based on Verizon’s 2016 Data Breach Investigations Report (covering 2,260 data breaches and more than 100,000 reported security incidents), Kopp et al. (2017) observe that timely incident reporting reduces information asymmetry and inefficiency in crime detection, improves cyber risk management and supports optimal cybersecurity protection. | Empirical paper |
| Boer and Vazquez (2017) | What kinds of losses result from cybercrime? | The paper explains how a firm incurs both financial and non-financial losses, directly and indirectly. | Conceptual paper |
| Boer and Vazquez (2017) | Does cybercrime bring losses to financial service institutions? | The authors document that cybercrime imposes various costs on financial institutions: financial and non-financial, direct and indirect. | Conceptual paper |
| Kunreuther and Heal (2003) | Do firms have enough incentive to invest in security protection when its effectiveness depends on others’ actions? | The study examines the role of insurance, liability, fines and subsidies, third-party inspections, regulation and coordinating mechanisms in internalizing the negative externalities of these problems. | Conceptual paper |
| Tendulkar (2013) | Phases of cybersecurity and cyber resilience | Discusses cybercrime from an economic perspective in the context of securities markets and systemic risk. | Conceptual paper |
| Vagle (2020) | Cyber breaches and moral hazard | Regulators need to tackle moral hazard in order to reduce cybersecurity vulnerability. | Conceptual paper |
| Eling and Wirfs (2019) | What are the actual costs of a cyber incident? | The researchers collected 1,579 cyber risk loss observations from the SAS OpRisk Global database and analysed them using value at risk (VaR) and extreme value theory (EVT). The results show that a few extreme cyber risks pose an enormous threat to the affected company’s solvency, even though cyber incidents occur frequently, even daily. Another critical finding is that human behaviour, criminal or not, is the primary source of cyber risk. | Empirical paper |
| Willison and Warkentin (2013) | Employee computer abuse | The authors show how employees’ thought processes are shaped by the organization and how this affects security controls. | Conceptual paper |

Appendix 2: Literature related to cybersecurity and institutional performance

| Author(s) | Research issue | Findings | Paper type |
|---|---|---|---|
| Gordon and Loeb (2002a) | What is the optimal amount of investment in a cybersecurity system? | They show that some investment in information security is worthwhile, but more security is not always worth the cost. Firms should therefore spend only a small fraction of the expected loss from a potential cyber breach, because the vulnerability of a security system is unpredictable in nature. | Theoretical paper |
| Gordon and Loeb (2002b) | Are traditional financial analyses based on net present value (NPV) and internal rate of return (IRR) appropriate for investment in cybersecurity systems? | Based on 21 rounds of simulation for different levels of information security investment, the study finds that NPV and IRR are not appropriate tools for analysing investment in security systems: because system breaches are unpredictable, cash flows from the investment are highly uncertain, and the system can become obsolete before it pays back. | Empirical paper |
| Hovav and D’Arcy (2004) | What is the impact of a security breach on the market value of the affected company? | They find no significant negative impact on market value, perhaps because public awareness was limited or because the market had already priced in the expected loss from security breaches. | Technical paper |
| Das et al. (2012) | Does the stock market respond to security breaches? | The paper concludes that the stock prices of e-commerce companies and of financial institutions are negatively affected by denial-of-service attacks and by information security attacks, respectively. | Empirical paper |
| Peng et al. (2017) | Is there high volatility due to a higher frequency of incidents? | The study shows that extreme cyber-attack rates can be predicted, and that higher attack rates increase volatility. | Technical paper |
| Goel and Shawky (2009) | Does the market value of firms change due to cybersecurity breaches? | They find that the announcement of a security breach has a negative impact on the market value of companies around the incident. | Technical paper |
| Pirounias et al. (2014) | What is the impact of security breaches on firm value? | Using the capital asset pricing model and the Fama–French three-factor model, the study shows that technology-based firms experience a more significant negative change in value than non-technology-based firms. | Theoretical paper |
| Lewis and Baker (2013) | The difficulty of calculating the cost of cyber-attacks, and whether such losses are merely a modern cost of doing business. | A precise estimate of the cost of cybercrime is hardly possible because information is incomplete; estimates rest on several assumptions and on potentially biased surveys. They find that the indirect effects on trade, technology and competitiveness matter critically when estimating losses from cyber breaches. | Technical report |
| Mukhopadhyay et al. (2013) | Cybersecurity breaches negatively affect the profit margin, market capitalization and brand image of firms. | Presents a model to help firms decide on the utility of cyber insurance products and to what extent they should use them. | Technical paper |
| Horne (2014) | How cyber-attacks affect financial costs as well as reputational assets. | Illustrates that firms will adopt different cybersecurity strategies depending on what matters to them, and need to develop long-term policies that incorporate new ideas and knowledge. | Theoretical paper |
| PWC (2014) | Cybercrime is a major threat to the financial services sector. | Discusses losses from cybercrime, ranks cyber risk among the sector’s threats, and argues that cyber risk is not an IT risk only. | Empirical paper (survey) |
| Lagazio et al. (2014) | What is the impact of cybercrime on the financial sector? | Finds that both tangible and intangible factors affect the cost of cybercrime; moreover, market positioning and competitors are important determinants of that cost. | Conceptual paper |
| Gracie (2015) | Cyber-attacks that corrupt or destroy data or systems may damage the financial infrastructure or the supply chain supporting firms’ core functions. | The cyber threat is ever present and ever evolving, so the capability to identify and respond to it should be a key focus. Active management is essential, with threat intelligence to understand likely adversaries, their motivations and their ways of working. | Conceptual paper |
| Brown (2015) | Investigating and prosecuting cybercrime is challenging. | Discusses how legal loopholes and enabling technologies facilitate cybercrime. | Theoretical paper |
| Antonescu and Birău (2015) | Financial and non-financial consequences of cybercrime in emerging economies. | There is a significant difference between the financial and non-financial implications of cybercrime attacks. | Empirical paper (survey) |
| Srinidhi et al. (2015) | Cybersecurity is a crucial determinant of firm-specific financial risk. | Presents an analytical model for the optimal allocation of investment between general assets and cybersecurity assets, incorporating the cost of security breaches, borrowing and financial distress. | Technical paper |
| CPMI (2016) | Does the level of cyber resilience play a role in the operational stability of financial market infrastructures (FMIs)? | Provides guidance for FMIs on developing a governance structure that ensures cyber resilience through a comprehensive risk management framework and liability settlement procedures. | Policy document |
| BDO (2017) | Cybersecurity threats are increasing in the financial sector. | Discusses how data breaches lead to an exponential rise in cost, and how implementing and managing cybersecurity infrastructure adds further cost. | Theoretical paper |
| Peng et al. (2017) | Cyber-attacks cause losses for both customers and businesses. | Presents a public communication model for commercial firms to share and discuss data breach events with external parties, the media and the general public. | Empirical paper (survey) |
| Low (2017) | Reveals that the cost of cybercrime is increasing day by day. | Explains that the cost of cybercrime is not only financial but also falls on intangible assets, i.e. damage to reputation and brand. | Theoretical paper |
| OFR (2017) | How cybersecurity incidents threaten financial stability. | Describes how cyber incidents can disrupt financial institutions offering critical services, reduce trust in firms and markets, and undermine the integrity of key data. | Policy report |
| Boin and McConnell (2007) | How robust are critical infrastructure systems in modern society? | The article explores the strengths and weaknesses of critical systems and shows ways of organizing critical decision-making, together with immediate-response and aftermath policies. | Conceptual paper |
| Brechbuhl et al. (2010) | What are the elements of a successful information security policy? | The authors recommend that shared behaviour, pervasive relationships and trust are important for a strong information security system, and propose a network model for the interaction. | Empirical paper (survey) |
| Donge et al. (2018) | Are modern power systems becoming increasingly complex cyber-physical systems? | The paper explores the potential of blockchain within a cyber-physical infrastructure model. | Conceptual paper |
| Macaulay (2018) | What are the components of critical infrastructure, and what are its operational and economic impacts? | The book discusses in detail the components of critical infrastructure, its vulnerabilities and its operating risks. | Book |
| Garg et al. (2003) | How do investors react to an IT security breach? | The study shows that investors’ reactions extend beyond the breached company and have a negative effect on stock prices. | Conceptual paper |
| Skinner and Sloan (2002) | Do errors in earnings expectations affect stock returns? | Based on 103,274 firm-quarter observations from the US market between 1984 and 1996, the study finds that stock returns suffer from negative earnings surprises, particularly for stocks with high growth expectations. | Empirical paper |
| Levine (1993) | Does financial development increase economic growth? | The authors show that financial development positively affects economic growth by increasing business production. | Empirical paper |
| King and Levine (1993) | How does the financial system affect economic growth? | The study shows that a better financial system improves innovation and thus accelerates economic growth. | Empirical paper |
| Demirgüç-Kunt et al. (2018) | Does digital technology affect financial inclusion and business growth? | Based on data from 140 countries, the study finds that digital technology (mobile phones and apps) increases financial inclusion and business growth. The findings are strongest in Sub-Saharan Africa, where 21% of adults now have a mobile money account. Globally, 52% of adults sent or received digital payments in 2017. | Empirical paper |
| Banker et al. (1990) | How does the use of technology affect efficiency and cost? | The paper concludes that technology usage reduces cost and increases efficiency. | Conceptual paper |
| Barrett et al. (2015) | How does service innovation contribute to firm growth? | The study explains that information technology drives service innovation, which in turn contributes to business growth. | Conceptual paper |
| Casu et al. (2016) | How does technological progress affect growth, and what is the link between bank productivity growth and technological spillovers? | Technological progress increases growth and has spillover effects. | Technical paper |
| Reuters (2018) | How did the attack on the institution take place? | The news report describes a cyber-attack carried out through the SWIFT system. | News article |
| Gopalakrishnan and Mogato (2016) | How did the cyber-attack on Bangladesh Bank take place? | The authors explain the cyber-attack on Bangladesh Bank, attributing it to loopholes in the SWIFT system. | Conceptual paper |
| Alex Johnson (2018) | Types of data breach | The article describes the exposure of personal data. | Conceptual paper |
| Sharma and Tandekar (2018) | How important is information and communication technology today? | The paper describes how information and communication technology has become increasingly important for social, political and economic life. | Conceptual paper |
| Rackoff et al. (1985) | How vital are information systems for survival in a competitive age? | The study shows that information systems help businesses keep pace with competition. | Conceptual paper |
| Quinn and Baily (1994) | Does IT investment increase the payoff? | The research shows that IT investment has a high payoff, apart from some anomalies. | Conceptual paper |
| Teece (2018) | What issues arise from technological innovation? | The study recommends strengthening technological standards, licensing models and the patent system. | Conceptual paper |
| Wright et al. (2009) | Does technological innovation raise privacy and trust issues? | The authors explain that privacy and trust issues pose many challenges for policy makers and stakeholders; past policy is not enough to address them, so new policy is needed. | Conceptual paper |
| McGraw (2013) | How strong is our information-system-based critical infrastructure? | The author concludes that cyber war is inevitable unless security is built into systems from the start. | Conceptual paper |
| Cherdantseva et al. (2016) | What risks exist in supervisory control and data acquisition (SCADA) systems? | The authors find gaps in existing risk assessment methods for SCADA systems and recommend more robust methods. | Conceptual paper |
| Glaessner et al. (2002) | What are the loopholes in the electronic finance environment? | The authors identify the areas to focus on for a safe e-finance environment: the legal framework, electronic security and payments, supervision and its challenges, improving accuracy, standards and training. | Conceptual paper |
| Shackelford (2012) | Should firms invest more in cyber risk insurance? | The study concludes that firms need to manage cybersecurity proactively for the welfare of society rather than only for their own protection. | Conceptual paper |
| Böhme (2012) | Which security audits are most effective for cybersecurity risk, under a game-theoretic analysis? | The study concludes that basic audits are hardly useful; security audits need to be carefully tailored to the situation. | Technical paper |
| Juma’h and Alnsour (2020) | The impact of data breaches on performance | Based on a set of US companies affected by cyber breaches, the study shows that breach reporting with non-mandatory information signals the company’s overall performance. The research suggests that a company’s reserve funds can compensate for losses associated with data breaches. | Empirical paper |
| Gatzlaff and McCullough (2010) | The effect of data breaches on shareholder wealth | Examines the value effect of 77 data breaches in the US between 2004 and 2006. The average cumulative abnormal returns (CARs) of affected firms’ stocks were significantly negative from one day before through 39 days after the event. Regression tests show a more negative market reaction for firms that are less forthcoming about the details of the breach. | Empirical paper |
| Kamiya et al. (2020) | Cyber-attacks, risk management, reputation and performance | Based on 1,580 cyber incidents in the US involving the loss of personal information between 2005 and 2017, the study finds that cyber-attacks are more likely at firms that are more visible, have higher valuations and more intangible assets, lack a board risk committee, and operate in less competitive industries. The market reacts negatively to the announcement of a cyber breach: across 188 reported cyber-attacks, shareholders of the breached companies lost 1.10% of their value. | Empirical paper |

Appendix 3: literature related to cybersecurity and operational risk

| Author(s) | Research issue | Findings | Paper type |
|---|---|---|---|
| Choo (2011) | Have cyber-attacks become a more common crime in the financial sector? | The author applies routine activity theory to mitigate increasing cyber-attacks by reducing the opportunities for cybercrime | Theoretical paper |
| Aseef et al. (2005) | What are the history and nature of cybercrime, its impact on the economy, and future trends? | The paper documents the increasing trend of cybercrime alongside laws and regulation, as well as the breaking of operational systems and of customer trust in the system | Technical paper |
| Choo et al. (2007) | How can the effect of cybersecurity risk on the organization’s operations, and widespread harm to the community, be reduced? | The report suggests a Cybercrime Act covering illegality and infringement, regulatory control over data, cooperative arrangements, and the development of informational and educational resources to minimize the harm | Technical report |
| Javaid (2013) | Can cyber threats demolish infrastructure? | The author explains that cyber threats, although not physical in nature, can disrupt infrastructure and operational systems | Conceptual paper |
| McConnell et al. (2013) | Does cybersecurity risk have the attributes of systemic risk? | The authors describe cybersecurity as a systemic risk through the lens of operational risk and recommend macroprudential approaches | Conceptual paper |
| Veijalainen et al. (2006) | Transaction management systems in mobile terminals | The study presents a better and more secure transaction management system for data protection, since loss of data could bring financial loss | Conceptual paper |
| Smedinghoff (2012) | Is digital identity management important to the internet economy? | This research recommends identity management and data protection for trustworthiness; operational rules and a legal framework are also crucial, since identity is assumed to be an operational hazard | Conceptual paper |
| Gommans et al. (2015) | What role do internet network resources play in maintaining trust? | This paper presents the necessity of network resource development and management for trustworthiness via the operational avenue | Conceptual paper |
| Shackelford (2012) | What is the impact of cyber-attacks in the growing digital economy? | The author recommends better investment to reduce economic impacts such as operational loss and risk | Conceptual paper |
| Hon and Millard (2018) | How should cloud services be managed in order to handle data protection and data breach liability? | This paper presents the ways financial institutions can improve cloud services for operation without data fraud and data breaches | Empirical paper (survey) |
| Heeks (2002) | Information system failure, success, and improvisation | The author shows how to improve information systems for better operation | Theoretical paper |
| Gelenbe and Loukas (2007) | How do denial-of-service attacks affect operational security, and how strong is the defense against them? | The paper proposes a more sophisticated defense framework based on authenticity tests for the operation | Conceptual paper |
| Beitollahi and Deconinck (2012) | How strong are denial-of-service attacks, and what are the proper measures? | The study presents countermeasures to prevent distributed denial-of-service attacks | Technical paper |
| Cebula and Young (2010) | What is the domain of operational cybersecurity risk? | The research splits operational cybersecurity risk into four classes: actions of people, systems and technology failures, failed internal processes, and external events | Conceptual paper |
| Benaroch et al. (2012) | How does IT operational risk affect financial institutions? | The researchers examine 142 cyber incidents reported by US public financial firms between 1994 and 2010. The study finds a negative cumulative abnormal return (CAR) over the window from − 1 to + 3 days relative to the incidence of integrity or availability events. Integrity events damage the functioning of IT systems and corrupt their data, while availability events prevent the delivery of data to intended destinations. The regression analysis shows that the negative CAR is statistically significant after controlling for the growth, size, risk, and industry affiliation of sample firms | Empirical paper |
| Ames et al. (2015) | Should operational risk receive more focus? | The study recommends that operational risk in the age of the digital economy should receive more attention in capital requirements, disclosure, and the regulatory framework | Conceptual paper |
| Caruana (2009) | Do we feel the growing need for an operational framework? | This paper discusses strong operational frameworks | Conceptual paper |
| Francis and Prevosto (2010) | What was the role of data in the financial crisis of 2008? | The study shows that data quality contributed significantly to the global financial crisis | Conceptual paper |
| Ralston et al. (2007) | Are there enough models for estimating and reducing cyber-attacks? | This paper discusses a few methods: the probability of cyber-attack, the impact of cyber-attack, and the reduction process | Conceptual paper |
| Cherdantseva et al. (2016) | Are cybersecurity risk assessment methods available for SCADA systems? | The study describes the various methods used in SCADA systems for various purposes of effective cybersecurity risk management | Conceptual paper |
| Kröger (2008) | Do integration and interconnection pose challenges to organizations and operations? | The author shows system weaknesses and provides modeling and simulation techniques to cope better with the changing system | Conceptual paper |
| Biener et al. (2015) | Is insurance enough for managing cybersecurity? | Based on 994 cyber risk incidents and loss data from the SAS OpRisk Global Database, the study analyses the insurability of cyber risk, given its distinct attributes compared to other operational risks. The study finds several problems with the insurability of cyber risk that hinder the growth of the cyber insurance market. The main issues are unpredictable loss occurrence, information asymmetry and moral hazard, and scarcity of data for a fair assessment of losses | Empirical paper |
| Lewis (2002) | How likely is cyber war to happen and demolish a nation? | The study shows that most of the literature holds that the vulnerability of critical systems can put state security at significant risk | Conceptual paper |
| Patterson et al. (2002) | What could a recovery-oriented system procedure after a cyber-attack look like? | This paper covers hardware faults, software errors, and operator errors, and finally concentrates on mean time to repair and how to reduce recovery time | Theoretical |
| Stoneburner et al. (2002) | Should risk management be strengthened for IT risk? | They identify that IT risk is not only a technical and operational risk but has to be treated as an essential management function of the institution | Technical paper |
| Embrechts et al. (2003) | The issue of regulatory capital for operational risk | The study concludes that traditional modeling approaches reach their limits for operational cybersecurity risk due to cybercrime, because data loss events are not in line with modeling assumptions | Empirical paper (survey) |
| Power (2005) | Is the increasing operational risk due to cyber risk given enough attention? | The author recommends policies, for instance regulatory capital requirements, for the growing nature of operational risk in the internet economy | Conceptual paper |
| Choo (2011) | What is the nature of cybersecurity risk and how can it be reduced? | The study describes criminally motivated cybercrime and its inevitability, and finally discusses routine activity theory to mitigate this risk | Conceptual paper |
| Burden and Palmer (2003) | What are the key areas of cybercriminal activity? | The article summarizes the key areas of cybercrime, such as different types of attack, domains of attack, and cyber vandalism, and finally puts them in the right place to be dealt with | Conceptual paper |
| Holt and Lampke (2010) | What is the nature of data loss through computer attacks? | The paper shows the different ways data is lost and the policy implications for law enforcement to reduce data loss | Empirical paper (survey) |
| Diamond and Dybvig (1983) | How can liquidity issues arise in banks? | The authors interpret that investors’ perceived and observed risk regarding a bank can lead to liquidity risk | Conceptual paper |
| Diamond and Dybvig (1986) | How can bank runs due to liquidity risk be reduced? | The study concludes that deposit insurance and other policies can protect against liquidity problems so as not to let bank runs occur | Conceptual paper |
| Langton (2018) | Can data be manipulated by cybercriminals? | The author concludes that customer data can be manipulated by hackers or cybercriminals | Online article |
| Deloitte (2014) | Cyber-attacks on financial institutions are increasingly diverse, sophisticated, and widespread | Recommends enhancing cyber preparedness and new innovative tools to reduce cyber risk, placing cyber risk within the wider risk management framework, and also warns that IT problems have become a strategic business issue | Conceptual paper |
| Siegel et al. (2002) | How can cybersecurity risk in organizations be minimized? | The study shows that cybersecurity risk and its impact can be reduced by both technical measures and insurance policies | Conceptual paper |
| Mayahi and Humaid (2016) | How can a comprehensive security system be improved? | After analyzing many approaches, the thesis concludes that offering workshops on the importance of ethical behavior and enhancing security alertness among the customers and end-users of banking services can make a strong security system | PhD thesis |
| Committee on Payments and Market Infrastructures (2016) | The issue of providing guidance for cyber resilience | The report does not recommend further standards but suggests that financial market institutions provide detailed preparation and measures to enhance cyber resilience | Policy paper |
| Goodman and Ramer (2007) | How does globalized IT risk affect people, organizations, and computers by increasing vulnerabilities? | The authors illustrate that information security risk can disrupt the financial system and recommend awareness, careful assessment, and effective mitigation of risk | Conceptual paper |
| Kopp et al. (2017) | Can firms achieve optimal cybersecurity through organizational restructuring? | The authors find that removing information asymmetry among stakeholders and inefficiency in crime detection, as well as cyber risk management, provides optimal cybersecurity protection | Empirical paper |
| Jayawardhena and Foley (2000) | Do internet facilities render more time- and location-independent services to customers? | The study concludes that internet banking increases the customer base by offering more opportunities, while at the same time banks can reduce cost and enhance efficiency | Empirical paper (survey) |
| Arner et al. (2016) | How do financial markets, services, and institutions change due to technological change? | The authors extrapolate that technology increases the integration of financial markets and the variety of services, and finally conclude by recommending technological regulatory requirements | Conceptual paper |
| Morton et al. (2018) | How impactful could recent innovation be? | The study concludes that recent innovation through asynchronous web servers could pose severe damage and also discusses mitigation approaches | Conceptual paper |
| Akhawe et al. (2010) | How many kinds of loopholes exist in websites? | The authors discuss different types of attacks and weaknesses in websites and systems and also propose robust testing and protection approaches | Conceptual paper |
| Herath and Rao (2009) | Are IT solutions enough for information security management in organizations? | The research shows that non-IT-based solutions are crucial alongside IT-based ones for information security protection | Empirical paper (survey) |
| Dutta and McCrohan (2002) | What can senior management do to strengthen security management? | The study suggests that top management has many things to do to reduce security risk, using several policies such as biometrics, training management, and management-level focus | Conceptual paper |
| Ralston et al. (2007) | Are there enough models for estimating and reducing cyber-attacks? | This paper discusses a few methods: the probability of cyber-attack, the impact of cyber-attack, and the reduction process | Conceptual paper |
| Soomro et al. (2016) | How does the advancement of information technology pose risk to the organization? | This research concludes that a more holistic management approach is required for information security, and that top management as a whole can play a significant role in reducing information security risk | Conceptual paper |
| Granåsen and Andersson (2016) | How can the effectiveness of a cyber team play a role in cyber defense exercises? | The study shows that cyber situation awareness and effective teams, assessed through behavioral assessment, are important | Empirical paper (survey) |
| Gupta and Gupta (2007) | To outsource or not to outsource technological services is a crucial question for chief executive officers | The study warns executives about the pros and cons, as well as strategies for successful outsourcing with third parties | Conceptual paper |
| Solms (2006) | How should information security management be developed? | The authors recommend information security governance in addition to the technical wave, the management wave, and the institutional wave | Conceptual paper |
| Kayworth and Whitten (2012) | How can an effective information security system be achieved? | The study illustrates that not only IT-based measures but also organizational integration and social alignment are needed for an effective security system | Empirical paper (survey) |
| Duncan (1995) | The issue of using IT competitively | This paper discusses IT infrastructure and its alignment with planning and human resource skills | Empirical paper (survey) |
| Barthelemy (2001) | The challenge of hidden IT costs | The study shows that unforeseen IT costs can reduce the benefit and lead to a better outsourcing alternative | Conceptual paper |
| Yang et al. (2008) | What are the attributes of cyber-attacks? | The research shows that cyber-attacks are reactive, discusses cyber threat assessment using various statistical measures, and also the pros and cons of those methods | Technical paper |
| Watters et al. (2012) | How hard is it to estimate and predict the characteristics of cyber-attacks? | This study uses a modeling approach to predict and show the relationship between cyber-attacks and various social factors | Conceptual paper |
| Lever and Kifayat (2020) | The issue of security risk for the next-generation internet | This paper proposes a solution to identify and mitigate vulnerabilities within multilevel systems-of-systems to enhance security without employing additional security systems at the endpoints. The simulation results show that the solution works dynamically using evolutionary algorithms and probabilistic techniques. It also optimizes the level of security in next-generation internet environments and extends network life | Technical |

Appendix 4: literature related to cybersecurity disclosure and governance

| Author(s) | Research issue | Findings | Paper type |
|---|---|---|---|
| Moore (2010) | Given escalating vulnerability and cybercrime, policy and legislation must allocate responsibilities and liabilities to incentivize the parties in a position to fix the problem | Reveals several recommendations to improve cybersecurity: mitigating malware infections via ISPs, mandatory disclosure of fraud and security incidents, disclosure of system intrusions, and aggregating reports of cyber espionage. Also recommends ex ante safety regulation and ex post liability, together with a discussion of information asymmetries and externalities | Theoretical paper |
| Hall et al. (2013) | The resilience of the Internet’s interconnection system, a study launched by the European Network and Information Security Agency | Finds that the Internet faces difficulties in keeping its interconnection system resilient | Conceptual paper |
| Ring (2014) | Recommends the need for more information sharing on cyber-attacks | Firms need to concentrate not only on collecting and sharing intelligence but also on their threat analysis and incident response | Theoretical paper |
| Shackelford (2016) | How the governance of cyber peace should develop | Investment in cybersecurity should be made not only in the short term but also in the long term, as there are market, ethical, and legal reasons to invest in cybersecurity best practices | Conceptual paper |
| NCG (2016) | The focus on enhancing cyber resilience | Need to focus on areas such as enhancing regulation of bank cyber risk, implementing a wide cyber risk management framework, increasing cyber incident response capabilities, and budgeting for security and solution development | Theoretical paper |
| Hemphill and Longstreet (2016) | Discusses the credit card and payment industry security system to combat cybercrime, comparing and evaluating the existing standards regime against theory and practice | Proposes an industry self-regulation and market forces framework, and discusses its current drawbacks and future technological advancements to provide more effective security protection for customers’ personal and financial data | Empirical paper (survey) |
| Crisanto and Prenio (2017) | Discusses the discrepancies prevailing across different jurisdictions for cyber risk | Proposes high-level policies: incorporating cyber risk into the wide risk management framework, requiring banks to develop effective control and response mechanisms for cyber risk, considering technical standards for cyber and information security, and putting more cross-border collaboration in place to enhance cyber resilience at banks | Conceptual paper |
| Peeters (2017) | Vulnerability disclosure for the resilience of the cyber ecosystem | Disclosure of vulnerabilities in security systems in a responsible and systematic way | Thesis |
| Clare (2017) | Aims to enhance cyber threat intelligence sharing across the cyber ecosystem | Discusses whether sharing IP addresses can lawfully be seen as cyber threat intelligence; however, automated business-to-business sharing of the data might be done in the greater interest under Article 6(1) of the GDPR | Conceptual paper |
| Goodman and Ramer (2007) | How does globalized IT risk affect people, organizations, and computers by increasing vulnerabilities? | The authors illustrate that information security risk can disrupt the financial system and recommend awareness, careful assessment, and effective mitigation of risk | Conceptual paper |
| Kopp et al. (2017) | Can firms achieve optimal cybersecurity through organizational restructuring? | The authors find that removing information asymmetry among stakeholders and inefficiency in crime detection, as well as cyber risk management, provides optimal cybersecurity protection | Empirical paper |
| Jayawardhena and Foley (2000) | Do internet facilities render more time- and location-independent services to customers? | The study concludes that internet banking increases the customer base by offering more opportunities, while at the same time banks can reduce cost and enhance efficiency | Empirical paper (survey) |
| Arner et al. (2016) | How do financial markets, services, and institutions change due to technological change? | The authors extrapolate that technology increases the integration of financial markets and the variety of services, and finally conclude by recommending technological regulatory requirements | Conceptual paper |
| Morton et al. (2018) | How impactful could recent innovation be? | The study concludes that recent innovation through asynchronous web servers could pose severe damage and also discusses mitigation approaches | Conceptual paper |
| Akhawe et al. (2010) | How many kinds of loopholes exist in websites? | The authors discuss different types of attacks and weaknesses in websites and systems and also propose robust testing and protection approaches | Case study |
| Herath and Rao (2009) | Are IT solutions enough for information security management in organizations? | The research shows that non-IT-based solutions are crucial alongside IT-based ones for information security protection | Empirical paper (survey) |
| Dutta and McCrohan (2002) | What can senior management do to strengthen security management? | The study suggests that top management has many things to do to reduce security risk, using several policies such as biometrics, training management, and management-level focus | Conceptual paper |
| Ralston et al. (2007) | Are there enough models for estimating and reducing cyber-attacks? | This paper discusses a few methods: the probability of cyber-attack, the impact of cyber-attack, and the reduction process | Conceptual paper |
| Soomro et al. (2016) | How does the advancement of information technology pose risk to the organization? | This research concludes that a more holistic management approach is required for information security, and that top management as a whole can play a significant role in reducing information security risk | Conceptual paper |
| Granåsen and Andersson (2016) | How can the effectiveness of a cyber team play a role in cyber defense exercises? | The study shows that cyber situation awareness and effective teams, assessed through behavioral assessment, are important | Empirical paper (survey) |
| Gupta and Gupta (2007) | To outsource or not to outsource technological services is a crucial question for chief executive officers | The study warns executives about the pros and cons, as well as strategies for successful outsourcing with third parties | Conceptual paper |
| Solms (2006) | How should information security management be developed? | The authors recommend information security governance in addition to the technical wave, the management wave, and the institutional wave | Conceptual paper |
| Kayworth and Whitten (2012) | How can an effective information security system be achieved? | The study illustrates that not only IT-based measures but also organizational integration and social alignment are needed for an effective security system | Empirical paper (survey) |
| Jordan et al. (2000) | How do investors react to the announcement of formal supervisory actions? | The study shows that the quality and timeliness of disclosure affect the stock market’s reaction | Empirical analysis |
| Hyytinen and Takalo (2002) | What are the advantages and disadvantages of disclosure requirements and transparency regulation? | This paper shows the direct cost of complying with disclosure requirements and also shows how transparency regulation can reduce financial fragility | Conceptual paper |
| Linsley and Shrives (2005) | Should banks, as risk-taking institutions, be careful about risk disclosure? | The authors analyze the comprehensive risk disclosure of banks based on Basel II Pillar 3 so that stakeholders can assess the riskiness of the institution | Conceptual paper |
| Soomro et al. (2016) | Which events could lead to further failure of the global financial system? | The report concludes that very few single cyber-related incidents can cause global shocks, but detailed preparation should be in place to withstand and recover from the wide impact of a cyber incident | Technical paper |
| Crisanto and Prenio (2017) | Should banks focus on initiatives for cybersecurity management? | The study recommends that banks need regulatory requirements, supervisory approaches, and high-level policy consideration for cybersecurity management | Technical paper |
| Almansi (2018) | The issue of the financial sector’s cybersecurity regulation and supervision | This report calls for the identification of consensus on practices to implement regulations and on how to supervise the implementation of cybersecurity rules by financial institutions | Technical paper |
| Bouveret (2018) | Is cybersecurity risk predictable and assessable? | Examines the direct economic losses from cyber-attacks available in the ORX News database. The study finds that the average losses due to cyber-attacks for the countries in the sample amount to USD 97 billion, or 9% of banks’ net income. The value at risk (VaR) ranges from USD 147 to 201 billion (14 to 19% of net income), while the expected shortfall is between USD 187 and 281 billion. These estimates are far above the cyber incident losses publicly reported by financial institutions | Empirical paper |
| Berkman et al. (2018) | The issue of cybersecurity disclosure and market valuation | The study examines the effect of cyber risk disclosure by FTSE Russell 3000 firms for the period 2012–2016, following the issuance of SEC disclosure guidance for cyber risk. The results show a positive association between market valuation and disclosures related to information security. However, the findings reveal that a more negative tone in cyber disclosures is associated with lower market value | Empirical |
| Li et al. (2018) | The issue of disclosure guidance and disclosing cybersecurity risk factors | Based on a sample containing 26,335 non-breached observations and 291 breached observations during the period between 2007 and 2015, the study finds that the association between the presence of cybersecurity risk disclosure and subsequently reported cybersecurity incidents becomes insignificant after the passage of the SEC’s cybersecurity disclosure guidance. This indicates that cyber incident disclosure helps to reduce future breaches | Empirical |

Appendix 5: cybersecurity guidelines in the global perspective

Name

Summary

References

Panel A: Guidelines of international organizations

Organization for Economic Cooperation- and Development (OECD)

The OECD suggests the member countries frame policy-related guidelines for cybersecurity management at institutional levels. The guidelines should emphasize (i) creating awareness of cyber risk and its consequences, (ii) identifying the parties responsible for information system networks, (iii) determining the responsible team to detect cyber threats and prevent incidents, (iv) ensuring accountability and ethical standards of the parties involved in cybersecurity management, (v) developing security system within the norms of democracy, (vi) developing comprehensive risk assessment system to capture security threats from both technical (system vulnerability) and non-technical sources (human factors and policy weakness), (vii) adopting ‘security concern’ as the focus area in all spheres within the institution, (viii) designing a comprehensive and dynamic security management framework based on proactive and forward-looking risk assessment approach, and (ix) ensuring continuous reassessment and modification of security policies in tandem with the changing security threats and vulnerabilities

OECD (2015)

Bank for International Settlements (BIS)

The Basel II accord recognizes the risk of data losses in IT-based banking; thus, asks for a system that can mitigate the problem. The Basel III accord elaborates the cyber risk management approaches by specifying that banks should establish and maintain data architecture and IT infrastructure to support their capability of collecting risk data and timely reporting. Moreover, the senior management needs to ensure that IT strategy includes ways to improve risk data aggregation capabilities and reporting practices. Finally, the corporate board of a bank should be responsible for determining its reporting requirements for IT-related risks

BIS (2004, 2013)

Financial Stability Institute (FSI)

In order to improve cybersecurity in the banking institutions, FSI researchers recommend some policy considerations, such as (a) incorporating cybersecurity risks within the framework of bank-wide risks management system, (b) developing an effective control and response framework for managing cybersecurity risks in the banks, (c) promoting cybersecurity awareness among the bank staffs and other stakeholders, (d) collaborating with the related industry partners to strengthen own cybersecurity system, and (e) ensuring cross-border cooperation to develop consistent regulatory and supervisory regime to enhance bank level cyber resilience

Crisanto and Prenio (2017)

International Monetary Fund (IMF)

Bouveret (2018), an IMF research, proposed a cyber risk assessment framework that captures the risk elements such as (i) security threat level, (ii) system vulnerability status, and (iii) financial consequences of a security breach that could affect the stability of a financial institution. This risk assessment framework covering three cyber risks dimensions is yet to be recommended by IMF. However, it can guide the financial institutions on how to determine the level of risk exposure and financial consequence for the institution

Bouveret (2018)

World Bank (WB)

The World Bank suggests national central banks to collect and store cybercrime information from the institutions under their jurisdiction. The institutions would report all cyber incidents to their respective central banks as soon as they can detect them. The information needs to be reported in a particular form to monitor the trend of cyber incidences within the country and institution levels. The affected institutions will react immediately to reassess and modify their security policies in line with the changes of cybersecurity susceptibilities

Almansi et al. (2017)

International Organization of Securities Commissions (IOSC)

The IOSCO Board recognizes that cybersecurity risk is a growing and significant threat for the integrity, efficiency, and soundness of the global financial markets. Therefore, a powerful board-level coordinator should be nominated to ensure a coherent and efficient use of IOSCO resources and guide the financial institutions and market participants on the cybersecurity issues. Also, IOSCO recommends having a regular and independent cybersecurity risk management framework for addressing cyber thefts and other data losses in financial institutions. The framework of cyber risk management should focus on matters like threat identification, risk protection, system abnormality detection, incidence response, and recovery plans

IOSC (2016)

Panel B: Guidelines of different countries

USA

The Gramm-Leach-Bliley Act (GLBA) stipulates data and IT security requirements for broader financial sectors of the US. The law requires US financial firms to establish an information security plan for protecting and preventing the unauthorized disclosure of stakeholders’ data. The information security plan should include (a) designated program coordinator, (b) regular cyber risk assessments, (c) safeguard information and ensure service providers’ security, (d) establish controls to detect and prevent malicious codes, (e) regular update of the ongoing data protection plan, (f) provide proper information security training to their employees, and (g) produce annual information security reports to the corporate board

Carter and Zheng (2015)

UK

The National Cyber Security Centre (NCSC), part of the United Kingdom Government, provides advice and support to the public and private sectors on avoiding cybersecurity threats. To mitigate data and security breaches, the NCSC recommends three sets of guidelines for (1) protecting endpoints, (2) protecting networks, and (3) protecting information. First, for protecting endpoints: (a) use up-to-date and supported operating systems and software, (b) deploy critical security patches as soon as possible, and (c) implement application whitelisting to prevent malware from running on hosts. Second, for protecting networks: (a) use firewalls and network segregation to protect services, (b) deploy an always-on antivirus solution that scans new files, and (c) perform regular vulnerability assessments. Finally, for protecting information: (a) apply a strategy of least privilege to all devices and services, (b) use multi-factor authentication to protect sensitive information, (c) ensure that strict authentication and authorization controls protect all services, (d) provide password managers to help prevent password reuse across systems, and (e) implement a practical monitoring and alerting service.

NCSC (2018)

Germany

The Federal Office for Information Security in Germany recommends developing the legal, technical, and personnel capabilities needed to make digitalization secure. Its primary guidelines are: (a) encrypt electronic communications and protect access with two-factor authentication, (b) do not enter passwords on web pages reached through links in emails, (c) report suspicious emails to the IT administrator immediately, without deleting them, (d) if a password has been entered on an untrusted web page, change it promptly on the genuine site, (e) train employees to recognize fraudulent and manipulative communications, (f) pass payment instructions through a dual (four-eyes) approval process, (g) keep cryptographic protocols free of known vulnerabilities, (h) configure home and office routers to block unauthorized access to connected network devices, and (i) configure connected devices to require approval before communicating over the internet.

Federal Office for Information Security (2017)

China

The cybersecurity law of China stipulates that (i) individuals and organizations, who are responsible for their own networks, shall not set up websites or communication groups for fraudulent or other illegal purposes, (ii) operators must protect critical information infrastructure in public communications, information services, and other critical cyber infrastructure, and (iii) operators must obtain users' consent when collecting their personal information.

ReedSmith (2017)

Japan

The National Security Council (NSC) of Japan, an inter-agency body coordinating national cybersecurity policies, frames the country's broader cyber policies. These include (a) the free flow of information in cyberspace, (b) the application of cyber laws to develop an interconnected and converged information society, (c) a common vision of cybersecurity, with responsibility shared by all stakeholders including the relevant government agencies, and (d) the avoidance of political and group influence in the governance of cyberspace.

Cabinet Decision (2015)

Australia

The Australian Cyber Security Centre (ACSC) suggests several guidelines, such as (a) independent assessment of targeted cyber intrusions and malicious activity, (b) developing a framework of cooperation among the institutions and agencies dealing with cybersecurity issues, and (c) enhancing the capacity of the Australian Signals Directorate to conduct vulnerability assessments at the institutional level and to provide timely advice on emerging technologies and system vulnerabilities.

ACSC (2016)

Singapore

The Cyber Security Agency (CSA) of Singapore works with public and private sector institutions to protect IT and other critical services in Singapore. The major CSA guidelines are to (a) build a resilient cybersecurity infrastructure, (b) develop a safer cyberspace, (c) promote a vibrant cybersecurity ecosystem, (d) strengthen international partnership and cooperation, and (e) appoint specialized technical personnel to support investigations of cybersecurity incidents.

MCI (2017)

Malaysia

The national cybersecurity agency of Malaysia provides guidelines and services to other authorities and institutions so that they can develop a resilient cyber infrastructure and a risk management framework for their constituent entities. For example, following the national guidelines, the Securities Commission of Malaysia (SCM) and Bank Negara Malaysia (BNM) have developed their own guidelines for listed firms and banks. The SCM guidelines state that (a) the corporate board must provide oversight and give sufficient priority and resources to managing cybersecurity risk as part of the overall risk management framework, (b) the board must deliberate on and approve the institution's cyber risk management policies and procedures, (c) the board must ensure that the approved policies and procedures are properly implemented, (d) cyber risk policies and procedures must be reviewed and revised as the level of risk exposure changes, and (e) cyber risk policies should focus clearly on prevention, detection, and recovery measures.

SCM (2016)

Bangladesh

The national cybersecurity strategy of Bangladesh (NCSB) provides guidelines for cyber risk management in line with the recommendations of the International Telecommunication Union (ITU). The major guidelines are to (a) develop comprehensive national legislation on cybercrime, (b) take appropriate measures to reduce system vulnerabilities, (c) raise security awareness in the use of IT-based services, (d) develop international cooperation on cyber threats and solutions, and (e) promote a secure and resilient cyber infrastructure for the economy and society.

NCSB (2018)

India

The Information Technology and Cyber Security Act of India provides the legal framework for national cybersecurity policy and e-commerce transactions. The law stipulates that (a) the government adopts a cybersecurity policy enabling urgent action against cyber-attacks, (b) the policy is reviewed regularly to address the changing nature of system vulnerabilities, risks, and threats, (c) the government establishes a cyber coordination center at the operational level to work with the different institutions and stakeholders, (d) cybersecurity arrangements are integrated with the country's overall counterterrorism capabilities, and (e) cybersecurity education, research, and development are promoted as an integral part of the national cybersecurity strategy.

IDSA (2012)

Hungary

The National Security Strategy (NSS) of Hungary recommends aligning the national cybersecurity system with those of the other European Union countries. The NSS also calls for a common understanding of the cybersecurity management framework at all levels of government and in other institutions, and emphasizes regular, independent, and competent assessment of the country's road map for dealing with cybersecurity issues.

Rezek et al. (2012); ITU (2013)

Pakistan

The central bank of Pakistan provides information technology security guidelines for banks. The essential policy guidelines are to (a) make the relevant department responsible for protecting the bank against cybertheft, (b) assess cyber risk and system vulnerabilities continuously, (c) frame strategies that reduce risk and preserve the organization's mission at the lowest cost, (d) have the board approve, enforce, and monitor the implementation of IT policies, (e) raise security awareness among bank employees and customers through training and campaigns, (f) coordinate between the technical and non-technical departments of the institution, and (g) arrange periodic third-party cybersecurity audits.

State Bank of Pakistan (2012)

Poland

The National Framework of Cybersecurity Policy (NFCP) of Poland emphasizes (a) engaging the main bodies of government and private sector institutions in implementing the national cybersecurity policy framework, (b) building capacity to prevent cyber incidents, (c) ensuring quick response and service restoration after a cyber incident, (d) creating cyber risk awareness through education and training, (e) promoting research and development in ICT, and (f) establishing international cooperation on cybersecurity issues.

Rezek et al. (2012); ITU Poland (2012b); Ministry of Digital Affairs (2017)

Hong Kong

The Security Bureau of Hong Kong requires (a) supervision of e-banking in line with international regulatory bodies such as the Basel Committee on Banking Supervision, (b) engagement of the local agency responsible for implementing the national cybersecurity strategy, (c) benchmarking of cybersecurity development at the sectoral and national level, (d) collaboration and liaison with relevant stakeholders, (e) continuous review of cybersecurity policy in line with technological advances and global trends in cybersecurity management, and (f) reporting of cyber incidents to a recognized agency.

HKMA (2016); ITU (2012a, b)

Slovakia

The national strategy for information security in Slovakia focuses on (a) organizing security exercises covering all types of cyber threats that engage both technical staff and decision makers, (b) developing a framework for quick cooperation at all levels in the event of a cyber incident, (c) ensuring international cooperation to defend critical infrastructure and promptly restore attacked services, and (d) arranging regular assessment of the country's preparedness for dealing with cybersecurity issues and reporting the results to stakeholders.

Rezek et al. (2012); ITU Slovakia (2012)

Cite this article

Uddin, M.H., Ali, M.H. & Hassan, M.K. Cybersecurity hazards and financial system vulnerability: a synthesis of literature. Risk Manag 22, 239–309 (2020). https://doi.org/10.1057/s41283-020-00063-2