MCP: The risk modelling framework for the banking sector

Abstract

Context: The world is changing rapidly, driven by an increased focus of integrating Information Technology (IT) into everyday life. Organisations integrate IT into their products and services to provide increased convenience and efficiency, as well as to reduce costs. Banks are no exception to this trend. This increase in IT use has in turn introduced new security challenges and risks that have to be taken into account and mitigated. Objective: The goal of this research is to develop a risk modelling framework for cyber-attacks that expands on existing security concepts by including the impact and likelihood associated with these threats to determine risk. This research focuses on cyber-attacks that target banking institutions. Method: This thesis was conducted based on theory from the Design Science methodology. A thorough literature review was carried out to understand the problem context and existing theory available. This was supported by consultations with experts from the banking sector and outsiders to gain a better understanding of the practical aspects of risk and cyber-attacks, and their alignment with theory. A framework was then designed based on this information, which was validated by expert reviews. This led to modifications aimed to improve the correctness and usefulness of the framework. Results: This research produced a single artefact, a risk modelling framework. Information that was used as input for the framework was analysed and resulted in a number of findings regarding IT risk perceptions. Conclusion: The cyber-attacks analysed in this research context were not classified as high risk for a banking institution, however differs per institution. This research revealed that IT risk is difficult to model accurately due to the varying nature and complexity of factors that contribute to determining risk. More research needs to be conducted to improve risk estimation techniques and perception amongst experts.