5 research outputs found
Research and methodological framework for managing the economic security of financial intermediaries in Ukraine
The effective management of economic security of financial and banking institutions at the application level is not possible without formulating the conceptual foundations of this process in the research and methodological plane. With that, the management system should take into account the specifics of financial intermediaries, which requires the development of specific research and methodological approaches. The purpose of the study is to generalize the conceptual framework for economic security management of banking and parabanking financial institutions as an integral part of ensuring the economic security of the financial market and financial security of the state. The authors propose an algorithm for managing the system of economic security of banks and other financial institutions, and identify the features, advantages and disadvantages of models for providing economic security. It is proved that managing the economic security system should consider the type of an institution, its size, the adequate personnel availability, and financial, information and material support. Consequently, effective economic security management should ensure its high level, and, therefore, partially solve the problem of regulating banking security, the financial market security, and, as a consequence, the financial security of the country.
Development of Criteria for Mobile Device Cybersecurity Threat Classification and Communication Standards (CTC&CS)
The increasing use of mobile devices and the unfettered access to cyberspace has introduced new threats to users. Mobile device users are continually being targeted for cybersecurity threats via vectors such as public information sharing on social media, user surveillance (geolocation, camera, etc.), phishing, malware, spyware, trojans, and keyloggers. Users are often uninformed about the cybersecurity threats posed by mobile devices. Users are held responsible for the security of their device that includes taking precautions against cybersecurity threats. In recent years, financial institutions are passing the costs associated with fraud to the users because of the lack of security.
The purpose of this study was to design, develop, and empirically test new criteria for a Cybersecurity Threats Classification and Communication Standard (CTC&CS) for mobile devices. The conceptual foundation is based on the philosophy behind the United States Occupational Safety and Health Administration (OSHA)’s Hazard Communication Standard (HCS) of Labels and Pictograms that is mainly focused on chemical substances. This study extended the HCS framework as a model to support new criteria for cybersecurity classification and communication standards.
This study involved three phases. The first phase conducted two rounds of the Delphi technique and collected quantitative data from 26 Subject Matter Experts (SMEs) in round one and 22 SMEs in round two through an anonymous online survey. Results of Phase 1 emerged with six threats categories and 62 cybersecurity threats. Phase 2 operationalized the elicited and validated criteria into pictograms, labels, and safety data sheets. Using the results of phase one as a foundation, two to three pictograms, labels, and safety data sheets (SDSs) from each of the categories identified in phase one were developed, and quantitative data were collected in two rounds of the Delphi technique from 24 and 19 SMEs respectively through an online survey and analyzed. Phase 3, the main data collection phase, empirically evaluated the developed and validated pictograms, labels, and safety data sheets for their perceived effectiveness as well as performed an analysis of covariance (ANCOVA) with 208 non-IT professional mobile device users.
The results of this study showed that pictograms were highly effective; this means the participants were satisfied with the characteristics of the pictograms such as color, shapes, visual complexity, and found these characteristics valuable. On the other hand, labels and Safety Data Sheets (SDS) were not shown to be effective, meaning the participants were not satisfied with, or failed to identify the importance of, the characteristics of labels and SDS. Furthermore, the ANCOVA results showed significant differences in perceived effectiveness with SDSs with education and a marginal significance level with labels when controlled for the number of years of mobile device use. Based on the results, future research implications can observe discrepancies of pictogram effectiveness between different educational levels and reading levels. Also, research should focus on identifying the most effective designs for pictograms within the cybersecurity context. Finally, longitudinal studies should be performed to understand the aspects that affect the effectiveness of pictograms.
Managing Information Security Investments Under Uncertainty: Optimal Policies for Technology Investment and Information Sharing
Information systems are an integral part of today's business environment. Businesses, government organizations, and the society rely on these systems for various transactions, most of which have huge financial implications. Hence, attacks that breach information systems result in interruption of operations, loss of data and customer confidence, constituting a significant threat to firms.
The losses due to attacks on information systems can be mitigated through investments in information security technologies and services. In this thesis we study three practical problems related to information system security investment management: (1) Optimal policies for technology investment in information system security; (2) Optimal policies for information sharing in information system security; and (3) Asymmetric information sharing in information system security.
We believe that firms can benefit from this work either through direct implementation for specific guidance, or through indirect use of several policy results obtained. An important characteristic of these studies is that we build the models by using real-world data from surveys of information system security practitioners. As one of the few studies on information system security investment management through operations management approaches, this work also sets the first step for future studies on related topics that can be explored by researchers in the field of management science.
Mixed structural models for decision making under uncertainty using stochastic system simulation and experimental economic methods: application to information security control choice
This research is concerned with whether and to what extent information security managers may be biased in their evaluation of and decision making over the quantifiable risks posed by information management systems where the circumstances may be characterized by uncertainty in both the risk inputs (e.g. system threat and vulnerability factors) and outcomes (actual efficacy of the selected security controls and the resulting system performance and associated business impacts). Although ‘quantified security’ and any associated risk management remains problematic from both a theoretical and empirical perspective (Anderson 2001; Verendel 2009; Appari 2010), professional practitioners in the field of information security continue to advocate the consideration of quantitative models for risk analysis and management wherever possible because those models permit a reliable economic determination of optimal operational control decisions (Littlewood, Brocklehurst et al. 1993; Nicol, Sanders et al. 2004; Anderson and Moore 2006; Beautement, Coles et al. 2009; Anderson 2010; Beresnevichiene, Pym et al. 2010; Wolter and Reinecke 2010; Li, Parker et al. 2011).
The main contribution of this thesis is to bring current quantitative economic methods and experimental choice models to the field of information security risk management to examine the potential for biased decision making by security practitioners, under conditions where information may be relatively objective or subjective and to demonstrate the potential for informing decision makers about these biases when making control decisions in a security context. No single quantitative security approach appears to have formally incorporated three key features of the security risk management problem addressed in this research: 1) the inherently stochastic nature of the information system inputs and outputs which contribute directly to decisional uncertainty (Conrad 2005; Wang, Chaudhury et al. 2008; Winkelvos, Rudolph et al. 2011); 2) the endogenous estimation of a decision maker’s risk attitude using models which otherwise typically assume risk neutrality or an inherent degree of risk aversion (Danielsson 2002; Harrison, Johnson et al. 2003); and 3) the application of structural modelling which allows for the possible combination and weighting between multiple latent models of choice (Harrison and Rutström 2009). The identification, decomposition and tractability of these decisional factors is of crucial importance to understanding the economic trade-offs inherent in security control choice under conditions of both risk and uncertainty, particularly where established psychological decisional biases such as ambiguity aversion (Ellsberg 1961) or loss aversion (Kahneman and Tversky 1984) may be assumed to be endemic to, if not magnified by, the institutional setting in which these decisions take place. Minimally, risk averse managers may simply be overspending on controls, overcompensating for anticipated losses that do not actually occur with the frequency or impact they imagine. On the other hand, risk-seeking managers, where they may exist (practitioners call them ‘cowboys’ – they are a familiar player in equally risky financial markets) may be simply gambling against ultimately losing odds, putting the entire firm at risk of potentially catastrophic security losses. Identifying and correcting for these scenarios would seem to be increasingly important for now universally networked business computing infrastructures.
From a research design perspective, the field of behavioural economics has made significant and recent contributions to the empirical evaluation of psychological theories of decision making under uncertainty (Andersen, Harrison et al. 2007) and provides salient examples of lab experiments which can be used to elicit and isolate a range of latent decision-making behaviours for choice under risk and uncertainty within relatively controlled conditions versus those which might be obtainable in the field (Harrison and Rutström 2008). My research builds on recent work in the domain of information security control choice by 1) undertaking a series of lab experiments incorporating a stochastic model of a simulated information management system at risk which supports the generation of observational data derived from a range of security control choice decisions under both risk and uncertainty (Baldwin, Beres et al. 2011); and 2) modeling the resulting decisional biases using structural models of choice under risk and uncertainty (ElGamal and Grether 1995; Harrison and Rutström 2009; Keane 2010). The research contribution consists of the novel integration of a model of stochastic system risk and domain relevant structural utility modeling using a mixed model specification for estimation of the latent decision making behaviour. It is anticipated that the research results can be applied to the real world problem of ‘tuning’ quantitative information security risk management models to the decisional biases and characteristics of the decision maker (Abdellaoui and Munier 1998