Perceptions of online fraud and the impact on the countermeasures for the control of online fraud in Saudi Arabian financial institutions

This thesis was submitted for the award of Doctor of Philosophy and was awarded by Brunel University LondonThis study addresses the impact of countermeasures in the control and prevention of online fraud in Saudi Arabia and the influence of the environmental context. Combatting online fraud is facilitated when the public is fully educated and is aware of its types and of the prevention methods available. People are reliant on the Internet; the possibility of being breached by hackers and fraudsters is growing, especially as socialising, online shopping and banking are carried out through personal computers or mobile devices. Online fraud has been described as an epidemic that has spread to most online activities. Its prevalence has been noted to be in regions where there is high adoption of e-commerce, and, along with it, large online financial transactions. The argument is therefore the measures taken are either are inadequate or have failed to effectively address all the issues because of the organisational and environmental context of the country. This research aims to examine online fraud perceptions and the countermeasures designed and used by financial institutions in Saudi Arabia to control and prevent online fraud in its environmental context, to examine the effectiveness/impact of the countermeasures and to examine the factors that may affect/influence the impact of the countermeasures. The qualitative method approach was chosen to ensure balanced coverage of the subject matter. The nature of the research requires a broader, in-depth, examination of the experiences of the participants from their own perspective. Meanwhile levels of awareness are low, because of lack of knowledge and training, a lack of government sensitisation and the religious inclinations of the population. The findings also confirm the efforts of organisations to put in place countermeasures using various technological means, coupled with procedural controls and checks. The measures create obstacles to most customers, who find it cumbersome to engage in online activities because of those procedures and checks. The findings also show two types of regulations: government and organisational rules, with different foci and purposes, which are mostly centred on the monitoring of Internet operations and operational guidelines. The enforcement of rules in the light of prosecuting offenders has also been minimal and passive. The countermeasures of most banks/organisations mostly focus on prevention and detection. However, the findings suggest that the activities in each component and their interrelationships have a collective impact on combatting online fraud. The success of any effort or approach to combat fraudulent activities therefore depends on the activities of the four countermeasure components

A digitalized society in front of the cyberwar - are we prepared? A case study of four Norwegian organizations

Masteroppgave i økonomistyring (MSc) 201

The role of government in the Nigerian mobile telecommunications industry: a focus on cybercrime and mobile broadband policies

A research report submitted to the Faculty of Commerce, Law and Management, University of the Witwatersrand, Johannesburg, in fulfilment of the requirements for the degree of Masters of Management by Dissertation (MM-D). October, 2016The role played by a governing authority is crucial to the long term survival and development of its governed unit, irrespective of the size and function of the said unit. In the event that a government fails to protect the interests of its governed, a state of wide-spread dissatisfaction and palpable frustration becomes inevitable. Through the application of an Interpretive Research Paradigm, this study assessed the role of the Nigerian government in one of the country’s most promising industries; The Mobile Telecommunications Industry. The study aimed to expose the predominant role of the Nigerian government in this industry with a focus on the relevant issues of Cybercrime and Mobile Broadband. This research enquiry applied the Qualitative Research Approach. As such, the researcher analyzed relevant policy documents on telecommunications and elicited the expert opinions of key industry players. In all, 18 industry representatives were questioned about the happenings in the Mobile Telecommunications Industry. The interview respondents for this research study included representatives of the Ministry of Communications, individuals within the Nigerian Communications Commission, and Mobile Telecommunications service providers/operators. To further validate the information gathered from these individuals, various industry reports were also examined. After a thorough analysis of the research data gathered from multiple sources, the conclusion drawn by this study was that the Nigerian government has failed to do what is necessary to ensure the long-term growth and development of the country’s Mobile Telecommunications Industry. The study proved that the government has constantly taken a somewhat lackadaisical stance with regard to the implementation of the policies and initiatives governing the industry and has subsequently given no explanations or justifications for its actions, or more appropriately, inactions. Conclusively, this research study recommended that the governing environment of the Nigerian Mobile Telecommunications Industry be restructured to include a government that not only formulates telecoms development strategies and expansion initiatives, but also executes these plans whilst maintaining an unwavering accountability for its actions and decisions.MT 201

The effect of cyberattacks on European financial institutions: an event study approach

openCyber risk has been a widely debated issue in recent years. The financial world could prove particularly vulnerable when it comes to cyberattacks, given the high level of interconnection between all of the sector’s players. This paper uses the event study methodology to assess the reaction of 15 European financial institutions’ share prices to direct cyberattacks. The same methodology is used for testing the reaction of a sample of 22 financial institutions, based in the Eurozone, to a series of systemic cyberattacks with potential worldwide repercussions. Our research represents an original contribution to the literature in two ways. Firstly, to the best of our knowledge, no authors have previously applied the event study methodology to a sample of shares pertaining exclusively to financial institutions. Even less so to financial institutions exclusively based in the Eurozone. Secondly, to the best of our knowledge, no existing research applied our subdivision between direct and systemic cybersecurity events in a single study. Overall, our study provides empirical evidence on the effect of 14 direct and 3 systemic cyberattacks. These attacks were announced by newspapers between October 2014 and August 2023. This represents an opportunity to update the results of the older event study cybersecurity literature, as well as an opportunity to test the results by more recent studies. The results can also be useful in the interpretation and anticipation of current and future European legislation on cybersecurity. In the case of direct cyberattacks, which explicitly target banks, insurance companies or electronic money institutions, we find that stock prices exhibit negative and significant cumulative abnormal returns. Furthermore, these negative effects become more relevant when considering larger event windows after the attack date. We also divide, in accordance with other studies, direct events between ones that compromise the confidentiality of information and ones that do not. We interestingly find that attacks that do not reveal confidential information have a significant negative effect on their targets. Conversely, cyberattacks that do reveal confidential information held by financial institutions do not have a significant effect on stock prices. Regarding the three systemic events, we find contrasting but interesting results. The breach of a major US bank has an overall negative and significant effect on European companies, in particular the ones based in Italy and Spain. On the other hand, when SolarWinds was discovered to be the vector of a cyberattack on the US Government, no such negative effect was observed. Lastly in the case of the WannaCry ransomware epidemic, we find empirical evidence of negative abnormal returns only for companies based in Germany and Spain.Cyber risk has been a widely debated issue in recent years. The financial world could prove particularly vulnerable when it comes to cyberattacks, given the high level of interconnection between all of the sector’s players. This paper uses the event study methodology to assess the reaction of 15 European financial institutions’ share prices to direct cyberattacks. The same methodology is used for testing the reaction of a sample of 22 financial institutions, based in the Eurozone, to a series of systemic cyberattacks with potential worldwide repercussions. Our research represents an original contribution to the literature in two ways. Firstly, to the best of our knowledge, no authors have previously applied the event study methodology to a sample of shares pertaining exclusively to financial institutions. Even less so to financial institutions exclusively based in the Eurozone. Secondly, to the best of our knowledge, no existing research applied our subdivision between direct and systemic cybersecurity events in a single study. Overall, our study provides empirical evidence on the effect of 14 direct and 3 systemic cyberattacks. These attacks were announced by newspapers between October 2014 and August 2023. This represents an opportunity to update the results of the older event study cybersecurity literature, as well as an opportunity to test the results by more recent studies. The results can also be useful in the interpretation and anticipation of current and future European legislation on cybersecurity. In the case of direct cyberattacks, which explicitly target banks, insurance companies or electronic money institutions, we find that stock prices exhibit negative and significant cumulative abnormal returns. Furthermore, these negative effects become more relevant when considering larger event windows after the attack date. We also divide, in accordance with other studies, direct events between ones that compromise the confidentiality of information and ones that do not. We interestingly find that attacks that do not reveal confidential information have a significant negative effect on their targets. Conversely, cyberattacks that do reveal confidential information held by financial institutions do not have a significant effect on stock prices. Regarding the three systemic events, we find contrasting but interesting results. The breach of a major US bank has an overall negative and significant effect on European companies, in particular the ones based in Italy and Spain. On the other hand, when SolarWinds was discovered to be the vector of a cyberattack on the US Government, no such negative effect was observed. Lastly in the case of the WannaCry ransomware epidemic, we find empirical evidence of negative abnormal returns only for companies based in Germany and Spain

Analysis of cybercrime activity: perceptions from a South African financial bank

Research report submitted to the School of Economic and Business Sciences, University of the Witwatersrand in partial fulfilment of the requirements for the degree of Master of Commerce (Information Systems) by coursework and research. Johannesburg, 28 February 2017.This study is informed by very little empirical research in the field of cybercrime and specifically in the context of South African banks. The study bridges this gap in knowledge by analyzing the cybercrime phenomenon from the perspective of a South African bank. It also provides a sound basis for conducting future studies using a different perspective. In order to achieve this, an interpretive research approach was adopted using a case study in one of the biggest banks in South Africa where cybercrime is currently a topical issue and one that is receiving attention from senior management. Cohen and Felson (1979) Routine Activity Theory was used as a theoretical lens to formulate a conceptual framework which informed the data collection, analysis and synthesis of cybercrime in the selected bank. Primary data was obtained via semistructured interviews. Secondary data was also obtained which allowed for data triangulation. From the perspective of a South African bank, the study concluded that weak security and access controls, poor awareness and user education, prevalent use of the internet, low conviction rates and perceived material gain are the major factors that lead to cybercriminal activity. In order to curb the ever increasing rate of cybercrime, South African banking institutions should consider implementing stronger security and access controls to safeguard customer information, increase user awareness and education, implement effective systems and processes and actively participate in industry wide focus groups. The transnational nature of cybercrime places an onus on all banks in South Africa and other countries to collaborate and define a joint effort to combat the increasing exposure to cybercriminal activity. The use of the Routine Activity Theory provided an avenue to study the cybercrime phenomenon through a different theoretical lens and aided a holistic understanding of the trends and the behavioral attributes contributing to cybercriminal activity that can help South African banks model practical solutions to proactively combat the splurge of cybercrime. Keywords: Cybercrime, internet, crime, computer networks, Routine Activity Theory, South African banks.GR201

Protecting critical infrastructure in the EU: CEPS task force report

2sìCritical infrastructures such as energy, communications, banking, transportation, public government services, information technology etc., are more vital to industrialized economies and now than ever before. At the same time, these infrastructures are becoming increasingly dependent on each other, such that failure of one of them can often propagate and result in domino effects. The emerging challenge of Critical (information) Infrastructure Protection (C(I)IP) has been recognized by nearly all member states of the European Union: politicians are increasingly aware of the threats posed by radical political movements and terrorist attacks, as well as the need to develop better response capacity in case of natural disasters. Responses to these facts have been in line with the available resources and possibilities of each country, so that certain countries are already quite advanced in translating the C(I)IP challenge into measures, whereas others are lagging behind. In the international arena of this policy domain, Europe is still in search of a role to play. Recently, CIIP policy has been integrated in the EU Digital Agenda, which testifies to the growing importance of securing resilient infrastructures for the future. This important and most topical Task Force Report is the result of in-depth discussions between experts from different backgrounds and offers a number of observations and recommendations for a more effective and joined-up European policy response to the protection of critical infrastructure.openopenAndrea Renda; Bernhard HaemmerliRenda, Andrea; Bernhard, Haemmerl

A strategic framework for e-government security: the case in Nigeria

A thesis submitted to the University of Bedfordshire in partial fulfilment of the requirements for the degree of Doctor of PhilosophyCountries across the globe are striving towards full-scale implementation of e-government. One of the issues arising with the efforts to this realization is the assurance of secure transactions while upholding high privacy standards. In order to engage citizens in the process, there must be transparency and confidence that the e-government systems they are using are reliable and will deliver the services with integrity, confidentiality and accountability. Different systems require different levels of security according to the services they provide to their users. This research presents an investigation into reasons why e-government security frameworks developed by researchers with the claim that it is one-size-fits-all issue may not hold true, particularly in the case of Nigeria, based on certain identified realities. The claim of a generalized framework appears very challenging because there seem to be much diversity across different governments. Countries differ in one or more of the following characteristics: political systems, legal systems, economic situation, available technological infrastructure, Internet and PC penetration, availability of skills and human resources, literacy levels, computer literacy levels, level of poverty, leadership, and ethnic diversities in terms of norms, languages, and expertise. Security measures implemented in e-government projects in some developed countries, beginning with more established e-government systems around the world, were evaluated and a strategic framework for e-government security proposed which considers both technical and non-technical factors that involve people, processes and technologies. The framework is proposed to advance the rapid adoption of practices that will guarantee e-government security. It seeks to provide a flexible, repeatable and cost-effective approach to implementing e-government security. This research examines the issues of enclosure in the implementation of e-government from the perspective of security and ultimately survivability