Factors Influencing the Implementation of Information Security Risk Management : A case study of Nigerian Commercial Banks

Aghaunor, Gabriel, Okojie, Bukky E

January 2022

The banking industry is one of the critical infrastructures in any economy. The services rendered by banks are systematically based on innovation, products, and technology to leverage their services. Several associated risks come along with the rendering of these banking services. The protection of critical information assets of any banking organization should be a top priority of the management. They must ensure that adequate provision is made to develop a strong strategy to control, reduce, and mitigate tasks, such as fraud, cyber-attacks, and other forms of cybersecurity exploitations.  Risk management is a series of actions to identify, assess and control threats and vulnerabilities in an organization's capital investment and revenue. These potential risks arise from diverse sources like credit risk, liquidity risk, financial uncertainties, legal actions, technology failures, business strategic management errors, accidental occurrences, and natural disasters.  This research study aimed to investigate the factors influencing the implementation of information security risk management in Nigerian Commercial Banks, using a social-technical system framework to address a fundamental human risk factor, which contributes predominately to the failure in information security risk management. These research was motivated by the fact that Nigerian banking sector is facing serious threats' threat emanate from cyber-attacks. Evidenced by the ever-increasing cyber-attacks, as demonstrated by a total of 1,612 complaints from consumers of financial services over banking fraud and aggressive charges received between July and December 2018 of which 99.38% of these incidences were against the commercial banks. The banks are faced with a lot of vulnerabilities and cybersecurity threats, and most of the attacks that happened within the banking sector are focused on the customers, and employees through phishing and social engineering. These showed weaknesses in information security management within the Nigerian banking industry.  However, the study was guided by the social-technical theory that advocates for overall training to the stakeholders that helps in changing their beliefs and norms about organization of IS security. In order to find out the factors influencing the implementation of information security risks management in respect of Nigerian Commercial Banks, this study evaluated the influence of management support, technical experts support, funding and users’ security awareness to curb the cyber-attacks in Nigerian financial sector. The contribution of this research is expected to lead to the improvement in the financial system, and organizations, where cybersecurity and information security risk management processes are taken seriously, to reduce the high level of information security risk, threats, and vulnerabilities. Nigeria is a developing country, and at the same time fighting to develop a more conducive business investment environment to attract both national and international investors.  A mixed approach research (qualitative and quantitative) method was used to validate this research study. Data collection tools used included interviews and questionnaires. Data analysis was done using the SPSS and logistic regression model.

Information Security Risk Assessment

Qualitative

Quantitative

Management Support

Funding

Technical Experts’ Support

Cyber Security

Banking

ATM

Information Systems

Actions to enhance and support the informationsecurity risk assessment process in corporations / Åtgärder för att förbättra och stödja informationssäkerhetsriskbedömningsprocessen på företag

Karlsson, Karolin

January 2019

Information security is growing in importance as the world becomes more digital, at the same time the importance of usability implementation in software development is also growing. In this study, an evaluation was done on what affects usability and how important usability is in a reporting tool handling information security risk assessment (ISRA). The research question from which the study is based on: What actions can enhance and support the information security risk assessment process in corporations? In order to investigate the research question a study was organized consisting of a survey (N=30) and a think-aloud usability test (N=7). As a part of the analysis process a usability heuristic analysis was performed. According to this study, the ISRA process is complicated and creating a well-functioning supporting tool for it is complex. In order for the tool to facilitate for the users work, usability is an important aspect and should be taken in consideration early in the development process of a tool. Based on the findings in this study actions that can contribute to enhanced usability were discussed. The recommended actions are: 1) Include all types of roles in the ISRA process to determine the purpose of the tool and what it should support. 2) Implement clear guiding information in all parts of the tool, all people involved in the ISRA process should be able to understand the tool. 3) Keep an intuitive flow throughout the tool, the user should intuitively always know what the next step is and what to expect. 4) Have a search function that supports all aspects in the tool. / Informationssäkerheten växer i betydelse i takt med att världen blir mer digital, samtidigt så ökar även betydelsen av implementering av användbarhet i mjukvaruutveckling. I denna studie gjordes en utvärdering av vad som påverkar användbarheten och hur viktigt användbarheten är i ett rapporteringsverktyg som hanterar informationssäkerhetsriskbedömning (ISRB). Den forskningsfråga som studien bygger på: Vilka åtgärder kan förbättra och stödja informationssäkerhetsriskbedömningsprocessen i företag? För att undersöka forskningsfrågan organiserades en studie bestående av en enkätundersökning (N = 30) och ett användbarhetstest med ”Think-Aloud” (N = 7). Som en del av analysprocessen utfördes en användbarhets heuristisks analys. Enligt denna studie är ISRB-processen komplicerad och att skapa ett välfungerande stödjande verktyg för att det är komplext. För att verktyget ska underlätta för användarnas arbete är användbarheten en viktig aspekt och bör tas i beaktning tidigt i utvecklingsprocessen för ett verktyg. Baserat på resultaten i dessa studie så diskuterades åtgärder som kan bidra till ökad användbarhet. De rekommenderade åtgärderna är: 1) Inkludera alla typer av roller i ISRB-processen för att bestämma syftet med verktyget och vad det ska stödja. 2) Implementera tydlig guidande information i alla delar av verktyget, alla personer som är involverade i ISRB-processen ska kunna förstå och använda verktyget. 3) Ha ett intuitivt flöde genom alla delar i verktyget, användaren bör intuitivt alltid veta vad nästa steg är och vad de kan förvänta sig. 4) Har en sökfunktion som stöder alla aspekter i verktyget

Computer and Information Sciences

Data- och informationsvetenskap