D.Comm. (Auditing) / Organisations today are critically dependent on IT to enable business operations and ensure competitiveness in a growing international marketplace. At the same time, IT also introduces significant risks, such as hacking. The board of directors is ultimately responsible for mitigating IT risk as a component of business risk. This task is included in its corporate governance responsibilities, which, in the South African context, is underpinned by the King Code of Corporate Governance. The board of directors also plays a key role in identifying and enabling the most appropriate responses to IT risk, including hacking. This inevitably necessitates greater focus on and understanding of risks such as hacking. The determined and elusive nature of hackers makes them a significant threat to organisations today. Not only are hackers characterised by various profiles and motives, but they are also exceptionally skilled in exploiting weak security practices and software vulnerabilities, with attack techniques which range from non-technical social engineering to advanced technical attacks and exploits. Hackers are role-players in cybercrime and cyber warfare, as is evident from the media and information security survey results explored in this thesis, in particular within the banking sector, which is the financial backbone of the country. It is for this reason that the South African banking sector has been selected as the target population for this study. This study considers the meaning and nature of hacking, viewing it as either a risk or an event, which requires preventative or detective responses. The effect of hacking on business risks is explored next by identifying common business risks and common IT risks themes, where after the fundamental links between hacking and the IT risk themes are established. This study further argues that business risks are increased by IT risks, which implies that, by indirect association, business risks are increased by hacking. A response to this threat is required, in particular from a governance perspective, with the board of directors playing a fundamental role in supporting the appropriate responses. This study explores the advantages and disadvantages of various responses to hacking, highlighting the point that most traditional responses are not effective enough in fully mitigating the hacking threat. It is argued that ethical hacking is an effective response to the threat of hacking. The nature of ethical hacking is explored, including its objectives, motivation, advantages and disadvantages. The multi-faceted nature of the ethical hacking response is also considered. In order to explore the risks and responses to hacking in the banking sector in South Africa, an analysis of annual reports was conducted and two questionnaires were administered. The analysis of the annual reports of the 16 locally registered banks in South Africa highlighted differences in disclosure practices around IT risk, IT governance and hacking. This was followed by empirical testing in the local banking sector, by using a mixed-method approach in order to solicit mostly quantitative, but also qualitative, responses from company secretaries and individuals responsible for IT at the 16 locally registered banks. The results of the questionnaires indicated that the board of directors is not fully embracing its IT governance responsibilities and that IT matters are mostly dealt with by risk management committees at board level or IT steering committees at executive management level. The effect of IT risks on business risks such as human resource risk and physical risk is underestimated. Respondents were unclear about the effect of hacking on IT risks, such as IT human resource risk and lack of software development. The local banking sector is not fully aware of how hacking can affect organisations, and banks are not making enough use of ethical hacking as a response to the hacker threat. This is the first study of its kind to explore ethical hacking in the context of governance responses. The study breaks new ground by providing a unique in-depth analysis of the link between business risk, IT risk and hacking. It is also the first study into the various responses to hacking in the SA banking sector and will assist not only the banking industry but business at large in defining appropriate preventative and detective responses to hacking.
| Identifer | oai:union.ndltd.org:netd.ac.za/oai:union.ndltd.org:uj/uj:7752 |
| Date | 20 November 2013 |
| Creators | Roos, Christiaan J. |
| Source Sets | South African National ETD Portal |
| Detected Language | English |
| Type | Thesis |
| Rights | University of Johannesburg |
Page generated in 0.002 seconds