1. Introduction
Modern economies are highly reliant on the banking industry, a fact amply demonstrated by the 2008 worldwide financial crash, so maintaining effective information security in banks is critical. Indeed, Raytheon/Websense (2015) concludes that a cyber-crisis at one or more banks could result in financial catastrophe, not only for customers and banks but also for a country’s financial system as a whole.
Consequently, a bank which fails to protect its information systems not only loses its competitive advantage but also threatens its existence (Von Solms et al., 2011). Ultimately, the success of a bank can depend on its ability to manage its information security and provide secure services (Ula et al., 2011), and it is hardly surprising, therefore, that 80 per cent of leaders in the financial services sector cite cyber risks as a top concern (Travelers, 2015).
Moreover, the threats that banks face are amplified by customers’ expectations. Customers want to interact easily, yet securely, with their bank in real time through an increasing range of mobile services. The expansion of these services increases the attack surface and the consequent security threats; the number and complexity of attacks, and the resultant losses, are increasing rapidly. In 2012, between £48 million and £1.5 billion was stolen from thousands of bank accounts across Europe, the USA and Latin America (Wilson, 2013). Kaspersky Lab (2015) revealed that cyber-attackers targeted up to 100 banks, e-payment systems and other financial institutions in around 30 countries, stealing $1 billion within two years. A sophisticated cyber-attack on JPMorgan Chase & Co compromised information of 76 million households and 7 million small businesses (Weise, 2014). Banks (and their customers) are a prime target for cyber-criminals: one UK bank reports over 1,000 attacks per day[1], and, most significantly, Raytheon/Websense (2015) reports that financial services companies encounter security incidents 300 per cent more frequently than other industries.
It is, therefore, essential to understand the risks in this industry and to implement effective controls. The ISO27000 series of International Standards represents current “best practice” for defining, auditing and managing an information security management system (ISMS) in a systematic way. It relies on a top-down approach: identifying assets, the risks to those assets and suitable controls. Whilst this mechanistic approach can certainly...