Managing Information Security Risks in Global Financial Institutions - Research Proposal Example

Summary
The paper "Managing Information Security Risks in Global Financial Institutions" discusses that the study will present a brief discussion of the financial industry. The risk associated with undertaking transactions on the Internet will also be underlined…

Extract of sample "Managing Information Security Risks in Global Financial Institutions"

Managing information security risks in global financial institutions

1- Abstract:

Objective: The research objective is to identify the information security threat to contemporary global financial organisations. This is a multi-layered threat that can have both direct (e.g. operational) and indirect (e.g. reputational) impact. This analysis can bring to light the significance of establishing a management framework. An analysis and comparison of the existing frameworks and potential synergies will follow, in order to showcase the tools readily available for corporations to use in managing the risk. Regulatory requirements that have appeared over the last few years have complicated the risk management effort, since these regulations did not stem directly from information security but rather from other areas interacting with IT, such as finance and legal. The information security requirements that these frameworks impose will be researched, and an attempt will be made to assign them to the general categories of information security risks, in order to facilitate easier management.

Methods: We performed multiple literature searches on several areas of pertinent research and undertook interviews and a survey questionnaire in order to get the most relevant and up-to-date information.

Results: “Achieving information security is extremely complicated and requires the combination of technical resources and management procedures. A specific balance needs to be achieved, which will provide the required protection to counter the various risks facing any online financial institutions and, in general, any Internet-based businesses venture.” (Chaturvedi et al.)

2- Introduction:

With the passing of time, the importance of information security is increasing manifold, especially for financial institutions.
In order to respond to the increasing concerns regarding information security, regulatory bodies all over the world are preparing various regulatory initiatives and sets of rules. Financial institutions are required to solve the problem on both fronts: potential security threats and regulations regarding information security. With increasing awareness and concern from customers, financial institutions are required to disclose information on a larger scale, while at the same time the security of information is an important concern. Most of the companies are offshoring their operations in order to reduce costs. This not only increases the concerns of the consumer but also increases the need for financial institutions to provide information in order to open themselves up to customers and partners for revenue growth. The study will offer suggestions on how an organisation can balance its stakeholder demands while managing the cost of security solutions to prevent IT attacks. It is not easy to find a solution to the stated problems. This study is an attempt on behalf of financial institutions all over the world; the findings and results may not match the current trend of financial information security practices, but some practical suggestions will be presented. I hope that the readers and the concerned people will find this information useful and that it helps establish organisational direction for a very complex issue.

3- Relation to previous research:

In setting up a Web server and connecting it to the Internet, a company runs the risk of eavesdropping, intrusion, theft of data, even alteration of data. Full responsibility for controlling these threats falls on the company. Compounding the problem is that the culture of the Internet (openness, ease of access, lack of controls) so easily penetrates the companies connected to the Internet (Stallings & Slyke, 1998).
According to Stallings & Slyke (1998), the requirements of security are best assessed by examining the various security threats faced by an organisation. These threats can be divided into two main categories. Passive threats include attempts by an attacker to obtain information relating to a communication. The other category comprises a variety of active threats. These involve some modification of the transmitted data or the creation of false transmissions.

Wilson (2003) addresses the technical issues. The technical standards address access, authentication, authorisation, auditing, integrity and the transmission of sensitive data. According to Wilson, the following questions need to be taken into consideration: Who gets access to data? How do you know that those with access are who they say they are? Do they have the appropriate level of authorisation? Are you keeping track of who does what and when? Do you have assurance of data integrity? When you transmit data over an electronic communications network, can anyone else get access to it? Are other parties (partners and other health organisations with which you share information) in compliance? (Wilson, 2003)

Researchers at Purdue University have suggested that putting a new security policy into action is not the final stage. Management should assess it, scrutinise it and make sure that every new control has been put into place to ensure that the organisation can react appropriately to any possible unexpected incidents or illegal intrusions. This assessment should be constantly repeated and the security policy updated in order to maintain protection (Chaturvedi et al.).

The questions that need to be answered while undertaking the study are as follows: What is information security risk? What are the regulatory requirements for global financial institutions? How does information security risk affect financial institutions? What are the confidentiality risks?
What are the availability risks? What are the integrity risks?

Regulatory requirements and their impact on information security risk and control for global financial institutions: How can information security risks be managed? What are the available information security risk management frameworks? What are the enablers of using some of the established frameworks? How does a global financial institution select a framework? What are the main difficulties faced by a global?

Study of information security management framework implementations: What implementation techniques can be applied? How can an organisation align its business-as-usual processes to processes that are information security risk averse?

4- Proposed methods:

The methodology of this study will be based upon the interviews and questionnaires obtained by the author through contacting employees at different financial institutions. The first step is to identify the necessary variables that would make up the study.

Locale of the Study: The study would be mainly based upon the accessibility of the Internet sites that are available for visiting through the web. In this regard, it would be reasonable to refer to cyberspace as the main domain of the study. The web sites providing information regarding the management of information security in financial institutions are the ones to be used for the completion of this research study.

Respondents: The respondents for this study are employees of different financial companies, designated at different posts. To be able to reach the respondents, the author of this paper will try to create e-mail messages that will first prompt the providers of the Internet information. The electronic interview forms will be sent to the employees and the managers of the financial institutions. The names of the interviewees will be kept hidden for the sake of secrecy and confidentiality.
Sampling Procedure: Since the results of the study are based merely upon the results given through e-mail response, the sampling procedure is simply dependent upon those who are able to comply with the survey requirements. Hence, the only sample population involved in this manner is the manager representatives. This way the author is able to narrow down the results more easily than by handling a sample population from a bigger scope of computations. The results are based merely upon the journals done by other researchers and their comparison with the results of this study’s completion.

The Variables: The questionnaires are expected to give exact results regarding the satisfaction that the consumers or the clients receive from the provided services. This way, the variables, which include the satisfaction level of the client and the performance capabilities of the online financial institutions providing the services, are to be evaluated through the questionnaire and interview results.

Research Design: The design to be used for this research, as mentioned earlier, would be the utilisation of survey and interview questions in an electronic form which were sent to the respondents a couple of days before the formal computation of the results. We will conduct a cross-sectional design, which “entails the collection of data on more than one case and at a single point in time in order to collect a body of quantitative or quantifiable data in connection with two or more variables” (Bryman & Bell 2003:48). This research design is applicable to this study and would be able to provide the necessary details for the completion of the research. The reason behind this is the fact that the respondents themselves are capable of giving the necessary answers for the data needed in this case. Hence, the results of the study are expected to give accurate details for the research procedure.
Research Instruments: The questionnaire will include different questions regarding the perceptions of employees of the importance of the management of information security in improving the reputation and credibility of financial institutions.

5- Reflections:

The lack of literature so far concerning the disclosure of risk in annual reports might represent a major obstacle. Another limitation might be lack of time. The researcher will follow a hybrid approach in data collection, which will include interviews and questionnaires. Collecting data through these methods, analysing and demonstrating them is time consuming and the researcher does not have much time. There might be challenges in gaining access to the relevant information required within the companies I intend to research. Confidentiality has been a barrier for researchers. It is required to reassure the firm that all data and information collected will be treated in the strictest confidence. In order to increase the response rate, a personalised covering letter, reminders and some incentives would be used (McGivern, 2006).

Two kinds of errors are generally associated with sampling: a sampling error and a non-sampling error. The sampling error measures the precision of a sample result. It refers to how closely we can reproduce from a sample the results which would be obtained if we had a complete count or a census, using the same method of measurement, questionnaire, interview procedures, type of enumerators, supervision, etc. In other words, the sampling error is the difference between a population value (parameter) and the corresponding sample value (statistic). The non-sampling error arises due to a faulty questionnaire, error in measurement, confused interviewing, inefficient supervision, etc. This error is not measurable but can be controlled by careful design of the questionnaire, proper training of interviewers and vigilant supervision.
There are other factors that have to be taken into account, for example, the email addresses of the target population and some technical issues such as firewall set-up, bandwidth and operating system. We also have to ensure the layout of the questionnaires, which should look good, be easy to fill in and be easy to download.

6- Conclusion:

The proposed study is to examine the role different factors play in managing information security at financial institutions. The research will underline the overall effects of regulatory bodies' policies on the information security of financial institutions. It will also provide analysis of the factors which lead to the successful implementation of information security at financial institutions. Evidence of a decrease in the profit margin of the company and of increased operating costs due to the regulations will also be examined. The study will also present a brief discussion of the financial industry. The risk associated with undertaking transactions on the Internet will also be underlined. The importance of a security policy will also be discussed while keeping in consideration the critical factors of security policy implementation. Although the research is in its initial stages in terms of development and testing, the study will be an important contribution to the information security studies undertaken so far, as it will evaluate the information security policies at financial institutions from both regulatory and changing business environment perspectives.

Time table:

The research will be finished in three months starting on 1st April and ending on 1st July. In the following month, you would carry out the plan and you hope that some improvement would be made on Christmas holiday in particular. We think that the earlier the research finishes the better, so that you could take action earlier.
Time table

Week     Tasks
1        Project start meeting, identification of research problem
2        Research design
3        Interview preparation
4        Start interview
5        Interview in process
6        Design and agree questionnaires
7        Identify respondents' email addresses and send questionnaires
8-9      Analysis of interview data and write up
10-11    Questionnaires analysis
12-13    Prepare final report, informal discussion of findings
13-14    Delivery of summary report and presentation, follow-up queries

References:

Bryman, A. and Bell, E. (2003). Business Research Methods. 1st ed. Oxford.

Donald r.

Chaturvedi, A., Gupta, M., Mehta, S., Valeri, L. Fighting the Wily Hacker: Modeling Information Security Issues for Online Financial Institutions Using the SEAS Environment. Available at http://www.isoc.org/inet2000/cdproceedings/7a/7a_4.htm#s2

McGivern, Yvonne (2006). The Practice of Market and Social Research. 2nd ed. Prentice Hall.

Stallings, W. & Slyke, Richard V. (1998). Business Data Communications. 3rd ed. Prentice Hall.

Wilson, Marcia J. (2003). How to ensure security compliance with HIPAA. Computerworld, May 01, 2003. Available at http://www.computerworld.com/securitytopics/security/story/0,10801,80812,00.html