The Value of Information Security to European Banking Institutions

superfluitysmackoverSecurity

Feb 23, 2014








Study: The Value of Information Security to European Banking Institutions
No part of this publication may be copied, reproduced or distributed in any form without express written permission from Detecon (Schweiz) AG.

Published by Detecon (Schweiz) AG, Löwenstrasse 1, CH-8001 Zurich.




Table of Contents

Introduction .......... 4
Management Summary .......... 5
Theoretical Background: The IFCS/EFCS Theory .......... 7
Methodology .......... 8
    Online Customer Survey .......... 8
    Interviews with European Banking Institutions .......... 10
Ten Key Findings and Results: Perspectives of Online Banking Customers and Banking Institutions .......... 11
Recommendations on How to Create Value through Information Security for European Banking Institutions .......... 25
    General Recommendations for European Banking Institutions .......... 25
        Discourse 1: "Security Expectations of eBanking Users" .......... 25
        Discourse 2: "Who's Responsible? The Paradox of Control and Responsibility for Internet Banking Security" .......... 27
        Discourse 3: "Concepts Addressing Current Threats on European eBanking" .......... 28
    Differences among European Countries and Country-Specific Recommendations .......... 31
Authors .......... 32
Literature .......... 34














Introduction


In recent years, the overwhelming possibilities of the internet have become increasingly interesting for banks, as it opened up a new customer interface. At the same time, the potential of the internet does not seem to have been fully exploited yet.[1] In many cases the use of the internet is a possibility to offer modern and customer-oriented banking services and to save costs. Nevertheless, its successful usage is also a question of competitiveness.


New threats have emerged with this new technology and its broad use.[2] If banking institutions want to profit from its high potential, they have to meet the challenges of these new security threats.[3] We see a new class of fraudsters with a broad spectrum of fraudulent methods and ideas. The banking sector is therefore in need of new security strategies and measures.


Not only the bank but also its customers who want to profit from online banking services are forced to cope with these security threats. Specifically on client PCs, the bank has little to no possibility to enforce its standards. Our study deals with the question whether the customer accepts responsibility for his/her client PC and how this responsibility is related to his/her willingness to pay for a higher security level. Recently, legislation has started to embrace the issue of responsibility and to enforce responsibility on the customer.[4] If such responsibility is accepted by the customers, it is important to investigate what risks customers perceive in online banking and to address and invest in appropriate services and products.


The study examines key questions on customer trust, reputational damage, responsibility and the potential of security products on the market in a unique study set-up. This study provides banking institutions with the customer perspective of five European countries, analysed by an international expert panel of three research partners.


Our analysis and recommendations address senior managers in European banking institutions. The study provides valuable information and insights into online banking security products for customers in the retail and private banking sector.


Special thanks go to the participating organisations and our interview partners for providing us with their specific insights and experience. We appreciate that our request has sparked interest among banking institutions, and we believe that this study is of high relevance for them and their customers.


We would also like to thank our research partners Dr Jonathan Liebenau and Patrik Kärrberg from the London School of Economics, Prof Dr Bernhard Hämmerli from the Lucerne University of Applied Science and Prof Dr Reinhard Posch from the Graz University of Technology. Their expertise, academic perspective and great efforts were of essential value to this study.


Laura Georg & Christian Frefel

Detecon (Schweiz) AG




[1] Cf. Curtis, Jeffrey et al., Quantifying the financial impact of IT security breaches, 2003, p. 74. According to data by the Schweizerisches Bundesamt für Statistik (Federal Statistic Office Switzerland) in 2007, only 35% of all Swiss internet users are using online banking (cf. the survey Internetnutzung Schweiz 2007).

[2] Cf. Bundesamt für Sicherheit in der Informationstechnik, Lagebericht 2008, 2008, p. 2.

[3] Cf. Liebenau, Jonathan and Kärrberg, Patrik, International Perspectives on Information Security Practices, 2006, p. 4.

[4] According to a court decision in December 2007 by the Higher Regional Court of Köln, an average banking customer using online banking has to make sure that a firewall and an updated antivirus program are installed on his/her PC. Cf. <http://www.justiz.nrw.de/nrwe/lgs/koeln/lg_koeln/j2007/9_S_195_07urteil20071205.html>, visited on October 27, 2009.






Management Summary


Methodology


The survey was carried out among 384 banking customers to investigate the customer perspective on online banking security. In addition, we matched these results with 18 interviews among senior security managers at European banking institutions originating from Austria, France, Germany, Switzerland, the Netherlands and the United Kingdom.


We differentiated the groups of survey participants by focussing on country-specific particularities, but we also addressed the issues of gender differences, differences by age and particularities of private banking customers where they were significant and relevant.


When discussing the major study findings, we match the customers' view with the findings of the expert interviews, taking the view of the banking institutions into account. Overall, the interviews were a valuable indicator for us, showing which issues in the bank-customer relationship are of interest to the banking business.


Ten Key Findings




Finding 1: Security considerations are a significant factor in the decision making process for the choice of bank by customers.


Finding 2: A considerable number of European banking customers see a medium to high risk that an unauthorised person can access their bank account.


Finding 3: In case of major security accidents, 76% of customers declared they would switch their bank account to another banking institution.


Finding 4: Customers want to be (better) informed about security measures taken by the bank, and awareness will further increase according to banking security professionals.


Finding 5: Most customers consider internal fraud as unlikely, but distrust technology used for online banking.


Finding 6: Security concerns are a central argument for not using online banking.



Finding 7: A large majority of banking customers perceive security to be within their own responsibility. They expect their bank to compensate losses due to security breaches only if these are not caused by their own carelessness.


Finding 8: Regarding security products:

- biometric authentication methods polarise,
- mobile TAN, where launched on the market, is a preferred solution and is considered safer than others, and
- safeguarding sensitive customer data at the bank was found to be an interesting option for an innovative security product.


Finding 9: Customers consider it most important to be able to use all online banking services offered, enabling ubiquitous online banking access. Transaction limits are accepted by the banking customers and were found to be part of a major trend towards more flexible contracts, according to expert interviews.


Finding 10: In contrast to the answers of our banking interview partners, customers perceive online banking to have become more secure in the past five years. Experts refer to an ongoing trend of professionalisation among internet criminals.


General Recommendations for Banking Institutions


General Recommendation 1: Be aware that security has an impact on customer retention and satisfaction; hence it is a value-adding factor for your organisation.


General Recommendation 2: Consider your customers' willingness to care for security and their need for information: customers feel responsible for their device and are willing to investigate and invest in security. A majority of banking customers consider online banking as insecure because of a perceived lack of technical knowledge.


General Recommendation 3: Regarding security products, check the possibilities of offering products and services using biometric solutions. The customer survey results show that these would be interesting optional products for your offering portfolio. Finally, use the bank's image as a protective institution: the storage of sensitive customer data can be a profitable innovative product.




Theoretical Background: The IFCS/EFCS Theory


The quantitative analysis is based on a former qualitative study developing the theory of an internal and an external function of corporate security (IFCS/EFCS theory).[5] The theory adds a new dimension to previous studies on information security governance,[6] describing the need for a differentiation between a traditional internal function of information security, which is focused on information legally owned by the organisation, and an external function, which deals with customer data available through a technical interface between the customers and the organisation. Investigations show that persons in charge of security care primarily for current technical possibilities and future technical innovations. The external perspective showed to be of much lower importance for them. However, further research results provided evidence that customers who feel responsible for their technical devices are willing to make efforts to improve information security when using, for example, the internet for e-services. In its projects, Detecon could consult organisations on how to add value and increase their competitiveness when offering security products especially designed for their customers, in this area of the external function of corporate security.













[5] Cf. Georg, Laura, The Function of Corporate Security within Large Organisations: The Interrelationship between Information Security and Business Strategy, Université de Genève, Geneva, 2007.

[6] Cf. Coles, Robert and Moulton, Rolf, Operationalizing IT risk management, 2003, p. 491; cf. Birchall, David et al., Information assurance: Strategic alignment and competitive advantage, 2004, pp. 3.

Figure 1: The IFCS/EFCS model. (Diagram. External Corporate Environment: Investors (Corporate Responsibility; Integrity of Information) and Customers (Data privacy; Availability of E-Services). Internal Corporate Environment: Risk Management (Risk Assessment; Cost/Benefit Analysis; Risk Mitigation), IT & Behavior (Implementation & enforcement of functional, technical & procedural security measures; Formal & informal measures, e.g. Security Policy, trainings) and Compliance/Standardization/Certification (Systematic assurance of the confidentiality, integrity, availability of information; Automation of assurance processes), linked by Strategic Alignment.)



Methodology


Online Customer Survey


384 banking customers from Austria, Germany, France, Switzerland, the United Kingdom and the Netherlands participated in the study. The questionnaire was developed by Detecon (Schweiz) AG in conjunction with researchers from the Lucerne University of Applied Science, the Graz University of Technology and the London School of Economics. The questionnaire was online for 6 weeks from November until December 2008. It consisted of 35 questions, of which a maximum of 29 questions had to be answered by every participant. In order to take specific market particularities into account, there were some country-specific questions (e.g. regarding the fact that one-factor authentication for online banking[7] is rarely used in Switzerland but quite frequently in other European countries).



Sample: Demographic Factors













































[7] A one-factor method uses only a password to identify the online banking user.

Figure 2: Distribution by country (pie chart; segments: Austria, Germany, Switzerland, other countries).

Figure 3: Distribution by age (age groups: under 20, 20-35, 35-50, 50-65, over 65; shown for Austria, Germany, Switzerland, other countries and the average).



















Analysing the distribution of age, gender and income, our sample is a good approximation of the overall distribution of internet users.[8]

We calculated quantitatively significant numbers (dependent on the respective sub-group in focus) beforehand in order to ensure the quality of answers and statements given.[9] These calculations were based on results by Bartlett et al. (2001). In our study the respective critical numbers could be achieved for those groups for which we provide an analysis of research results and recommendations.

Statements about specific groups were found to be significant, and the influence of all other known variables was statistically controlled.

Furthermore, cross-checks were conducted in order to assure the reliability of results.

Example:

Question 16: Do you expect your bank to compensate a loss which occurred A) due to a missing updated antivirus program on the user's PC or B) due to a phishing* attack?

Question 21: If you access the internet via a public wireless network, e.g. at an airport, a railroad station or in an internet café, you are often exposed to higher security risks. Do you expect your bank to compensate losses that were facilitated due to such higher risks?

Answers to Question 21 (rows) cross-tabulated with answers to Question 16 (columns):

Question 16 answer columns: (a) I expect full compensation; (b) I expect compensation, but the compensation's amount should depend on the measures taken by the bank and the customer's degree of carefulness; (c) No; (d) I don't know/Not applicable.

Question 21 answer              (a)    (b)    (c)    (d)
Yes                             15%    16%    1%     0%
No                              7%     31%    16%    1%
I don't know/Not applicable     3%     7%     2%     1%





[8] Cf. the respective data for Switzerland by Net-Metrix AG and the Schweizerisches Bundesamt für Statistik (Federal Statistic Office Switzerland) (Net-Metrix-Base 2008-I). We expect that this distribution can be generalized across the other involved countries without significant bias.

[9] Cf. Bartlett, James E. et al., Organizational Research: Determining Appropriate Sample Size in Survey Research, Information Technology, Learning, and Performance Journal, Vol. 19, No. 1, 2001, pp. 43-50.




This example shows that participants answered independent questions consistently.

Figure 4: Distribution by income.
- 45%: Less than £3000 / 4000 Euro / CHF 6000
- 22%: £3000-5000 / 4000-6500 Euro / CHF 6000-10000
- 14%: £5000-7500 / 6500-10000 Euro / CHF 10000-15000
- 6%: More than £7500 / 10000 Euro / CHF 15000
- 13%: Don't know/Not available



Interviews with European Banking Institutions



17 semi-structured interviews with representatives of banking institutions and one interview with a representative of an organisation providing online banking systems for several regional and local banking institutions were conducted. Matching the questions developed for online banking customers, a catalogue of questions was developed with our research partners in order to create an inside-out and outside-in perspective for the participating banking institutions in our study.























All of our interview partners were in a leading position in the area of information security at their institution. Some of our interview partners from smaller banks were responsible for the overall IT department, whereas in larger banks the responsibility for information security is often highly diversified and divided into regionally or functionally organised units. There were often two experts taking part, one interviewee being in charge of information security and the other being in a position directly related to the online banking business.














In case of questions on specific research data, the question catalogue or the methodology, please don't hesitate to contact us by calling +41 43 888 6500 or by sending an e-mail to information.security@detecon.com.


Figure 5: The chart shows where the participating organisations are based: Switzerland 9, Austria 4, Germany 2, France 1, United Kingdom 1, Netherlands 1.



Ten Key Findings and Results: Perspectives of Online Banking Customers and Banking Institutions



Finding 1: Security considerations are a significant factor in the decision making process for the choice of bank by customers.


Information security is an important factor in the customer's choice of a banking institution: overall, almost half of the online survey participants said that security considerations with respect to online banking play a "very important" or "rather important" role in their choice of a bank (Figure 6).

Analysing participant sub-groups, the survey showed that these considerations are a particular competitive factor among participants who are more than 50 years old: 60% of this group chose "very important" or "rather important".




















Matching this result with the answers of our interview partners at European banking institutions revealed a difference in perception. The questioned information security professionals stated that they believe most customers do not differentiate between the security performance and services of the banking institutes, as long as security is not an issue in the media or public discussion. However, the results of our survey among online banking customers show that they take a better performance in security, and hence a better reputation, into account. Even if discussions about security breaches were not public, a banking institute could consequently profit from improving the visibility of its security measures to the customer.


Figure 6: Importance of security for the selection of a certain bank over another (pie chart; categories: very important, rather important, rather less important, not important).



Finding 2: A considerable number of European banking customers see a medium to high risk that an unauthorised person can access their bank account.


In total, 46% of study participants judge the probability that an unauthorised person can view their online banking data to be "medium", "high" or even "very high" (Figure 7).

Divided by countries, more than half of Swiss and German banking customers consider the risk that an unauthorised person can view their data as likely. Only 33% of the participants living in Austria stated to have similar concerns.

Overall, fewer customers stated that the probability that an unauthorised person can actually manipulate their data is as likely. Here, almost half of the participants living in Austria answered this question with "very low".






























Analysing Figure 7, banking institutions seem to face a sceptical customer base. Banks should therefore address this issue, not only because security is an important part of the bank's overall image, but also because not every customer has confidence in the current security level. Facing such mistrust, banking institutions will find it difficult to tolerate such opinions or the reputation of having an insecure online banking system. Hence, the status quo is clearly not seen as optimal from a bank's point of view, leaving some space for banks to act on the uncertainty of their customers.

Figure 7: Perceived probability that an unauthorised person can view a customer's account information (the account balance, the receipts and outgoings) due to security deficits of the online banking system.

Overall (pie chart): very low and low 32% and 22%, medium 34%, high 9%, very high 3%.

By country:

                    Very low   Low    Medium   High   Very high
D (Germany)         15%        33%    38%      10%    4%
A (Austria)         28%        39%    26%      6%     1%
CH (Switzerland)    28%        21%    39%      9%     3%
Other countries     22%        28%    36%      10%    4%



Finding 3: In case of major security accidents, 76% of customers declared they would switch their bank account to another banking institution.


Although interview partners from banking institutions expressed their belief that customers avoid the effort of changing banks, customers showed a clear reaction to the reputational damage and potential hassle connected to security breaches (e.g. publication of their account balance etc.). Three quarters of the survey participants declared they would switch to another bank if they heard about frequent problems concerning the confidentiality of their data.

Analysing again the sub-groups of our study, this distribution is true for participants in all involved countries. Differences could be noticed among customers older than 50 years, who are more likely to switch to another bank than customers that are younger than 36 years (87% vs. 73% in Figure 8).

This result is consistent with Finding 1, i.e. the fact that the topic of security has a significant influence on the customers' decision for or against a certain banking institute, even if no visible security breaches occur. These two findings indicate that the topic of security can strongly influence customer behaviour.

















Figure 8: Intention of changing the bank in cases of security breaches (lacking confidentiality). Would change the bank: all participants 76%, participants younger than 36 years 73%, participants older than 50 years 87%; the remaining shares in each group are "would not change the bank" and "I don't know/Not applicable".



Finding 4: Customers want to be (better) informed about security measures taken by the bank, and awareness will even increase further according to banking security professionals.


How can a bank improve customer satisfaction regarding security, and how should it deal with security breaches? As mentioned before (cp. Finding 1), banks could profit from improving the visibility of their security measures: communication can be an important factor.

Overall, 57% of the participants want to be better informed about security measures taken by the bank, and 59% are interested in security rankings among banks carried out e.g. by a scientific journal.

This is especially true for

- customers older than 50 years (80%) and
- customers who stated that security considerations were "very important" or "important" in their decision for their bank over another (70%)

(Figure 9).

In comparison, significantly less interest in security rankings among banks was found in the group of participants having an account at a private bank (Figure 9). According to results from our interviews with private banks, this might be a result of a more stable customer relationship management in this segment.































Figure 9: Interest in information about security measures and security rankings among banking institutions (bubble chart; x-axis: want to be better informed about security measures, y-axis: are interested in security rankings among banks, both from 0% to 100%; the size of the circle indicates the size of the customer segment). Segments shown: all participants; participants older than 50 years; participants with a private bank account; participants who consider security to be a "very important" or "important" factor in their decision for their bank over another.

Moving away from the customer's interest, we analysed customer preference for information methods. 47% of those who want to be better informed about security measures stated that they would like to receive free periodic e-mails from their bank with security information. However, since this is not a majority, banks might find better ways, such as publishing information on their website, to approach this specific customer group.


73% of participants are interested in security guidelines demanded of their bank by law, of which 26% are additionally interested in further guidelines implemented by their bank on a voluntary basis.

Since all interview partners expect the security awareness of their customers to increase in the next years, a growing need for information on this topic can be expected. Discourse 1 (cp. page 29) analyses this finding when discussing an increase of awareness in connection with the current financial crisis.






Finding 5: Most customers consider internal fraud as unlikely, but distrust technology used for online banking.


What threats should security "measures" address in the eyes of the customer?

Asked about the biggest threat when using online banking, two groups of customers were identified:

- For 45% of participants, their lack of technical knowledge and their carelessness is the biggest threat in online banking. Error-prone technology was ranked second in this group.
- In a second group of study participants (26%), the lacking technical knowledge and carelessness were judged to be least likely, but concerns about the technology itself to be most important.

This led to the overall result of technical failures being perceived on average as the biggest information security threat (Figure 10).






























Going into further detail, we analysed the customers' concerns about online banking technology. Encryption, i.e. the transport of online data, was not found to be critical: 94% of the participants said that they "trust" or "rather trust" the data encryption used. Authentication methods as the second source of technical insecurity will be discussed in Finding 8.

A geographical analysis put the focus on customers living in the United Kingdom: 70% of this group named internal fraud as the biggest or second biggest threat in online banking.




Figure 10: Ranking of perceived security threats. The higher the average ranking value is, the bigger is the perceived threat. Average ranking values (scale 0.0 to 3.0): error-prone technology 2.87; own lack of knowledge or carelessness 2.72; misconfiguration of the bank's internal processes 2.41; inattentive or fraudulent behaviour of the bank's employees 1.97. The chart also shows the share of participants who chose each item as the biggest threat (own lack of knowledge or carelessness: 45%).



Finding 6: Security concerns are a central argument for not using online banking.


Among all participants who don't use online banking, a large majority of 82% stated that security concerns were a reason for it. Asked about their reasons for not using online banking, "insufficient technical security measures taken by the bank" were named most, followed by concerns about security breaches caused by bank employees (2nd); concerns about the customer's own careless behaviour causing a security breach came last (3rd) (Figure 11).
















The difference in security concerns compared to online banking users (cp. Finding 5) has its origins in a higher mistrust in the banking institution's ability to safeguard the customer's data through technical security measures, but also in breaches caused by the bank's employees. Own careless behaviour comes surprisingly last. Analysing these answers, and in order to meet customers' expectations, banking institutions need to address these concerns. Given that the percentage of online banking accounts was lower than 50% in all interviewed banking institutions, a successful increase of this percentage could hence create added value for the bank.

























Figure 11: Reasons for the security concerns (stacked bars with the shares of "does not apply", "rather does not apply", "rather applies" and "applies" for three reasons: concerns about insufficient technical security measures taken by the bank; concerns about security breaches caused by bank employees; concerns about the own careless behaviour).



Finding 7: A large majority of banking customers perceive security to be within their own responsibility. They expect their bank to compensate losses due to security breaches only if these are not caused by their own carelessness.


Customers share the responsibility for security with the bank: three quarters of all participants said that they feel "primarily" responsible for the customer PC's security regarding online banking, or that the responsibility is rather on their own than on the bank's side. Only a small minority said that it is "primarily the bank" that is responsible for the security of the customer's PC.

We noticed significant differences to the average results for participants living in the UK: 42% of this group stated that "primarily the bank" or "rather the bank" is responsible for the customers' PCs' security (Figure 12).


























Analysing customer groups sorted by the answers given, the following interesting findings emerged.

Those participants who perceive security primarily to be within their own responsibility are significantly less likely to ask their bank to compensate losses due to a phishing attack or a missing updated anti-virus program than those who perceive security to be primarily within the bank’s responsibility. Most participants of this first group expect compensation depending on the bank’s judgement of the customer’s degree of carefulness, and one third expects no compensation at all.

The analysis of a related question [10] confirmed this observed correlation between perceived responsibility and expected compensation of losses: if someone feels responsible for security, he/she will rather acknowledge that using a public wireless network leads to an increased risk. He/she would then not expect compensation, having accepted that risk (Figure 13).

[10] Question 21: “If you access the internet via a public wireless network, e.g. at an airport, a railroad station or in an internet café, you are often exposed to higher security risks. Do you expect your bank to compensate losses that were facilitated due to such higher risks?”
When analysing demographic factors, differences between genders could be observed among those who don’t expect compensation at all in the phishing attack/missing anti-virus program case: 23% of the male participants answered that they don’t expect compensation, whereas only 8% of female participants answered the same.

These findings can be of assistance if specific customer groups are to be addressed by the banking institution, particularly when communicating information on security compensation, responsibility or restrictions.
Finding 8: Regarding security products: biometric authentication methods polarise, mobile TAN, where launched on the market, is a preferred solution, and safeguarding sensitive customer data at the bank was found to be an interesting option for an innovative security product.

In our questions to our interview partners at European banking institutions as well as in our questionnaire to European banking customers, we compared several authentication methods with each other [11]. From a customer’s point of view, overall the smart card method with PIN is the most popular method (cp. Figure 14), with the highest percentage of participants saying that they prefer this method the “most” and only 3% saying that they prefer it the “least”. This holds among participants of all involved countries and especially for younger people. The smart card method is followed by the TAN method (in its conventional form) [12] and the biometric method with PIN [13], which are almost equally well liked.

Fewer people prefer mobile TAN (mTAN) [14], except in Austria, where this method seems to be more popular than biometric methods and almost equally well liked as the otherwise favoured smart card method.

Biometric methods polarise by being at the same time the most and the least preferred authentication methods:
[11] Three of these methods, namely PIN/smart card, PIN/TAN and PIN/mTAN, are actually in use by European banking institutions. Very few offer the PIN/biometric method; no established bank is using a solution without PIN.

[12] A transaction authentication number (TAN) is a single-use one-time password used to authorise financial transactions. In its conventional form these passwords are made available to the customer as a list printed on paper.

[13] A personal identification number (PIN) is a numeric password used by the online banking system to authenticate the user.

[14] “Mobile TAN (mTAN)” refers to transaction authentication numbers that are delivered by SMS.
A significant (Pearson) correlation of 0.5 led to the conclusion that a study participant who rated the biometric method with PIN as most/least preferred rated, with high probability, the other biometric solution relatively high/low too. This is also true for the smart card methods. This correlation shows that one third of participants clearly prefer a biometric method, whereas another customer group clearly opposes biometric solutions.

Online Banking and Mobile Phone

The mTAN method is more established in Austria than in the other researched European countries: 25% of the participants living in Austria already use their mobile phone for online banking vs. 7% of the remaining participants. At the same time, those who already use mTAN seem to be satisfied with this solution: 72% of this group of banking customers chose the mTAN method as the “most preferred” and 77% consider using an mTAN solution as “safer” or “much safer”.

However, the low overall popularity of connecting online banking with the mobile phone shows itself in 72% of all participants being “not interested in using a mobile phone to conduct banking business”. This is due to a strong rejection of this method by customers over the age of 50, among whom 90% are not interested in using a mobile phone. Nevertheless, even more than half of the participants younger than 36 years were not interested in using their phone for online banking.

The group of customers who are interested in using a mobile phone for online banking is much more likely to expect the bank to compensate losses which could occur due to the higher risks taken by using public WLAN (51% of this group vs. 32% on average). We interpret this interest in using a mobile phone partly as an expression of a desire for higher mobility and therefore assume that these participants want the bank to take responsibility for the assumed higher risk probability.
Figure 15: Popularity of smart card vs. biometric methods (share of participants who chose the method as least preferred / most preferred). Biometric methods: 35.3% / 38.9%; smart card methods: 19.1% / 30.1%.

Federated Identity

In our interviews with information security managers, we discovered the concept of federated identity as one major trend in the field of online banking security products for the future [15]. According to this concept, products used for online banking could then serve for example in e-government services (and vice versa). Such efforts have already been made in Austria, where a product named “Bürgerkarte” (citizen card) exists [16]. It is a centrally administrated identity which can be used in the context of e-government but also for the online banking systems of some Austrian banks. 7 out of the 18 experts (39%) mentioned federated identity as a major trend for the next years. The interviews revealed no country-specific particularities regarding this question. There may still be some concerns (e.g. regarding the administration of such “identities”), but one can assume that other European countries will implement pilot projects on this topic too, sooner or later. Interestingly, the greatest interest in this solution was found among banking customers living in Switzerland, where such a standard does not exist yet (Figure 16).
Storage of Sensitive Data

To our surprise, overall 39% of study participants showed interest in using an online banking service to store sensitive data such as personal information, electronic documents etc. The greatest interest in this product was found among customers living in Switzerland. Much fewer participants in Germany answered this question positively (Figure 17). One possible explanation for this difference is the (lack of) trust of customers in their banking institution’s ability to safeguard data against any unauthorised access. Taking answers from Swiss banking institutions into account, we concluded that the image of the bank as an essentially protective institution is more established in Switzerland than in Germany.
[15] This trend is also visible in Detecon security projects in the financial service industry, where strategies for customer-oriented security products often include requests for federated identity solutions.

[16] A similar system is used in Sweden, called BankID, see <http://www.bankid.com/en/What-is-BankID/>, visited on February 9, 2009.

Figure 16: Interest in federated identity (Austria, Switzerland and average; interested / not interested / don’t know or not applicable). Switzerland shows the highest share of interested participants (57%).

Figure 17: Interest in using an online banking service to store sensitive data.

                 Interested   Not interested   Don’t know/Not applicable
  Switzerland       50%            48%                   2%
  Germany           33%            62%                   5%
  Average           39%            58%                   3%


Finding 9: Customers consider it most important to be able to use all online banking services offered, enabling ubiquitous online banking access. Transaction limits are accepted by the banking customers and were found to be part of a major trend towards more flexible contracts, according to expert interviews.

After analysing possible security products and services, we want to investigate the importance of the availability of products and services. Many of our interview partners emphasised the importance of convenience when introducing new security measures, products or services. But what are the most and least important issues for European banking customers?

For 61% of all participants, online payments and conducting stock exchange transactions rate as the most important feature. It is almost equally important for online banking customers to use online banking without being forced to install special software (60%). For 47% of European bank customers the possibility of worldwide access is particularly relevant.

The possibility of making very large transactions is of relatively low importance, i.e. customers accept a limit on the transaction amount per month or year. As a significant number of banks already have such limitations in place or plan to implement transaction limits on a voluntary basis, our results show that this approach matches the expectations of online customers. Furthermore, several interview partners mentioned intentions of increasingly flexible banking contracts, including for example voluntary transaction limits, as a major trend in the next years, which would further increase customer satisfaction in this aspect.

Finally, only a small percentage of customers mind having to use an additional device (e.g. mobile phone, smart card reader etc.) for online banking (23%) or automatic log-outs (14%) (Figure 18).
Figure 18: Importance of possible online banking features (ranking; share of participants rating the feature as important).

Question 31: What is or would be important for you concerning online banking?

  1. That I can pay bills or place orders at the stock exchange besides being able to view my account information online: 61.2%
  2. That I can use online banking without being forced to install a special program on the computer: 59.6%
  3. That I have access to my bank account worldwide (a given limitation to certain regions could potentially reduce the risk of fraud): 45.6%
  4. That I can freely decide on the transaction volume that can be conducted via online banking (a limitation could reduce the damage in case of a security breach): 31.2%
  5. That I can use online banking without having to carry a smart card, my mobile phone or the like with me: 23.2%
  6. That there is no automatic log-out (e.g. 10 min after my last action, i.e. mouse click): 13.5%


Finding 10: In contrast to the answers of our banking interview partners, customers perceive online banking to have become more secure in the past five years. Experts speak of an ongoing professionalisation among internet criminals over the last years.

Finally, our intention was to match the banking institutions’ insider view with the customers’ view on the level of security over time. As shown in Figure 19, a great majority of customers consider online banking today as more secure than five years ago. One fifth believe the security situation has not changed, and only a very small percentage believes that online banking has become less secure in the last five years. Particularly low concerns exist among Austrian participants and participants younger than 36 years: 0% of the former and only 2% of the latter believe that security has decreased. In comparison, 11% of the participants living in Switzerland and 13% of participants older than 50 years share the opinion that online banking has become less secure.

This trend opposes the expert opinion of our interview partners in European banking institutions. The majority of professionals emphasised that in the beginning of online banking no serious threats existed. In the meantime phishing attacks have lost importance, but they are followed by the steadily rising threat of organised crime.


Figure 19: The customers’ view on the development of the online banking security situation in the last five years.

  Online banking is more secure today:      68%
  The security situation has not changed:   17%
  Online banking is less secure today:       5%
  I don’t know/Not applicable:              10%
Recommendations on how to Create Value through Information Security for European Banking Institutions

Drawing upon the ten findings discussed in the previous section, we derived recommendations to meet the apparent challenges in online information security management. These recommendations firstly provide general conclusions for European banking institutions on how to invest in security products and services. Secondly, they aim at country-specific recommendations and information.

The three general recommendations will be discussed by Prof Dr Posch, Mr Kärrberg, Dr Jonathan Liebenau and Prof Dr Hämmerli in additional academic discourses. Their discourses connect the achieved results to the wider context of information security research.

General Recommendations for European Banking Institutions

General Recommendation 1: Be aware that security has an impact on customer retention and satisfaction; hence it is a value-adding factor for your organisation.

The study results show that security breaches have a significant influence on customer retention at your bank (cp. Finding 3). Frequent security problems cause mistrust and additional work in terms of phone calls, check-ups etc. for customers and leave them frustrated with the bank’s professionalism and service. Furthermore, security shows itself to be a competitive factor in the customer’s decision for one bank over another (cp. Finding 1). Banks cannot rely on long-lasting customer relations but have to be careful, up-to-date and responsive to customers’ needs. Our interview partners at European banking institutions expressed that they expect security threats to rise within the next years. Your customers rely on you in this respect and expressed interest in your actions and regulatory obligations.

Discourse 1: "Security Expectations of eBanking Users"
By Prof Dr Reinhard Posch

Security of eBanking systems is a widely discussed matter. However, as this is a typical application that addresses non-professionals, the professional provider, which is the bank by its nature, has no interest in open discussion, and for users mostly only the private effect matters. Apart from becoming alert, users will often be satisfied when they feel no damage, which can also be achieved by compensation.

Is this intuitive perception correct? Are there more long-term and profound security effects? To shed some light on this, the empirical study revealed a series of interesting results. Users feel unsafe and even guilty about their behaviour. Unlike experts, the average user tends to associate faults with his environment and himself. While this situation, where users do not have the perception that in a majority of faults internal failure plays a role, could be seen as an advantage for the reputation of banks, it makes users alert, and users increasingly look for different solutions and banking relations.

In case of major security accidents 76% of customers would switch their bank account to another bank. As this is not directly related to the type of accident, and together with the fact that users primarily associate responsibility for the security of their devices with themselves, we face a situation where security, including the security of the users’ environment, must be in the prime focus of banks to keep their clients.

Trust and security, and especially security expectations, greatly influence the business case of banks. Perception of trust not only affects the customer relation, as previously stated; it is also the prime reason not to use eBanking. Over 80% of non-users of eBanking decide so for security reasons. For those appreciating eBanking this is evidently one of the prime selection criteria for banking relations. Even looking at ‘normal’ users, nearly half of them will view this as a rather important selection criterion when choosing a bank.

Security awareness is highly influenced by incidents and their reporting in the media. With the present finance crisis we face higher attention by the general public and with this also higher general alert. This augmented general alert has quite an influence on the security perception of the banking sector among citizens. Since customer mobility as a result of perceived security weaknesses is high already, banks will be well advised to take measures against any further erosion of trust.

As a summary, the study shows that there is a big need for education and proper awareness. As the potential for changing bank shows, advertisement will not replace security education, as the result will still be a customer loss for the bank. Also we see from the take-up of smart cards that comfort comes first. In all cases banks will greatly profit from objectively increasing the minimum level of security as well as increasing knowledge about security.

Prof Dr Reinhard Posch
Graz University of Technology
Vienna, January, 2009



General Recommendation 2: Consider your customers’ willingness to care for security and their need for information: customers feel responsible for their device and are willing to investigate and invest in security. A majority of banking customers consider online banking insecure because of a perceived lack of technical knowledge.

A majority of customers feel responsible for their personal hardware when conducting online banking (cp. Finding 7). Based on our research findings, this majority is willing to accept losses due to security breaches which occurred in a situation where particularly high risks were deliberately taken by the customer. By analysing questions on responsibility, compensation and products, a correlation between these factors was found showing that customers who feel responsible for their device also accept paying for security products and services.

Finding 10 emphasises the view of clients that internet banking is becoming more secure over time, whereas error-prone technology (Finding 5) is still the greatest threat. The data show that banking customers want to be better informed, and not (only) out of curiosity but because they are concerned about their lack of (security) knowledge (cp. Finding 4 and Finding 5). The consensus among clients and banks on the need for more security-related “education” provides an opportunity for internet banking to support intensified and relevant customer interaction.

Discourse 2: "Who's Responsible? The Paradox of Control and Responsibility for Internet Banking Security"

By Patrik Kärrberg and Dr Jonathan Liebenau

This study shines light on the paradox of control and responsibility, aiming at providing more common ground for practical action within the field of information security governance. The gap between theory and practice has never been greater in information security management, calling for successful banks to deploy leadership in communicating how risks occur.

The corporate tool to bridge control and responsibilities is often referred to as “corporate governance”, residing with the board. “IT governance” and “information security governance” are subsets of this responsibility. The study points to no consensus among bank professionals on the question “Who’s responsible” for information security management. On the contrary, we argue that the politics of security forums and standards jeopardise the bridge between control and responsibility, leaving security managers in the dust and without clear direction.

A previous study by the undersigned in 2006 among international security officers indicated that reputational loss converts into the highest business cost. “Careless” internet customers and outsource partners losing sensitive data were conceived as the main perpetrators, rather than the bank’s own technical infrastructure. However, customers in the current study seem not to trust the technology itself, and consider insufficient security measures by the bank as the main reasons for not using internet banking. Customer responses confirm that the highest risk for banks is reputational loss, as a majority of users claim they would change bank when faced with a major security breach: a clear gap in perception of risk to be bridged between bank professionals and customers!

Banks can control a mix of capabilities (technical and organisational) and to some extent the legal boundaries within which they act. However, banks are also responsible for a mix of legal guidelines/laws and their proprietary view on duty of care. The challenge for banks is the paradox of not being able to control what customers expect them to be responsible for (safe access to accounts outside the physical premises of the bank). In spite of being masters of hedging, banks struggle with information security risks, due to the lack of a reliable customer as hedging partner. It takes two to tango…

The socio-technical nature of information means security risks cannot fully be controlled by the board (corporate governance). Division of responsibility is further hampered by difficulties in mapping fluid information onto technical architectures (IT governance), often leaving information security officers (not seldom embodied by CIOs) trying to bridge these dire straits of control and responsibility on their own. Part of successful information security governance is leadership. The regulator is unlikely to define the boundaries of responsibility within the near future (even though early signs are reported from Germany in this study). Banks should convert top-management-sponsored leadership into customer interest for interaction. Controlling the bank-customer interaction would decrease the risk of being victimised by external events and trends, such as security breaches among other banks.

Ease of use is clearly important to customers in the survey and the main reason to use internet banking in the first place. By clearly communicating where information risks occur, blurry boundaries of responsibility could be managed to improve ease of use. This would unlock customer value. However, being a bank and communicating risks might be just another paradox…

Patrik Kärrberg, Dr Jonathan Liebenau
London School of Economics, Dpt of Management, Information Systems and Innovation Group
London, February, 2009


General Recommendation 3: Regarding security products, check the possibilities of offering products and services using biometric solutions. The customer survey results show that these would be interesting optional products for your offering portfolio. Finally, use the bank’s image as a protective institution: the storage of sensitive customer data can be a profitable innovative product.

None of the involved banks uses a biometric method for online banking authentication, and most interview partners said that this is not a realistic option for the future either. The relatively high popularity of the biometric method in our survey should lead to a rethinking when evaluating this product.

The storage of sensitive digital data within the online banking system is an innovative service that so far is not offered by any of the participating banks. 39% of study participants imagine this as an interesting service (cp. Finding 8). First-mover advantages can be realised here.

Discourse 3: "Concepts Addressing Current Threats on European eBanking"

By Prof Dr Bernhard Hämmerli

Many technology-driven efforts in improving security have failed. The alignment with the business processes and needs, as studied here, are key factors in generating end-to-end security that is resilient to attacks.

Recently, two main threats have caused losses in eBanking and facilitated attacks on customer information and assets:

1. Drive-by download: Any visit to a web page can cause a hidden download of infected code such as Trojan horses. Unlike in earlier times, such infected code is today placed on vulnerable, unsuspicious web servers which are used by everyone.

2. E-mail attachments: Just a normal Word document sent by peers, supervisors or as an application to the human resources department may have additional infected code in it. The Trojan horse will be used for intercepting eBanking transfers in the browser before the data is encrypted for secure transport. We learn that these attacks are avoided neither by encryption nor by identification methods using only one channel.

In addition to the key findings of the study, an outlook on these pending issues will be given according to inside knowledge of the EU research coordination action “Parsifal” [17] on methods of verifying transactions:

- Biometric ID: A major advantage of using biometrics for single identification is its security against faking. However, modern attacks circumvent the identification process if it is not based on a second channel, with the effect that the higher degree of security becomes useless.

- Federated ID: Nowadays each bank produces its own electronic ID in a more or less costly manner. Multi-part IDs would result in significant savings to companies admitting such identities. However, the trust in the issuing party will be the key decision point to enable such usage, besides customer pressure on multi-company single sign-on and business process integration. As a first step the question “Who could be the issuer of a European ID system with credentials of multiple business parties?” must be addressed.

- Mobile Transaction Authentication Numbers (mTAN) and other forms enabling the verification of identity on a separate channel, such as special hardware devices, are already able today to discover the above described fraud. Quite a few of the major Swiss banks are under way testing such verification methods, leaving choices for biometric, mTAN or federated identity solutions with an independent second verification method.

For both the banks and the customers, secure eBanking is important to avoid financial losses. Looking at the various EU member states, the financial losses are quite different because of diverse security controls in eBanking resulting in diverse average security levels. One option, and this is the conclusion of this discourse, would be transnational harmonisation.

Prof Dr Bernhard M. Hämmerli, Vice President of the Information Security Society Switzerland
Acris GmbH & University of Applied Sciences Lucerne
Lucerne, February, 2009

[17] Cf. <http://www.parsifal.project.eu>, visited on February 9, 2009.
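The man-in-the-browser attack described in the discourse above, and the difference between the conventional paper TAN list (footnote 12) and the mobile TAN (footnote 14), as an added example that is not part of the study and not any bank’s code. It models a Trojan that rewrites the recipient after the customer has filled in the form: a code from a paper list is single-use but not tied to the transaction, so it authorises whatever the bank received; an mTAN that is derived from the transaction details and delivered with them on a second channel lets the customer spot the substituted recipient, and even a TAN the customer did type in cannot be moved to another transfer. The HMAC-over-nonce-and-details construction, the SMS format and both account numbers are assumptions made for the example.

```python
# Added example, not from the study or any bank: a TAN from a paper list
# authorises whatever a man-in-the-browser Trojan submits, while an mTAN
# bound to the transaction details does not. The HMAC construction, the
# nonce and both account numbers are assumptions made for this example.
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

INTENDED = ("CH9300762011623852957", 25_000)  # constructed sample IBAN, 250.00 EUR
ATTACKER_IBAN = "DE00ATTACKER0000000000"       # constructed, not a real account

@dataclass(frozen=True)
class Transfer:
    recipient_iban: str
    amount_cents: int

def man_in_the_browser(t: Transfer) -> Transfer:
    """The Trojan rewrites the form after the customer filled it in and
    before TLS encrypts it, so the bank only ever sees the attacker's IBAN."""
    return Transfer(ATTACKER_IBAN, t.amount_cents)

class PaperTanBank:
    """Conventional TAN list (footnote 12): single-use codes on paper that
    are not tied to any transaction, so a code authorises whatever arrived."""
    def __init__(self):
        self.sheet = [secrets.token_hex(3) for _ in range(10)]  # the printed list
        self.unused = set(self.sheet)
        self.executed = []

    def execute(self, received: Transfer, tan: str) -> bool:
        if tan not in self.unused:
            return False
        self.unused.remove(tan)  # single use, but valid for any transfer
        self.executed.append(received)
        return True

class MobileTanBank:
    """mTAN (footnote 14): the code is an HMAC over a nonce and the transfer
    details, and the SMS shows those details (assumed construction)."""
    def __init__(self):
        self.key = secrets.token_bytes(32)  # per-customer server-side secret
        self.pending = {}                   # nonce -> transfer awaiting its TAN
        self.executed = []

    def _tan(self, t: Transfer, nonce: str) -> str:
        msg = f"{nonce}|{t.recipient_iban}|{t.amount_cents}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:6]

    def challenge(self, received: Transfer):
        """Register the received transfer; return (nonce, text of the SMS)."""
        nonce = secrets.token_hex(4)
        self.pending[nonce] = received
        sms = (f"Ref {nonce}: {received.amount_cents / 100:.2f} EUR to "
               f"{received.recipient_iban}, TAN {self._tan(received, nonce)}")
        return nonce, sms

    def execute(self, nonce: str, tan: str) -> bool:
        t = self.pending.pop(nonce, None)
        if t is None or not hmac.compare_digest(tan, self._tan(t, nonce)):
            return False
        self.executed.append(t)
        return True

def tan_from_sms(sms: str) -> str:
    return re.search(r"TAN (\w+)", sms).group(1)

def customer_checks_sms(intended: Transfer, sms: str) -> bool:
    """The step that discovers the fraud: the customer compares recipient and
    amount shown on the second channel with what they meant to send."""
    return (intended.recipient_iban in sms
            and f"{intended.amount_cents / 100:.2f} EUR" in sms)

def paper_tan_scenario() -> str:
    """Returns the IBAN the bank paid out to: the attacker's."""
    bank = PaperTanBank()
    received = man_in_the_browser(Transfer(*INTENDED))
    bank.execute(received, bank.sheet[0])  # the customer types the next unused code
    return bank.executed[0].recipient_iban

def mtan_scenario() -> str:
    """The SMS names the attacker's IBAN, so the customer withholds the TAN."""
    bank = MobileTanBank()
    intended = Transfer(*INTENDED)
    nonce, sms = bank.challenge(man_in_the_browser(intended))
    if not customer_checks_sms(intended, sms):
        return "refused: SMS shows a different recipient"
    bank.execute(nonce, tan_from_sms(sms))
    return "executed"

def tan_cannot_be_moved() -> bool:
    """Even a TAN the customer did type in is useless for a different transfer."""
    bank = MobileTanBank()
    intended = Transfer(*INTENDED)
    _, sms = bank.challenge(intended)                        # honest challenge
    other, _ = bank.challenge(man_in_the_browser(intended))  # attacker's challenge
    return bank.execute(other, tan_from_sms(sms))            # bound to nonce and details
```

The protection lives in two places: the binding of the code to nonce, recipient and amount on the server, and the customer actually reading the recipient in the SMS. The second channel only helps while it is independent of the first; if the same attacker also controls the phone, the mTAN check degrades to the paper list case.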



Differences among European Countries and Country-Specific Recommendations

Austria:

- mTAN, where not implemented, could be an interesting option: users of mTAN prefer this method and feel significantly more secure because of the possibility to control transactions via mobile phone.

- 49% of Austrian participants consider the probability that an unauthorised person can manipulate their account information as “very low”; this is a relatively high percentage compared to e.g. Germany (26%). Austrian banks should use this trust to their advantage.

Germany:

- Be aware of a general mistrust of banking institutions: one third of the participants living in Germany said that they consider the probability that an unauthorised person can manipulate their account balance as medium or higher.

- Although 33% of the German participants showed interest, the service of safeguarding sensitive data achieved the lowest popularity in Germany compared to other European countries. Increasing the trust in and reputation of online banking security increases the acceptance of online banking products and services.

Switzerland:

- Consider selling security products in connection with online banking as an option to create value: Switzerland achieves the highest percentage, with 48% of participants being willing to pay for anti-virus programs, 30% for technical packages (they said that they would order a package consisting of the desired authentication method and a secure web browser at the price of CHF 50) and 21% for personal security advice (CHF 60).

- Be aware of the customers’ high demands: significantly more customers in Switzerland demand full compensation in case of losses due to security breaches (48% in Switzerland vs. 25% on average), and they are more likely than participants in other countries to switch to another bank if security breaches occur frequently.

Other countries:

- Be aware of mistrust in the data encryption used in online banking: more than half of the study participants living in the UK, France or the Netherlands stated that they do “rather not” or “not” trust the encryption in use for online banking.

- Federated identity solutions could be attractive options: 55% of these participants are interested in such a product.

- The offer of insurance could be an option: one fifth of the participants living in the UK are interested in an insurance for £10 a month which would oblige the bank to compensate losses that occurred due to e.g. a missing firewall on the customer’s PC.
Authors

Dr Laura Georg
Detecon (Schweiz) AG
Team Head Information Security Management

Dr Laura Georg is responsible for topics relating to information security management at Detecon (Switzerland) AG and is a key member of the Information and Communication Technology Group. The focus of her PhD research was the interrelationship between information security and business strategy. At Detecon Laura specializes in adding value to organizations through customer oriented information security management.



Christian Frefel
Detecon (Schweiz) AG
Team Member Information Security Management

Christian Frefel studies philosophy and economics at the University of Zurich. He has wide experience in the consulting area in general and in particular in the implementation of the ISO 27001 information security standard.



Prof Dr Bernhard Hämmerli
Hochschule Luzern
Professor for Information Security and Data Networks, CEO of Acris GmbH

Prof Dr Hämmerli is vice-president and chair of scientific and international affairs of the ISSS (Information Security Society Switzerland) and works as an expert in various commissions, especially for the building up of the Swiss Information Sharing Centre MELANI. He teaches an information security course at the Lucerne University of Applied Sciences (Hochschule Luzern).



Dr Jonathan Liebenau
London School of Economics
Reader in the Information Systems and Innovation Group (Department of Management)

Dr Jonathan Liebenau is the author or editor of several books and over 70 other major publications and has provided consultancy services to leading companies and strategic government agencies. He specializes in two areas: fundamental concepts of information, and the problems and prospects of information and communication technology in economic development.



Patrik Kärrberg
London School of Economics
Researcher, Information Systems and Innovation Group: Centre for Economic Performance

Patrik Kärrberg is an engineer and expert on innovation in mobile communications, the software industry, and its business models. He lived in Japan for 5 years, and has held senior management positions in Japan and Europe both within large companies and in start-ups. He is finalizing his PhD in service delivery innovation.



Prof Dr Reinhard Posch
Technische Universität Graz
Professor for Applied Information Processing and Communications, CIO for the Government of Austria

As the CIO for the Government of Austria, Reinhard Posch heads the Austrian e-government platform "DIGITAL AUSTRIA", the coordination body for ICT in public administration and e-government in Austria. Prior to becoming federal CIO in 2001 he was appointed coordinator for the electronic citizen card, a signature-based smart card, by the Austrian government.











































































Publication rights: Detecon (Schweiz) AG.

This publication can be ordered from Detecon (Schweiz) AG at a price of CHF 370.-.