• General and reference techniques ➝Evaluation

All over the world, the development and growth of the economy is majorly dependent on the financial systems, as they happen to be the major users of information and communication technology. The level of development of this financial systems and efficiency in performing their roles, depends largely on the introduction and effectiveness of new technological media, which would aid customer satisfaction and convenience. [ 1 ].

The introduction of information and communication technology in efficient service delivery in the banking and financial sector is known as electronic banking (e-banking). Information and communication technology is the mechanization of steps, processes, actions, and information gathering using the computer, telecommunication machines, special purpose software and supporting devices such as Point of Sales (POS) machines and credit cards.

The competitiveness and complexity of the banking sector environment in the 21st century, can be characterized by unpredictable, epileptic and changing economic climate of the world. [ 2 ] Established that, business competitiveness can only be sustained, when banks and financial systems change from the traditional and old modelled way of operation, which is likened to “bricks and mortar” or “paper and biro” into a more advanced and technological approach, likened to “clicks and portal” or “computers and internet” Information and communication technology (ICT) is at the middle of this grand turning point of banking and financial sector in the World and Nigeria today. Banks and financial systems at home and abroad have adopted electronic banking (e-banking) due to the progression in information and communication technology methods, and a means of remaining abreast in this information age which also aids efficient customer service. [ 3 ].

The banking sector all over the world and Nigeria banks are also adapting new innovations in information technology such as ebanking and e-banking puts an end to endless queue in the banking halls, and encourages electronic transfer of funds, this done one internet enable devices and e-banking activated accounts, this done between individuals and financial institutions, the exchange of cash and keeping of large sums of money at home has totally been discouraged, cheques and other negotiable items are also rarely encouraged. In the world today, Point of Sales Machines (POS), Automated Teller Machine (ATM), credit and debit cards, with passwords, biometric scanners and personal identification numbers (PIN) are now means of paying for goods and services or transfer of funds, whenever and wherever the need arises.

The new advancements in the Nigerian Banking sector cannot be done without the use of computers, networks and internet and hence the need to protect the organization’s computer and network from unwanted users and malicious attacks becomes very important. Cybercrime and other unintended use which makes it easy to steal a kobo from millions of bank accounts than traditional or conventional bank robbery is becoming predominant despite the positive impact of the advancement in information and communication technology has on the society. [ 4 ] Technology has progressed so much that it would be of no surprise if your computers are hacked and you are completely unaware of the reasons for it. Any organization should monitor its system for potential unauthorized access and several kinds of attacks, in other to safeguard sensitive information. [ 5 ].

Banking sector is a trust-based institution, that requires an absolute trust from her customers, upon this the banking sector should take security issues as a special concern to continually earn the trust of their customers, The need to tighten-up security and proper management channels that could give opportunities for fraud and malicious attacks such as: breach of privacy of customer data, distributed denial of service attacks, and technological letdowns created on electronic banking platforms becomes expedient. Insecurity has been a major concern in the world’s most prominent sector (finance), bank accounts, transactions and funds transfer are tampered with as a result of this insecurity, which is constantly being faced by operators of the banking sector. These experiences have become totally unfavorable, which have made the total adoption of technologies in the banking sector difficult. The insecurity issue has been caused by the ripple effects malicious attacks and threats like State-sponsored espionage, Distributed denial of service (DDoS) attacks, password management, insider threat, privacy laws and viruses among others [ 6 ]. Thus, this research is aimed at evaluating the computer and network security strategies employed by Nigerian banks. The following objectives that were used to achieve the aim were: the determination and identification of the security strategies which are being implemented by banks in Nigeria, ascertaining the impact of various integrated banking system on the total security of the banking sector, to assess the security strategies employed by Nigerian banks and also evaluate its effectiveness.

An Important factor in an organization’s computer and network system is security, because the computer connects to other networks through the internet. An attack on the organization’s computer can be possible from outside of the organization. Therefore computer network security is important to prevent and protect the organization from internal and external attacks. [ 7 ] Computer and Network security is generally handled by the system administrator or network administrator who implements some security policies, software and hardware needed to protect the entire computer system and its resources from any unauthorized or unwanted access and usage and the system administrator also ensure ensures accessibility to the resources for authorized usage. The security system is based on layers of protection and consist of multiple components consisting of monitoring, security software, hardware and appliances. The security is the quality of state, when a computer system is secure it means it is free from potential danger. [ 8 ].

The following are the security strategies being focused on and implemented by Nigerian banks; A firewall is a defined as a perimeter fencing which serves a border or control mechanism. Blocking or stopping traffic from entering into a computer system is the main purpose of a firewall, traffic inside the computer could also be blocked by firewall as well. Firewall serves as the first form of mechanism set up to control intruder activity on the computer. Unauthorized or malicious access in a computer network system can be prevented by firewall. The implementation of firewalls is done on the hardware or the software, or on both. [ 9 ] The need for antivirus software is prompted by the wide spread of malware on computer systems. [ 10 ] The presence of malware in a computer system is detected by an antivirus installed in the computer system, the purpose of the antivirus is to identify the nature of the malware, and also remove the malware, which is also a means of preventing the host from future infections from any or similar malware and also dis-harming the host from malware. The minimization of false positives (false alarms) and false negatives (missed malware) is encouraged during the stage of detecting malware in the system.

Malicious activities that are targeted at computer network systems can be identified and responded to by a process called Intrusion detection system (IDS). From this definition, intrusion detection can be seen as a process, which involves a system, individuals, and tools. [ 11 ] To reduce the risk of attacks precautionary measures needs to be put in place. Preventing all attacks seems practically impossible but could be achieved with the right measures put in place. Malicious activities can be easily identified and diagnosed with a process which works similar to a burglar alarm, Intrusion detection. Intrusion detection combines three activities majorly to monitor, analyze, and respond. [ 12 ].

Intrusion Prevention System (IPS) is a defense system that is primarily network based, it properly combines the proactive technique of IDS with that of firewall as a result of increasing global network. The proactive technique of the system is to prevent malicious attacks before they enter into the system, it verifies and examines various information records. The offending data is blocked and logged when an attack is identified on such data. [ 13 ]. Encryption scrambles data thereby making the data very hard to find useful by the intruder, the interpretation of a scrambled data is meaningless if the intruder does not know how the scrambling was done. Encryption or scrambling is indeed an essential tool in providing computer and network security [ 14 ]. Encryption clearly addresses the importance of data confidentiality. Additionally, encryption makes it difficult to easily alter or change data, because it has been scrambled this makes it generally hard to read or understand thereby ensuring data integrity. [ 14 ].

Passwords have become the only barrier between just any user and one’s personal information and they most common and widely used form of authentication. Several programs are available for easy download, which makes it easier for attackers to “guess” or “crack” a password, a very good password and keeping the password confidential makes very difficult for an unauthorized person to gain access to your information. [ 15 ].

Banking applications generally known as Core Banking System (CBS) are believed to have a level of security incorporated in them, which helps militate against attacks on the applications and several servers attached, to this effect the need to review banking system application security becomes very important. [ 16 ] Application security helps put stringent measures and controls in place on an organization’s applications, which reduce the risk from intruders using the application and the risk associated with the authorized user using it.

In a secure Core Banking System proper management of information security is required and this can only be delivered a vendor organization that manages information. Implementation of Information Security Management System (ISMS) on core banking systems makes the work easier for organization as specific areas and processes have been covered within the organization [ 16 ].

The population of study is limited to computer security experts and information technology department staff in Nigerian banks. Eleven (11) commercial banks and one (1) mortgage bank randomly filled the online questionnaire with a total of 30 respondents. The banks are: Ecobank, Guaranty Trust Bank, Skye Bank Nigeria PLC, Sterling Bank, Firstbank Bank, Fidelity Bank, Access Bank, Keystone Bank, Wema Bank, Zenith Bank, Diamond Bank and Haggai Mortgage Bank, while two (2) respondents did not provide the name of their banks.

Three factors were considered when choosing the sample. The first was that, the respondent must be an IT/ICT staff of a Nigerian bank, the second was to have an idea of the bank’s computer security strategies and the third was the willingness of the respondents to cooperate, because some of the staff do not readily have interest in filling the online questionnaires.

An online questionnaire (http://bit.ly/1J6baWS) was administered for data collection which was designed for computer security experts and information technology department staff in Nigerian banks. An online questionnaire was preferred and chosen because the questionnaire was targeted at bank officials, who are very mobile and they always have access to the internet, and with the help of social media campaigns a wider number of respondents could be easily be reached.

Section A which contained the personal data of the staff, such as; age, bank type. It provided the background information needed in answering the research questions. It also contained questions based on the years of experience in the banking sector, years of experience with current bank and name of bank. Section B which contained achievement test items. The questions were twelve multiple choice items in computer security.

The criteria that were used to compare Avast, McAfee and Webroot antivirus were: On-demand scan refers to a manual scan which is being initiated by the user on the entire or certain segments of the computer system, here the user initiates the scan and decides what part of the system should be scanned or if the entire system should be scanned.

On-access scan refers to an automatically initiated scan which the product itself initiates without any external interference, it scans every file whenever it is created and/or whenever it is modified, and here the antivirus initiates a scan immediately a new file is created on the system.

CloudAV gives an efficient automatically initiated scan that is performed on the cloud storage, and this happens frequently. Email Security gives our emails the desired security from viruses and malware, thereby preventing penetration, through our email.

This section is focused on the presentation and discussion of result obtained during the course of this research. The data was collected with particular reference to the questions raised earlier on. The purpose of this study was to evaluate how effective computer and network strategies put in place by Nigeria banks. This study strives to provide answers to the under-listed research questions: i. What banks do the respondents work for? ii. What are the years of experience of the respondents? iii. What Computer security strategies are implemented? iv. Why is a particular anti-virus preferred to other antivirus software? v. How often has the bank suffered malicious attacks? vi. Why is a particular integrated banking system (Core

Banking System) preferred to other CBS software? How effective are the computer strategies implemented?

Figure 1 showed the number of respondents that filled the questionnaire from each bank. It was presented in Figure 1 showed that Ecobank and Wema Bank for a larger percentage of the banks of respondent, while other percentages were spread across ten different banks while three respondents did not mention the names of their banks. There are about nineteen (19) commercial banks in Nigeria as at November 2015, eleven (11) commercial banks participated in this survey, and this indicates that over 50% of Nigerian commercial banks was involved in this research. oN… liityFed itrsFaB… tsyeKo…

… ykSe iaoDm sscceA

Figure 2 summarizes the findings on years of experience of the respondents in the banking, and this ascertains that most of the respondents are either newly recruited staff or they have not stayed too long in the banking sector. This indicates that there level of knowledge of the bank’s security strategies implemented could be limited as they have not spent so much time in that particular bank and this could also be a determinant of the level of management of the organization’s implemented security strategies, this also shows that the respondents with not very long experience in a particular bank might not be aware of the malicious attacks experienced by the bank in the past.

Years of Experience 50 0 1 -4 yrs 5 - 9 yrs 10 - 14yrs

Figure 3 shows that over 50% of the respondents implemented Intrusion Detection and Prevention in their company, 60% implemented Encryption, 76.6% Firewall, while almost 100% were using Passwords and Antivirus. It can then be deduced that since all the percentages of yes of respondents on each of the five security strategies in Figure 3 are at an average of 75.33%, while average percentage of No and Not sure are 10 % and 14.67% respectively, we could then conclude that Nigerian banks implement all five security strategies.

Security Stragies Implemented % 3 3 . 3

Figure 4 showed the type of antivirus each Nigerian bank uses and it revealed Avast and MacAfee antivirus are predominantly used while a small percentage of usage are spread sparsely across all other antivirus. Thus, the need to compare why Avast and MacAfee antivirus is preferred over the other and while some have less patronage, which would in turn answer our research question four that is; Why is a particular anti-virus preferred to other antivirus software? The comparison of why Avast and McAfee are the most preferred and Webroot, the least patronized is showed in Table 2 from Figure 4. The comparison tools ranged from on-demand scan, CloudAV, on-access scan, boot-time scan, firewall, Email security, Intrusion Detection System (IDS), Intrusion Prevention System (IPS), Anti-spam and web protection.

It can then be deduced from the result presented in Table 2 that Avast and McAfee was chosen over the Webroot antivirus, seeing that the free versions of the Avast still has some security features already integrated in them and the Premier version of the Avast antivirus has almost all security features integrated in it except for the intrusion prevention system and the AntiSpam. McAfee on the other hand, for it McAfee Antivirus does not have CloudAV, firewalls, IDS, IPS, AntiSpam and web protection which still gives it a fair chance of usage but the McAfee Internet security has all security features integrated into them which might not even require user to install other security strategies.

Webroot, that happens to be the least on the chart in Figure 4 which was also compared alongside with Avast and McAfee, happens not to have not too many security features integrated into it secure anywhere antivirus other than on-demand scan and onaccess scan, this shows the very reason why Webroot antivirus happened to be in the bottom section of Figure 4.

We would then conclude based on the comparison of different antivirus software on Table 2 it shows that Avast Antivirus software has a high level of in-built security, which could be the reason why it is the most preferred by Nigerian bank

The result of how often the bank suffers from malicious attack was presented and analysed in Table 2. It showed that on the average, 47% of the respondents from Nigerian banks have never experienced any malicious attacks of any form on their equipment or personal accounts, and just 37% only experienced malicious attacks less often, while only about 15% say that their banks often experience malicious attacks on their equipment. This indicates that the security strategies implemented could be effective since malicious attacks where not very often.

Figure 6 below depicts that computer and network security strategies which is currently deployed by Nigerian Banks are effective. Based on the facts there have been no instances of malicious activities and absolutely no cases of it in most banks of the respondents, it was cited by 65% of the valid responses that the security strategies have been effective, hence the highest response being on effective.

This research evaluated the effectiveness of computer and network security strategies being used by banks in Nigeria. And the following conclusions were drawn, from the results presented earlier. First, computer and network security strategies implemented in Nigerian banks are; passwords, encryption, firewalls, intrusion detection system and intrusion prevention system and about half of the respondents were not sure if they use intrusion detection and prevention system. Secondly, from our research the evaluation, proved that almost all Nigerian banks are fully and effectively implementing the computer and network security strategies. However, only about 15.33% of the respondents from Nigerian banks experience malicious attacks of any form in the bank’s system and about 84.66% asserts that they never or rarely experience malicious attacks of any form. Finally, from our presented results, we then conclude that Nigerian banks are using effective computer and network strategies after, implementing almost all security strategies and they rarely experience malicious attacks of any form.