Approaches to measuring the risk of cyberattacks in remote banking services of Russia

Alexander A. Berdyugin
Department of Information Security
Financial University under the Government
Moscow, Russian Federation
brdgn@bk.ru

Pavel V. Revenkov
Department of Information Security
Financial University under the Government
Moscow, Russian Federation
pavel.revenkov@mail.ru

Copyright © 2019 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).

Abstract— Purpose. As banks make ever wider use of technology, their risks of information security breach rise significantly. In the context of the active introduction of remote banking systems (RBS) in the banking business of Russia, additional study of the issues of assessing the risk of cyberattacks on banking automated systems was required. Methods. The methods of financial management, probability theory, system analysis of the scientific literature on fundamental and applied research, and a method of graphical interpretation of the analyzed phenomena are used. The paper gives a detailed analysis of the concepts of “cyberspace” and “cybersecurity”. Remote banking is considered from the point of view of financial management. Attention is drawn to the factors of work in cyberspace that increase the levels of banking risks. The relationship between cyberattacks on banking automated systems and the possible consequences for the bank is analyzed. Novelty. Given the wide spread of social engineering methods in committing fraudulent activities on the Internet, measures to increase the cyber literacy of the population are needed. A method for assessing the risk of cyberattacks on RBS, for use by risk department specialists and employees of internal control services, is developed. As a result, considering the innovative systems and technologies that await us in the future, the effectiveness of risk assessment for solving current challenges is increased. Results. An attempt is made to formulate a mathematical model of the probabilistic analysis of information security incidents in order to optimize the algorithm for responding to incidents. Calculations based on the proposed model made it possible to determine the duration of exploitation of an RBS vulnerability for which the probability of preventing an incident exceeds the probability of its realization. The findings may be useful for scientific research on the risks of information security breach in RBS.

Keywords— cyberspace, risk of cyberattacks, RBS, cybersecurity, risk assessment, information security incident, banking

I. INTRODUCTION

The latest achievements in the field of information and telecommunication technologies have significantly changed the process of conducting the banking business and have become the basis for the active implementation of remote banking systems (RBS). The most common remote banking options are Internet banking (managing bank accounts and cards via the Internet and an on-line web browser) and mobile banking (managing bank accounts and cards from tablet computers, smartphones and other smart devices). The interaction between the bank and the client when RBS is used takes place in a virtual environment or, in other words, in cyberspace.

The concepts of “cyberspace” and “cybersecurity” are currently absent from the legislation of the Russian Federation; the terms “information space” and “information security” are traditionally used. The concepts of “cyberspace” and “cybersecurity” can be found in a number of international and national standards related to ensuring information security, and we use these terms further on. If we combine the different approaches to the definition of these concepts, then cyberspace is most often understood as an environment of information interaction and data exchange implemented in computer and communication networks, where the elements of cyberspace are servers, computers, telecommunication equipment, communication channels, and information and telecommunication networks, and cybersecurity is the maintenance of the confidentiality, integrity and availability of information in cyberspace. For the analysis of approaches to the definition of the concepts of “cyberspace” and “cybersecurity” we used [1, 2, 3], as well as [4, 5].

The banking business began to use cyberspace first of all because of the significant cost savings in operating activities (there is no need to maintain banking offices, and the client himself performs the functions of the operator from his computer, tablet or smartphone) [6, 17]. We add that the daily increase in the number of cellular subscribers and users of the global Internet contributes to the spread of RBS in various parts of the world, including both developed and developing countries [7, 18].

Additional income comes from an increase in the value of cash flows due to higher commission fees and/or reduced expenses due to growth in operating efficiency. Consider the impact of scientific and technological progress on return on equity (ROE):

$ROE = ROA \cdot EM = PM \cdot AU \cdot EM$ (1)

where $PM$ is the profit margin, $AU$ is the asset turnover ratio (asset utilization) and $EM$ is the equity multiplier. The main variables in formula (1) are $PM$, the ratio of net profit to total revenue, and $AU$, the ratio of total revenue to asset value. The return on equity ratio represents the amount of the bank’s income per monetary unit of equity:

$ROE = NP / E$,

where $NP$ is net profit (the difference between income and expenses) and $E$ is the average equity.

Investments in RBS increase $PM$ by minimizing costs and $AU$ by increasing the bank’s commission income; therefore $ROA$ and $ROE$ will increase. If the expansion of market share and the increase in the asset base as a result of innovations exceed the growth of capital, then the resulting financial leverage (a higher $EM$ value) will advance $ROE$. For banks with excess capital relative to the minimum that regulators require, it is necessary to invest in RBS and other innovations.

However, in addition to the obvious advantages, work in cyberspace is accompanied by several factors that can increase the levels of banking risks:
- remote banking operations are mostly “virtual” in nature (in fact, after invoicing and registering a contract for the provision of services using RBS, the client has no direct contact with the bank). This type of interaction places increased demands on customer identification (including the implementation of the “Know your customer” principle); otherwise, an attacker may initiate operations on behalf of the client;
- the availability of “open” telecommunication systems (the availability of the global Internet and cellular communications, in the absence of proper control over these types of communications, complicates control over their actual users);
- the extremely high speed of transactions (banking operations performed using RBS take seconds, which also imposes increased control requirements);
- the global nature of inter-network operational interaction (since RBS operations are performed not only in the country in which the client is located but also beyond its borders, additional sources of risk arise from the peculiarities of the legislation in each individual country through which clients pay) [8, 19];
- the possibility of using RBS for illicit activities (due to insufficient control by regulators, the speed of execution of the operations themselves, the ability to hide some of the data of the real perpetrators, etc.).

In this paper (applicable in practice in the credit and financial sphere), the authors use the term “risk of cyberattacks” (RCa), understood as a measure of the increase in typical banking risks (including financial losses) arising from the realization of cyberattacks on banking automated systems (BAS). The term RCa has already been used by the authors in scientific papers, for example [7] and [8]. Thus, the aim of the study is to analyze cause-and-effect relationships under the influence of computer attacks on typical banking risks and to develop new approaches to assessing RCa (applicable in practice in the credit and financial sphere), through which it is possible to improve significantly the quality of cybersecurity in organizations of the financial sector.

II. EXPANDING PROFILES OF TYPICAL BANKING RISKS DUE TO COMPUTER ATTACKS

Consider the main types of cyberattacks on BAS noted in the annual reports of FinCERT of the Bank of Russia and of the company Group-IB: attacks on AWP CBR, AWP SWIFT and AWP RBS, and attacks on self-service devices (Automated Teller Machines, ATMs), where AWP CBR is an automated workstation of a client of the Bank of Russia, AWP SWIFT is an automated workstation of a client of the Society for Worldwide Interbank Financial Telecommunication, and AWP RBS is an automated workstation of a client of RBS.

To implement all of these attacks, the attacker first needs to deliver malicious software (malware) into the local area network (LAN) of the credit institution. To do that, the attacker sends the credit institution an e-mail containing malware that is not detected by antivirus tools. After the malware infection, a scan of the LAN segment accessible to the infected machine is performed using SMB requests in order to infect new workstations.

The main reason why the above attacks are “successful” is the human factor, which manifests itself in the negligent attitude of bank employees to the established algorithm for preparing, storing, processing and transmitting electronic customer orders. According to Group-IB’s report for 2018, in Russia 1-2 banks were subjected to computer robberies every month. The damage from one theft is on average 132 million rubles ($2 million).

The development of the digital economy in Russia and the minimization of the level of RCa are associated with an increase in the level of cyber literacy of the population of our country [9]. Particular attention should be paid to making all users of the global Internet understand that they often work in a “trusted environment”. Knowledge of the main types of cyber-fraud can therefore significantly reduce the number of hacker attacks. The development of computer discipline and the prevention of the uncontrolled development of cyberspace [2] can be facilitated by studying “blind” (touch) typing with ten fingers. The authors of this paper propose introducing the method of “blind” typing with ten fingers into the education system in Russia, as the development of fine motor skills of the hands contributes to the activation of the frontal lobes of the brain. Proper finger positioning on a keyboard is analogous to complying with traffic signs when traveling.

Work in cyberspace first of all increases the role of the technical components of all typical banking risks (Fig. 1), among which operational, legal, strategic, reputational and liquidity risks can be highlighted (the full list of typical banking risks is given in the Letter of the Bank of Russia dated June 23, 2004 “On Typical Banking Risks” No. 70-T) [10, 21, 23].

Fig. 1. Interconnection of cyberattacks on hardware and software (H&S) of BAS and possible consequences for the bank

Underestimation of the possible consequences of cyberattacks can seriously affect the stability of a commercial bank. In this regard, the assessment of RCa manifestations by specialists of risk divisions should be carried out in a timely manner, followed by notification of the management of the credit organization so that the management can take preventive measures in time. The risk divisions of credit institutions should have specially trained professionals who are able to assess the vulnerability of the different areas of the bank’s digital technology circuits as formed in each individual credit institution (including in terms of increasing RCa). In order to understand the features of the functioning of distributed computing systems and to have a clear understanding of how the information circuits of electronic banking services via the Internet and mobile communications are constructed, risk department specialists must have a technical education in addition to a humanitarian (economic or legal) one.

Modern cybersecurity systems must be well automated for a timely response to emerging incidents. The response process should start immediately on virtually any signal from the information security monitoring systems. The effectiveness of a response method can be checked by the formula:

$RRL = \frac{RE_{before} - RE_{after}}{RRC}$ (2)

where $RRL$ is the risk-reduction effect (the method is applicable when $RRL > 1$); $RE_{before}$ and $RE_{after}$ are the exposure to RCa before and after application of the response method; $RRC$ is the cost associated with applying the particular response method.

Of course, the calculation of compensation costs by formula (2) can be omitted when the consequences of the realization of RCa are minor: there is enough reserve for RCa in the budget plan [14, 22], as described below.

The consequences of cyber-risks are one of the components of an organization’s operational risk. The Basel Committee on Banking Supervision (BCBS) recommends using this approach to risk assessment. In accordance with the recommendations of the committee, commercial banks should create a reserve for operational risk (OpR), considering the active use of digital technologies. The capital reserved for OpR is assessed using the basic indicator method:

$K_{OpR} = \alpha \cdot \frac{1}{3} \sum_{i=1}^{3} GI_i$ (3)

where $K_{OpR}$ is the amount of capital allocated to cover OpR; $\frac{1}{3} \sum_{i=1}^{3} GI_i$ is the average gross income over 3 years, with the condition that $GI_i > 0$; $\alpha = 15\%$ is a factor established by the Basel Committee on the basis of empirical research and influenced by the banking community, which consists mainly of commercial banks in Europe. The average gross income of a commercial bank for the past 3 years is calculated from the bank’s financial statements (see the articles [8, 13] for details).

However, European standards are not always the benchmark for Russian conditions. This requires developing a method adapted to the characteristics of the credit organizations of the Russian Federation.

III. FORMALIZATION OF THE RCA ASSESSMENT MODEL IN THE RBS

For the most objective assessment of the results of a violation, the possible consequences of the realization of RCa for banks and their customers should be considered. The authors propose a method of quantitative accounting of the consequences that considers the following parameters:
1) an increase in the amount of damage incurred as a result of the realization of RCa in the RBS, in conventional monetary units ($n \uparrow$);
2) an increase in the intelligence coefficient of cybercriminals (the smarter the hacker, the more damage and the more opportunities to go unnoticed), a dimensionless quantity ($IQ_{zlo} \uparrow$);
3) an increase in the period spent on restoring the continuity of banking activity after the realization of RCa, in hours ($r \uparrow$);
4) a reduction of the time required for the manufacture and use of cyber-weapons for the realization of RCa (Hacking Services), in hours ($t \to 0$);
5) a reduction in the cost of production (acquisition) of H&S for the implementation of cyberattacks, in conventional monetary units ($d \downarrow$);
6) a reduction in the overhead costs of using H&S for a cybersecurity breach (Hacking Services), in conventional monetary units ($v \downarrow$).

“Cyber-weapons” is a generalized term proposed by the authors that covers a set of measures aimed at minimizing the possible consequences of the manifestation of RCa. The effectiveness of cyber-weapons ($ef$) is determined as follows:

$ef = \frac{n \cdot IQ_{zlo} \cdot r}{t \cdot d \cdot v}$ (4)

Thus, the ratio of formulas (3) and (4) allows us to determine the size of the reserve for cyber-risk within the OpR, that is, $RCa = K_{OpR} / ef$. The use of this relationship for managing the continuity of a credit institution’s activities may become the basis for estimating the capital reserved for RCa in the RBS.

A significant part of the space-time continuum must be scientifically investigated if one wishes to obtain reliable results; otherwise one might arrive at false conclusions [15, 20]. The mathematical representation of RCa can take the form of a model based on the classical “meeting problem” of probability theory (in our case, the meeting of a cybercriminal and an anti-hacker in the network). The opponents act in cyberspace independently at any time, and their presence in the network is discrete due to the human factor. Let

$S_1$ be event 1 (the penetration of the hacker into the LAN);
$S_2$ be event 2 (the exploitation of an RBS vulnerability);
$S_3$ be event 3 (the realization of a computer incident and the theft of money).

The event $S_1$ means a signal from the cybersecurity system and the start of the response process. The moments at which the above persons appear in the network are denoted $a$ and $b$, respectively, and are depicted on the axes $aOb$ (Fig. 2).

Fig. 2. Representation of the task in the Cartesian coordinate system

From the conditions of the task, the double inequalities follow:

$0 \le a \le S_3$ and $0 \le b \le S_3$.

The coordinates of any point in the square $S_1 S_3 A S_3$ satisfy these inequalities. Denote this square by $F$. The points of the figure $F$ have coordinates corresponding to the times at which the cybercriminal and the anti-hacker are online. A computer incident can be prevented as long as the difference between the presence of the opponents on the network is less than $S_2$, i.e.

$\begin{cases} b - a \le S_2, & \text{if } b \ge a, \\ a - b \le S_2, & \text{if } a \ge b. \end{cases}$ (5)

By the property of the absolute value of a number, system (5) is equivalent to the inequality

$|a - b| \le S_2$.

The coordinates of the meeting points of the opponents fall into the figure $S_1 S_2 B A C S_2$. Denote this hexagon by $f$. Then the probability of the realization of RCa is

$P_{RCa} = \frac{\text{area of } f}{\text{area of } F} = \frac{S_3^2 - (S_3 - S_2)^2}{S_3^2} = \frac{S_2 (2 S_3 - S_2)}{S_3^2}$ (6)

Accordingly, the probability of the opposite event (computer incident prevention, CIP) is

$P_{CIP} = 1 - P_{RCa}$ (7)

Let us consider how this model works “in numbers”. For example, suppose that the credit organization has determined in its information security (or cybersecurity) policy that the maximum response time to an information security incident is no more than 90 minutes, so that $S_3 = 90$. Let us compute the values of $P_{RCa}$ and $P_{CIP}$ by formulas (6) and (7) for different values of $S_2$ (Table I).

TABLE I. DETERMINING THE RESPONSE TO A COMPUTER ATTACK

$S_2$     | 2                                         | 45                                         | 85
$P_{RCa}$ | $\frac{2(2 \cdot 90 - 2)}{90^2} = 0.044$  | $\frac{45(2 \cdot 90 - 45)}{90^2} = 0.75$  | $\frac{85(2 \cdot 90 - 85)}{90^2} = 0.997$
$P_{CIP}$ | 0.956                                     | 0.25                                       | 0.003

From this we can determine the value of $S_2$ at which the realization and the prevention of RCa are equally probable, i.e. $P_{CIP} = P_{RCa} = 0.5$:

$\frac{x (2 \cdot 90 - x)}{90^2} = 0.5$,
$180 x - x^2 = 0.5 \cdot 90^2$,
$x^2 - 180 x + 4050 = 0$.

The roots of this equation are $x_1 = 153.6$ and $x_2 = 26.4$. The value $x_1 = 153.6$ does not satisfy the conditions of the task, because it exceeds $S_3 = 90$. Therefore, if the vulnerability of the RBS is exploited for no longer than $S_2 = 26.4$ minutes, the probability of preventing the incident exceeds the probability of its realization. In other words, the longer a vulnerability in BAS (including RBS) remains, the greater the chance of theft of money through its use.

Thus, the RCa assessment methodology proposed by the authors makes it possible to analyze information security incidents that happened earlier in order to determine their relative frequency, and then to forecast the incident response and optimize the response algorithm. Thanks to its implementation in the risk assessment methodologies used by cybersecurity units, it is possible to significantly increase the effectiveness of measures aimed at minimizing the possible consequences of the realization of RCa.
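The meeting-problem model of Section III worked through in code, as an added example that is not part of the original paper: it evaluates formulas (6) and (7), reproduces Table I for $S_3 = 90$ minutes, solves the quadratic for the break-even window $S_2$, and cross-checks the closed form by Monte Carlo sampling of the two arrival moments. The function names are this example's own assumptions, not the paper's notation.

```python
"""Geometric "meeting problem" model of Section III, as an added example.

This code is an illustration added to the text, not part of the original
paper. It evaluates formulas (6) and (7), reproduces Table I for S3 = 90
minutes, solves the quadratic for the break-even exploitation window S2
(the paper's x2 = 26.4) and cross-checks the closed form by sampling the
two arrival moments a, b uniformly on [0, S3]. Function names are this
example's own, not the paper's notation.
"""
import math
import random


def p_rca(s2: float, s3: float) -> float:
    """Formula (6): share of the square [0, S3]^2 (figure F) covered by the
    hexagon |a - b| <= S2 (figure f), i.e. S2 * (2*S3 - S2) / S3^2."""
    if s3 <= 0 or not 0 <= s2 <= s3:
        raise ValueError("need S3 > 0 and 0 <= S2 <= S3")
    return s2 * (2 * s3 - s2) / s3 ** 2


def p_cip(s2: float, s3: float) -> float:
    """Formula (7): probability of computer incident prevention."""
    return 1.0 - p_rca(s2, s3)


def break_even_s2(s3: float) -> float:
    """Exploitation window at which P_RCa = P_CIP = 0.5.

    S2*(2*S3 - S2)/S3^2 = 1/2  <=>  S2^2 - 2*S3*S2 + S3^2/2 = 0, whose roots
    are S3*(1 -/+ 1/sqrt(2)). Only the smaller root lies inside [0, S3]; the
    larger one is discarded, exactly as the paper discards x1 = 153.6 > 90.
    """
    roots = (s3 * (1 - 1 / math.sqrt(2)), s3 * (1 + 1 / math.sqrt(2)))
    feasible = [r for r in roots if 0 <= r <= s3]
    return feasible[0]


def prevention_favoured(s2: float, s3: float) -> bool:
    """True when the window S2 is short enough that P_CIP > P_RCa."""
    return p_cip(s2, s3) > p_rca(s2, s3)


def response_table(s3: float, windows) -> list:
    """Rows (S2, P_RCa, P_CIP) rounded to 3 decimals, as in Table I."""
    return [(s2, round(p_rca(s2, s3), 3), round(p_cip(s2, s3), 3))
            for s2 in windows]


def simulate_p_rca(s2: float, s3: float, trials: int = 100_000,
                   seed: int = 1) -> float:
    """Monte Carlo estimate of formula (6): draw the moments a and b of the
    two opponents independently and uniformly on [0, S3] (the square F) and
    count the share of draws that land in the hexagon |a - b| <= S2."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(trials)
               if abs(rng.uniform(0, s3) - rng.uniform(0, s3)) <= s2)
    return hits / trials


if __name__ == "__main__":
    S3 = 90.0  # policy: maximum incident response time, minutes
    print("S2   P_RCa  P_CIP")
    for s2, rca, cip in response_table(S3, (2, 45, 85)):
        print(f"{s2:<4} {rca:<6} {cip:<6}")
    s2_star = break_even_s2(S3)
    print(f"break-even S2 = {s2_star:.1f} min "
          f"(closed form {p_rca(s2_star, S3):.3f}, "
          f"simulated {simulate_p_rca(s2_star, S3):.3f})")
```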
IV. CONCLUSION

- new challenges and cybersecurity issues, which arise because credit and financial institutions and their customers use RBS, require continuous improvement of solutions and often a substantial revision of risk-management procedures, including the internal control procedures in cyberspace. This also requires mastering measures to increase cyber-literacy and to prevent the uncontrolled development of cyberspace (for example, financial literacy and the method of “blind” typing with ten fingers);
- the implementation of RBS allows credit organizations to significantly reduce operating expenses, but the work of the bank in cyberspace is associated with additional sources of typical banking risks, which include operational and legal risk, strategic and liquidity risk, and the risk of loss of business reputation;
- the accounting and evaluation of RCa on a risk-based approach should imply that each cause of the realization of RCa has a potential impact on the bank (associated with disruption of the continuity of banking activities, reduced quality of RBS, financial losses, etc.) [16]. Nevertheless, for a bank the size of the destructive consequences of the losses is more important than the reasons for the loss of money (non-repayment of a loan, a hacker attempt on the security system, etc.);
- the risk divisions of credit and financial organizations should include specialists who are able to assess cyber-risks, and the methodological support used to audit and resolve issues of levelling the possible consequences of the realization of RCa on the H&S of BAS must be updated in a timely manner;
- scientific research and development should be one of the “pillars” of the RCa management structure in the RBS.

The models proposed in this paper (assessing the capital reserved for RCa, and the task of the meeting of a cybercriminal and an anti-hacker in the network) are aimed at increasing the effectiveness of RCa management in the RBS.

REFERENCES

[1] M.A. Eskindarov, M.A. Abramova, V.V. Maslennikov et al., “The Directions of FinTech Development in Russia: Expert Opinion of the Financial University”. Mir novoy ekonomiki = World of new economy, vol. 12, no. 2, pp. 6-23, 2018. DOI: 10.26794/2220-6469-2018-12-2-6-23 (in Russian).
[2] Yu.A. Zelenkov, “Agility of enterprise information systems: a conceptual model, design principles and quantitative measurement”. Biznes-informatika = Business Informatics, no. 2 (44), pp. 30-44, 2018. DOI: 10.17323/1998-0663.2018.2.30.44 (in Russian).
[3] T.M. Kanner, “Features of advanced training of specialists in ensuring safety of significant objects of critical information infrastructure”. Bezopasnost' informatsionnykh tekhnologiy = IT Security, vol. 26, no. 3, pp. 22-31, 2019. DOI: http://dx.doi.org/10.26583/bit.2019.3.02 (in Russian).
[4] Dazhong Wu, Anqi Ren, Wenhui Zhang, Feifei Fan and Janis Terpenny, “Cybersecurity for digital manufacturing”. Journal of Manufacturing Systems, vol. 48, pp. 3-12, 2018. DOI: https://doi.org/10.1016/j.jmsy.2018.03.006.
[5] D.A. Melnikov, A.P. Durakovsky, S.V. Dvoryankin and V.S. Gorbatov, “Concept for Increasing Security of National Information Technology Infrastructure and Private Clouds”. Proceedings of the 2017 IEEE 5th International Conference on Future Internet of Things and Cloud (FiCloud), pp. 155-160, 2017. DOI: 10.1109/FiCloud.2017.11.
[6] Peterson K. Ozili, “Impact of digital finance on financial inclusion and stability”. Borsa Istanbul Review, vol. 18, iss. 4, pp. 329-340, December 2018. DOI: https://doi.org/10.1016/j.bir.2017.12.003.
[7] P.V. Revenkov, “Internal control in banks: Assessing the risk of cyber attacks”. Finansy i kredit = Finance and Credit, vol. 25, no. 3 (783), pp. 500-513, 2019. DOI: 10.24891/fc.24.11.2471 (in Russian).
[8] A.A. Berdyugin, “Development of algorithm for assessment risk of cyber attacks in electronic banking”. Bezopasnost' informatsionnykh tekhnologiy = IT Security, vol. 26, no. 2, pp. 86-94, 2019. DOI: http://dx.doi.org/10.26583/bit.2019.2.06 (in Russian).
[9] A. Savelyev, “Legal aspects of ownership in modified open source software and its impact on Russian software import substitution policy”. Computer Law & Security Review, vol. 33, iss. 2, pp. 193-210, April 2017. DOI: https://doi.org/10.1016/j.clsr.2016.11.014.
[10] V.B. Gisin and E.S. Volkova, “Internal rate of return of investment projects with fuzzy interactive payments”. Proceedings of the 2017 XX IEEE International Conference on Soft Computing and Measurements (SCM), pp. 731-733, 2017. DOI: 10.1109/SCM.2017.7970705.
[11] B.B. Slavin and A.B. Slavin, “Organizing the net-wide public expert evaluation based on collective intelligence technologies”. Management Sciences, vol. 8, no. 2, pp. 106-114, 2018. DOI: 10.26794/2404-022X-2018-8-2-106-114 (in Russian).
[12] O.I. Dolganova and E.A. Deeva, “Company readiness for digital transformations: problems and diagnosis”. Biznes-informatika = Business Informatics, vol. 13, no. 2, pp. 59-72, 2019. DOI: 10.17323/1998-0663.2019.2.59.72 (in Russian).
[13] V.V. Maslennikov, D.I. Korovin and O.N. Afanasyeva, “Refinancing as an element of control over inflation”. Entrepreneurship and Sustainability Issues, vol. 7, no. 1, pp. 438-453, 2019. DOI: 10.9770/jesi.2019.7.1(31).
[14] A.N. Biryukov, “How can an IT organization earn its customers’ trust: A practical approach”. Biznes-informatika = Business Informatics, vol. 13, no. 3, pp. 67-77, 2019. DOI: 10.17323/1998-0663.2019.3.67.77 (in Russian).
[15] Christina Y. Jeong, Sang-Yong Tom Lee and Jee-Hae Lim, “Information security breaches and IT security investments: Impacts on competitors”. Information & Management, vol. 56, iss. 5, pp. 681-695, 2019. DOI: https://doi.org/10.1016/j.im.2018.11.003.
[16] S.I. Koz'minykh, “Modelling the Provision of Information Security of the Object of the Credit and Financial Sphere”. Finansy: teoriya i praktika = Finance: theory and practice, vol. 22, no. 5 (107), pp. 105-121, 2018. DOI: 10.26794/2587-5671-2018-22-5-105-121 (in Russian).
[17] S.V. Konyavskaya, “Fundamentals of scientific research for information security specialists: on the approach to the textbook”. Bezopasnost' informatsionnykh tekhnologiy = IT Security, vol. 25, no. 3, pp. 6-15, 2018. DOI: http://dx.doi.org/10.26583/bit.2018.3.01 (in Russian).
[18] A.D. Gvishiani, F.S. Roberts and I.A. Sheremet, “On the assessment of sustainability of distributed sociotechnical systems to natural disasters”. Russian Journal of Earth Sciences, vol. 18, no. 4, ES4004, 2018. DOI: 10.2205/2018ES000627.
[19] N.I. Kasperskaya, V.V. Kuzmenko, D.A. Manannikov, R.N. Khairetdinov and A.Yu. Shcherbakov, “To the problem of assessing and ensuring the correctness of business processes”. Bezopasnost' informatsionnykh tekhnologiy = IT Security, vol. 26, no. 3, pp. 8-21, 2019. DOI: http://dx.doi.org/10.26583/bit.2019.3.01 (in Russian).
[20] A.V. Barabanov, A.S. Markov and V.L. Tsirlov, “Statistics of Software Vulnerability Detection in Certification Testing”. Journal of Physics: Conference Series, vol. 1015, p. 042033, 2018. DOI: 10.1088/1742-6596/1015/4/042033.
[21] S.V. Krivoruchko, V.E. Ponomarenko, V.A. Lopatin, M.V. Mamuta, A.V. Emelin, V.L. Dostov, T.R. Maklakova, T.S. Bragina and P.M. Shust, Increasing the availability of payment services through the development of user identification systems. Moscow: Scientific and Publishing Center INFRA-M, 157 p., 2019. DOI: 10.12737/monography_5bc4668ec191f5.05741010 (in Russian).
[22] Yun Zhang, Qingxiong Weng and Nan Zhu, “The relationships between electronic banking adoption and its antecedents: A meta-analytic study of the role of national culture”. International Journal of Information Management, vol. 40, pp. 76-87, June 2018. DOI: https://doi.org/10.1016/j.ijinfomgt.2018.01.015.
[23] Probabilistic Modeling in System Engineering, ed. A. Kostogryzov. London: IntechOpen, 2018. 278 p. DOI: 10.5772/intechopen.71396.