A multi-level approach to understanding the impact of cyber crime on the financial sector
Introduction
Human dependency on digital communication and other networked technologies for tasks ranging from simple web browsing for information to far more important and critical tasks, such as monetary transactions and power grid control and operation, has steadily increased since the initiation of the Internet. This dependency has translated into a growing emphasis on the strategic importance of cyberspace to enable achieving fundamental objectives in contemporary societies: innovation, collaboration, productivity, competitiveness and leadership (Sharma, 2010). The expansion of cyber functionalities has, however, also opened up new opportunities for people to carry out criminal activities online, and/or to use the Internet as a medium for their criminal objectives. The advantages of the Internet come with risks. While organisations and individuals are exploiting its business benefits they may not realise that cyberspace confers the same benefits on those who wish to attack them. Hacker groups, criminal organisations and espionage units worldwide have access to powerful, evolving capabilities, which they use to identify, target and attack their victims. They even have well-developed market places for buying and selling the tools and expertise used to target and execute cyber attacks. These attacks do not only represent technological threats. If we accept the argument that modern, economically developed societies are increasingly becoming ‘information societies’, then, it follows that threats to information can be seen as threats to the core of these societies (Eriksson and Giacomello, 2006).
Although nobody disputes the importance of protecting cyberspace from criminal activities, our understanding of cyber crime and its consequences, both economical and social, is still limited. The literature on cyber crime is vast, but still theoretically thin and underdeveloped. This is because there are still many different perspectives and a lack of consensus on many fundamental aspects of cyber crime. Thus lack of consensus extends to definitions, classifications, economic implications, security standards and solutions. Furthermore, among the factors undermining our appreciation of cyber crime and its impact are intangible pre-conditions, such as lack of awareness, general fears and feelings of insecurity as well as perceptions of trust, risks and ‘the virtual world’1 These intangible pre-conditions can themselves have significant consequences.
Experience of cyber crime can also be fragmented. Experience might be spread across the different levels of the value network2 and of society. The different actors involved each holding only part of the overall ‘puzzle’, might often be unable or unwilling to share their knowledge for fear of perceived consequences. Because of this fragmentation, and given the existence of the intangible pre-conditions referred to above, more flexible and multi-level approaches are needed in order to appreciate the complexity of cyber crime activities and their consequences.
As part of the emerging debate about the need to embrace more complex and interactive models for assessing the impact of cyber crime (Anderson et al., 2008) this article suggests a multi-level approach aimed at mapping and at shedding further light on the interaction of both interdependent and differentiated factors, which together can facilitate or deter cyber crime, while increasing and/or decreasing its economic and social costs. This approach makes use of system dynamics (Forrester, 1958) methodologies. Although system dynamics models are neither a panacea nor always appropriate, we demonstrate they provide a useful methodology that has not been sufficiently exploited in the context of cyber crime analyses. In this article we analyse cyber crime in the financial sector by adopting a multi-level approach, based on system dynamics theory. We have selected this sector because financial services and products, notably card payments, are a major target of cyber criminals (Trustwave, 2012).
The structure of this article is as follows:
- -
Section 2 briefly reviews the existing debate and research on the consequences of cyber crime, while identifying existing research challenges and gaps.
- -
Section 3 introduces the system dynamic approach and briefly discusses the definitions, the data for the model and model development.
- -
Section 4 presents some of the results and insights on the impact of cyber crime on the financial sector as emerging from the developed multi-level model.
Many of the issues covered in this article are still under development and are the subject of continuing dispute among specialists. Our aim is to contribute to the debate on, and examination of, these issues rather than provide conclusive answers.
Section snippets
The impact of cyber crime: state of the play and challenges
The notion of cyber crime, referring to “criminal acts committed using electronic communications networks and information systems or against such networks and systems” (European Commission, 2007, p2)3
A system dynamic framework to assess the impact of cyber crime on the financial sector
This section considers why a system dynamics approach is suitable for studying the impact of cyber crime and briefly discusses the system dynamics method, the definitions and data used, and the model development phase.
Model results
We now discuss the final results of our SD model, implementing a CLD approach. We have developed our model in Vensim PLE6 and focused on all the types of cyber crime from the taxonomy that are relevant to the financial sector (as discussed in Section 3.5 above). As underlined in Section 3.5, the causal relationships and feedback loops built into the model are all taken from the integration of insights emerging from the survey and
Conclusions
In this article, we have described a SD framework, based on the CLD approach. It aims to understand the impact of cyber crime on the financial sector. Our results show that shifts in strategic priorities, having the protection of customer trust and/or loyalty as a key objective, together with considerations related to market positioning vis-à-vis competitors, are very important factors in determining the cost of cyber crime. Most of these costs are not driven by the number of cyber crime
Acknowledgements
The paper draws on research performed for the European Commission under Grant Agreement numbers: SEC-2011.6.3-1 and SEC-2013.2.5-2. The authors prepared the paper based on research on behalf of Trilateral Research & Consulting LLP in collaboration with the London School of Economics. The authors also acknowledge discussion of elements in this paper with David Wright and Kush Wadhwa and editing comments from Andrew Neish.
Monica Lagazio is a partner at Trilateral Research & Consulting. Her work focuses on security and resilience, risk and foresight, data and information strategy, and policy development and evaluation. Before joining Trilateral, she held senior executive positions as EMEA Head of Analysis and Insights at PayPal, Lead for Consumer Insights at Mouchel and UK and Ireland Lead for Strategic Analytics and Insights at Accenture working on innovation, risk management, consumer insights and data strategy.
References (39)
Pattern of global cyber war and crime: a conceptual framework
J Int Manag
(2005)Why information security is hard. an economic perspective
- et al.
Security economics and European policy
- et al.
Measuring the Cost of Cyber crime
- et al.
ITU study on the financial aspects of network security: malware and spam
(2008) - et al.
The ‘moment of truth’ in customer service
(February 2006) Crime and punishment: an economic approach
J Political Econ
(1968)- et al.
Visible thinking: unlocking causal mapping for practical business results
(2004) The cost of cybercrime
(2011)- et al.
The information revolution, security, and international relations: (IR)relevant theory?
Int Political Sci Rev
(July 2006)
Towards a general policy on the fight against cyber crime
Special Eurobarometer 390 Cyber security
Industrial dynamics: a major breakthrough for decision makers
Harv Bus Rev
Counterintuitive behaviour of social systems
Technol Rev
Strategic cyber security
Managing cybersecurity resources: a cost-benefit analysis
Sex, lies and cyber crime surveys
Cyber security strategy
Cited by (0)
Monica Lagazio is a partner at Trilateral Research & Consulting. Her work focuses on security and resilience, risk and foresight, data and information strategy, and policy development and evaluation. Before joining Trilateral, she held senior executive positions as EMEA Head of Analysis and Insights at PayPal, Lead for Consumer Insights at Mouchel and UK and Ireland Lead for Strategic Analytics and Insights at Accenture working on innovation, risk management, consumer insights and data strategy.
Nazneen Sherif is an Associate Technical Editor at Incisive Media. Her work focuses on risk analysis and risk management. Before joining Incisive Media, she worked as Associate Analyst in the risk strategy function of HSBC Global Technology in India. Nazneen holds a MSc in Decision Science from LSE (London School of Economics and Political Science) and a Bachelor of Technology (B.Tech.) from the National Institute of Technology Karnataka.
Mike Cushman is a Research Fellow and Information and Communication Manager within the Department of Management at the LSE (London School of Economics and Political Science). His current research is into how ICTs can exacerbate or mitigate social exclusion. He also maintains an interest in the application of problem structuring methods to novel situations. He has developed the use of PSMs in a number of areas, including: for learning from project experience; for the re-organization of children's health services; for understanding perceptions of community services; and for the re-routing of the Notting Hill Carnival.