Analysing information security in a bank using soft systems methodology

Damenu Temesgen Kitaw, Chris Beaumont

Research output: Contribution to journalArticle

29 Downloads (Pure)

Abstract

Purpose –This paper explores the use of Soft Systems Methodology (SSM) to analyse the socio-technical information security issues in a major bank. Design/methodology/approach – Case study research was conducted on a major bank. Semi-structured interviews with a purposive sample of key stakeholders in the business, comprising senior managers, security professionals and branch employees were conducted. Findings – SSM was particularly useful for exploring the holistic information security issues, enabling models to be constructed which were valuable analytical tools and easily understood by stakeholders, which increased the receptiveness of the bank, and assisted with member validation. Significant risks were apparent from internal sources with weaknesses in aspects of governance and security culture. Research limitations/implications – This research uses a single case study and whilst it cannot be generalised, it identifies potential security issues others may face and solutions they may apply. Practical implications - Information security is complex and addresses technical, governance, management and cultural risks. Banking attacks are changing, with greater focus on employees and customers. A systemic approach is required for full consideration. SSM is a suitable approach for such analysis within large organisations. Originality/value – Demonstrates how important benefits can be obtained by using SSM alongside traditional risk assessment approaches to identify holistic security issues. A holistic approach is particularly important given the increasing complexity of the security threat surface. Banking was selected as a case study since it is both critical to society and is a prime target for attack. Furthermore, developing economies are under-represented in information security research, this paper adds to the evidence base. Since global finance is highly interconnected, it is important that banks in such economies do not comprise a weak link and hence results from this case have value for the industry as a whole.
Original languageEnglish
Pages (from-to)240-258
JournalInformation and Computer Security
Volume25
Issue number3
Early online date31 Jul 2017
DOIs
Publication statusE-pub ahead of print - 31 Jul 2017

Fingerprint

Security of data
Personnel
Finance
Risk assessment
Industry
Managers
Soft systems methodology
Security issues
Information security
Attack
Stakeholders
Banking
Governance
Employees

Keywords

  • Information Security Management System (ISMS)
  • Soft Systems Methodology (SSM)
  • Socio-technical Risks
  • Banking Security
  • Security Governance
  • Information Security Culture.

Cite this

Temesgen Kitaw, Damenu ; Beaumont, Chris. / Analysing information security in a bank using soft systems methodology. In: Information and Computer Security. 2017 ; Vol. 25, No. 3. pp. 240-258.
@article{3d505c03244a4e6bacfa8da866e52c24,
title = "Analysing information security in a bank using soft systems methodology",
abstract = "Purpose –This paper explores the use of Soft Systems Methodology (SSM) to analyse the socio-technical information security issues in a major bank. Design/methodology/approach – Case study research was conducted on a major bank. Semi-structured interviews with a purposive sample of key stakeholders in the business, comprising senior managers, security professionals and branch employees were conducted. Findings – SSM was particularly useful for exploring the holistic information security issues, enabling models to be constructed which were valuable analytical tools and easily understood by stakeholders, which increased the receptiveness of the bank, and assisted with member validation. Significant risks were apparent from internal sources with weaknesses in aspects of governance and security culture. Research limitations/implications – This research uses a single case study and whilst it cannot be generalised, it identifies potential security issues others may face and solutions they may apply. Practical implications - Information security is complex and addresses technical, governance, management and cultural risks. Banking attacks are changing, with greater focus on employees and customers. A systemic approach is required for full consideration. SSM is a suitable approach for such analysis within large organisations. Originality/value – Demonstrates how important benefits can be obtained by using SSM alongside traditional risk assessment approaches to identify holistic security issues. A holistic approach is particularly important given the increasing complexity of the security threat surface. Banking was selected as a case study since it is both critical to society and is a prime target for attack. Furthermore, developing economies are under-represented in information security research, this paper adds to the evidence base. Since global finance is highly interconnected, it is important that banks in such economies do not comprise a weak link and hence results from this case have value for the industry as a whole.",
keywords = "Information Security Management System (ISMS), Soft Systems Methodology (SSM), Socio-technical Risks, Banking Security, Security Governance, Information Security Culture.",
author = "{Temesgen Kitaw}, Damenu and Chris Beaumont",
year = "2017",
month = "7",
day = "31",
doi = "10.1108/ICS-07-2016-0053",
language = "English",
volume = "25",
pages = "240--258",
journal = "Information and Computer Security",
issn = "2056-4961",
publisher = "Emerald",
number = "3",

}

Analysing information security in a bank using soft systems methodology. / Temesgen Kitaw, Damenu; Beaumont, Chris.

In: Information and Computer Security, Vol. 25, No. 3, 31.07.2017, p. 240-258.

Research output: Contribution to journalArticle

TY - JOUR

T1 - Analysing information security in a bank using soft systems methodology

AU - Temesgen Kitaw, Damenu

AU - Beaumont, Chris

PY - 2017/7/31

Y1 - 2017/7/31

N2 - Purpose –This paper explores the use of Soft Systems Methodology (SSM) to analyse the socio-technical information security issues in a major bank. Design/methodology/approach – Case study research was conducted on a major bank. Semi-structured interviews with a purposive sample of key stakeholders in the business, comprising senior managers, security professionals and branch employees were conducted. Findings – SSM was particularly useful for exploring the holistic information security issues, enabling models to be constructed which were valuable analytical tools and easily understood by stakeholders, which increased the receptiveness of the bank, and assisted with member validation. Significant risks were apparent from internal sources with weaknesses in aspects of governance and security culture. Research limitations/implications – This research uses a single case study and whilst it cannot be generalised, it identifies potential security issues others may face and solutions they may apply. Practical implications - Information security is complex and addresses technical, governance, management and cultural risks. Banking attacks are changing, with greater focus on employees and customers. A systemic approach is required for full consideration. SSM is a suitable approach for such analysis within large organisations. Originality/value – Demonstrates how important benefits can be obtained by using SSM alongside traditional risk assessment approaches to identify holistic security issues. A holistic approach is particularly important given the increasing complexity of the security threat surface. Banking was selected as a case study since it is both critical to society and is a prime target for attack. Furthermore, developing economies are under-represented in information security research, this paper adds to the evidence base. Since global finance is highly interconnected, it is important that banks in such economies do not comprise a weak link and hence results from this case have value for the industry as a whole.

AB - Purpose –This paper explores the use of Soft Systems Methodology (SSM) to analyse the socio-technical information security issues in a major bank. Design/methodology/approach – Case study research was conducted on a major bank. Semi-structured interviews with a purposive sample of key stakeholders in the business, comprising senior managers, security professionals and branch employees were conducted. Findings – SSM was particularly useful for exploring the holistic information security issues, enabling models to be constructed which were valuable analytical tools and easily understood by stakeholders, which increased the receptiveness of the bank, and assisted with member validation. Significant risks were apparent from internal sources with weaknesses in aspects of governance and security culture. Research limitations/implications – This research uses a single case study and whilst it cannot be generalised, it identifies potential security issues others may face and solutions they may apply. Practical implications - Information security is complex and addresses technical, governance, management and cultural risks. Banking attacks are changing, with greater focus on employees and customers. A systemic approach is required for full consideration. SSM is a suitable approach for such analysis within large organisations. Originality/value – Demonstrates how important benefits can be obtained by using SSM alongside traditional risk assessment approaches to identify holistic security issues. A holistic approach is particularly important given the increasing complexity of the security threat surface. Banking was selected as a case study since it is both critical to society and is a prime target for attack. Furthermore, developing economies are under-represented in information security research, this paper adds to the evidence base. Since global finance is highly interconnected, it is important that banks in such economies do not comprise a weak link and hence results from this case have value for the industry as a whole.

KW - Information Security Management System (ISMS)

KW - Soft Systems Methodology (SSM)

KW - Socio-technical Risks

KW - Banking Security

KW - Security Governance

KW - Information Security Culture.

U2 - 10.1108/ICS-07-2016-0053

DO - 10.1108/ICS-07-2016-0053

M3 - Article

VL - 25

SP - 240

EP - 258

JO - Information and Computer Security

JF - Information and Computer Security

SN - 2056-4961

IS - 3

ER -