Research Agenda for the Banking and Finance Sector
Full Title of Reference
Research Agenda for the Banking and Finance Sector
Full Citation
Fin. Servs. Sector Coordinating Council for Critical Infrastructure Prot. and Homeland Sec., Research Agenda for the Banking and Finance Sector (2008). Web
Categorization
- Overview: Independent Reports
- Threats and Actors: Financial Institutions and Networks
- Issues: Metrics; Risk Management and Investment
Key Words
Cyber Crime, Patching, Research & Development, Software Vulnerability, Transparency,
Synopsis
The Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC) supports research and development initiatives to protect the physical and electronic infrastructure of the Banking and Finance Sector, and to protect its customers by enhancing the Sector’s resilience and integrity. The FSSCC established the Research and Development Committee (”R&D Committee”) in 2004 as a standing committee to identify priorities for research, promote development initiatives to significantly improve the resiliency of the Financial Services Sector, engage stakeholders (including academic institutions and government agencies), and coordinate these activities on behalf of the Banking and Finance Sector. This research agenda is intended as a “living” document and has been updated to reflect advances in technology and the changing threat environment. The R&D Committee revised the priorities paper in early 2008 by consolidating nine research and development challenges into seven, re-evaluating the priority order, and seeking input from experts in academia, government, financial services and information technology communities.
The following are the top priorities identified by the Research and Development Committee of the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security:
Advancing the State of the Art in Designing and Testing Secure Applications
Software applications are complex and often insecure and thus introduce vulnerabilities. Historically, acquisition requirements have favored functionality over security which has led to a state of software development that often does not emphasize security. Financial institutions have begun demanding more secure application development. Because financial institutions often cannot be sure that their applications are secure, they must develop and implement costly and inefficient compensating controls. Financial institutions need a robust, effective, affordable, and timely security testing methodology, and practice to gain the confidence required to deploy application software into sometimes-hostile environments for purposes of practical and appropriate risk management. Research is needed to develop effective procurement standards, software developer education, and testing guidelines. In addition, research is needed to develop tools for producing, measuring and testing secure application software.
More Secure and Resilient Financial Transaction Systems
The Financial Services industry is dependent upon information technology infrastructure, much of which is owned and operated by third parties outside the financial services industry. This infrastructure is constantly under attack by hackers and identity thieves who seek to exploit vulnerabilities in networks, devices and applications for financial gain. Research is needed to better understand these threats, improve the security and resiliency of the financial transaction infrastructure, enhance the protections available to prevent the increasingly common downloads of malware by criminal elements that bypass existing defenses such as anti-virus and anti-spyware, and to develop metrics to evaluate the resiliency of the information technology infrastructure.
Enrollment and Identity Credential Management
The financial services industry depends on the ability of financial institutions to identify, authenticate and authorize customers before accessing information and conducting transactions through remote channels where direct human interaction is not possible. Inadequate controls can leave financial institutions and their customers vulnerable to attacks. Research is needed to study how to make the identity management process better and less susceptible to social engineering attacks. Understanding the Human Insider Threat. Financial institutions must trust employees who have access to sensitive personal and financial information. Current strategies for identifying trustworthy candidates rely upon historical methods such as background and credit history checks as well as identity confirmation. Such methods often do not sufficiently identify insider-fraud perpetrators ahead of time and can be costly to maintain. Research is needed to develop holistic solutions to the insider-authentication problem, including the development of a data frame to predict the likelihood of insider attacks based on differing scenarios, or the development of continuous, unobtrusive monitoring to reduce the risks posed by insiders.
Data Centric Protection Strategies
To maintain trust and the integrity of data, financial institutions must protect sensitive data but also share it with third parties, such as merchants and processors. Increasingly, devices and networks are vulnerable to malicious code or data breaches. Research is needed to develop secure data file and document tagging technologies to classify information, and to enforce rules on access so that sensitive information is protected as intended by its original owner, regardless of where it traverses.
Better Measures of the Value of Security Investments
Traditionally, investment decisions surrounding security implementations have followed a “Return on Investment” (ROI) decision making process. The ROI model does not always fit well into the security space because it can be difficult to quantify hypothetical losses averted through increased security. The creation of cost-benefit models for security spending might be more appropriate because they would take into account intangible benefits such as increased customer confidence and decreased brand exposure. Research is needed to quantify the costs and benefits of security investments using models that are understood by financial risk managers. Development of Practical Standards. The financial services industry relies on numerous standards and practices but has not succeeded in developing quantifiable measures for how these standards and practices reduce risk and enhance resiliency of critical infrastructures. Research is needed to measure the impact of standards and practices.
Additional Notes and Highlights
Expertise Required: None