Content uploaded by Adel Ismail Al-Alawi
Author content
All content in this area was uploaded by Adel Ismail Al-Alawi on Mar 18, 2021
Content may be subject to copyright.
The Significance of Cybersecurity System in Helping
Managing Risk in Banking and Financial Sector
Prof. Adel Ismail AL-ALAWI*
University of Bahrain, College of Business Administration,
Department of Management and Marketing
P.O. Box 32038,
Kingdom of Bahrain
*Corresponding Author
Ms. Sara Abdulrahman AL-BASSAM
Arabian Gulf University, College of Graduate Studies,
Department of Innovation & Technology Management
Arabian Gulf University,
P.O. Box 26671, Kingdom of Bahrain
Abstract:
The purpose of this study is to demonstrate the significant effect and the benefits of applying cybersecurity in the
organization's systems, focusing on the banking sector. Also, this study aims to encourage the application of
cybersecurity in order to maintain information safely as well as managing information risk effectively. However,
many banking and financial organizations are still conservative regarding the application and use of cybersecurity. In
fact, these financial institutions may be unaware of the benefits associated with cybersecurity. Additionally, the
increased costs of its application could be a reason for its rejection. Accordingly, several questions were raised to
determine the level of knowledge and skills related to cybersecurity in these banks.
Methodology - To answer the research questions, an online questionnaire was distributed to 100 bankers in 26 banks,
and only 35 responded, from Conventional banks, Islamic Banks, Insurance Companies, Investment Banks, and
Capital Market. They were advised to forward the survey hyperlink to their coworkers and colleagues in the same
and different banking and finance sectors. The majority, almost 87%, were from Conventional and Islamic
banks. Subsequently, results were obtained and analyzed using Google Forms.
Findings - The questionnaire aimed to identify the types of risks that have affected financial institutions in Bahrain
and the frequency of occurrence. Respondents stated that banks are exposed to three main risks, which are online
identified theft, deliberately damaging computers’ systems, and hacking. In addition, banks are facing cyber-attacks
frequently. About 26% of financial institutions encountered online identified theft, while 23% experienced
intentional damages to computer systems, and 11% faced hacking attempts. This variety of cyber threats is evidence
that cybersecurity is escalating and evolving, at least quarterly, to the extent that it is disrupting operations. The
questionnaire was targeted to investigate the role of the board of directors and other executive directors in eliminating
the threats of cyber-attacks. Consistently, the results showed that cyber-attacks are immediately reported to the board
of directors to take further actions. The respondents also agreed that the board of directors expresses its deep concern
about these attacks and puts forward different attempts to reduce cybersecurity risks. The study shows that the
enforcement of security policies, providing security with appropriate funding and mandating security awareness
training is among the most utilized methods by the board of directors and executive managers to reduce cyber
risks. An important factor to determine the effectiveness of the cybersecurity method adopted is the knowledge and
skills of the team of employees that deal with cyber attempts. Furthermore, the result shows that the significant skills
gap that the organization sees in its employees is the lack of the essential technical skills that all employees should
have to respond to the various cyber-attacks. Also, the results revealed that communication is another skill that the
employees lack. Without these two critical skills, the organization will face difficulties in responding to complex or
even simple issues.
Recommendations - As cybersecurity issues continue to evolve, they are now the core focus of financial institutions
boards of directors (BOD). Consequently, a variety of recommendations were proposed for banks, including the need
to enhance the awareness of cybersecurity as well as improving employees’ technical skills.
Research limitations - A number of limitations were faced by this study; the main restriction was the limited number
of responses and the amount of feedback collected from the questionnaire, as more responses would have added a
higher value for this study.
Research value - Despite the limitations, the study enhanced our understanding of cybersecurity and its importance
for institutions of the banking sector, as they can use these results as guidelines for improving their employees’ skills
in detecting various cyber-attacks. In addition, these findings are of significant importance in extending the
knowledge of cybersecurity and its impact on these financial institutions. Furthermore, banks can be assisted by this
study as it provides beneficial recommendations regarding cybersecurity.
Journal of Xidian University
VOLUME 14, ISSUE 7, 2020
ISSN No:1001-2400
http://xadzkjdx.cn/
https://doi.org/10.37896/jxu14.7/174
Keywords: Cyber Security, Risk, Security, Cyber-attacks, Banking and Financial Sector, Cyber threats, Bahrain
Introduction
With the rapid growth in the technological environment nowadays, many organizations, whether large or small, have
full reliance on the use of information systems in their daily operations, which creates a need for the organization to
take into consideration effective strategies regarding information security in order to protect the institution’s sensitive
and valuable databases from being stolen or attacked by cybercriminals.
The global banking system has faced significant changes within the last few years in terms of processes, transactions,
and operations, which are influenced by technology and its innovations within recent trends. However, there are
specific concerns within systemic operations and information technology innovation. Banks are depending on third-
party systems to offer several digital services. Thus they depend on systems that are out of their control. This has
raised the awareness of hackers and criminals of technological threats and weaknesses that would allow them to hack
banking systems and steal valuable information and funds. Cyber threats and attacks are challenging due to the rapid
change in technologies. Banks should take into consideration cyber-attacks in order to protect their clients; the study
will provide a base for future studies in terms of threats and strategies against cyber-attacks and to examine protection
strategies implemented by banks, and awareness that banks and clients are familiar with in terms of cyber threats and
security.
Cybersecurity is a process designed to defend the computers, servers, networks, and digital data from unauthorized
access and destruction or attack in cyberspace. Organizations must be concerned about the safeguarding of their
financial data, intellectual properties, and their reputation as a crucial part of their business strategy. The goals of
businesses and governments in their use of the cybersecurity component are not only to protect their confidential
information but also to ensure the availability of the information and maintain its integrity.
As information security is part of the national security of any country, many countries try to develop a comprehensive
strategy to ensure information security in cyberspace. Many countries have realized that the technological boom leads
to security challenges for the nation and citizens, so they must work to ensure the security of information through
cybersecurity, which depends on the means of technical and legal resistance to the illegal use of information.
According to a study, the Cyber Security Centre of UK Government (2017) stated that nearly 50% of UK companies
were affected by cyber breaches or attacks in the last year. Despite this, the UK Government has promised to put in
$2.5 billion to defend the country from cyber-attacks to help prepare and make the UK the securest area to live in and
to conduct business online. Institutions must take the initiative to secure digital consumer data. They are providing
cyber awareness programs, e-Training, foundation cyber courses, and free consultations.
However, the government expert in the Kingdom of Bahrain has noted that the phenomenon of cybersecurity tasking
will be soon undertaken in the Kingdom; moreover, the country has already started a cybersecurity awareness
campaign within the government as well as organizations to explain how cybersecurity is needed as a protection
against any online risk or threats, and about the need for the right infrastructure in order to protect the government
and organizations from data breaches. Nonetheless, the government stated that it may take around four years to hire
this IT-security as well as to train their staff to build them up with a good cybersecurity knowledge.
Despite the prominent role of the government in working on the application of this strategy in Bahrain over recent
years through active participation in regional conferences and raising awareness among citizens (Al-Alawi, 2005), the
successful implementation requires concerted efforts and cooperation of all parties, whether government
organizations, private sector or international parties.
Nevertheless, cybersecurity is a key concept to introduce in many organizations due to the increased reliance on
technology in conducting business. Thus, firms across the world need to be aware of the significance and application
of cybersecurity. One of the main objectives of cybersecurity is to protect the data and information from illegal theft
and damages as these acts have increased widely in recent years. Some of the advantages of cybersecurity are to
facilitate the work of the organization, increase customer satisfaction, reduce paperwork, and to improve cash flow,
safety, and security. At the same time, the disadvantages are such as fraud risk, legal risk, and technical risk.
According to ISACA (2017), the phrases “cybersecurity” and “information security” are frequently used
interchangeably, but in actuality, cybersecurity is a part of information security. In particular, the phrase
‘cybersecurity practice’ is used as an alternative expression for IT security and information risk management. Nevertheless,
cybersecurity is referred to as part of information technology security, and it primarily focuses on the protection of
computers, programs, and digital data and assets from unauthorized access or destruction. Usually, cybersecurity
signifies what might be anticipated to preserve and safeguard institutions and people from planned “attacks, breaches,
incidents and consequences”.
Nowadays, the study of cybersecurity is of great significance as it is known that the government, corporations, and
financial institutions deal with confidential information via information technology and at times transfer data
across networks to other computers. So the data needs to be safeguarded. To deal with this at first, every
organization should have a process for identifying cybersecurity risks which can be identified through
classified information, tools to measure risk, communicate risk and identify threats.
After the identification of risks, the firm must take an overview of the capability of protecting and
maintaining the systems and devices. However, evolving risks of cyber-attacks and new fraud patterns are
met with the new and evolving ways of meeting consumer demands.
The purpose of this study is to demonstrate the significant effect and the benefits of applying cybersecurity in the
organization’s systems, focusing on the banking sector. Also, this study aims to encourage the application of
cybersecurity in order to maintain information safely as well as managing information risk effectively. However,
many organizations are still conservative regarding the application and use of cybersecurity. In fact, these
organizations may be unaware of the benefits associated with cybersecurity. Additionally, the increased costs of its
application could be a reason for its rejection.
Financial institutions hold valuable information about their clients and huge amounts of funds; this creates threats due
to the rise of technical abilities within banking transactions and operations. Criminals and hackers are aware of these
threats. They can use technological processes to attack the cybersecurity of the financial institutions and steal clients’
information and funds in cases of breaching. Cyber threats are considered to be a massive issue within the banking
sector, and thus banks should be up to date with new technological trends to protect their data. There is a lack of
knowledge skills, top management support, and cybersecurity workers’ skills of professionalism in the field.
This study raises the following questions:
To what extent are banks confident of their cybersecurity knowledge and skills?
How does the organization’s executive team in the banking sector support the implementation of
cybersecurity?
What are the crucial skills of cybersecurity professionals?
How do these organizations develop the required skills for cybersecurity in their employees?
To what extent is cybersecurity able to detect threats?
In order to answer the previous questions, a questionnaire is distributed to 26 financial institutions classified as
Conventional banks, Islamic Banks, Insurance Companies, Investment Banks, Capital Market and Specialized Banks
located in the Kingdom of Bahrain, to be filled by their managers and employees. Subsequently, data collected is
analyzed to enhance the significance of this study as well as answering the proposed questions.
This study is mainly limited by the constraints of time. Additional time would have enabled the research to go into
more detail. Moreover, the limited number of studies conducted in this field formed a restriction on the amount of
available data considering cybersecurity. Furthermore, the amount of feedback obtained from the questionnaire
formed a limitation for this study.
The present study comprises five sections. Following this introduction is the review of related literature, with the
methodology in the third section, results and discussion in the fourth section, and finally, recommendations and
conclusion in the fifth section.
Literature Review
Introduction
Over the past decades, the primary concern of a financial institution’s security system was to secure its physical data
and its buildings. Today, in contrast, the continuously evolving technology has played a significant role in
transforming the classical business functions to be highly innovative and facilitate the bank’s operations. However, a
high technology oriented institution may encounter various challenges, many of which can lead to information
breaches and hackers’ attempts to destroy valuable assets. As a result, financial institutions are required to be
cautious and observant of such threats through the adoption of cybersecurity systems to manage and control these
risks.
The Status of Cybersecurity in Banking
BBA and PWC (2014) stated that cyber threat has spread across the world, and thus strategies should be implemented
in order to overcome the threats. Banks’ cyber responsibilities are divided within its various departments, which
could cause some difficulties in figuring out and prioritizing threats as well as which procedures should be taken to
respond to threats (Al-Alawi, Al-Bassam & Mehrotra, 2020). Furthermore, intrusion into the banking system is
considered to be the highest attack because it can steal, modify, and delete the bank’s data. Hackers can control the
banking network by taking advantage of the hardware, software, and human vulnerabilities, thus resulting in
catastrophic consequences. The effect of security attacks on the bank includes damages to the bank’s reputation,
affecting the stability of the financial market and influencing share prices.
Summerfield (2014) argued that digital technology has a significant impact on the banking sector. Financial
institutions depend heavily on third parties in terms of technological and digital solutions to carry out transactions and
operations. Therefore, banks had upgraded to technological aspects to raise their efficiency. Regardless of the
positive effects of technology within the banking sector, there are a number of negative effects of technology,
including cyber-crimes, which have been increasing recently. Summerfield (2014) added that the world’s top 50
banks’ websites had been attacked, which has caused losses equal to $1 billion annually. Cybersecurity can be a
competitive advantage to banks, and thus, banks should increase security measures to protect their data and gain
customers’ trust.
Cawley (2017) explained that the banking sector is fighting to keep pace with high trends of technological
innovations, especially with regulations related to operations of the banking system. The technological inheritance is
an inconvenience to clients and has key security risks for banks and their clients. Cawley stated that two-factor
authentication, for instance, is a security implementation against cyber-attacks to protect the bank accounts of clients.
Banks would send codes to clients’ mobiles prior to log-in; in this case, attackers would need access to both the mobile
and the computer to reach the account information and financial transactions. Regardless of the effectiveness of
the procedure, several financial institutions are not using two-factor authentication in order to secure the banking
accounts and information of their clients. He explained the situation in a Bangladeshi bank, which has vulnerabilities
within the computer system of the bank. They detected malware in the customer computer system; attackers use this
malware to bypass risk controls and start the process of transferring funds. Kuepper (2017) argued that clients
experience low losses from banking cyber-attacks because they would quickly respond to missing funds by informing
the bank. In the USA, the law requires banks to refund the client in the case of theft of funds from their account
without their authorization, in the case where the client has notified the bank of the loss within 60 days of the
transaction.
McGoogan (2017) indicated in The Telegraph that fraud from financial cyber-attacks against banking and financial
services institutions cost end-users more than $10.5bn in 2016, and it increased by 122% from the previous year.
Online transactions increased by 10% for the same period. Therefore, online creditors are under intensifying stress
to implement stronger and smarter authentication mechanisms to accelerate authentic and proper loans and terminate
fraud. Table 1 illustrates the ten most common cyber-crimes in the UK, with the number of cases reported in the year to
June 2016 by McGoogan (2017).¹
¹ Office for National Statistics https://www.ons.gov.uk
Table 1: The Ten Most Common Cyber-crimes in the UK based on the actual data from the Office for National
Statistics

| No | Common Cyber-Crime | No of Reported Cases | Remarks |
|----|--------------------|----------------------|---------|
| 1 | Bank account fraud | 2,356,000 | 25% of customers opened “Phishing” emails. |
| 2 | Non-investment fraud | 1,280,000 | A Ponzi scheme is a fake investing scam guaranteeing huge percentage of return with barely any risk to investors. The Ponzi scheme generates high returns for earlier investors by securing new investors and will eventually collapse as a result. |
| 3 | Computer virus | 1,340,000 | Unauthorized software such as Ransomware which asks for ransom to recover your system again. |
| 4 | Hacking | 681,000 | Hacking is unauthorized accessing to information systems resources. Hackers are criminals who abuse security weakness to illegally access to the network to steal sensitive information and send spam. |
| 5 | Advance fee fraud | 117,000 | The victim is ensured access to a significant share of a huge amount of money, in return for a small straightforward payment. |
| 6 | Other fraud | 116,000 | One of these examples is “Solicitor Scam” where the hackers hack a lawyer webpage and ask the client to transfer or redirect a huge amount of money into the criminals’ bank account. |
| 7 | Harassment and stalking | 18,826 | This is the use of the Internet to stalk or harass persons, groups, or corporations. These might encompass phony indictment, offence, abuse, insult and smear. It may also include observing, identity theft, threats, harm, damage incitation for sex, or collecting data and information that could be used to intimidate, embarrass, humiliate, discomfit or bully. |
| 8 | Obscene publications | 6,292 | “Pornography that meets the definition of the Obscene Publications Act, thus generally involving some form of physical abuse”. |
| 9 | Child sexual offences | 4,189 | “Assault, grooming, indecent communication, coercing a child to witness a sex act. These crimes may be being under-reported” |
| 10 | Blackmail | 2,028 | This is an act of cybercrime that involve false and unwarranted threats to generate, obtain or initiate harm to others unless a demand is fulfilled |
The growing importance of cybersecurity in the financial sector
According to a survey conducted by Cuomo & Lawsky (2014) that aims to evaluate the efforts of various financial
institutions in preventing and managing cybersecurity risks, the results showed that most institutions experience
different attempts of breaching and hacking into their IT systems, independent of their size and experience.
Moreover, almost all institutions claimed that they adopt a type of information security program and software and
employ communication officers to respond to various inquiries when a cyber-attack occurs.
Accordingly, “Large investments in technology and training are required to mitigate against each of these risks”
(VanBankers, 2016, p.10) and suggested that it is crucial for customers to be cooperative and knowledgeable about
the various cyber risks and to maintain privacy in security procedures. Financial institutions should measure and
control cyber-risk just as they would any other business risk. This issue is not straightforwardly the responsibility of
those teams in the server room, but rather a business-wide scheme involving all workers. Indeed, the increasing
cyber-attacks and breaches in recent years have emphasized the need to treat this type of risk like any other business
risks and to scan the market for signs of changes and threats continuously.
The Impact of Technological Advancement on Cybersecurity
Many organizations worldwide are being exposed to the unfavorable threat of electronic information violation,
making it difficult to manage risks and maintain safe data effectively. Hence, the significance of cybersecurity is
widely increasing.
Due to the vital ongoing improvements in information technology, many new criminal acts have arisen which are
difficult to cover under the regulations of cybercrimes as they fall outside the community’s morality, society, laws,
and politics (Al-Alawi, 2006, Al-Alawi, 2014, Spalević, 2014, Al-Alawi, Mehrotra, & Al-Bassam, 2020).
Accordingly, Spalević (2014) stated that cybercrime deals with the electronic environment as it can be defined as any
illegal actions taken against the computer information systems. Therefore, there is a need for implementing
cybersecurity to maintain safe information. Thus, various studies conducted by different researchers attempted to
enhance the understanding and importance of such a concept. One of the encouragements to undertake further
research is the terrible violation of data that occurred in 2013, where over 740 million records were illegally exposed
(Online Trust Alliance, 2014).
Risk approach for taking the risk out of cybersecurity
There is a need to identify the errors and, if needed, for an intervention, by firstly looking at the failure in the market
with respect to social and economic requirements within the financial sector which should be scrutinised properly as
well as analysed. Secondly, the need for the government to intervene in relevant cases of the financial sector should
be considered, while keeping in mind other feasible interventions as well as the outcome should also be
predetermined after the interventions are taken.
Some other challenges faced by the IT department are the technological changes and the security required to maintain
updated. Another aspect to be considered is the need for the proper human resource management which looks after
the skilled staff who find the right people for the right job, which is one of the significant challenges. And moreover
there are many companies who do not consider taking care of cybersecurity as one of the risk factors or as any threat
to the industry. They should be involved in early IT projects by making some early plans and to design the required
stages. All the technical skills need to be explained to the people not aware of the IT technical matters (Al-Bassam,
2018).
The National Institute of Standards and Technology (NIST) framework for cybersecurity addresses the rising need for the
protection of critical infrastructure (ISACA, 2017). This framework is based on the risk approach for taking the
risk out of cybersecurity. This framework provides sector stakeholders with the ability to:
• Understand and use the framework to assess and improve their cyber resilience;
• Assess their current- and target-cybersecurity posture;
• Identify gaps in their existing cybersecurity risk management programs; and
• Identify current, sector-specific tools and resources that map to the framework.
Nevertheless, to ensure the cybersecurity functions, a framework by the National Institute of Standards and
Technology (NIST) and the European Union Agency for Network and Information Security (ENISA) was developed
to establish five key functions crucial to protect the digital assets. ISACA (2017) indicated that these functions
synchronize with “incident management methodologies and include the following activities:
• Identify: Use organizational understanding to minimize risk to systems, assets, data, and capabilities.
• Protect: Design safeguards to limit the impact of potential events on critical services and infrastructure.
• Detect: Implement activities to identify the occurrence of a cybersecurity event.
• Respond: Take appropriate action after learning of a security event.
• Recover: Plan for resilience and the timely repair of compromised capabilities and services.”
There is a need to look after the policy objectives. Firstly, all the policy objectives should be clearly explained for the
framework of financial regulation and governmental interventions. Secondly, all the policies taken into the
framework should be based on improvement and potentially benefit rather than loss incurring or being a failure.
Thirdly, the objectives should be prioritized appropriately concerning the financial sector’s stability, with priorities
given in respect to their systemic risks.
Techniques to achieve cybersecurity
Today, several methods can be used to ensure the safety of organizations’ data. Arlitsch and Edelman (2014)
suggested that one of the crucial techniques leading to the achievement of cybersecurity is the proper management of
devices through the continuous applications of required updates. However, discovering an illegal breach is often
difficult. A study conducted by professionals indicated that the likelihood of identifying a small data violation is only
51%, while the possibility of discovering massive breaches of data is 68% (Öğüt, Raghunathan & Menon, 2011).
Consequently, these results suggest the need to conduct further research regarding cybersecurity as managers need to
be aware of such concepts.
Information is the most valuable resource in the company; for that reason, it must be kept safe, and organizations
must have a secure database to save such information from theft or damages. Damaging information would be
harmful to the organization, and this is the most dangerous thing that would happen to it. So, companies must
consider any attacks or theft of information while managing their risk. Cybersecurity was introduced for that reason;
an organization might consider and manage the risk well, but sometimes gaps will take place (Newman, 2006; Al-
Alawi, 2014).
Organizations nowadays must pay to have this important technology, especially banks and the finance sector, who
are facing cyber-attacks frequently. “Cyber-attacks against financial services institutions are becoming more
frequent, more sophisticated, and more widespread. Although large-scale denial-of-service attacks against major
financial institutions generate the most headlines, community and regional banks, credit unions, money transmitters,
and third-party service providers (such as credit card and payment processors) have experienced attempted breaches
in recent years.” (Cuomo & Lawsky, 2014, p. 1).
The role of cybersecurity in risk management
Cybersecurity plays a significant role in managing a corporation’s risk, but senior managers tend to dedicate less
attention to cyber-attacks. Instead, they are waiting for the government to introduce some policies to solve
cybersecurity problems. Accordingly, Scully (2014) stated that organizations’ success is affected by cyber-attacks,
and CEOs must understand the problem and the concept of cybersecurity well and discuss this issue with their
technical staff regularly to detect and communicate between them any risks that would harm the organization.
Another article by Vande Putte and Verhelst (2014) discusses a critical and threatening concept, which is cyber-
crime. They said that managing risk and managing cyber-crime is not easy and is challenging; the effect of such risk
is increasing over time as technology increases. Therefore, it is essential to detect this dangerous risk as it leads not
only to losing information but also to losing confidence, and this can lead to bankruptcy.
Banks have a great deal of confidential information about their clients and their financial position, which should be
kept in a place safe from outsiders. Almost all enterprises around the globe today use the Internet to carry out
business, to promote and sell, to publicize, to discover new markets, buyers and workers, to communicate with
customers and suppliers, and to execute financial transactions. The Internet generates massive business gateways and
profits. Nonetheless, it also yields risks. There are daily attacks on the information technology systems by hacking,
damaging, accessing accounts, stealing information and money, or disrupting the business operations.
The cybersecurity issue requires a shift from the zone of the information systems professional to that of the top
management and board of directors (BOD), to ensure that suitable attention is paid to the scale of the risks involved.
The conventional method of considering cybersecurity in terms of building huge barriers and firewalls is, while still
necessary, no longer adequate. A holistic approach to cybersecurity risk management – across the institution, its
network, supply chains, and the bigger ecosystem – is needed. Nevertheless, according to cybersecurity risk
management, outsiders should not know anything about the way the company protects its information.
Role of government and other bodies
Recently, many governments and other bodies have expressed their concern regarding this subject and have issued orders
and statements concerning the control of cyber-attacks and to direct these institutions. According to McKendry (2015),
governments and organizational bodies in the USA order all financial institutions to supervise, utilize different
programs and software and ensure a high level of awareness of cyber threats to respond to them effectively.
Journal of Xidian University
VOLUME 14, ISSUE 7, 2020
ISSN No:1001-2400
http://xadzkjdx.cn/
https://doi.org/10.37896/jxu14.7/174
1529
Methodology
After studying the theoretical part of cybersecurity in the financial sector, quantitative data were collected from 26
financial institutions in the Kingdom of Bahrain. An online questionnaire was distributed to 100 managers and their
employees by email. They were advised to forward the survey hyperlink to their coworkers and colleagues in the
same and different banking and finance sector organizations. The survey was available online and accessible to
them using Google Forms for four weeks. The data was collected from 35 respondents from conventional banks,
Islamic banks, insurance companies, investment banks, capital markets, and specialized banks who responded to
the questionnaire. The majority, almost 90%, were from conventional and Islamic banks. The questionnaire contains
demographic, multiple-choice, opinion, and open-ended questions. Data was analyzed to show the
percentages for every question in the survey. Subsequently, results were obtained and
analyzed using Google Forms.
In order to answer the previous questions, a questionnaire was distributed to 26 financial institutions classified as
conventional banks, Islamic banks, insurance companies, investment banks, capital markets and specialized banks located in
the Kingdom of Bahrain to be filled in by their managers and employees. Subsequently, the data collected was analyzed to
enhance the significance of this study as well as to answer the proposed questions.
The Study Findings
This section shows the data collection and data analysis process and discusses the results. The first part of the
questionnaire comprised demographic questions to determine the characteristics of the selected population.
As illustrated in Figure-1, half of the respondents were employees of conventional banks, while the other half
belonged to Islamic banks. To comply with the research purpose, the population selected consisted of employees
from the IT and Accounting departments that have cybersecurity job responsibilities.
Figure 1: The types of financial institutions
The second part of the questionnaire was addressed to identify the types of risks that have affected financial
institutions in Bahrain and the frequency of occurrence. According to Figure-2 and Figure-3, about 26% of financial
institutions in Bahrain encountered online identity theft, while 23% experienced intentional damages to computer
systems, and 11% faced hacking attempts. This variety of cyberthreats is evidence that cybersecurity threats are escalating and
evolving, at least every quarter, to the extent that they are disturbing the operations of organizations and their ability
to achieve their objectives.
Figure 2: Type of malicious activities that have affected the organizations.
Figure 3: The likely occurrence of malicious activities.
As cybersecurity issues continue to evolve, they are now the core focus of organizations’ boards of directors (BOD).
Therefore, the third part of the questionnaire was targeted to investigate the role of boards of directors and other
executive directors to eliminate the threats of cyber-attacks. Consistently, according to Figure-4, the results showed
that cyber-attacks are immediately reported to the board of directors to take further actions. The respondents also
agreed that boards of directors express their deep concern about these attacks and put forward different attempts to
reduce cybersecurity risks. Figure-5 shows that the enforcement of security policies, providing security with
appropriate funding and mandating security awareness training, is among the most utilized methods by boards of
directors and executive managers to reduce cyber risks.
Figure 4: Reporting of cybersecurity attacks within the organization
Figure 5: The ways BOD and executive managers demonstrate to support cybersecurity risk mitigation.
A critical factor to determine the effectiveness of the cybersecurity method adopted is the knowledge and skills of
the team of employees that deal with cyber attempts. Therefore, the fourth part of the questionnaire was directed
towards the major skills that the employees lack in doing their job.
According to Figure-6, it was clear that the major skills gap that the organization sees among its employees is the
lack of technical skills, which is an essential skill that all employees should have to respond to the various cyber-
attacks. Also, the results revealed that communication is another skill gap that the employees lack. Without these
two critical skills, the organization will face difficulties in responding to complex or even simple issues. However,
these organizations are initiating different programs to develop the essential skills required to ensure the
effectiveness and strong performance of various tasks.
Figure 6: The significant skill gaps that an organization sees among its cybersecurity employees
Figure-7 demonstrates the different ways that organizations implement to develop critical technical skills. Most
organizations seem to prefer various training methods for employees, such as on-the-job training, the use of technical
training centers, third-party training providers, and certifications.
Figure 7: The various technical skills organizations are seeking to develop among their employee's education.
Moreover, according to Figure-8, the majority of respondents declared that they are confident about the security
team’s ability to detect and respond to incidents but only for simple cases. Therefore, these organizations should
attempt to employ further methods to enhance their employees’ skills and abilities to respond to different levels of
threats.
Figure 8: The extent to which the organization is confident with its employee's abilities and skills.
As cyber-attack methods evolve over the years, the level of their complexity and sophistication increases as well.
Organizations today face more than one type of security breach and attack. Therefore, the fourth part of the
questionnaire was addressed to determine the various cyber-attacks that imposed threats on organizations’ security
and the extent to which cybersecurity assisted in detecting these threats.
According to Figure-9, the data demonstrate that the main threats that attack the financial institutions' security are
hackers, cybercriminals and non-malicious insiders. On the other hand, 31% of the organizations were exploited by
hackers, while 17% were exploited by social engineering and 14% each by malware and insider theft.
Consequently, the financial institutions declared that cybersecurity assisted in detecting 75% of these threats
(Figure-10). Moreover, organizations did not fully agree on the likelihood that organizations would experience cyber-attacks
in the future.
Figure 9: The various threats that exploited the organization
Figure 10: The extent to which cybersecurity assists in detecting the various risks.
Figure-11 shows that organizations have opposing views on this matter, as 37% of respondents believe that their
organizations are likely to experience cyber-attacks in the future, and 31% believe that it is unlikely that their
organizations would experience cyber-attacks. The latter assumption may be a result of cybersecurity
advancements and enhancement of the employees’ skills and abilities.
Figure 11: The extent to which an organization expects to experience cyber-attacks in the future.
Conclusion
The importance of cybersecurity and threats has risen recently due to the rise in technological usage within the
banking sector through the dependence on online banking and e-banking features. This has increased the cyber-
attacks by hackers and criminals in order to steal financial institutions’ valuable data and funds.
After analyzing the significant findings of this study, it can be concluded that among the various types of malicious
activities, financial institutions in Bahrain are mostly exposed to three types of risks. These risks are online identity
theft, deliberately damaging computer systems, and also dealing with hacking issues. In fact, more than half of these
financial institutions are facing these issues at least once every three months, which indicates a growing threat of
cyber-attacks. Therefore, banks report these attacks immediately to the board of directors to notify them or to the
auditing segment of the institution to avoid such threats.
Furthermore, the findings obtained provided the answers to the study’s questions. In response to the first question, it
seems that half of these banks are confident in their skills and knowledge, but this confidence is limited to simple
cases. In answer to the second question, the banking sector’s executive teams are supporting cybersecurity
by enforcing security policy, providing security with appropriate funding, and
mandating security awareness training. In answer to the third question, it is agreed that the key skill needed to
detect cyber-attacks is technical skill, which can be enhanced by appropriate training, as decided by the
majority, which answers the fourth question. Finally, in answer to the fifth question, it seems that cybersecurity can
detect 75% of the risks facing banks.
In conclusion, the results indicated that the primary incentive behind the cyber-attacks is the financial gains, which
makes it obvious that financial institutions in Bahrain are being exposed to this significant risk.
Several limitations restrict this study. A significant one is the amount of feedback collected from the questionnaire, as
more responses would have added a higher value for this study. Despite the above limitations, the results obtained in
this study are significant for institutions of the banking and financial sector in Bahrain, as they can use these results as
guidelines for improving their employees’ skills regarding detecting various cyber-attacks. In addition, these findings
are of significant importance in extending the knowledge of cybersecurity and its impact on these financial
institutions.
References
Al-Alawi, A. I. (2005), Adoption and Awareness of Online Banking Issue among Mature Users. Asian Journal of
Information Technology, 4(9) pp. 856-860.
Al-Alawi, A. I., & Abdelgadir, M. F. (2006). An empirical study of attitudes and opinions of computer crimes: A
comparative study between UK and the Kingdom of Bahrain. Journal of Computer Science, 2(3), pp. 229-235.
Al-Alawi, A.I. (2014). Cybercrimes, Computer Forensics and their Impact in Business Climate: Bahrain Status.
Research Journal of Business Management, 8: 139-156. [Online],
http://www.scialert.net/qredirect.php?doi=rjbm.2014.139.156&linkid=pdf
Al-Alawi, A. I., Mehrotra, A. A., & Al-Bassam, S. A. (2020). Cybersecurity: Cybercrime Prevention in Higher
Learning Institutions. In Implementing Computational Intelligence Techniques for Security Systems Design (pp. 255-274).
IGI Global.
Al-Alawi, A. I., Al-Bassam, S. A., & Mehrotra, A. A. (2020). Critical Cybersecurity Threats: Frontline Issues Faced
by Bahraini Organizations. In Implementing Computational Intelligence Techniques for Security Systems Design
(pp. 210-229). IGI Global.
Al-Bassam, A.M (2018), Investigating the Factors related to Cybersecurity Awareness in Bahraini Banking Sector,
(Master theses, Arabian Gulf University (AGU), Salmanya, Kingdom of Bahrain) and supervised by Prof. Adel
Ismail Al-Alawi. Unpublished dissertation, available from AGU Library.
Arlitsch, K., & Edelman, A. (2014). Staying Safe: Cyber Security for People and Organizations. Journal of Library
Administration, 54(1), pp. 46-56.
BBA and PWC (2014). The cyber threat to banking: A global industry challenge, [online], [Retrieved April 22, 2017]
https://www.bba.org.uk/wpcontent/uploads/2014/06/BBAJ2110_Cyber_report_May_2014_WEB.pdf
Cawley, J. (2017). The Impact of Cyber Attacks on the Banking System. [Online] [Retrieved December 22, 2017]
https://wall-street.com/impact-cyber-attacks-banking-industry/
Cuomo, A. M., & Lawsky, B. M. Report on Cyber Security in the Banking Sector, New York State Dept. of Financial
Services, 2014. [Online], [Retrieved May, 22, 2017]
https://cybersecuritylawandpolicy.files.wordpress.com/2014/05/new-york-state-department-of-financial-services-report-on-cyber-security-in-the-banking-sector.pdf
ISACA (2017), CSX Cybersecurity Fundamentals Study Guide 2nd Edition– January 1, 2017 [online] [Retrieved
April, 22, 2017] https://cybersecurity.isaca.org/csx-resources/cybersecurity-fundamentals-study-guide
McGoogan, C. (2017), Cyber Attacks against Financial Services Cost Consumers 8bn, [online], [Retrieved April 22,
2017]
http://www.telegraph.co.uk/technology/2017/02/27/cyber-attacks-against-financial-services-cost-consumers-8bn/
McKendry, I., (2015). With New Tool, Agencies Close In on Formal Cyber Standards. American Banker, APR 9,
2015. [Online] [Retrieved March, 12, 2017]
http://www.cbaofga.com/uploads/4/1/3/7/41371065/with_new_tool,_agencies_close_in_on_formal_cyber_standards___american_banker.pdf
Kuepper, J (2017) Cyber Attacks and Bank Failures: Risks You Should Know, 21-01-2017, available at: Countering
Terrorist Activities in Cyberspace, Z. Minchev & M. Bangladesh (eds)
Newman, R. C. (2006, September). Cybercrime, identity theft, and fraud: practicing safe internet-network security
threats and vulnerabilities. In Proceedings of the 3rd annual conference on Information security curriculum
development, ACM, pp. 68-78.
Öğüt, H., Raghunathan, S., & Menon, N. (2011). Cyber Security Risk Management: Public Policy Implications of
Correlated Risk, Imperfect Ability to Prove Loss, and Observability of Self‐Protection. Risk Analysis, 31(3), pp. 497-512.
Online Trust Alliance (2014), 2014 Data Protection & Breach Reading Guide, [online], [Retrieved April, 11, 2017]
https://otalliance.org/system/files/files/bestpractices/documents/2014otadatabreachguide4.pdf
Scully, T. (2014). The cyber security threat stops in the boardroom. Journal of business continuity & emergency
planning, 7(2), pp. 138-148
Spalević, Ž. (2014). Cyber Security as a Global Challenge of the Modern Era. Sinteza 2014-Impact of the Internet on
Business Activities in Serbia and Worldwide, pp. 687-692.
Summerfield, R (2014). Banking system faces cyber threat. Financier Worldwide Magazine, August 2014 Issue.
[Online], [Retrieved April, 22, 2018] https://www.financierworldwide.com/banking-system-faces-cyber-threat#.W7dKcHszZdg
UK Government (2017), Almost half of UK firms hit by cyber breach or attack in the past year:
Nearly seven in ten large companies identified a breach or attack, new Government statistics reveal, Press release,
[Online], [Retrieved April 22, 2019] https://www.gov.uk/government/news/almost-half-of-uk-firms-hit-by-cyber-breach-or-attack-in-the-past-year
VanBankers (2016). Cybersecurity in Banking. [Online], [Retrieved April, 22, 2017]
www.vabankers.org/LiteratureRetrieve.aspx?ID=155390
Vande Putte, D., & Verhelst, M. (2014). Cyber crime: Can a standard risk analysis help in the challenges facing
business continuity managers?. Journal of business continuity & emergency planning, 7(2), pp. 126-137.