Journal of Operational Risk

Risk.net

Cyber risk assessment model for information assets: a tailored approach for the financial and banking sector

Amir Schreiber and Israel Waismel-Manor

  • Managing cybersecurity amidst limited resources is increasingly challenging. Updated regulations now require institutions to assess their information assets and their associated cyber risks.
  • While various methodologies for asset identification, risk quantification, and analysis have been introduced, none of them have been tailored to address the requirements and attributes of the financial and banking sector.
  • This paper presents an efficient, systemic, and easy-to-use adaptive model designed to assess information assets and their associated cyber risks, specifically tailored to meet these distinctive requirements.
  • A case study in a financial institution affirms the model’s effectiveness in addressing these shortcomings.

Modern technological advancements have significantly impacted how financial institutions operate. At the same time the intensity and scale of cyber threats have escalated, and they are now capable of increasingly diverse and sophisticated attacks. With limited resources, it is increasingly difficult to effectively manage cyber security and discern which information assets (IAs) need protection. Updated regulations demand effective methodologies for identifying and classifying IAs. Current methods, however, without tailoring to the financial sector’s specific needs, often neglect IA evaluation, are one-dimensional, struggle with large inventories and focus solely on technical aspects. We present a systematic, reliable, holistic and user-friendly adaptive model specifically designed for assessing IAs and their cyber risk in the financial and banking sector. Through a detailed case study involving the application of our model to a substantial asset repository (N = 798), we demonstrate a powerful reduction mechanism. Post application, only 13% of IAs out of the total inventory were classified as high or very high risk. This approach effectively identifies IAs that necessitate resource allocation for significantly enhanced resilience against cyber attacks, underscoring the model’s efficiency and practicality in prioritizing cyber security efforts. It thus contributes to the wider benefit of society by safeguarding sensitive financial data, which is essential for both individual security and economic stability.
