Dec 20

Bank Threats and Bank Risk Assessment Process


Internal bank threats are those risks that emanate from within the bank, or from within the bank's network, and that could compromise systems or information. External bank threats, on the other hand, are those originating outside the bank that attempt to access its systems maliciously in order to manipulate, destroy, or render systems and information unusable. Banks are predominantly concerned with mitigating risk and therefore must perform a risk assessment process and risk assessment analysis to understand and identify all of the risks that might affect the bank and its functioning.

In general, the risks that affect a bank are those specific concerns that would impair the bank's ability to deliver on its objectives or to function as a going concern. Among the variety of specific adverse risks affecting banks are loss of corporate image, financial loss, loss of customer trust (which could cause a run on the bank), loss of shareholder trust (resulting in a sell-off of stock), inaccurate customer or bank information, and legal liability. As part of the risk assessment process, banks must be concerned with the risks and the controls relative to three risk attributes: assets, threats, and impacts.

1. Assets

Assets represent the many tangible and intangible items of value that a bank possesses and whose utility could be adversely affected by a threat. Assets include, but are not limited to, information, physical technical devices, brick-and-mortar buildings, and equipment.

2. Threats

Threats are potential sources of harm, which could cause an impact to one or more of the bank’s assets. Major bank threat categories include the following:

Technical.
Technical threats are those sources of harm that are precipitated by the utilization of some form of technology. The most prevalent of these are computer viruses. Computer attacks and “hacking” are among the major concerns of any bank that has an Internet presence and conducts business or presents information about the bank through a Web interface. These threats are voluminous and occur with a high degree of frequency. As a result, it is imperative that safeguards be instituted to prevent penetration and preclude an effect on bank assets.

Human.
Human threats generally emanate from four predominant sources: outsiders (terrorists), customers, partners, and insiders. These threats can vary in type; however, their common feature is direct human involvement that affects a bank’s assets in some way. This could be through sabotage and espionage (both internal and external), as well as through partners who may be privy to information and other assets, which could constitute a risk. Terrorist activities, similar to the events involving the World Trade Center, are the most obvious of the human threats. With this recent example, the risk from human threats has grown tremendously in importance and focus for banks and other organizations alike. Customers, as well, can impact a bank’s assets through physical access and exposure to information and other assets.

Natural.
The final category of threats affecting banks is composed of those that occur naturally. Tornadoes, storms, fires, snow, and ice all constitute likely threats to bank assets. Although these events can and do occur randomly in the environment, they nevertheless must be addressed to avoid affecting key bank assets.

3. Impacts

Impacts represent the outcomes or the consequences of a particular threat. Because a threat (any of those identified) will affect a bank’s assets in some way, one or more of the following will occur as a result:

Unauthorized disclosure of information. Banks are always concerned with the disclosure of sensitive bank or client information to other parties not authorized to view it and who could be in a position to use that information in ways to cause harm. This can occur through negligence or outright attempts at obtaining information.

Unauthorized modification of information. Once information is accessed by unauthorized sources, the information may be subject to modification in some way, which could result in negative consequences to the customer or bank. Examples of modification include manipulation of monetary amounts or displayed information to cause harm, to create advantage, or simply to disrupt.

Unauthorized destruction of information. In some cases information is accessed by unauthorized sources with the sole intent of destroying it or rendering it unavailable to authorized individuals. This impact is severe, greatly exposes the bank to legal liability, and can threaten the bank’s existence.

Unauthorized use of information or systems. This impact is more subtle but equally as dangerous as, if not more so than, the others. In this case, information that is accessed by unauthorized sources is used in ways to create advantage where none existed, to discredit, or simply for the purposes of theft, as in the case of identity theft. The unauthorized use of the information, in this regard, would appear to be appropriate and normal on the surface; however, the user of the information is not authorized.

Improper use of information or systems. This refers to gaining unauthorized control of information and/or systems in such a way as to use them for unintended purposes. Taking control of a Web site and displaying information or messages not intended by the bank is a good example of this.

Unavailable systems. Natural threats and human threats (terrorist activities) are probably the most obvious sources that could render systems unavailable. Tornadoes and fires, for example, could destroy servers or central computers, which could cause the loss of data, affecting customers and the bank. Terrorist activities could be as blatant as the destruction of a physical site or as subtle as a computer virus that renders the computer unusable. In any situation, the net result is the inability to use a system that was previously relied upon.

All of these impacts relate to the broad categories of integrity, confidentiality, and availability of information previously discussed. The purpose of risk assessment analysis is to understand where threats may come from (sources), the effect on the bank (unauthorized disclosure, modification, or destruction of information), and to determine the appropriate controls necessary to mitigate these risks (authentication controls, password controls, etc.).
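The three attributes above (assets, threats, impacts) are easiest to work with when they are written down as a small risk register and scored, so that the scenarios demanding controls first rise to the top. The following Python is an added illustration, not part of the original text: the 1-to-5 scales, the multiplicative score, the mapping of each impact category to the confidentiality/integrity/availability property it violates, and the sample assets and threats are all assumptions constructed for this example.

```python
"""Minimal risk register for the assets / threats / impacts model.

Added example. The 1..5 scales, the score formula and the impact-to-property
mapping are assumptions chosen for illustration, not from the original text.
"""
from dataclasses import dataclass
from enum import Enum


class ThreatCategory(Enum):
    TECHNICAL = "technical"
    HUMAN = "human"
    NATURAL = "natural"


class Impact(Enum):
    DISCLOSURE = "unauthorized disclosure of information"
    MODIFICATION = "unauthorized modification of information"
    DESTRUCTION = "unauthorized destruction of information"
    UNAUTHORIZED_USE = "unauthorized use of information or systems"
    IMPROPER_USE = "improper use of information or systems"
    UNAVAILABLE = "unavailable systems"


# Assumed mapping: which security property each impact primarily violates.
IMPACT_PROPERTY = {
    Impact.DISCLOSURE: "confidentiality",
    Impact.MODIFICATION: "integrity",
    Impact.DESTRUCTION: "availability",
    Impact.UNAUTHORIZED_USE: "confidentiality",
    Impact.IMPROPER_USE: "integrity",
    Impact.UNAVAILABLE: "availability",
}


def _check_scale(label: str, n: int) -> None:
    """All ratings use an assumed 1 (lowest) .. 5 (highest) scale."""
    if not 1 <= n <= 5:
        raise ValueError(f"{label} must be between 1 and 5, got {n}")


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # how much the bank stands to lose if this asset is harmed

    def __post_init__(self):
        _check_scale("asset value", self.value)


@dataclass(frozen=True)
class Threat:
    name: str
    category: ThreatCategory
    likelihood: int  # how often this source of harm is expected to act

    def __post_init__(self):
        _check_scale("threat likelihood", self.likelihood)


@dataclass(frozen=True)
class Scenario:
    """One (asset, threat, impact) triple from the register."""
    asset: Asset
    threat: Threat
    impact: Impact
    severity: int  # how badly this impact would hit this particular asset

    def __post_init__(self):
        _check_scale("impact severity", self.severity)


def risk_score(s: Scenario) -> int:
    """Assumed formula: asset value x likelihood x severity, range 1..125."""
    return s.asset.value * s.threat.likelihood * s.severity


def rank_scenarios(scenarios):
    """Highest-risk scenarios first, i.e. where controls are needed soonest."""
    return sorted(scenarios, key=risk_score, reverse=True)


def exposure_by_property(scenarios):
    """Total score per C/I/A property, to see where the bank is most exposed."""
    totals = {"confidentiality": 0, "integrity": 0, "availability": 0}
    for s in scenarios:
        totals[IMPACT_PROPERTY[s.impact]] += risk_score(s)
    return totals


# Constructed sample register (fictional assets and ratings).
CUSTOMER_DB = Asset("customer account database", 5)
WEB_SITE = Asset("public web site", 3)
BRANCH_SERVER = Asset("branch file server", 4)

SCENARIOS = [
    Scenario(CUSTOMER_DB, Threat("malware on a teller workstation", ThreatCategory.TECHNICAL, 4),
             Impact.DISCLOSURE, 5),
    Scenario(WEB_SITE, Threat("web site defacement", ThreatCategory.TECHNICAL, 3),
             Impact.IMPROPER_USE, 2),
    Scenario(BRANCH_SERVER, Threat("tornado", ThreatCategory.NATURAL, 1),
             Impact.UNAVAILABLE, 4),
    Scenario(CUSTOMER_DB, Threat("insider with excess privileges", ThreatCategory.HUMAN, 2),
             Impact.MODIFICATION, 5),
]

if __name__ == "__main__":
    for s in rank_scenarios(SCENARIOS):
        print(f"{risk_score(s):3d}  {s.asset.name} / {s.threat.name} / {s.impact.value}")
    print(exposure_by_property(SCENARIOS))
```

Running the module lists the sample scenarios in descending order of score (the malware-to-disclosure scenario scores 100 and leads) and then the per-property totals, which tell the assessor that the sample register is dominated by confidentiality exposure; that is the kind of output that drives the choice of controls in the last step of the analysis.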
