Information and Cyber Security Risk Assessment Framework for the Banking Sector in Ethiopia

Abstract

In the modern banking industry information technology is playing a great role to facilitate the service and to make it competent. The competencies between banks stared on the advancement of information technology. The more implementing Information Technology the more to be vulnerable to attacks from inside or outside of the organization. The main objective of this research work is to assess the banks information security risk and developing a risk assessment framework. The researcher has sampled six private and public banks in Ethiopia to survey their information security culture and assessing the risk the banks confronted and facing currently. The methodologies used in this research are both quantitative and qualitative methodologies. Through distributing questionnaire and interviewing to Information Technology top managers, security officials, and system and network administrators’ huge amount of data has been collected. These data has been further complemented by making site surveys. Risk Management studio was used to assess the risk and to identify threats. After assessing the banks risk conclusion are drawn that are used as inputs for the new framework. The proposed framework was designed and developed from the findings of literature review and survey methods. The framework has eleven components such as: - identify the scope of the system asset identification, parameter identification, threat identification, relating threat with vulnerability, vulnerability analysis, possibility study, impact study, risk prioritization, evaluation, communication, and documentation stages