Approaches to measuring the risk of cyberattacks in remote banking services of Russia

Purpose. As banks adopt new technologies, their risk of information security breaches rises significantly. In the context of the active introduction of remote banking systems (RBS) into the banking business of Russia, additional study of the issues of assessing the risk of cyberattacks on banking automated systems was required. Methods. The methods of financial management, probability theory, system analysis of the scientific literature on fundamental and applied research, and a method of graphical interpretation of the analyzed phenomena are used. The paper gives a detailed analysis of the concepts of "cyberspace" and "cybersecurity". Remote banking is considered from the point of view of financial management. Attention is drawn to the factors of work in cyberspace that increase the levels of banking risks. The relationship between cyberattacks on banking automated systems and the possible consequences for the bank is analyzed. Novelty. Given the widespread use of social engineering methods in Internet fraud, measures to increase the cyber literacy of the population are needed. A method for assessing the risk of cyberattacks on RBS, for use by risk department specialists and employees of internal control services, is developed. As a result, considering the innovative systems and technologies that await us in the future, the effectiveness of risk assessment for solving current challenges is increased. Results. An attempt is made to formulate a mathematical model of the probabilistic analysis of information security incidents in order to optimize the algorithm for responding to incidents. Calculations based on the proposed model made it possible to determine the duration of exploitation of an RBS vulnerability for which the probability of preventing an incident exceeds the probability of its realization. The findings may be useful for scientific research on the risks of information security breaches in RBS.


I. INTRODUCTION
The latest achievements in the field of information and telecommunication technologies have significantly changed the process of conducting the banking business and have become the basis for the active implementation of remote banking systems (RBS). The most common remote banking options are Internet banking (managing bank accounts and cards via the Internet and a web browser) and mobile banking (managing bank accounts and cards from tablet computers, smartphones and other smart devices). When RBS is used, the interaction between the bank and the client takes place in a virtual environment or, in other words, in cyberspace.
The concepts of "cyberspace" and "cybersecurity" are currently absent from the legislation of the Russian Federation, where the terms "information space" and "information security" are traditionally used. The concepts of "cyberspace" and "cybersecurity" can be found in a number of international and national standards related to ensuring information security, and we will use these terms from here on. Combining the different approaches to defining these concepts, cyberspace is most often understood as an environment of information interaction and data exchange implemented in computer and communication networks, whose elements are servers, computers, telecommunication equipment, communication channels, and information and telecommunication networks; cybersecurity is the maintenance of the confidentiality, integrity and availability of information in cyberspace. For the analysis of approaches to the definition of the concepts of "cyberspace" and "cybersecurity" we used [1,2,3], as well as [4,5].
The banking business began to use cyberspace, first of all, due to significant cost savings for operating activities (there is no need to maintain banking offices, and the client himself performs the functions of the operator from his computer, tablet or smartphone) [6,17].
We add that the daily increase in the number of cellular subscribers and users of the global Internet network contributes to the spread of RBS in various parts of the world (including both developed and developing countries) [7,18].
Additional income comes from an increase in the value of cash flows, due to higher commission fees and/or lower expenses resulting from greater operating efficiency. Consider the impact of scientific and technological progress on return on equity (ROE): where PM is the ratio of profit to total revenue and AU is the ratio of total revenue to asset value. The return on equity ratio represents the amount of the bank's income per monetary unit of equity: where NP is net profit (the difference between income and expenses) and E is the average equity. Investments in RBS increase PM by minimizing costs and AU by increasing the bank's commission income; therefore ROA and ROE will increase. If the expansion of market share and the growth of the asset base resulting from innovations exceed the growth of capital, then the resulting financial leverage (a higher EM value) will further raise ROE.
For banks with excess capital relative to the minimum that regulators require, it is necessary to invest in RBS and other innovations.
However, in addition to the obvious advantages, work in cyberspace is accompanied by several factors that can increase the levels of banking risks:
- remote banking operations are mostly "virtual" in nature (in fact, after invoicing and registering a contract for the provision of services using RBS, the client has no direct contact with the bank). This type of interaction places increased demands on customer identification (including implementation of the "Know your customer" principle); otherwise, an attacker may initiate operations on behalf of the client;
- the availability of "open" telecommunication systems (the availability of the global Internet and cellular communications, in the absence of proper control over these types of communications, complicates control over their actual users);
- the extremely high speed of transactions (banking operations performed using RBS take seconds, which also imposes increased control requirements);
- the global nature of inter-network operational interaction (since with RBS operations are performed not only in the country in which the client is located but also beyond its borders, additional sources of risk arise from the peculiarities of the legislation of each individual country through which clients pay) [8,19];
- the possibility of using RBS for illicit activities (due to insufficient control by regulators, the speed of execution of the operations themselves, the ability to hide some of the data of the real perpetrators, etc.).
In this paper the authors use the term "risk of cyberattacks" (RCa), applicable in practice in the credit and financial sphere, which is understood as a measure of the increase in typical banking risks (including financial losses) arising from the realization of cyberattacks on banking automated systems (BAS). The term RCa has already been used by the authors in scientific papers, for example [7] and [8].
Thus, the aim of the study is to analyze the cause-effect relationships through which computer attacks influence typical banking risks and to develop new approaches to assessing RCa (applicable in practice in the credit and financial sphere), which make it possible to significantly improve the quality of cybersecurity in organizations of the financial sector.

II. EXPANDING PROFILES OF TYPICAL BANKING RISKS DUE TO COMPUTER ATTACKS
Consider the main types of cyberattacks on BAS noted in the annual reports of FinCERT of the Bank of Russia and the company Group-IB: attacks on AWP CBR, AWP SWIFT, AWP RBS, and attacks on self-service devices (Automated Teller Machines, ATMs), where AWP CBR is an automated workstation of a client of the Bank of Russia, AWP SWIFT is an automated workstation of a client of the Society for Worldwide Interbank Financial Telecommunications, and AWP RBS is an automated workstation of a client of RBS.
To carry out any of these attacks, the attacker first needs to deliver malicious software (malware) into the local area network (LAN) of the credit institution. To do that, the attacker sends the credit institution an e-mail containing malware that is not detected by antivirus tools. After the infection, the malware uses SMB requests to scan the LAN segment accessible to the infected machine in order to infect new workstations.
The main reason why the above attacks are "successful" is the human factor, which manifests itself as a negligent attitude of bank employees towards the established algorithm for preparing, storing, processing and transmitting electronic customer orders. According to Group-IB's report for 2018, in Russia 1-2 banks were subjected to computer robberies every month. The damage from one theft averages 132 million rubles ($2 million).
The development of the digital economy in Russia and the minimization of the level of RCa are associated with an increase in the level of cyberliteracy of the population of our country [9]. Particular attention should be paid to making all users of the global Internet understand that they often work in a "trusted environment". Therefore, knowledge of the main types of cyber-fraud can significantly reduce the number of hacker attacks. The development of computer discipline and the prevention of the uncontrolled development of cyberspace [2] can be facilitated by the study of "blind" ten-finger typing. The authors of this paper propose introducing the method of "blind" ten-finger typing into the education system of Russia, as the development of fine motor skills of the hands contributes to the activation of the frontal lobes of the brain. Proper finger positioning on a keyboard is analogous to complying with traffic signs when traveling.
Work in cyberspace, first of all, increases the role of the technical components of all typical banking risks (Fig. 1), among which operational, legal, strategic, reputational and liquidity risks can be highlighted (the full list of typical banking risks is given in the Letter of the Bank of Russia dated June 23, 2004 "On Typical Banking Risks" No. 70-T) [10,21,23].

Fig. 1. Interconnection of cyberattacks on hardware and software (H&S) of BAS and possible consequences for the bank
Underestimation of the possible consequences of cyberattacks can seriously affect the stability of a commercial bank. In this regard, specialists of the risk divisions should assess manifestations of RCa in a timely manner and notify the management of the credit organization, so that management can take preventive measures in time.
The risk divisions of credit institutions should employ specially trained professionals able to assess the vulnerability of the different areas of the bank's digital technology circuit, which is formed in each individual credit institution (including in terms of increasing RCa). In order to understand the features of the functioning of distributed computing systems and to have a clear picture of how the information circuits of banking electronic services over the Internet and mobile communications are built, risk department specialists must have a technical education in addition to a humanitarian (economic or legal) one.
Modern cybersecurity systems must be well automated for a timely response to emerging incidents. The response process should start immediately on virtually any signal from the information security monitoring systems. The effectiveness of the response method can be checked by the formula: where RRL is the risk-reduction effect (the method is applicable when RRL ≤ 1); RE_before and RE_after are the exposure to RCa before and after application of the response method; and RRC is the cost associated with applying the particular response method.
Of course, the calculation of compensation costs by formula (2) can be skipped when the consequences of the realization of RCa are minor. In that case the reserve for RCa in the budget plan is sufficient [14,22], as described below.
The consequences of cyber-risks are one of the components of an organization's operational risk, and the Basel Committee on Banking Supervision (BCBS) recommends this approach to risk assessment. In accordance with the recommendations of the committee, commercial banks should create a reserve for operational risk (OpR) that takes into account the active use of digital technologies. The capital reserved for OpR is assessed using the basic indicator method: where K_OpR is the amount of capital allocated to cover OpR. The effectiveness of cyber-weapons, ef, is determined as follows: Thus, the ratio of formulas (3) and (4) allows us to determine the size of the reserve for cyber-risk within the OpR, that is: The use of this relationship for managing the continuity of a credit institution's activities may become the basis for estimates of the capital reserved for RCa in RBS.
A significant part of the space-time continuum must be scientifically investigated if one wishes to obtain reliable results; otherwise one may arrive at false conclusions [15,20]. The mathematical representation of RCa can take the form of the model that underlies the classical "meeting problem" of probability theory (in our case, the meeting of a cybercriminal and an anti-hacker in the network). The opponents act in cyberspace independently at any moment of the period, and their presence in the network is discrete due to the human factor. Let S denote a signal from the cybersecurity system and the start of the response process. The moments at which the above persons are present in the network are denoted a and b, respectively, and plotted on the axes aOb (Fig. 2).
By the property of the absolute value of a number, the system (5) is equivalent to the inequality: The coordinates of the meeting points of the opponents fall into the figure: Accordingly, the probability of the opposite event (computer incident prevention, CIP) is equal to: Let us consider how this model works "in numbers". For example, the credit organization has determined in its information security (or cybersecurity) policy that the maximum response time to an information security incident is no more than 90 minutes. Based on this, S = 90 min. Let us compute the values of P_RCa and P_CIP by formulas (6) and (7) for different values of S_2 (Table 1).
Therefore, if the vulnerability of the RBS is exploited for no longer than S_2 ≤ 26.4 minutes, then the probability of incident prevention exceeds the probability of its realization. In other words, the longer the vulnerability in BAS (including RBS) remains, the greater the chance of theft of money through its use.
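The following is an added example, not code from the paper. Formulas (5)-(7) and Table 1 are not reproduced on the page, so the block assumes the classical meeting-problem geometry: two moments a and b uniform on [0, S], "meeting" when |a - b| ≤ S_2, giving P_RCa = 1 - (1 - S_2/S)^2 and P_CIP = 1 - P_RCa; this assumption reproduces the paper's 26.4-minute threshold for the 90-minute response limit, and the Monte Carlo check verifies the geometric formula.

```python
"""Meeting-problem model of incident realization (RCa) vs prevention (CIP).

Added example; the closed form below is an assumption about the paper's
formulas (6)-(7), chosen because it yields the stated 26.4 min threshold.
"""
import math
import random

S_RESPONSE = 90.0  # maximum incident response time from the policy, minutes


def p_rca(s2: float, s: float = S_RESPONSE) -> float:
    """Probability of incident realization: the point (a, b), uniform on the
    square [0, s]^2, lands in the band |a - b| <= s2 (exploitation window s2).
    Area of the band over the square: 1 - ((s - s2) / s) ** 2."""
    if not 0.0 <= s2 <= s:
        raise ValueError("exploitation window must lie in [0, s]")
    return 1.0 - ((s - s2) / s) ** 2


def p_cip(s2: float, s: float = S_RESPONSE) -> float:
    """Probability of the opposite event: computer incident prevention."""
    return 1.0 - p_rca(s2, s)


def break_even_window(s: float = S_RESPONSE) -> float:
    """Largest s2 with P_CIP >= P_RCa, i.e. ((s - s2)/s)^2 >= 1/2,
    so s2 = s * (1 - 1/sqrt(2)); about 26.36 min for s = 90."""
    return s * (1.0 - 1.0 / math.sqrt(2.0))


def simulate_p_rca(s2: float, s: float = S_RESPONSE,
                   trials: int = 100_000, seed: int = 1) -> float:
    """Monte Carlo check of p_rca: draw a, b independently and uniformly,
    count how often the opponents' presence windows overlap."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(trials)
               if abs(rng.uniform(0, s) - rng.uniform(0, s)) <= s2)
    return hits / trials


def probability_table(windows, s: float = S_RESPONSE):
    """Rows (s2, P_RCa, P_CIP) for a list of exploitation windows, in the
    spirit of the paper's Table 1 (constructed values, not the paper's)."""
    return [(s2, round(p_rca(s2, s), 3), round(p_cip(s2, s), 3))
            for s2 in windows]


if __name__ == "__main__":
    for row in probability_table([10, 20, 26.4, 30, 45, 60]):
        print("S2 = %5.1f min  P_RCa = %.3f  P_CIP = %.3f" % row)
    print("break-even window: %.2f min" % break_even_window())
    print("simulated P_RCa(30): %.3f" % simulate_p_rca(30))
```

Any exploitation window longer than the break-even value makes realization more likely than prevention, which is the page's argument for shortening the time a vulnerability remains open.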
Thus, the RCa assessment methodology proposed by the authors makes it possible to analyze information security incidents that happened earlier in order to determine their relative frequency, and then to forecast incident response and optimize the response algorithm. Thanks to its implementation in the risk assessment methodologies used by cybersecurity units, the effectiveness of measures aimed at minimizing the possible consequences of the realization of RCa can be significantly increased.

IV. CONCLUSION
- new challenges and cybersecurity issues, which arise from the use of RBS by credit and financial institutions and their customers, require continuous improvement of solutions and often a substantial revision of risk-management procedures, including the internal control procedures in cyberspace. They also require mastering measures to increase cyber-literacy and prevent the uncontrolled development of cyberspace (for example, financial literacy and the method of "blind" ten-finger typing);
- implementation of RBS allows credit organizations to significantly reduce operating expenses, but the work of the bank in cyberspace is associated with additional sources of typical banking risks, which include operational and legal risk, strategic and liquidity risk, as well as the risk of loss of business reputation;
- accounting for and evaluating RCa on a risk-based approach should imply that each cause of the realization of RCa has a potential impact on the bank (associated with disruption of the continuity of banking activities, reduced quality of RBS, financial losses, etc.) [16]. Nevertheless, for a bank the size of the destructive losses matters more than the reason for the loss of money (non-repayment of a loan, a hacker attack on the security system, etc.);
- the risk divisions of credit and financial organizations should include specialists able to assess cyber-risks, and the methodological support used to audit and resolve issues of mitigating the possible consequences of the realization of RCa on the H&S of BAS must be updated in a timely manner;
- scientific research and development should be one of the "pillars" of the RCa management structure for RBS. The models proposed in this paper (assessing the capital reserved for RCa, and the meeting problem of a cybercriminal and an anti-hacker in the network) are aimed at increasing the effectiveness of RCa management in RBS.