IT Operational Risk Awareness Building in Banking Organizations

Today’s banking organizations are faced with an increased frequency of IT-related security incidents with critical consequences, including financial and non-financial losses. A substantial proportion of these security incidents originate from inside the bank due to individual undesirable behaviors potentially jeopardizing critical information systems and assets of the organization. To mitigate these IT operational risks, the development of appropriate IT security awareness programs is a primary concern of banking organizations.
A research project aims to better understand banking employees’ behavior in relation to IT risks and to improve risk mitigation based on effective security awareness programs in the organizational context of banking. IT risk cultures and internal IT controls are also being investigated as further contributing factors. The two-stage project draws on multiple research methods, including exploratory case studies, design theory, and quantitative field surveys. In a first exploratory stage, the project outlines how an international banking organization plans and implements security awareness programs, campaigns and delivery methods to increase employees’ IT security awareness. Moreover, the roles of internal control systems and intercultural differences are considered across multiple sites in Central and Eastern Europe. The project highlights not only a portfolio of IT security awareness delivery methods currently applied in practice, but also designs and tests new methods, such as viral videos. Findings suggest utilizing a tool mix supporting both horizontal and vertical communication of IT security guidelines and best practices. The second research stage is based on quantitative field surveys focusing on current predictors of desirable security behavior and the success of awareness building methods in minimizing IT risks. Thereby the project aims to determine whether desirable or undesirable behavior is a function of individual attitudes, subjective norms, or the perceived capacity to act as desired. Additionally, the models applied will provide a new integrated analysis which accounts for the negative effects of the temporary neutralization of personal values.