FAIR Analysis



Frequency and Magnitude of Future Loss Associated with Online Banking Applications through Smartphones


In today’s dynamic and competitive environment, new and improved technology and innovations tend to shape our business and social environment. As fast-emerging technological advancements continue to grow, they continue to pose a significant amount of risk when deployed in businesses and organizations. Impaired IT controls can have significant effects on an organization’s performance and profitability. Companies are now tasked with employing the latest and most modern technologies, or they risk losing business and market share. Similarly, consumers are not left untouched by these innovations. With easy access to the internet and mobile phones, individuals can now use these platforms and tools for making utility payments, banking, shopping and even budgeting. Given the increasing pace of expansion in the mobile finance sector, it will be possible for individuals to conduct online banking through applications on their smartphones. However, the rapid development of these tools and devices, and of their functionality in introducing m-commerce-supporting technologies, will create newer risks, including cyber-criminal activities, which are increasing by the day and are made worse by economic challenges.

To help control and manage these IT exposures, Freund & Jones (2015) developed a FAIR approach to aid businesses in measuring and controlling information risk. FAIR, which stands for Factor Analysis of Information Risk, is an international standard quantitative method for handling operational risk and cyber security. The technique is mostly used to identify, understand, assess and measure information risk in a meaningful financial context (Freund & Jones, 2015). It creates a basis for establishing an accurate model of information risk management. The power of FAIR is considerable, as it helps risk professionals foster clarity and reach sound decisions in an otherwise ambiguous risk environment, basing judgment on useful measurements that yield quantifiable and defensible outcomes. The objective of this paper is to analyze the frequency and magnitude of present and future losses associated with online banking applications.

Loss scenario, threat agent, and risk question identified

We are shifting from the paper-based banking environment that has existed for a very long time to a digital trading platform that is still in its early stages but seeks to provide real-time processing and convenience. The internet has become the common means of communication across the globe and is rapidly being adopted by all banks as a network for offering products and services to customers and receiving instructions (CMFS, 2016). Different financial institutions employ various mechanisms for providing services over the internet. Today, most people do not need a computer to carry out transactions and manage accounts; instead, the widespread availability of mobile phones with banking applications has made it possible for people to transfer funds, make payments and keep track of their finances (Lyne, 2014). But the questions that come to mind are: are these banking apps safe? Are they the safest way to manage accounts? The threat agents include malicious software, malware attacks through the internet and intranet, hacking, phishing, and viruses and worms that may infect systems and mobile phones. These attacks and infections are expected to become more sophisticated and may pose greater threats in the coming years.

Below is a chart illustrating the usage of mobile phone transactions by brand.

Figure 1: Usage of mobile phone transactions by brand (chart not reproduced). Source: www.federalreserve.gov

Most financial institutions allow their smartphone-using customers to log into their internet banking websites, while others offer banking applications that enable customers to keep track of their money using their mobile phones. With new and rapid developments in Android Trojan infections, worm and virus problems may exist on mobile phones running multiple applications, such as the iPhone 5, which may pose a high threat when users use them to access their bank accounts. This is because, with several programs running, there is a greater risk that malicious software may be running without the user’s knowledge (Martin, 2016). But do users have antivirus software for their phones, and do they need it if they don’t? Additional programs on mobile phones may attack protected information as well as the communication channels with internal control system (ICS) mechanisms. Also, text update services send notifications of an account’s balance or mini-statements in the form of text messages. There is a likelihood of enormous risk, as they do not provide direct access to one’s account (Lyne, 2014). This prompts the question: are these updates safe?

Another challenge is associated with hackers and scammers. There have been cases where customers check their account balances online and find that there are funds; however, when they make a transaction, their debit cards are declined due to insufficient funds. Are such cases incidents of scammers? We might say it is an online trap. For some, it may never be easy to check account balances, but we try this every time on our mobile phones, and the text message display creates a false sense of security in customers. On the other hand, businesses too are at high risk of losing vital and confidential data, and face ERP integration challenges, identity and security problems and application development issues. Threats to internal control systems emanate from attacks which can cause immense damage to ICS (Lyne, 2014).

Current state FAIR analysis to estimate current loss

Information technology developments are rarely protected, and privacy is not entirely guaranteed. Given the numerous surveys, research, data breach reports, cost-of-breach studies, facts and statistics, there exists too much information and too little significant and useful data. For this reason, the FAIR approach was developed to quantify and manage information risk of any scope and complexity (Freund & Jones, 2015). For banking institutions, the FAIR analysis will serve as a risk management improvement tool. Key security firms that identify and investigate incidents reported by various clients have issued estimates of the losses suffered by individuals and businesses annually. If the effects of the threats to online banking and related platforms are extended to public and government enterprises as well as the general population, it is easy to estimate that the damages rise to billions (Martin, 2016).

Most online banking threats and cybercrime activities are assumed to originate in some form of planned activity. The act is becoming more of a business opportunity for individuals driven by personal gain (CMFS, 2016). A recent primary concern is that an unknown source has been luring customers into inadvertently disclosing their bank account details. In such cases, emails were sent to clients stating that their account details required renewing and that, if they followed certain procedures, their accounts would be renewed (Lyne, 2014). Given that most customers were unaware that such scams could ever happen, they ended up revealing their login details, passwords and account information to the criminals. The FAIR approach seeks to teach consumers how to use modern internet security solutions that may protect their devices against malicious software and related threats. Likewise, bank clients are required to update their mobile phone programs and applications regularly, use complex passwords, protect personal information, and be aware of scareware attacks.

Evidently, numerous security options are being looked at systematically and enhanced. The FAIR analysis stands to provide best practices intended to strengthen the security mechanisms within mobile phones and banks’ ICS components. For businesses, the information security management system for internal control system operations must be understood as a crucial element of a bank’s overall management system. The system will also take into consideration the risks and offer strategies to prevent, check, maintain and improve the ICS. As part of the FAIR analysis, the approach will aid banks in setting up security functions. This serves to define the roles and responsibilities for the safety of the ICS components. Similarly, they should facilitate the establishment and maintenance of documentation. Information and records regarding the security of ICS functions should be developed, maintained and protected from unauthorized access. Another vital aspect is risk management: here, every function and resource of an internal control system should be carefully considered, properly examined and assessed. As threats continue to change and grow, continuous countermeasures are needed to keep off possible attacks.

Policy improvement proposal

There is an increased need for banks to safeguard the security of their customers. This can be effected through password, server and firewall security as well as encryption (Infosec Institute, 2013). The use of passwords and usernames is one of the important aspects of improving online security, as it ensures that only those authorized have access to their own accounts (Martin, 2016). Needless to say, scammers and hackers have sophisticated ways of capturing PINs and usernames during transmission and using them to access their victims’ accounts. As such, there is a need to facilitate secure and efficient authentication models, since trust issues and security breaches have gained new dimensions in financial services. Numerous new models, including policy identification, server analysis and network analysis techniques to detect and control fraudulent activities, should be developed, and the existing models should be improved for use in the online banking landscape.

Post-policy implementation of FAIR analysis

The FAIR approach seeks to provide avenues for individuals and banks to quantify and manage risk. At the same time, it gives proper guidelines for implementing the policies deployed. Where security policies prevail, the designers must assess whether these will influence the design of the solution. The developer needs to evaluate whether the policy developed can identify those assets that need adequate protection and also identify the possible scammers and hackers; this provides insight into the degree of trust given to internal and external users (Infosec Institute, 2013). The results of the implementation process will help evaluate the policies’ accuracy and breadth. Also, the designers are able to recognize potential policy improvements that can be amended and modified.

Costs and benefits of the policy

Balancing the costs and benefits of the various countermeasures is in itself an act of risk analysis. This helps to identify and evaluate assets, the threats to those assets, the potential loss to which entities and individuals have been exposed, and how the losses have been managed. Banks must be able to assess the value of their assets. These values are usually based on the cost of replacing the asset when addressing a hardware problem, or on the recovery costs when dealing with a software issue. The assessor must also consider how these assets are being utilized; for instance, there may be damage to two computers where one is used by a salesperson to store less valuable information while the other is used by an accountant to store valuable and confidential data. Banks should also take into consideration the outcomes of a security breach for customer goodwill as well as the brand’s image. The costs that materialize should help in providing an idea of the amounts to be spent to fend off these threats. Evaluating risks and developing appropriate countermeasures is crucial to the lifecycle of asset protection. In the end, it is of significant benefit to the organization and its customers, as they will derive an improved brand image, increased customer goodwill, and trust.
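The paper describes FAIR as a quantitative method (frequency times magnitude) and then argues that weighing countermeasures is itself a risk analysis, but neither the current-state section nor this one shows the arithmetic. The following is an added example, not from the paper or from Freund & Jones, of how a FAIR-style estimate for the online banking app scenario can be carried out: threat event frequency multiplied by vulnerability gives loss event frequency, which multiplied by loss magnitude gives annual loss, first as a most-likely point estimate and then as a Monte Carlo simulation over calibrated ranges. The same machinery is then used to compare a baseline against a scenario with a control in place, net of the control's cost. Every numeric range (campaigns per year, success rate, loss per event, control cost) is a constructed placeholder, and the triangular distribution is a modelling simplification standing in for the PERT ranges FAIR practitioners typically use.

```python
"""
Added example: a small FAIR-style loss estimate for a constructed
online-banking-app scenario. Not from the paper or the FAIR book; all
input ranges are constructed placeholders chosen to show the mechanics.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated range for one FAIR factor: minimum, most likely, maximum."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution as a simple stand-in for FAIR's PERT ranges.
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    """Threat event frequency per year, vulnerability (probability that a
    threat event becomes a loss event) and loss magnitude per loss event."""
    tef: Estimate
    vuln: Estimate
    lm: Estimate


def point_estimate(s: Scenario) -> tuple[float, float]:
    """Most-likely values only: LEF = TEF x Vuln, annual loss = LEF x LM."""
    lef = s.tef.likely * s.vuln.likely
    return lef, lef * s.lm.likely


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method for a Poisson-distributed event count with mean lam."""
    if lam > 500:
        raise ValueError("rate too large for this sampler")
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate(s: Scenario, trials: int = 10000, seed: int = 1) -> dict:
    """Monte Carlo over the ranges: each trial is one simulated year."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(trials):
        lef = s.tef.sample(rng) * s.vuln.sample(rng)   # loss events per year
        events = poisson(rng, lef)
        yearly.append(sum(s.lm.sample(rng) for _ in range(events)))
    yearly.sort()
    n = len(yearly)
    return {"mean": sum(yearly) / n, "median": yearly[n // 2],
            "p90": yearly[int(0.9 * n)], "max": yearly[-1]}


def control_value(before: Scenario, after: Scenario, annual_cost: float,
                  trials: int = 10000, seed: int = 1) -> float:
    """Expected annual loss avoided by a control, net of its annual cost."""
    return (simulate(before, trials, seed)["mean"]
            - simulate(after, trials, seed)["mean"]) - annual_cost


# Constructed inputs (placeholders, not measured figures): phishing/malware
# campaigns against the app's customers per year, share that succeed against
# a customer, and loss per successful event in currency units.
BASELINE = Scenario(tef=Estimate(20, 50, 120),
                    vuln=Estimate(0.02, 0.05, 0.15),
                    lm=Estimate(500, 2000, 20000))
# Same scenario after a control (e.g. stronger authentication) that the
# assessor believes roughly halves vulnerability; also a constructed guess.
WITH_CONTROL = Scenario(tef=BASELINE.tef,
                        vuln=Estimate(0.01, 0.025, 0.08),
                        lm=BASELINE.lm)

if __name__ == "__main__":
    lef, ale = point_estimate(BASELINE)
    print(f"point estimate: LEF={lef:.2f}/yr, annual loss={ale:,.0f}")
    for name, sc in (("baseline", BASELINE), ("with control", WITH_CONTROL)):
        r = simulate(sc)
        print(f"{name:13s} mean={r['mean']:,.0f} median={r['median']:,.0f} "
              f"p90={r['p90']:,.0f} max={r['max']:,.0f}")
    print(f"net value of control at 5,000/yr: "
          f"{control_value(BASELINE, WITH_CONTROL, 5000):,.0f}")
```

The point estimate is what a single-number "expected loss" hides: the simulated distribution's 90th percentile and maximum show the tail an assessor should budget against, and the net control value turns the paper's cost-versus-benefit argument into a comparison of two distributions rather than two opinions.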

Normative analysis and position argued

Much of what we do in our daily lives is being tracked and documented on online platforms. While there may exist information and activities that are not shared online, in future this is likely to diminish. The new and improved Android tools and applications comprise a huge number of entry points. As such, there are increased opportunities to compromise these devices through sophisticated means (Martin, 2016). In recent times, mobile phone risks and threats have mostly been targeted at individuals rather than organizations. These attacks are predicted to take advantage of mobile phone platforms today and in the years to come. Smartphone users are less aware of the possible dangers and threats they are exposed to. As such, they are strongly recommended to use antivirus programs on their devices (Lyne, 2014), while banks and other organizations establish ways to develop and implement policies to curb online risks, and promote and support online security education and awareness-raising for users, which will be of significant benefit to customers.

Rationale behind each FAIR element

Most of these risks and threats are facilitated by internet hacking, improper use of company assets, and network and device vulnerabilities. An understanding and awareness of the various weaknesses and exposures is crucial for the success of network functions. Identification policies and procedures will help eliminate potential risks. This helps by recognizing and certifying authorized users as distinct from attackers. Persons and entities are identified using categories, e.g. customers of a particular organization, employees, and business partners. This ensures that the policymakers have considered all possible risks and threats and have not passed over vital threats. To develop high levels of security assurance, banks must deploy viable and robust mechanisms to eliminate points of failure (Infosec Institute, 2013). For this reason, security professionals and policy designers must work with banks to examine how much investment in resources and security measures is acceptable for the assets that need to be safeguarded. Implementing these controls is essential, as it will foster mutual support and produce favorable results.

Organizations may establish the best practices, tools and training necessary to safeguard network functions. They may employ software from Cisco, e.g. AutoSecure, other third-party platforms, e.g. the Router Audit Tool, and various website resources. These tools steer the fast implementation of security policies and processes to facilitate secure networking. Similarly, banks can identify the role of each server in order to make informed decisions on the steps that will be enforced to secure host systems. A network may have multiple users and workstations that will need to be critically assessed both from inside and from outside the network. The applications and services still running on servers must be identified, and network functions and ports that are unnecessary need to be blocked. Antivirus software must be installed and regularly updated, and hosts should be continuously monitored for any signs of malicious and criminal activity.


Technological advancement comes with both advantages and shortcomings. In the quest to enhance the ease of transactions in the banking sector through the use of mobile phones, it is essential to recognize the risks associated with it. It is evident that online banking is growing at a fast rate, and this poses security threats to the global economy. Strategies must be formulated to guarantee the safety of online banking. As mentioned earlier, regulations should be put in place to ensure that threats are identified early and addressed. The use of secure phone applications is essential for safe online transactions. Malware that affects the functionality of phones and Trojan programs intended to steal users’ confidential information are some of the biggest threats in online banking. The use of malware protection programs on smartphones should be encouraged to prevent any form of cyber attack.


References

CMFS. (2016). Consumer and Mobile Financial Services 2016.

Freund, J., & Jones, J. (2015). Measuring and managing information risk: A FAIR approach. Oxford, UK: Butterworth-Heinemann.

Infosec Institute. (2013). 2013 – The Impact of Cybercrime. Retrieved from http://resources.infosecinstitute.com/2013-impact-cybercrime/

Lyne, J. (2014). BBC Consumer. Are mobile banking apps safe? Retrieved from http://www.bbc.co.uk/consumer/25953741

Martin. (2016). Money. Current account guides. Is banking on your smart phone safe? Retrieved from http://www.money.co.uk/current-accounts/is-banking-on-your-smart-phone-safe.htm