TMXBank Case
Semester Case Part #2 – Assessments


The illustration above contextualizes unauthorized access to customer data, insider threats to critical business processes, malware infection causing data loss, ransomware attack causing system downtime, and denial of service attack causing website outage as moderate risks. They are internal risks under IT infrastructure and customer data. From an operational point of view, technology is at the core of the risk assessment discussion. TMXBank must ensure a successful integration of the legacy system with the core banking infrastructure to create a seamless flow of services. Poor technology integration would slow services at the bank and its branches. System failures will cost the company over $189,000 used on the serve project and disaster recovery. The latter is a recurrent expenditure, which should generate revenue, but technological hitches might affect the company’s ability to achieve successful disaster recovery.
Equipment failure causing business disruption, loss of sensitive data during transfer, and business disruption due to third-party service outage are high-risk investments that might require more attention from the IT department. The IT staff works to assist the bank with regulation compliance and achieve accountability, which must be handled sensitively to avoid an entire project’s failure.
Physical theft of equipment and social engineering attack against employees are low risks, although they can cause business failure if TMXBank managers ignore the threats.
Quantitative Risk Assessment
- SLE = asset value × exposure factor
In this context, the asset value is approximately $1.2 billion, while the risk of exposure is the sum of the number of times the business faced a risk.
Therefore, TMXBank’s SLE = 1.2 × 10 = 12
The SLE is 12B
- Annualized Rate of Occurrence (ARO) refers to the number of incidents annually (Kim and Solomon n.p.). In TMXBank’s case, it is impossible to generate the ARO since some incidents are recorded as ‘multiple.’ The best way to conclude is that the ARO is above 5.
- ALE = SLE × ARO
The average ALE in this context is 12 × 5 = 60
Therefore, the ALE is above 60B
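An added example (not part of the original case write-up) of the SLE, ARO and ALE calculation above, showing how to report the result as a lower bound when some incident counts are recorded only as ‘multiple.’ The floor of two incidents for ‘multiple,’ the function names, and the sample register (treated here as yearly counts) are assumptions; the inputs 1.2 and 10 are the figures used above, in $ billions.

```python
# Added example: ALE as a lower bound when some counts are only "multiple".
MULTIPLE_FLOOR = 2  # assumption: "multiple" means at least two incidents a year


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x exposure factor."""
    if asset_value < 0 or exposure_factor < 0:
        raise ValueError("asset value and exposure factor must be non-negative")
    return asset_value * exposure_factor


def aro_lower_bound(register):
    """Sum yearly incident counts; 'multiple' contributes only its floor.

    Returns (aro, exact). exact is False when any entry was 'multiple',
    meaning the true ARO is at least the returned figure.
    """
    aro, exact = 0, True
    for asset, count in register.items():
        if isinstance(count, str):
            if count.strip().lower() != "multiple":
                raise ValueError(f"unrecognised count for {asset}: {count!r}")
            aro += MULTIPLE_FLOOR
            exact = False
        elif count < 0:
            raise ValueError(f"negative count for {asset}")
        else:
            aro += count
    return aro, exact


def annualized_loss_expectancy(sle, register):
    """ALE = SLE x ARO, flagged as a lower bound when the ARO is not exact."""
    aro, exact = aro_lower_bound(register)
    return sle * aro, exact


# Constructed register: one exact count, the rest recorded as 'multiple'.
SAMPLE_REGISTER = {
    "IT infrastructure": 1,
    "Intellectual property": "multiple",
    "Physical assets": "multiple",
}

if __name__ == "__main__":
    sle = single_loss_expectancy(1.2, 10)  # figures from the text, $ billions
    ale, exact = annualized_loss_expectancy(sle, SAMPLE_REGISTER)
    print(f"SLE = {sle:g}B, ALE {'=' if exact else '>='} {ale:g}B")
```

Keeping the `exact` flag alongside the figure lets a report state the ALE as "at least" a value instead of presenting a floor as a point estimate.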
Risk Prioritization

- Equipment failure causing business disruption
- Loss of sensitive data during transfer
- Business disruption due to third-party service outage
- Unauthorized access to customer data
- Insider threats to critical business processes
- Malware infection causing data loss
- Ransomware attack causing system downtime
- Denial of service attack causing website outage
- Physical theft of equipment
- Social engineering attack against employees
From the risk register, equipment failure causing business disruption, loss of sensitive data during transfer, and business disruption due to third-party service outage are on the extreme end, which means they are catastrophic and certain.
Malware infection causing data loss, ransomware attack causing system downtime, denial of service attack causing website outage, unauthorized access to customer data, and insider threats to critical business processes are moderate risks that are sometimes rare or occasional.
Physical theft of equipment and social engineering attack against employees are low risks. The risk levels associated with the two are ‘rare and insignificant.’
Semester Case Part #3 – Summary, CBA, and Recommendations
Executive Summary
The bank’s critical assets include customer data, financial information, physical assets such as buildings and equipment, and IT infrastructure. These critical assets support the bank’s core business functions and revenue generation. As a result, any compromise of these assets can lead to significant financial losses, legal liabilities, and damage to the bank’s reputation.
Several vulnerabilities exist that might expose the bank’s critical assets. These include outdated software, weak passwords, insufficient access controls, and inadequate physical security measures. Internal and external threats, including cybercriminals, insider threats, and natural disasters, can exploit these vulnerabilities.
The top three risks for the bank are:
1. Cybersecurity breaches resulting in data theft or loss: This risk is high as the bank relies heavily on technology to conduct its operations and cyberattacks are becoming more sophisticated and frequent.
2. Operational disruptions due to natural disasters or system failures: This risk is moderate but can significantly impact the bank’s ability to serve its customers and generate revenue.
3. Regulatory non-compliance leading to legal and financial penalties: This risk is moderate but can have severe consequences for the bank’s reputation and financial stability.
If any of the top three risks are realized, it could cost the bank millions of dollars in financial losses, legal liabilities, and reputational damage. For example, a cybersecurity breach resulting in customer data theft can lead to class-action lawsuits, regulatory fines, and loss of business.
To mitigate these risks, the bank should implement a comprehensive risk management program that includes regular risk assessments, security awareness training, incident response planning, and disaster recovery procedures. The bank should also invest in cybersecurity technologies such as intrusion detection and prevention systems, network segmentation, and endpoint protection. Additionally, the bank should establish partnerships with third-party vendors and service providers with strong security controls and risk management practices.
Cost Benefit Analysis
IT Infrastructure
IT infrastructure is the most critical of the top three. It involves hardware and software systems that support banking operations. According to the company’s VP, TMXBank spent $64,000 to segregate its network nodes and $125,000 on annual disaster recovery if the $4 million banking app suite and other IT-related features fail. The company spent another $4,800 each on three servers that are less than 3 years old alongside a separate system that cost $132,000. The numbers are essential and reveal why the IT infrastructure is the most significant of the assets.
Vulnerabilities associated with it include unsecured Wi-Fi networks that allow unauthorized access to the banking system and outdated software versions that are susceptible to exploits and attacks. Other concerns include lack of encryption and unpatched vulnerabilities. Such risks culminate in data encryption challenges that increase vulnerability to frequent incidents of unauthorized access, as Williams reinforces (105). Cybercriminals can exploit unpatched vulnerabilities in software and operating systems. TMXBank must close all loopholes that might increase the IT infrastructure risk.
Intellectual Property
Intellectual Property is a legal issue involving patents, trademarks, and copyrights. It is the second most essential asset because the company is focused on using its IT staff to maintain regulatory compliance. Weak passwords present the most significant vulnerability for Intellectual Property because it involves access to sensitive data by authorized personnel. Employees may use weak passwords that are readily cracked, giving third parties access to bank systems and critical information (Yıldırım and Mackie 743). If any information of such nature leaks, the company should contact the IT staff first. An additional vulnerability is physical, because the lack of properly implemented physical security measures permits illegal access to bank information and networks.
Physical Assets
Physical assets are management functions concerned with property acquisition and the management of physical infrastructure. TMXBank is a for-profit firm with over $1.2 billion in controlled assets in different parts of the U.S. The company pursues continuous growth by acquiring additional banks. Outdated software is a vulnerability, since attacks can be more easily used against older software versions. Data breaches and other security risks could result from it. An additional vulnerability is the possibility of a malware attack that might cause data loss, although the company has a firewall system to address the vulnerability. This would give unfair advantage to competitors, which means TMXBank should exercise extra precaution during the strategy’s implementation.
Ranking
I ranked the three threats based on how much the company spent on security systems against attacks. For instance, the IT infrastructure is one of the costliest in terms of implementation and maintenance. TMXBank has a very secure system with servers and a firewall to protect its intellectual property and information on physical assets. Therefore, the significance of the threat to TMXBank and the budget used to facilitate its implementation informed my approach to prioritization.
Impacts
The IT infrastructure presents a significant risk if the vulnerabilities are left unaddressed. For instance, business rivals might access sensitive information such as the company’s initial struggles with compliance to cause reputational damage. In addition, unsolicited parties could access trade secrets and use the information to TMXBank’s disadvantage. The company has already invested over $300,000 in the infrastructure and should not lose it to rivals. TMXBank has invested in IT infrastructure and human resources, as well as a disaster recovery activity to secure its systems because it knows the dangers of an attack. In a cost-benefit analysis, the company will lose over $1.2 billion, which is its worth, because of malicious attacks. By putting more resources into the IT infrastructure, the company gains more compared to investing in other assets. Moreover, the IT function has the most threats, which means it deserves additional protection. Once the IT system is secure, Intellectual Property and physical assets will enjoy protection. From a business point of view, the best investment happens when there is minimal risk and significant gain (Sabirov et al. 1967). The IT system might seem costly, but since it covers other assets, its protection is integral to the entire organization’s security. Arguably, a cost-benefit analysis of the two other priority areas relies on the success of the IT infrastructure. For instance, if the company pursues a further expansion through physical assets, it will risk losing more money in case systems are not aligned to protect company data.
Impact Analysis
The cumulative frequency for the IT infrastructure is 1 while IP and physical assets record multiple incidents. TMXBank should consider putting more resources into intellectual property management because anything can happen if the IT department remains the custodian of regulatory compliance. Already, the employees are overstretched and the overwhelming feeling might cause negligence, which will sabotage TMXBank. The bank must also focus more on reputation and cash reserves, which report multiple incidents of security attacks.
Works Cited
Sabirov, Oybek Shavkatbekovich, et al. “Improving Ways to Increase the Attitude of the Investment Environment.” Revista Geintec-Gestao Inovacao E Tecnologias 11.2 (2021): 1961-1975.
Yıldırım, M., and Ian Mackie. “Encouraging users to improve password security and memorability.” International Journal of Information Security 18 (2019): 741-759.