
Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

The Status and Threats of Information Security in the Banking Sector of Bangladesh: Policies Required

Muhammad Saifuddin Khan *

Suborna Barua


Information has become the greatest asset for any business in this competitive age. The success of financial institutions, which are fully service-oriented institutions, largely depends on their reputation in the market, built through the protection of institutional and customer information. For banks especially, the adoption of new, up-to-date IT infrastructure is a must in order to remain competitive and accelerate growth. Bangladesh has witnessed a rapid expansion in the adoption of IT infrastructure, with innovative technology-oriented financial products and services, and thus rapid growth in the banking industry with increased competition. The banking industry in Bangladesh is therefore now considered one of the fundamental industries. This paper explores the state of information security and the challenges in ensuring it, and suggests some policy options. The study finds that the banking sector in Bangladesh is significantly vulnerable to different information security threats, as banks already use many IT-based platforms in regular business. Although almost every bank has its own ICT risk management guideline, formulated by the Bangladesh Bank, these guidelines are in most cases not implemented with care. The sector perceives itself as vulnerable in terms of information insecurity due to the varying nature of the problems, and thus looks primarily to the government to initiate a wide information security movement.


Organizational performance can be enhanced in a sustainable way by investing in and utilizing information resources. The same is true at the individual level, where corporations allow employees to receive appropriate information in time (Chaffey & Wood, 2004). Adequate, accurate, appropriate and timely dissemination of information is possible only when corporations have efficient and effective information systems. Information systems must be aligned with organizational goals and strategies to maintain, process and disseminate information that can be used for decision making by the different stakeholders of the organization. The lack of a strong information system fundamentally increases the cost to organizations, which are left trying to manage information in unstructured, ad hoc ways (Petrides, 2004). Financial institutions are no exception. One of the biggest challenges for a financial institution is the large bulk of customer and transaction information it preserves, and the networks that grow every day and enable the institution to create innovative and useful services (Watanabe et al., 1998). Thus, a strong information system is far more crucial for banking institutions than for others (Petroni, 2004). Inevitably, a dynamic management with timely principles utilizes information technology and systems to promote new products and manage new business (Nagaoka, Ukai, and Takemura, 2006). This is extremely crucial because information security makes it possible to gain competitive advantage and creates new business opportunities (Horton et al.). As a reference, in the U.S.A. the cost of credit card and other chargeable card fraud was around $985 million in 2000, a burden on both customers and companies (Kevin Coffee, 2003). An internally flawed information security system is also considered a big threat. In the USA, the National Institute of Standards and Technology (NIST) reported that faulty security systems cost the US economy $59.5 billion annually in the form of breakdowns and repairs (NIST, 2002).

* Muhammad Saifuddin Khan, Lecturer, Department of Finance, University of Dhaka, Dhaka-1000, Bangladesh. E-mail:

Suborna Barua, Lecturer, School of Business, United International University, Dhaka-1209, Bangladesh. E-mail:

*** Both authors have equally contributed to the article.

Bangladesh is in a condition where banks must remove any gap in ensuring information security. With a good number of local and foreign banks, Bangladesh, a country with a population of 150 million, is experiencing a rapidly expanding banking sector. Banks are widely introducing new products based on information technology to survive and remain competitive in the intensely competitive market. Therefore, the wide range of IT-based financial products available in Bangladesh certainly calls for efforts to understand the dynamics of the security required for information assets.

The study is divided mainly into six sections. Section one discusses the background information, section two illustrates the literature review, section three outlines the research objectives and methodology, and section four presents the current scenario of information technology based products and services along with the state of information security in the Bangladesh banking sector. The fifth section discusses in detail the in-depth analysis of the survey and study findings, and finally section five identifies the challenges and solutions, recommendations and conclusions of the paper.

The worldwide information security market was worth $6.7 billion in 2000. With a Cumulative Annual Growth Rate (CAGR) of 25.5 percent, this market is projected to more than triple to $21 billion by the end of 2005 (Network Magazine, 2003). Information security basically comprises ensuring five key elements – confidentiality, integrity, network security, application security, and host security (Usher A., 2006). “Information security means administrative and technical actions to ensure that information can be accessed only by authorized persons, information cannot be changed by unauthorized persons and information systems are available to authorized persons” (Finnish Act on the Protection of Privacy in Electronic Communications, Sähköisen viestinnän tietosuojalaki, 16.6.2004/516) (Holappa J., et al., 2005).

In the UK, financial institutions perceive data breaches (any form of fraud or concealment) as a major reputational risk that would create direct financial loss through regulatory fines, recovery costs and loss of business (Logica, 2008). In Australia, the Consumers’ Telecommunication Network 2006 report stated that a vast majority of consumers have experienced many e-security threats despite using a range of security products. Banks generally use digital security to maintain competitive advantage, build brand image, and meet statutory regulations (Rai, 2008).

An Atlanta ARMA meeting on May 20, 2008 showed the trends and observations on threats to information security in seven broad categories: a) strong and enhanced hacking, b) existing unfixed vulnerabilities, c) an increasing number of strong malwares, d) web browser exploitation by users, e) uncontrolled liberal use of wireless internet at the niche level, f) deliberate remote access connectivity via virtual private networks (VPN), and finally g) increased phishing leveraging readily available personal data and common file attachments. The danger of massive niche-level wireless usage and remote access is that a single insider can cause extensive financial damage or irreparable damage to an organization’s data, systems, business operations, or reputation (Keeney M, et al., 2005).

Usmani K. (2008) identifies the threats to information security in four broad categories: malware, attack through e-mail, spam-associated threats, and phishing. Malware threats reduce system, network and workstation performance and thereby employee performance. These threats include stolen user IDs and passwords, unauthorized access to confidential information, loss of intellectual property, remote access to the company’s PCs, and theft of customer data. Threats to email include loss of confidentiality, lack of data origin authentication, lack of non-repudiation, and lack of notification of receipt. The other category, spam-generated threats, includes dangerous viruses, worms, trojans, and spyware. The last category of security threat is phishing, causing the hacking of credit card information, system information, and account information. Apart from hacking, this also includes the use of lucrative email messages and web pages that provoke users into submitting personal, financial or password data.

These results are also reconfirmed by a statistical study of internet security threats by James G. D. (2007) stating the rate of infections in 2006 in the USA – spam (75%, with productivity loss of $21.6b per year), trojan viruses (31%), spyware/malware (89%), phishing and hackers. In November 2006, the attempt rate of hacking and stealing information in UK banking brands was 11%, while 75% of false banking sites targeted clients of US banks (James G. D., 2007). Globally, the UK hosted 2% and the US hosted 63% of phishing sites (RSA Stats,

Researchers and practitioners have critically examined the factors behind managing information security. For different threats, they have shown different measures for dealing with the threats to information security. To protect against the increasing threats, in the life, savings and investment, and pension sector, all the companies reported that their security budgets had increased significantly over the last one to three years, while two companies say that they will double security spending in 2008-09 (Logica, 2008). The Logica (2008) report also stated: “In the UK, the real cost of a data breach might be nearer the American level of £3.3 million ($6.3 million) per incident including the average cost of a data breach was more than £1.4 million in 28 data breaches across eight industry sectors of which financial services industry was 17 per cent higher”. According to Usmani K. (2008), the measures to fight malware are good user education, keeping the operating system up to date by installing operating system security fixes and program patches, using firewall protection, using anti-spyware software, and monitoring logs for unusual traffic. For email security, securing the server-to-client connections and the end-to-end email delivery is crucial, along with being wary of emails from unknown parties (unsolicited emails), not opening suspicious attachments and spam, and avoiding registering in external mailing lists. Usmani K. (2008) also suggested the mandatory use of updated antivirus, anti-spyware, and spam filters to avoid phishing. To ensure the highest level of information security, the State Bank of India manages its information security based on six pillars – security governance, consulting, compliance, incident control, monitoring, and security awareness for its stakeholders (Kishore. P., 2008).

It is important to note that the future will obviously be harder than the present as information technology advances, and will need very concentrated effort. Information security threats and attacks are becoming exponentially more sophisticated, communicable, and threatening (The Business Edition, 2006). Libicki (2008) shows some ways in which future problems may arise. According to Libicki (2008), the use of learning systems or neural nets may result in massive destruction if the base on which they work is wrong, along with badly designed agents, servers cycling forever for an answer, mutually destructive server-to-server communication, malevolent agents looking for certain outgoing mail, and fast-growing hi-tech hacking. Moreover, there are vulnerable wireless security protocols, increasing attacks through cross-site scripting (XSS) and cross-site request forgery (XSRF), hackers generating malicious software that can bypass most (if not all) of the current signature-based antivirus products using simple commands, attacks through web surfing in corporations, and a possible fall in training budgets (Strand J., 2009).

The Georgia Tech Information Security Centre (GTISC), on October 2, 2007, predicted for 2008 a number of cyber threats that may be dangerous for information security, such as client-side attacks and targeted messaging attacks. On the other hand, IBM's X-Force report on security and trend statistics has evaluated the various classes of threats, including an in-depth analysis of 410,000 new malware samples, which shows that gaining unauthorised access (50%), followed by denial of service (13.8%), data manipulation (11.2%), obtaining information (9.3%), bypassing security (6.5%), gaining privileges (5.7%) and file manipulation (1.3%), are going to be the biggest information security challenges in the near future (Anand V., 2008). Other than the popularly known threats such as hijacking websites by poisoning the Domain Name System (DNS) and difficulties in tracing parties storing and transferring data in complex and huge corporate networks, the extensive and liberal use of Social Networking Sites (SNS) may become a dangerous area for data privacy and security, as industry experts in the UK commented (Heath N., 2009).


Usher A. (2006) identified traditional threats such as hacker activity, worms and viruses, spam, spyware, and phishing, against which network security strategies do nothing to protect when the devices are connected inside the enterprise network (widespread use of wireless technologies and secondary storage). For protection from the threats, Usher A. (2006) suggested five points: assessing the technology environment regularly, adopting an updated security policy, having a rigorous and effective user awareness plan, putting policies and procedures into action effectively, and finally assessing effectiveness and revising policies if needed. Threats to information security are increasing day by day. These dynamics are changing and taking extremely difficult-to-prevent shapes. Therefore, this generation's information security wave is about Security Audit and Certification. This covers not just technology, but also people and processes. Enterprises will approach security from the attacker's end and safeguard against new risks like social engineering and dumpster diving.


Financial institutions around the globe take many different forms, for example central banks, commercial banks, securities brokers, and life insurance companies. Despite the increased and expanded networking, banks have to analyze transaction data for any given customer so that they can offer customers better personalized service (Watanabe Y., et al., 1998). Evidently, a study on nationalized banks in the state of Florida empirically proves the positive role and contribution of information systems to a bank’s efficiency (Gupta U. G. and Collins W., 1997). The Federal Financial Institution Examination Centre and the Federal Deposit Insurance Corporation have laid out different policies, regulations and guidelines to ensure secured information systems in banks. With the rapid expansion and global reach of financial institutions, especially those who offer products and services to clients worldwide online, they are in greater danger. Evidently, the National Criminal Intelligence Service has shown an exponential growth of computer crime in the United Kingdom (NCIS, 1999). Thus an integrated system for finance, management, marketing and other functional areas has to be built in financial institutions.

Realizing the need for study in this area, the objectives of the proposed study are framed in the following terms in the context of Bangladesh:


(i) To identify the different dynamics, quality and areas of use of information technology in the banks.

(ii) To identify and investigate problems relating to information security and threats in the banking sector.

(iii) To identify critical success factors for effective information security with particular reference to the banking sector.

(iv) To discuss the future of information security and threats in the banking sector, with the growing consciousness of information security.


The study uses both primary and secondary data. Secondary data have been obtained from different online and physical sources. The major strength of the study is the primary data it has used. A four-page questionnaire with 40 questions was used to collect primary data. The questionnaire was sent to a total of 15 banks, of which 11 responded. The study is designed and enriched with a detailed analysis of all the data and information acquired from the filled-in questionnaires of the 11 banks. The list of the 11 banks is shown in Appendix-4 of this study. The study is divided mainly into three sections. Section one discusses the preliminary issues, literature review and background information, section two details the state of information security and the in-depth analysis of survey findings, and finally section three identifies the challenges and solution approaches in ensuring information security in Bangladesh, followed by a concluding paragraph.


Although many banks in Bangladesh are providing electronic services to their customers, the level of involvement of electronic methods in delivering and managing the business is yet to be fully fledged, because they offer only some of the functionalities of complete electronic banking, such as intra-bank transactions, Letter of Credit (LC) and foreign exchange. In the case of inter-bank transactions, the central bank authority handles the procedure. Banks as well as employees benefit from implementing information technology in the bank because this system has some advantages over the traditional system. The advantages are as follows: faster information handling and processing; to accomplish an audit, government officials previously needed to go to every bank, whereas after IT implementation they do not need to go to the banks but can collect the same information through the network, and the audit report can be generated within a few minutes. In the traditional system, transferring money from a city to a remote area is time dependent and also a matter of some investment. During the transfer time the money is idle, so it is a great loss for the bank as well as the customers. An electronic system can be used to transfer money within a few seconds (intra-bank).


Bangladesh has realized that information security is an important business accelerator. For example, policy makers feel it an urgent need to develop cyber crime legislation that will ensure cyber security or information security over the internet. Policy makers of the country are currently in the process of including privacy policies, trust marks and other self-regulatory measures for the development of products and provision of services, and the implementation of the necessary measures for establishing consumer confidence, most importantly in the banking sector. The survey shows that only 11% of banks have inter-branch connectivity through a CT network (WAN). Some 70% of solution providers for WAN are of local origin. At the head office level some 95% of banks use banking software. Currently around 24 types of banking software are available in banks (Raihan, 2001).


As almost all banking service providers think that certain information is at risk, 66% of banks have access control over the customer information system and 95% have a physical security program which defines and restricts access to information assets as well as protecting against destruction, loss or damage of customer information. As a result, 95% of banks' strategic planning processes incorporate information security, and 80% of those have an employee security awareness training program and possess policies/procedures for the proper disposal of customer and consumer information. Again, the survey shows that 75% of banks in this industry are serving as a merchant issuer for credit card activity, and all of those hold written policies/procedures that address approval/termination, underwriting, fraud and credit monitoring, password tracking, and security of credit card information. They also possess wire transfer policies/procedures which address responsibilities and authorizations, separation of duties, funds availability/credit limits, information security, business continuity plans, insurance protections and vendor management.


Because of the highly competitive market environment, training of employees within organizations is now inevitable for long-run sustainability and profitability. To keep employees up to date, banking service providers arrange various training programs. In the case of providing training, 66% of them hire trainers from outside. Both On the Job Training (learning by doing as an employee while in a job) and Off the Job Training (training from formal training institutes) are commonly in practice. A few (20%) have their own trainers. In providing training, the Bangladesh Institute of Bank Management (BIBM) and the Bangladesh University of Engineering and Technology (BUET) have been playing the pioneering role. Though providing training to employees depends upon the need for technology implementation raised by the situation, the Bank Ultimus and PC banking training courses, basic training on Stayler, training on the Money-Gram system, and training on Tair-Drill etc. are common among organizations.

Trojan viruses, spyware/malware, spam, hacking and stealing information, dishonest insiders, phishing, worms, web browser exploitation by users, deliberate remote access connectivity, stolen user IDs and passwords, modification of data etc. are now the most common names in the world of online threats. In Bangladesh, more or less, they have already introduced enough vulnerability to the banking industry. Some 40% of banking service providers are aware enough about trojan viruses and spam because they have to face them with a very high frequency, along with a low intensity of information loss. But the amount of recovery is very high. Another 40% are frequently facing spyware/malware, but in that case 20% of these victims face it with high frequency causing a very low intensity of information loss, and the rest of the victims face it with a rare frequency. Other online threats are rarely faced, with a very low intensity of information loss.


The rapid development and inclusion of information technology has both aided the development of the banking industry in Bangladesh and also created a riskier environment for the loss of information in Bangladesh. The rapid advancement in IT tools has given the banking system in Bangladesh an accelerated pace in service expansion and product diversification with higher quality. As the sector is yet to achieve maximum utilization of state-of-the-art technology, banks are rapidly applying available and suitable tools to increase their power in the highly competitive environment. The survey conducted for this study explores the different dynamics of the technology in practice and thereby the preparedness to ensure information security in the banking sector of Bangladesh. The major IT platforms used by around 90% of banks in Bangladesh are detailed below:

Automatic Teller Machine (ATM): All surveyed banks have their own or shared ATM networks, and ATM services are widely available for more than 70 percent of the banks operating in Bangladesh. Dutch Bangla Bank Limited leverages the largest ATM network, of more than 200 ATM booths throughout almost every part of the country. As of October 2007, Bangladesh had 438 ATMs (Daily Star, 2008), 10,526 POS terminals, and 7.7 lakh debit and 30,000 credit cards issued by all banks in the country. The volume of transactions using ATMs has increased substantially during the last few years due to the availability of booths and the benefit of non-cash money.

Online Banking: Online banking allows bank transactions to be conducted within closed or open networks. Online banking is considered a segment of e-business to the extent that banks are involved in the conduct of business transactions via electronic media, especially through the internet. Currently, a fully fledged online banking service is offered by top banks in Bangladesh including Standard Chartered Bank, Eastern Bank, Dutch Bangla Bank Limited and Southeast Bank Limited. Online banking services in Bangladesh include online balance checking, instruction delivery, account monitoring etc. While conducting the study on online banking, we observed that only eight private commercial banks have started truly online banking, and no nationalized bank has yet introduced online banking in the true sense. All the foreign commercial banks are operating their banking through online procedures. It has been noticed that almost fifty percent of the private commercial banks have started computerized banking which does not actually serve the purpose of online banking.

Virtual Private Network: Almost 50% of the surveyed banks have a virtual private network in the form of a wireless intranet – intra-organization networking. Using the intranet, employees inside the banks exchange data and information with each other. In most cases banks have no restriction or control on employees sharing information inside the organization, though

Wide Area Network or Local Area Network (WAN or LAN): Some 95% of banks reportedly have either a WAN or a LAN or both. In most cases, banks in Bangladesh have a LAN created inside the organization that is accessible from different branches in different locations within the city. Its nature is similar to a MAN, or Metropolitan Area Network.

Network Server: A network server is a mass storage device or a designated computer used for storing, delivering and managing data for users over a local area network or the internet, such as web servers, proxy servers, and FTP servers. In overall terms, a network server is designed to manage network traffic. Almost every banking institution in Bangladesh has its own network server, where every authorized employee has access to that network server. They have specific server space, names and IDs. They generally use this space for storing data, financial analysis and backing up account information.

Wireless networking: Networking without wires is very popular in Bangladesh. A wireless network is one of the common means of Remote Information Transmission (RIT) through telecommunications networks, electromagnetic waves and mostly radio waves. In the previous period only the top telecommunication companies had the authority to use and provide wireless internet opportunities to customers. But now institutions like banks or Multinational Companies (MNCs) have the authority to offer these opportunities to customers and to use them in internal operations. Bluetooth devices, WLAN, WiFi, WiMAX and Fixed Wireless Data are some of the most used means of wireless networking.

Modem or modem pool: A modem is a device which transfers digital data over an analog wave. In the recent age people mostly use motherboards with an on-board modem as built-in technology. Corporate companies like banking institutions make great use of modems under a host server. They pool their modems at speeds of 56 to 128 kbps. With the rapid expansion of services and the accelerated increase in internet penetration, more and more people are getting the opportunity to use modems and modem pools.

Portable devices (PDAs, laptops, cell phones etc.): Portable devices are powerful devices for data transfer which are easy to carry. The banking institutions have standard security protocols for using portable devices in the office. The use of PDAs, laptops and cell phones is seen widely in these institutions. Almost every middle and top level executive uses portable devices frequently with the permission of their institution.


The information security survey on the Bangladesh banking sector and a detailed examination of this sector’s information security concerns have yielded the following critical findings.

5.1 Level of Use and Access of IT Platforms

Apart from the traditional manual banking products, a broad spectrum of electronic banking services is available in Bangladesh with different degrees of penetration. Credit card service is provided by 23.1 percent of banks (PCBs and FCBs). As the survey results show, credit card services from VISA, MasterCard and VANIK are the more popular and expanding ones.

Table-1: Available IT Based Products of Banks

Product Name | % of Banks offering
Credit card service |
Electronic fund transfer |
Online corporate banking |
Electronic debit card |
Merchant account services and internet banking |

Source: Information Security Survey on Bangladeshi Banks, 2009

Tele-banking is the second most penetrated e-banking service in Bangladesh. ATMs are gradually becoming popular in major cities. Some foreign banks provide electronic fund transfer services. A group of local banks has introduced a shared ATM network which has increased the availability of this type of electronic banking service. At present 7 (seven) private and foreign banks, namely Southeast Bank Ltd, Dhaka Bank Ltd, Al-Baraka Bank (Bangladesh) Ltd., National Bank Ltd., Islami Bank Bangladesh Ltd., and National Credit and Commerce Bank Limited, are providing fully fledged internet and online banking facilities. The network will gradually be extended throughout the country. Credit cards are also a very popular service in Bangladesh; during the last five years the growth of the credit card market has been almost 100 percent.

Table-2 illustrates the percentages of the above features on the basis of their level of access within the regular working environment of banks in Bangladesh. According to the use of these features by both internal and external parties, internal parties enjoy 100% access to these facilities where external parties possess almost 80% access. Table-2 illustrates the level of access of both of these parties to these facilities.

Table-2: Level of Access and Use of these features by both of the parties (%)

Features (Level of Use) | Level of use by Internal Parties out of 100% access | Level of use by External Parties out of 80% access
Online banking | |
Network server | |
Phone banking | |
Wireless network: LAN WAN | |
Modem or modem pools | |
Security devices | |

Source: Information Security Survey on Bangladeshi Banks, 2009

Bank information is secured by giving employees only the access that their position and the bank's business policies require. Without proper authorization, employees are not allowed to use flash drives or any other mass storage device. Generally, employees may read e-mail only to view their instructions or to understand a situation; they cannot edit it or use it for any other purpose. Employees also face strict restrictions on the use of their assigned PCs. They are expected not to leave the desk without shutting the PC down; if someone does so accidentally, the built-in system shuts the PC down within 3 minutes, and the person responsible goes through a penalty procedure. Even so, unauthorized 100% access to all platforms by a dishonest insider can cause a great loss and thus exposes the organization to a greater degree of risk, and from that perspective the 80% access level enjoyed by external parties also seems rather high. These controls exist because banks have clearly stated policies, procedures and guidelines for securing, maintaining and monitoring the systems in their own IT environment. Table-4 in the policy section shows the percentage of banks with written policies, procedures and guidelines for securing, maintaining and monitoring each system or platform under their own Information Security



5.2 Quality of Technology Used in Information Management

The quality of the technology used to manage and protect information is obviously a very important aspect. Outdated or underdeveloped technology may impose severe financial or other costs when a bank suffers large physical damage to hardware (for example storage device failure, machine breakdown, or an inability to create backups of data and information). Poor quality technology also creates vulnerability: because it is incompatible with up-to-date security protection tools, it may not prevent unauthorised access to and sharing of information. The survey produced interesting findings on the quality of the technology banks use on the different platforms identified. Table-3 presents those findings.

Table-3: Quality of Technology Used

Available Features | (%) Very High | (%) High
Online banking | |
Virtual Private Network | |
Network server | |
Wireless network: LAN | |
Modem or modem pools | |
Security devices | |
Other remote access connectivity | |
Portable devices | |
(The percentage cells, and any further columns and rows, are not legible in this copy of the paper.)

Source: Information Security Survey on Bangladeshi Banks, 2009

The quality of technology is alarming in the case of ATMs, which are widely and popularly used by customers every day. Even though ATMs have become one of the most important tools for remaining competitive in customer service delivery, only 20% of the banks reported that they use very recent, high-end technology in providing ATM services, and some 40% rated the technology used in their ATM services as low. This is an important indication: since an ATM stores, processes and transfers information, damage to low-end or low-quality technology can cause severe damage to goodwill and thus significant loss of business. The highest quality technology is used in Wide Area Networking and Local Area Networking, which allow employees to access, share and transfer data and information over wireless and wired links respectively. This finding substantially accounts for the faster delivery of tech-oriented products and services by Bangladeshi banks. Another major observation is the use of high-end technology to monitor and control data transfer, which keeps information secure. Some 90% of the banks use at least high-end secured technology, leaving the remaining 10% exposed to the risk of unauthorized data and information transfer past their weaker security technology.

5.3 Risk Analysis

The survey tried to find out the degree of risk perceived by the responding banks. Some 34% of the banks perceive that the current state of information security is not enough to prevent virtual or physical damage to the information management system, and around 60% of the surveyed banks believe they are at high or very high risk of losing information at any moment. The reasons for this perception, despite every bank having an ICT policy, were interesting.

Table-5: Degree of Information Security Risk Perceived by Banks

Degree of Perceived Risk | % of All Banks
Very High |
Very Low |
(The intermediate rows and the percentage column are not legible in this copy of the paper.)

Source: Information Security Survey on Bangladeshi Banks, 2009

Table-6: Why Banks Perceive Riskier Information Environment

Reasons for Perceived Risk | % of All Banks
Lack of adequate knowledge | 47
Lack of Training |
Do not have quick response ability | 49
Not Updated with the high end solutions regularly (time lag exists) | 24
(Percentages are those reported in the discussion that follows; the value for training is not legible in this copy of the paper.)

Source: Information Security Survey on Bangladeshi Banks, 2009

Table-6 shows the major reasons why banks feel exposed to a greater degree of risk. Employees in the banks, in almost all cases, do not have proper training on the importance and process of securing information. A lack of training initiatives and resource persons, and the low priority given to training needs, are why banks are not training their staff. This in turn leads to a lack of adequate knowledge on information security management, which 47% of the banks cited as a cause of their perceived risk. Top management or the directors were also, in many cases, observed not to be aware of the issue. Inadequate resources and preparedness leave banks stagnant and thus unable to respond instantly when sudden damage occurs; some 49% of the banks consider this a major reason for their perceived risk. The other major reason is the irregular and infrequent updating of technology, software and knowledge of information security threats (24%), probably also a result of under-prioritizing the need for better information technology.

5.4 Policies Used By Banks in Bangladesh

In recent years the banking industry has changed the way it serves customers and processes information, and information technology has brought about this momentous transformation. IT management must ensure that IT functions are efficiently and effectively managed. Managers should be aware of the capabilities of IT and be able to recognize both the opportunities and the risk of possible abuse. They have to ensure that appropriate systems documentation is maintained, particularly for systems that support financial reporting. They have to participate in IT planning to ensure that resources are allocated consistently with business objectives. They have to ensure that sufficient, properly qualified technical staff are employed so that continuity of the IT operation is unlikely to be seriously at risk at any time. IT management covers IT policy documentation, internal IT audit, training and insurance. Bangladesh Bank has issued a specific guideline which every bank follows, and the banking industry has developed its own information management policies on the basis of that guideline.

Table-4: % of Banks Having Policies Regarding Information Sharing Platforms

Systems or platforms covered by the policy | % of Banks possessing such policies
Network server |
Online banking |
Virtual private network |
Payment system (including wire transfer and ACH) |
Portable devices such as PDAs, laptops, cell phones etc. |
Remote deposit capture |
Wireless network |
Modems or modem pools |
Security devices such as firewall(s) and proxy devices |
(The percentage column is not legible in this copy of the paper.)

Source: Information Security Survey on Bangladeshi Banks, 2009

The statistics in Table-4 show quite a good status. Banks that operate different IT platforms for information processing, sharing and transfer have separate written policy documents for them. Some 70% to 80% of the surveyed banks have documents governing the use of ATMs, the online banking facility, the network server and virtual private networks. This is a very good sign, because apart from the ATM all of these platforms are very important channels of information access, sharing and transfer, and documents shaping their use prevent unauthorized access at least to a minimum degree. Alarmingly, however, more than 50% of the banks are using wireless networks, firewall and proxy security tools, and remote access without any written policy guideline or code of use, which exposes these banks to an extreme degree of risk: in the current age, these platforms are the channels most likely to be used by people attempting unauthorized access to and sharing of information.

In October 2005 Bangladesh Bank issued a common ICT risk management guideline, the "Guideline on Information & Communication Technology for Scheduled Banks and Financial Institutions", to ensure the security of information and information systems. It covers all electronically generated, received, stored, printed, scanned and typed information and has been made mandatory for all banks and non-banking financial institutions. The guideline sets out the minimum preparation required of institutions for all activities and operations needed to ensure data security, including facility design, physical security, network security, disaster recovery and business continuity planning, use of hardware and software, data disposal, and protection of copyrights and other intellectual property rights. It clearly outlines policies for IT Operation Management, Physical Security (Tier-1, Tier-2, Tier-3), Information Security Standards and Service Provider Management.

5.5 Government Regulations on Information Security

Every bank with IT systems must have an 'IT Policy' which fully complies with this IT Guideline and is approved by the bank's Board. For foreign banks the document must also conform to their global policy document. The IT Policy sets the bank's policy for Information & Communication Technology and its secure use; it establishes general requirements and responsibilities for protecting ICT systems and covers common technologies such as computers and peripherals, data and networks, web systems, and other specialized IT resources. A bank's delivery of services depends on the availability, reliability and integrity of its information technology systems, so each bank must adopt appropriate methods to protect them. The policy requires regular updates to keep pace with changes in the IT environment both within the bank and across the industry, and the bank's senior management must demonstrate its commitment to IT security by continuously raising awareness and ensuring training of the bank's staff.

The Bangladeshi government is working on a law to check computer hacking in the country, with punishment of up to 10 years' imprisonment or a fine of 1 million taka (about 14,300 U.S. dollars), or both, for hackers. The law, named the "Ministry of Information and Communication Technology Act 2006", will provide for the establishment of a cyber tribunal. Under the law, those who publish obscene or defamatory material or disclose secrets by computer will also be punished, and it will contain provisions against crimes committed using computers.

5.6 Challenges in Ensuring Information Security

The problem is that the Nationalized Commercial Banks (NCBs) are the dominant market players, with more than 50 percent of market share, so ICT penetration is more crucial for this category of banks. Some midrange and mainframe computer systems are in use in the banking sector. Some 95 percent of the surveyed banks have Management Information Systems, but only 38 percent of these MIS are integrated with the Transaction Processing System (TPS). "Moreover, the absence of adequate physical resources (e.g. computer hardware and software) and weakness in course contents in the training institution will adversely affect the quality of output from the institutions" (Chowdhury, 2001).

Table-7: Challenges to Ensure Better Information Security

Challenge | % of All Banks
Lack of adequate knowledge | 67
Lack of Proper Training | 56
Do not have quick response ability | 55
Lack of Active Government Responses to the need | 44
Not Updated with the high end solutions regularly (time lag exists) | 17
Human Resource Constraint | 7
(Percentages are those reported in the discussion that follows.)

Source: Information Security Survey on Bangladeshi Banks, 2009



The survey findings on the major challenges identified by the institutions are detailed below.

Lack of adequate knowledge: As explained in the earlier sections, top management and employees at different levels in the banks are not really aware of the danger or of the importance of addressing the issue. Consequently, as the bank respondents stated, in many banks information security is not treated as a priority, and this lack of awareness creates opportunities for dishonest people or hackers to pass information out at any moment. Some 67% of the banks agreed on this point.

Lack of Training: Employees, and in many cases even the top management of the banks, are not equipped with adequate and up-to-date training on creating a secure environment for information management. Some 56% of the banks feel that they have no or insufficient training for all employees. The strategic importance of information security is therefore undermined by employees at all levels, who deliberately or unknowingly create opportunities for information loss, whether through leakage or physical damage. The lack of specialized training centres is also a pivotal cause.

No Adequate Preparedness: Adequate preparedness at the time of an accident or damage enables banks to recover from information, business or financial losses. Unfortunately, some 55% of the banks believe they are not prepared enough, which makes maintaining a secure environment for managing information very risky.

Under-prioritization by the Government: Bangladesh, as a developing country, faces hundreds of problems every day, and information security has not yet been treated as a priority issue that could very quickly create a strong and secure environment for information management, although some recent developments have been observed. Some 44% of the banks consider this a major challenge, as the development of such an environment must be ruled and initiated through the national and international experts by the

Not Updating Security System Regularly: Some 17% of the banks believe that the banking sector in Bangladesh has yet to keep pace in regularly updating its software and security tools, such as antivirus, firewall and proxy settings, to prevent malware, spyware, Trojans and the like. Many banks spend little time and attention on updating their hardware and software, which is further proof that the issue is under-prioritized.
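The paper reports the update gap but not how a bank would notice it. The following added example (not from the paper or from any bank in the survey) is the minimal check a security operations team would run over the update records that antivirus, firewall and proxy tools keep: it parses a log, keeps the latest update per host and component, and flags anything older than an acceptable age, as well as hosts that should be reporting but never appear. The record format, host names, thresholds and log lines are all assumptions constructed for the example.

```python
"""Flag hosts whose antivirus signatures, firewall rule sets or proxy
blocklists have not been updated within an acceptable window.

Added example, not from the paper: the survey only reports that many banks
do not update antivirus, firewall and proxy tooling regularly. This block
shows the minimal check a security operations team would run over the
update records such tools keep. The record format, host names and maximum
ages are assumptions, and the log lines are constructed for the example.
"""
import re
from datetime import date

# Assumed record format: "<YYYY-MM-DD> <host> <component> <version-or-signature-id>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\S+)\s+(\S+)\s+(\S+)$")

# Assumed maximum acceptable age per component, in days.
MAX_AGE_DAYS = {"av_signatures": 2, "firewall_rules": 30, "proxy_blocklist": 7}

# Constructed update records; the unparseable line is deliberate.
SAMPLE_LOG = """\
2009-05-30 branch01-pc07 av_signatures 5.2.1090
2009-06-01 branch01-pc07 av_signatures 5.2.1102
2009-04-10 branch01-fw01 firewall_rules r-0412
2009-05-28 hq-proxy01 proxy_blocklist bl-20090528
2009-02-14 branch02-pc03 av_signatures 5.2.0871
garbage line that does not parse
"""


def parse(log_text):
    """Map (host, component) to its most recent update date, skipping bad lines."""
    latest = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        day = date.fromisoformat(m.group(1))
        key = (m.group(2), m.group(3))
        if key not in latest or day > latest[key]:
            latest[key] = day
    return latest


def stale(latest, today, max_age=MAX_AGE_DAYS):
    """(host, component, age_in_days) for every record older than its threshold."""
    out = []
    for (host, comp), day in latest.items():
        limit = max_age.get(comp)
        if limit is None:
            continue  # no threshold defined for this component
        age = (today - day).days
        if age > limit:
            out.append((host, comp, age))
    return sorted(out)


def never_reported(latest, expected):
    """(host, component) pairs the inventory expects but the log never shows."""
    return sorted(pair for pair in expected if pair not in latest)


def report(today_iso, log_text=SAMPLE_LOG, expected=()):
    """Convenience entry point: parse, then return (stale, never_reported)."""
    latest = parse(log_text)
    today = date.fromisoformat(today_iso)
    return stale(latest, today), never_reported(latest, expected)


if __name__ == "__main__":
    inventory = [("branch01-pc07", "av_signatures"), ("branch02-pc03", "av_signatures"),
                 ("branch03-pc01", "av_signatures"), ("branch01-fw01", "firewall_rules")]
    old, missing = report("2009-06-02", expected=inventory)
    for host, comp, age in old:
        print("STALE   %-14s %-16s %d days" % (host, comp, age))
    for host, comp in missing:
        print("MISSING %-14s %s" % (host, comp))
```

The "never reported" check is the one most often skipped: a host that has silently dropped off the update feed produces no stale record at all, so the inventory of expected hosts has to be an input to the check rather than something derived from the log.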

Human Resource Constraint: Some 7% of the banks believe there are not enough expert human resources in the country to supervise the whole industry in creating an enabling environment for securing information in banks. The lack of national expertise and consultation is hampering the development of a knowledge base and infrastructure for information security.


Table-8 below lists the major suggestions collected from the surveyed banks on how to create a better environment to protect information.

Table-8: Suggestions to Ensure Better Information Security

Suggestion | % of All Banks
Active Government Initiative Putting Priority | 83
Making Training Programs Mandatory | 58
Central Monitoring by the Central Bank | 54
Establishing Specialized Training Centers | 46
Creating Awareness on Information Security | 41
(Percentages are those reported in the discussion that follows.)

Source: Information Security Survey on Bangladeshi Banks, 2009

Active Role of Government: As many as 83% of the respondents believe the government should play the leading role in developing the information security infrastructure. The government should facilitate, and impose where necessary, the conditions for developing this infrastructure through the Ministry of Finance and Bangladesh Bank. Therefore strategic priority should be given to this issue by the government while developing development

Mandatory In-house or Outsourced Training Programs: Some 58% of the banks opined that Bangladesh Bank, the central bank of Bangladesh, must make in-house or outsourced training mandatory for all employees of every bank. This policy direction would make banks more proactive in creating a conscious human resource pool that would help prevent unauthorized access to information.



Central Monitoring by the Bangladesh Bank: Bangladesh Bank, as facilitator and monitor of the whole banking industry, should have a separate monitoring and supervision division dedicated to monitoring information flows and the preparedness of banks to mitigate information insecurity. Some 54% of the respondents believe this would help the whole industry become more efficient in information management. It would require Bangladesh Bank to develop its own strong and up-to-date infrastructure, and Bangladesh Bank should also oversee that the ICT policy it has itself proposed is implemented effectively.

Establishing Specialized Training Centres: As information management and information security require some degree of technical and ethical education, specialized training houses on the subject should be established (46%). Banks also must have a separate training division or regular training programs for their new employees, and banks which already have training centres or divisions may include information security in the course curriculum.

Creating Awareness on Information Security: A very important strategy is creating awareness, suggested by 41% of the surveyed banks. This is especially important since protecting information requires a highly ethical environment. Awareness programs can be run regularly or occasionally nationwide by banks individually, by the Bangladesh Association of Bankers, or by the Government itself.

Apart from the survey findings, the study identifies some very important points that might serve as valuable starting points for ensuring information security.

Integrated Efforts of Associations: Like NASSCOM in India, Bangladesh has two associations that deal with and facilitate the country's information technology sector: the Bangladesh Association of Software and Information Services (BASIS) and the Bangladesh Computer Society (BCS). NASSCOM has evidently been excellent at facilitating skill development through a number of programs and at helping the government reduce information security vulnerability. Specifically for the banking industry, BASIS and BCS should work with the government of Bangladesh to update the ICT policy regularly, provide regular training to existing and new employees, establish large-scale, nationwide central training and monitoring centres, provide banks with adequate expertise, and so on.

Making Compliance with International Standards Mandatory: Bangladesh Bank may require every bank in the industry to comply with international information security standards such as BS 7799 or ISO 17799 (BS 7799-2 has since been adopted as ISO/IEC 27001 and ISO 17799 renumbered as ISO/IEC 27002). Beyond ensuring compliance, Bangladesh Bank must regularly oversee that any update to the international standards is complied with as soon as it takes effect.

Making Use of Licensed Products Mandatory: In Bangladesh, as a developing country, many corporations still use unauthorised, pirated software that is not licensed, which creates a great risk of losing information or data (at the very least when the software suddenly becomes inoperative or corrupt, and unlicensed software also cannot be relied on to receive vendor security updates). Piracy prevention programs must be pursued seriously to identify such practices.

Survey of Information Security Status: Regulatory authorities in Bangladesh should conduct surveys of practices and challenges in the banking industry to understand the quality of information security policies. Bangladesh Bank, in coordination with BASIS or BCS, may help every bank develop a comprehensive internal information security guideline.

Concentration of IT Education: There are 15 science and technology universities in Bangladesh producing thousands of IT graduates every year. It has been observed that the best graduates usually leave Bangladesh, as there are few very good opportunities at home; an information security infrastructure could offer these graduates an excellent career platform. Moreover, around 50 percent of these universities are not really producing graduates of international standard. The Bangladesh government should therefore ensure two things, as China has done: incorporate comprehensive, up-to-date coursework into the IT curriculum, and then create a national information security platform to accommodate these graduates.

The corporate sector of Bangladesh has not yet felt the pinch of information security vulnerability much. Every industry in the country is still growing, and so are their strengths and resources. Some industries, such as banking, non-banking financial institutions and telecommunications, deal with millions of pieces of customer and institutional information every day, and the performance and reputation of banks in particular are highly sensitive to information security. Some banks have already faced security threats and have borne considerable financial and reputational loss (National Bank Limited, for example). Lack of awareness, lack of employee training, and the unavailability of proper expertise, guidelines and consultation have resulted in such losses, and the survey respondents expect the situation to deteriorate in the coming days. The banking sector in Bangladesh has been expanding rapidly, so there is a sheer need for information security. The study shows that banks in Bangladesh use different platforms for information processing, sharing and transfer, and many of them suffer physical and online information damage regularly. Although many banks have their own ICT risk management policy, poor implementation of that policy is exposing more banks to a greater degree of insecurity of their institutional information and of the information of a huge number of customers. The sensitivity of the issue is always quite high, so the government and Bangladesh Bank should take the lead in paving the way for information security. As a bank's success largely depends on its reputation in this competitive age, an unprecedented event may lead to huge business losses, and the banking industry as a whole should be aware enough to accommodate information security in its own strategic policies.





Anand, V., 2008, Future Security Threats Outlook, PC Quest, April 05. Available at: force_report_

Chaffey, D. and Wood, S., 2005, Business Information Management: Improving Performance Using Information Systems, First Edition, Prentice Hall.

Chowdhury, J. R., 2001, "Information Technology in Bangladesh", Observer Magazine, June 1, Bangladesh.

Coffey, K., 2003, Crooks Who Use Your ATM Card As A Passport To Your Account. Available at:

Corbin, T., 2008, Letter sent to E-security Review Team, Attorney-General's Department, Consumers' Telecommunications Network, October 18.

Federal Bureau of Investigation, 2003, Testimony by James E. Farnan, Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation, before the House Financial Services Committee, Subcommittees on Financial Institutions and Consumer Credit, and Oversight and Investigations, April 3, published on the FBI website. Available from:

Financial Services Authority, 2004, Countering Financial Crime Risks in Information Security, Financial Crime Sector Report, November.

Georgia Tech Information Security Center, 2007, Emerging Cyber Threats Report for 2008: Leading technology experts share thoughts on top emerging Internet threats for 2008, October 2. Available from:

Gupta, G. U. and Collins, W., 1997, "The impact of information systems on the efficiency of banks: an empirical investigation", Industrial Management & Data Systems, Vol. 97, No. 1, pp. 10-16.

Heath, N., 2009, The five biggest security threats facing businesses today: From the poison pharms to the cloud's evil lining, February 04. Available from:

Holappa, J., Ahonen, P., Eronen, J., Kajava, J., Kaksonen, T., Karjalainen, K., Pekka, J., Koivisto, Kuusela, E., Ville, Ollikainen, Rapeli, M., Sademies, A. and Savola, R., 2005, Information Security Threats and Solutions in Digital Television: The Service Developer's Perspective, VTT Electronics Research Notes 2306.

James, G. D., 2007, Statistical Analysis of Internet Security Threats, March 25. Available from:

Joiner, B., 2008, Information Security Update: Threats & Opportunities, presented at the Atlanta ARMA Meeting, Federal Reserve Bank of Atlanta.

Keeney, M. and Kowalski, E. (National Threat Assessment Center, United States Secret Service, Washington DC) and Cappelli, D., Moore, A., Shimeall, T. and Rogers, S. (CERT Program, Software Engineering Institute, Carnegie Mellon University), 2005, Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, May.

Kishore, P., 2008, Experience in Implementing Security Measures at SBI: A Case Study, The State Bank of India.

Kun, M. L., 2004, Emerging Technologies and Innovation in Banking: Drivers for Growth, Gartner Inc., Miami.

Laudon, J. and Laudon, K., 2004-2005, Management Information Systems: Managing the Digital Firm, 8th Edition, Prentice Hall of India Private Ltd.

Libicki, M., 2002, The Future of Information Security, Institute for National Strategic Studies, Washington, D.C.

Libicki, M., 2008, The Future of Information Security. Available from:

Logica, 2008, Information security in the UK life, savings & investment and pensions sector: A Logica snapshot survey, May 20.

Merkow, M. and Breithaupt, J., Information Security: Principles and Practices.

Nagaoka, H., Ukai, Y. and Takemura, T., 2006, "Information System Strategy of Nationwide Banks", in Economic Analysis of Information System Investment in Banking Industry, Springer, Tokyo, pp. 29-52.

Network Magazine, 2003, Information Security: A new approach, Cover Story.

Norén, G., 2006, India and China from an Information Security Perspective, Confederation of Swedish Enterprise.

Petroni, A., 1999, "Managing information systems' contingencies in banks: a case study", Disaster Prevention and Management, Vol. 8, No. 2, pp. 101-110.

Petrides, L. A., 2004, Knowledge Management, Information Systems, and Organizations, Institute for the Study of Knowledge Management in Education, Educause Center for Applied Research, Colorado.

Rai, A., 2008, Keeping A Digital Vigil, July 28. Available from:

Raihan, A., 2001, Computerization and IT in the Banking Sector of Bangladesh: Hindrances and Remedies, paper presented at the National Seminar organized by BIBM, June 09, Bangladesh.

Smith, N. G. and Oppenheim, C., 1994, "The role of information systems and technology (IS/IT) in investment banks", Journal of Information Science, Vol. 20, No. 5, pp. 323-333.

Smullen, J., 1995, Financial Management Information and Analysis for Retail Banks, Woodhead Publishing Limited, October.

Strand, J., 2009, Future security threats: Enterprise attacks of 2009, January 12.

Usher, A., 2006, Essential Strategies for Protecting Against the New Wave of Information Security Threats, Sharp Ideas LLC.

Usmani, K., 2008, Information Security Threats and Measures, CERT-MU, National Computer Board, Workshop on the adoption of Information Security Standards, Ebene Cyber Tower Conference Hall. Available from:

Watanabe, Y., Mizuno, Y., Yamada, K. and Inoue, S., 1998, New Financial Information System for the Network Computing Era, Hitachi Review Vol. 47, No.