Academic Tutorial Answers

QUESTION 1

a) Security risk management consists of four phases:

i) Risk Assessment
Organization evaluates their security risks by determining their assets, the
vulnerabilities of their system, and the potential threats to these
vulnerabilities. One way to evaluate vulnerabilities is use the services of a
consultant to study the types of attacks the site is facing, or secondly use a
honeynet.

ii) Planning
The goal of this phase is to arrive at a set of policies defining which threats
are tolerable and which are not. Also, define general measures to be taken
against those threats that are intolerable.

iii) Implementation
Particular technologies are chosen to counter high-priority threats. The
selection of particular technologies is based on the general guidelines
established in the planning phase.

iv) Monitoring
This is an ongoing process that is used to determine which measures are
successful, which measures are unsuccessful and need modification,
whether there are any new types of threats, etc.

b) (i) Auditing
The process of collecting information about attempts to access particular resources, use
particular privileges, or perform other security actions. A log file keeps information for
every attempt to access a web page, data in a database. Audits provide a means to
reconstruct any action that were taken, and identify the author.
Academic Tutorial Answers

(ii) Data Confidentiality

Keeping private or sensitive information from being disclosed to unauthorised individuals,
entities, or computer software processes. It is intertwined with the notion of data privacy,
which is now a regulatory issue in many countries. Confidentiality is usually ensured with
encryption.

Example of confidential information:

Credit card numbers, business plans, who as visited which web site.

(iii) Non Repudiation

The ability to limit parties from refuting that a legitimate transaction took place. (usually by
means of a signature) .
If an order is made through a mail-order catalogue and pays by check, then it is difficult to
dispute the veracity of the order. Similarly if the same item is ordered using the companies
website and pays by credit card, the person can always claim he did not place the order.

c) Denial-of-Service Attack:
An attack on a Web site or online service in which an attacker uses specialized software
to send a flood of data packets to the target computer with the aim of overloading its
resources. Hence, the online service is no longer available.

d) Possible technologies: firewall, packet-filtering router, Application-level proxy,

gateways.

• Firewall
A network node consisting of both hardware and software that isolates a private
network from a public network.

:
Academic Tutorial Answers

QUESTION 2:

a) Operational risk is defined as the risk of loss resulting from inadequate or failed internal
processes, people and systems, or from external events. Although the risks apply to any
organisation in business it is of particular relevance to the banking sector. Any unanticipated
events resulting in the institution’s inability to deliver products or services. The risk exist in
each product and services offered.

b) (Any two of the following examples: fraud, system failures, terrorism and employee
compensation claims.)

A typical answer:
• System failures
System failures could be the results of applications which have bugs. This will result
in the system to make inherent errors in the processing. Example: the date format. In
Mauritius we use the following format: dd-mm-yyyy, and systems can be based on
the American standard mm-dd-yyyy. This type of bug can result in disastrous failures.
Secondly, employees who lack training can misuse the application functionalities,
once more resulting into operational failures.
Academic Tutorial Answers

• Terrorism
Events such as the September 11 terrorist attacks, rogue trading losses at Barings,
AIB and National Australia Bank. Terrorism can cause system failures and fraud
which are all directly related to operational risks.

c) The level of transaction risk is affected by the following:

The structure of the institution’s processing environment, including the types of services
offered and the complexity of the processes and supporting technology.

E-banking activities will increase (in most instances):

− The complexity of the institution’s activities.

− The quantity of its transaction/operations risk, especially if the institution is

offering innovative services that have not been standardised.

Financial institutions should ensure their e-banking infrastructures contain sufficient capacity
and redundancy to ensure reliable service availability.

d) Controlling transaction risk lies in adapting effective polices, procedures, and controls to
meet the new risk exposures introduced by e-banking:

• Basic internal controls including segregation of duties, dual controls, and reconcilements

• Information security controls become more significant requiring additional processes,

tools, expertise, and testing.

• Institutions should determine the appropriate level of security controls abased on their
assessment of the sensitivity of the information to the customer and to the institution and
on the institution’s established risk tolerance level.
Academic Tutorial Answers

QUESTION 3:

a) In any e-payment method, there are five parties involved:

1. Customer/payer/buyer: The party making the e-payment in exchange for goods or
services.
2. Merchant/payee/seller: The party receiving the e-payment in exchange for goods
and services
3. Issuer: The banks or non-banking institutions that issue the e-payment instrument
used to make the purchase.
4. Regulator: usually a government agency whose regulations control the e-payment
process.
5. Automated Clearing House (ACH): An electronic network that transfers money
between bank accounts. (Mauritius automated clearing and settlement system-
MACSS)

b) Crucial factors in any e-payment system:

1. Independence
Some e-payment methods require specialized software/hardware. These are less
likely to succeed.
2. Interoperability and portability
All forms of e-commerce run on specific systems that are interconnected with the
enterprise system. E-payment method must be able to connect to these existing
system and applications.
3. Security
How safe is a transfer? If payer risk is higher that payee’s risk, then the method is
unlikely to be adopted.

4. Anonymity
Just like paying with cash is not traceable, some buyers want their identities and
transaction to remain anonymous.
5. Divisibility
Buyers accept credit cards for a range (minimum and maximum value). Below the
minimum value, and above the maximum value, credit cards cannot be used. So
one method that can address this lower and uppur bound, as well as span in the
middle has a high chance of being accepted.
6. Ease of use
In B2C, credit cards are a standard, because of it ease of use.
7. Transaction fees
Academic Tutorial Answers

In credit card payments, the merchant pays a transaction fee of up to 3% of the

item’s purchase price (above a minimum fixed fee). These fees makes it
prohibitive to support smaller purchases, and leave room for alternative
payments.

c) Micropayment are small payments that involve a small amount of money. Examples:

• A Customer goes to online gaming company, plays for 30 mins and plays $
3.00
• A Customer purchases a couple of images and clip arts online for $ 0.80

Micropayments are one area where e-cash and other payment card schemes come into
play, since Credit cards do not work well for such small payments. Vendors who accept
credit cards, typically must pay a minimum transaction fee that range from 25 cents to 35
cents, plus 2 to 3 percent of the purchase price. These fees are practically insignificant for
amount above $10, but are cost-prohibitive for smaller transactions. Therefore, e-cash
being just like traditional paper money does not involve a transaction fee and hence is
suitable for micropayments.

d) An e-check is the electronic version or representation of a paper check. E-checks contain

the same information as paper based checks, can be used wherever paper checks are used,
and are based on the same legal framework.

Two benefits of e-checks: (any two benefits listed below)

1. It reduces the merchant’s administrative costs by providing faster and less paper-
intensive collection of funds.
2. It improves the efficiency of the deposit process for merchants and financial
institutions.
3. It speeds the checkout process for consumers.
4. It provides consumers with more information about their purchases on their account
statements.
5. It reduces the float period and the number of checks that bounce because of
insufficient funds (NSFs).
Academic Tutorial Answers

QUESTION 4:

a) Symmetric v/s Asymmetric:

When using symmetric algorithms, both parties share the same key for en- and decryption. To
provide privacy, this key needs to be kept secret. Once somebody else gets to know the key,
it is not safe anymore. Symmetric algorithms have the advantage of not consuming too much
computing power. A few well-known examples are: DES, Triple-DES (3DES), IDEA, CAST5,
BLOWFISH, TWOFISH.

Asymmetric algorithms use pairs of keys. One is used for encryption and the other one for
decryption. The decryption key is typically kept secretly, therefore called ``private key'' or
``secret key'', while the encryption key is spread to all who might want to send encrypted
messages, therefore called ``public key''. Everybody having the public key is able to send
encrypted messages to the owner of the secret key. The secret key can't be reconstructed
from the public key. The idea of asymmetric algorithms was first published 1976 by Diffie and
Hellmann.

Asymmetric algorithms seem to be ideally suited for real-world use: As the secret key does
not have to be shared, the risk of getting known is much smaller. Every user only needs to
keep one secret key in secrecy and a collection of public keys, that only need to be protected
against being changed. With symmetric keys, every pair of users would need to have an own
shared secret key. Well-known asymmetric algorithms are RSA, DSA, ELGAMAL.

However, asymmetric algorithms are much slower than symmetric ones. Therefore, in many
applications, a combination of both is being used. The asymmetric keys are used for
authentication and after this has been successfully done, one or more symmetric keys are
generated and exchanged using the asymmetric encryption. This way the advantages of both
algorithms can be used. Typical examples of this procedure are the RSA/IDEA combination of
PGP2 or the DSA/BLOWFISH used by GnuPG.

c) A honeynet is a network of honeypots, which are production systems (firewalls, routers,

web servers, database servers, and the like) that can be watched and studied as a network
intrusion occurs. (Setting a trap in a real system, when the hackers attack the system, IT
professionals can watch and learn what tools and techniques are being used.)