Ceisare
Center of Excellence in Information Systems Assurance Research and Education

   

Point of Contact
Prof. H.R. Rao mgmtrao@buffalo.edu


ISBN: 978-1-59904-171-1 (h/c)
ISBN: 978-1-59904-173-5 (e-book)

MANAGING INFORMATION ASSURANCE IN FINANCIAL SERVICES

H.R Rao, Manish Gupta, Shambhu Upadhyaya

  

Table of Contents


Foreword
Representative Sherwood Boehlert (R-NY), Chairman, Committee on Science, U.S. House of Representatives


SECTION 1: MANAGEMENT AND STRATEGY
1. Analyzing Risks to Determine a New Return on Security Investment: Optimizing Security in an Escalating Threat Environment
Warren Axelrod, Pershing LLC, USA
2. Risk Management in Banking – A Review of Principles and Strategies
Goran Bergendahl, Göteborg University, Sweden
Ted Lindblom, Göteborg University, Sweden
3. Developing Information Assurance Alignment in Financial Services
Jean-Noel Ezingeard, Henley Management College, UK
Elspeth McFadzean, Henley Management College, UK
David Birchall, Henley Management College, UK
4. Information Security in Banking
Kevin Streff, Dakota State University, USA
5. Security Risk Management Strategy of Financial Services Institutions
Guoling Lao, Shanghai University of Finance and Economics, China
Liping Wang, Shanghai University of Finance and Economics, China
 

SECTION II: TECHNOLOGIES AND COUNTERMEASURES
6. New technologies in e-banking: convenient and trustworthy?
Niels Jørgensen, Roskilde University, Denmark.
7. Stronger Authentication: Responding to the crisis of confidence
Alvin Y.C. Yeo, SIM University, Singapore
8. Smart Cards for Security and Assurance
Konstantinos Markantonakis, Smart Card Centre, University of London, UK
Keith Mayes, Smart Card Centre, University of London, UK
Fred Piper, Smart Card Centre, University of London, UK
9. Unified Identities in Complex Financial Organizations
Peter Orondo, Acclaim Consulting Group Inc., USA
10. Identity Management and Access
Nick Pullman, Citigroup, USA
Kevin Streff, Dakota State University, USA
 

SECTION III: TRENDS AND ISSUES
11. Swallowing the Bait, Hook, Line and Sinker: Phishing, Pharming and now Rating!
Sylvia Kierkegaard, IAITL, Denmark
12. The evolution of fraud intelligence
David Porter, Detica Corporation, UK
13. Managing Information Assurance in Subscription-based Financial Services
Victoria Ungureanu, Rutgers University, USA
14. Information Disclosure and Regulatory Compliance: Economic Issues and Analysis
Anindya Ghose, New York University, USA


About the Authors

C. Warren Axelrod, Ph.D., CISM, CISSP is director, global information security, at a major financial firm, responsible for security policies, standards and awareness. Dr. Axelrod was honored with 2003 Computerworld Premier 100 IT Leaders and Best in Class Awards. He testified before Congress on cybersecurity in 2001 and represented financial services security interests at the Y2K National Information Center. He co-founded the FS/ISAC (Financial Services Information Sharing and Analysis Center). Dr. Axelrod’s third book, Outsourcing Information Security (Artech House), was published in 2004. His Ph.D. is from Cornell University and his honors bachelor's and master's degrees are from Glasgow University.

Goran Bergendahl is Professor Emeritus of Business Administration at Göteborg University, Sweden. He has also been Dean of its School of Economics and Commercial Law. Before that he worked as an economist for the National Road Administration and for the Swedish Association of the Farmers' Corporations. He holds a doctorate degree in Business Administration from Stockholm University. He has written several books and published numerous articles about agricultural economics, transport economics, energy economics, bank management and financial management.

David Birchall is Director of the School of Management Knowledge and Learning and Director of Henley Learning Advisory Services at Henley Management College. Professor Birchall is a regular speaker on innovation, knowledge project management, IT and learning and new forms of organisation and has designed management development programmes at all levels. He currently directs projects funded by the European Union including multi-national partnerships, UK Government Department and several commercial organisations; moreover, he regularly presents research findings at conferences and seminars worldwide.  His most recent projects include EU funded "e-Learning for Managers and Management Developers". His latest book Capabilities for strategic advantage: Leading Through Technological Innovation – co-authored with George Tovstiga – was published by Palgrave in May 2005.

Hon. Sherwood Boehlert is Chairman, Committee on Science, U.S. House of Representatives (2001-2006). He was first elected to represent Central New York in the House of Representatives in 1982 and has earned a reputation for independence, moderation and thoughtful leadership. Universally recognized as the leading Republican environmentalist in the House, Boehlert has also made a name for himself as a champion of the Federal investment in science and technology.  The Science Coalition has hailed Boehlert a “Champion of Science” for his leadership in advancing the importance of university-based science and engineering research.  The National Council on Science and the Environment said, “He has a well-earned reputation as one of Congress’s scientific leaders.” Boehlert has served on the Science Committee since first taking office in 1983, and was elected Chairman in January 2001.  The Committee has jurisdiction over all federal non-military scientific and technology research and development (R&D) programs.  Federal spending on these programs totals more than $30 billion a year.  This includes the National Aeronautics and Space Administration (NASA), the National Science Foundation, and R&D activities within the Environmental Protection Agency, the Federal Aviation Administration, and the Departments of Commerce, Energy, Homeland Security, and Transportation.

In his first speech as chairman, Boehlert pledged to “build the Science Committee into a significant force within the Congress,” and “to ensure that we have a healthy, sustainable, and productive R&D establishment – one that educates students, increases human knowledge, strengthens U.S. competitiveness and contributes to the well-being of the nation and the world.”

Following the tragic events of September 11, 2001, terrorism moved to the forefront of the Committee’s agenda.  Heeding Chairman Boehlert’s admonition that “the war on terrorism, like the Cold War, will be won in the laboratory as much as on the battlefield,” the Science Committee worked to ensure that the Federal Government was investing in the science and technology necessary to combat terrorism over the long-term.  

The Science Committee played a key role in the development of H.R. 5005, legislation establishing the new Department of Homeland Security, leading the push to make science and technology a priority in the new department and ensuring the establishment of an undersecretary solely responsible for such issues.  Addressing the vulnerability of the Nation’s critical infrastructure, the House approved, and the President signed into law, Boehlert’s landmark “Cyber Security Research and Development Act” (H.R. 3394), authorizing $903 million in new funding for R&D in this critical area. In addition, Boehlert introduced, and the House quickly passed, H.R. 3178, a bill to enhance security at water supply and wastewater treatment systems.  The Committee also held hearings on anthrax detection and decontamination, and urged Federal agencies to better coordinate their response to bioterrorism.  

In addition to being a leader on science issues, Boehlert’s legislative experience and seniority make him one of the most influential members of Congress.  Boehlert’s influence has been praised by many publications, including National Journal, which dubbed him “the Green Hornet” and featured him as one of a dozen “key players” in the House.  Congressional Quarterly referred to him as “an important envoy between the House GOP leadership and the chamber’s increasingly independent Republican swing voters” and Time Magazine highlighted him as a power center on Capitol Hill.

Born on September 28, 1936 in Utica, New York, Boehlert is a graduate of Whitesboro Central High School and Utica College (Bachelor of Science, 1961).  Before serving as Oneida County Executive (1979-83), he was manager of public relations at Wyandotte Chemical (1961-64) and served two years in the U.S. Army (1956-58). 

Boehlert served as chief of staff for two area Congressmen, Alexander Pirnie (1964-72) and Donald Mitchell (1973-79), where he became intimately familiar with the needs of his constituents in Central New York. An avid New York Yankees fan and movie buff, Boehlert and his wife, Marianne (Willey) Boehlert, make their home in New Hartford, New York.  They have four grown children and five grandchildren.

Jean-Noël Ezingeard is Professor of Processes and Systems Management and Academic Dean at Henley Management College. His first degree was in Engineering Science from Ecole Centrale de Lille, an Engineering Grande Ecole. He later obtained an MSc in Advanced Manufacturing Systems and his PhD from Brunel University. His doctoral research was on performance evaluation techniques for Information Systems. He joined Henley in 1998 and became a College Professor in 2004. Before joining Henley, Jean-Noël was a lecturer at Brunel University and Course Director for the Special Engineering Programme. He has developed workshops on Information Systems and Business Processes Management for companies such as TotalFinaElf, Canon, IBM, ISS, Lloyd's of London. He is also a regular speaker at conferences in the UK and overseas. He is also a visiting professor at the Lille Graduate School of Management.

Anindya Ghose is an Assistant Professor of Information, Operations, and Management Sciences at New York University’s Leonard N. Stern School of Business. He joined Stern's Information Systems Group in September 2004. Professor Ghose’s central research skates the intersection between information technology, economics and competitive strategy, brought forth by the transformation of the digital economy’s information infrastructure. His primary research interests include the economics of electronic markets and online textual information, the economics of information security and pricing of information goods. His research has been published in several top-tier academic journals including Management Science, Information Systems Research, Statistical Science and Journal of Management Information Systems. His work has won Best Paper nominations in several conferences such as the International Conference on Information Systems and the Hawaiian International Conference on System Sciences and has been widely covered by press outlets such as The New York Times and CNN. He recently received the 2006 Microsoft Live Labs Award for his co-authored research proposal on combining economics with text mining techniques to measure the effect of online information exchanges. Before joining NYU Stern, Professor Ghose worked in Finance with GlaxoSmithKline, as a Product Manager in HCL-Hewlett Packard, and as a Senior E-Business Consultant with IBM. He has a B. Tech in Engineering from the Regional Engineering College in Jalandhar, and an M.B.A in Finance, Marketing and Systems from the Indian Institute of Management, Calcutta. He received his M.S. and Ph.D. in Information Systems from Carnegie Mellon University’s Tepper School of Business. 

Niels Jørgensen is Associate Professor at Computer Science, Roskilde University. His main interests are technology theory, IT security, and open source. His research goal is to understand the engineering aspects of software, and how software engineering resembles and is different from engineering in classical, manufacturing disciplines such as aircraft engineering.

Sylvia Kierkegaard is president of the International Association of IT Lawyers (www.iaitl.org).  She has authored and edited over 2000 articles, books and peer-reviewed papers on international law, which have appeared in prestigious journals, books and magazines. She is a member of the editorial board of 9 international journals, editor of 3 international law journals, a regular Reviewer and Committee member of various conferences, as well as chairman and organiser of several successful international conferences dealing with law, business and technology. She has several postgraduate degrees in law, business, Theology, and Economics obtained with honours from Denmark, England, Netherlands, USA and Manila.

Guoling Lao is an associate professor in the School of Information Management and Engineering, Shanghai University of Finance & Economics, director of the SHUFE-IBM Electronic Commerce Center, and concurrently assistant deputy office chief of the financial division of the university (responsible for informatization). Lao has published more than 10 textbooks and several dozen academic papers, and completed nearly 30 enterprise and government projects. Main research directions: electronic commerce and management information systems.

Ted Lindblom is Professor and Chairman of the PhD Research Committee of Business Administration at the University of Gothenburg. Since 1998 he has also been Programme Co-ordinator for the Master of Science Programme in Industrial and Financial Economics at the Graduate Business School (GBS). His research mainly concerns corporate finance, pricing (particularly pricing strategies in decreasing cost industries), and consequences of market deregulation in industries like electricity, banking and retailing. For more than twenty years he has been studying retail banks in Scandinavia, with special interest in their pricing of payment services, financial performance and consolidation activity. He has authored and co-authored several articles and books regarding these issues.

Dr Konstantinos Markantonakis (B.Sc. (Lancaster), M.Sc., Ph.D, MBA (London)) is Information Security Group Smart card Centre Lecturer at Royal Holloway, University of London. He received his BSc (Hons) in Computer Science from Lancaster University in 1995, his MSc in Information Security in 1996, his PhD in 2000 and his MBA from Royal Holloway, University of London. His main areas of interest are smart card security and smart card applications along with security protocol design. He has worked as a Multi-application smart card Manager in Visa International EU, responsible for multi-application smart card technology for southern Europe. He is also a member of the IFIP Working Group 8.8 on Smart Cards. He continues to act as a consultant on a variety of topics around smart card security, smart card migration program planning/project management for financial institutions and transport operators.

Dr Keith Mayes (B.Sc., Ph.D. (Bath), CEng, MIEE) is Director of the Information Security Group Smart card Centre, Royal Holloway, University of London. In his early career he worked with Philips and Honeywell on image processing systems. In 1988 he started work for Racal Research on communications research and advanced development products. In 1996 Keith joined Vodafone's Communication Security and Advanced Development group, initially participating in GSM/3G standardisation. Later he led the Maths & Modelling, plus Fraud & Security groups and was also responsible for patent/IPR issues. In 2000 he became the Vodafone Global SIM Card Manager, responsible for SIM card harmonisation and strategy for the Vodafone Group. In 2002, Keith set up Crisp Telecom and was also appointed as Director of the Smart Card Centre.

Elspeth McFadzean completed her PhD – on the use of creative problem solving techniques and group support systems for strategic decision-making – from Brunel University in 1995. Currently, she is running her own management education, research and consultancy business and is a partner in a second company which sells meeting tools and technology. Elspeth is Lead Tutor for the Creative Problem Solving elective at Henley. In addition, she e-tutors on the Managing Information and the Virtual Tutor courses. She also tutors for the University of Surrey (on their core MBA subject of Entrepreneurship and Creativity) and the University of Liverpool (on Business Leadership). Elspeth’s research interests include information assurance, group problem solving and virtual learning teams. In addition, she has carried out extensive research on creativity, facilitation and group support systems. Elspeth has written over fifty articles in academic journals, books, conference proceedings and working papers including periodicals such as Interfaces, the Journal of Management Development and Harvard Business Review.

Peter O Orondo is President and CEO of Acclaim Consulting Group, Inc, a leading technology services consulting firm specializing in Identity and Access Management (IAM) solutions located in Waltham, MA. Mr. Orondo has more than 12 years' experience in technology management and consulting. Prior to founding Acclaim Consulting Group, he worked in senior roles at Netegrity, Inc, Computer Associates International and Myers-Holum, Inc, where he spearheaded technology thought leadership, and architected and deployed complex enterprise Identity and Access Management, and E-provisioning solutions. In 2003, Mr. Orondo led the Acclaim Consulting Group team to win the Semi Finalist Award at the prestigious MIT $50K Entrepreneurial Competition. Mr. Orondo holds Bachelors and Masters Degrees in Electrical Engineering and Computer Science from the Massachusetts Institute of Technology (MIT).

Professor Fred Piper, (BSc PhD (London) CEng CMath FIEE ARCS DIC FIMA) is Director of Information Security Group, Royal Holloway, University of London. Fred Piper has worked in security since 1979.  He is a Director of the Information Security Group (ISG) at Royal Holloway. The ISG offers an MSc in Information Security with a PhD programme that has produced over 100 doctorates. In 1985 Fred formed a consultancy company, Codes & Ciphers Ltd, and since then he has acted as a consultant to over 100 companies worldwide. He has published more than a hundred research papers and is joint author of Cipher Systems (1982), Secure Speech Communications (1985), Cryptography:  A Very Short Introduction (2002), and an ISACA research monograph on Digital Signatures (1999).  He is a Trustee at Bletchley Park. In 2002 he was awarded an IMA Gold Medal for “Services to Mathematics”.

David Porter is Head of Security & Risk at Detica, the UK’s leading independent intelligence systems and services organization, with offices in London, England and Washington, DC. As a Certified Fraud Examiner he is a leading subject matter expert in the area of operational risk management and technology, consulting to clients in the government, defense and financial services sectors. Originally an artificial intelligence researcher at London’s South Bank University, he moved into risk management services at Deloitte and advanced technology solutions at Unisys. He is Detica’s chief media spokesman and has extensive experience as an international analyst, speaker, writer and commentator on fraud and security issues.

Nick Pullman is a technical security analyst with Citigroup in the security administration department. For the past two and a half years he has been developing and implementing several integrated identity management and reporting tools. Nick is the Treasurer of the South Dakota InfraGard chapter as well as a member of the Financial Services Information Sharing and Analysis Center. He graduated with a Bachelor's degree in Computer Information Systems with a Network and Security specialization and is completing his Master's degree in Information Assurance in the Fall of 2006 with a specialization in Banking and Finance from Dakota State University.

Dr Kevin Streff is an Assistant Professor at Dakota State University and teaches in the information assurance program. Dr. Streff is the Director of the Center for Information Assurance at Dakota State, which has been recognized by both the National Security Agency and The Department of Homeland Security as a national center of academic excellence in information assurance. Dr. Streff has extensive knowledge of the financial services industry, including banking, insurance, and credit operations. Dr. Streff is founder and partner of Secure Banking Solutions, a security consulting firm focused on improving security in community banks across the country. Dr. Streff is also President of InfraGard - South Dakota, a partnership program between Private Industry and the U.S. government (represented by the FBI). Dr. Streff speaks nationally on security issues and solutions relevant to small and medium-sized banks.

Victoria Ungureanu is a system analyst at Standard and Poor’s. Dr. Ungureanu received a Ph.D. in Computer Science from Rutgers University in 2000. Her dissertation, entitled “The Formulation of Policies for Electronic Commerce, and their Enforcement”, was awarded a prize in the contest for Best Thesis Proposal in E-Commerce, organized by IBM. This work was supported in part by DIMACS, under contract STC-91-19999.

Liping Wang, Doctor of the School of Finance, Shanghai University of Finance & Economics, has published several papers in journals and academic meetings, and participated in the compilation of some textbooks and the translation of teaching materials. With a master's-level major in electronic commerce security and a current major in international finance, Wang has an interdisciplinary background in bank information assurance. Main research direction: international finance.

Dr Alvin Y.C. Yeo has 10 years of marketing and business development experience. He is currently Senior Manager, Infocomm Development Authority of Singapore, where he is responsible for catalyzing the infocomm sector through investment promotion and infrastructure planning activities. Prior to this, he assumed management responsibilities at the Overseas Union Bank in corporate banking and segment marketing. Dr Yeo has published more than 10 refereed articles in marketing and electronic commerce. He serves as an adjunct faculty at the SIM University (Singapore) and the University of Newcastle. A recipient of two prestigious ASEAN scholarships from Singapore’s Ministry of Education, he holds a PhD from the University of Western Australia, an MBA (with Distinction) from the University of Leicester and a BBA (Finance) degree from the National University of Singapore.


About the Editors

Prof. H. Raghav Rao, University at Buffalo
Dr. Rao's interests are in the areas of management information systems, decision support systems, and expert systems and information assurance. He has chaired sessions at international conferences and presented numerous papers. He has authored or co-authored more than 125 technical papers, of which more than 80 are published in archival journals. His work has received best paper and best paper runner up awards at AMCIS and ICIS. Dr. Rao has received funding for his research from the National Science Foundation, the Department of Defense and the Canadian Embassy and he has received the University's prestigious Teaching Fellowship. He also received the Fulbright fellowship in 2004. He is a co-editor of a special issue of The Annals of Operations Research, the Communications of ACM, associate editor of Decision Support Systems, Information Systems Research and IEEE Transactions in Systems, Man and Cybernetics, and co-Editor-in-Chief of Information Systems Frontiers. He is the recipient of the 2007 State University of New York Chancellor's award for Excellence

Manish Gupta, M&T Bank Corporation

Manish Gupta is an information security professional in M&T Bank Corporation, Buffalo, NY, USA. He has more than a decade of experience in information systems and assurance including security policies and technologies. He is also a PhD candidate at State University of New York, Buffalo. He has co-edited 3 books in the area of information security and assurance (2 are forthcoming). He has published more than 20 articles in leading journals including DSS, JOEUC and ACM TOIT, conference proceedings and books. He has reviewed papers for more than a couple dozen journals and conferences. He serves on the editorial board of the International Journal of Electronic Banking and has served on the program committee/review board of several international conferences/workshops. He holds an MBA from SUNY-Buffalo and several professional designations including CISSP, CISA, CISM and PMP. He has also received advanced certificates in information assurance and cyber law.

Prof. Shambhu Upadhyaya, University at Buffalo

Shambhu J. Upadhyaya is an Associate Professor of Computer Science and Engineering at the State University of New York at Buffalo where he also directs the Center of Excellence in Information Systems Assurance Research and Education (CEISARE), designated by the National Security Agency. Prior to July 1998, he was a faculty member at the Electrical and Computer Engineering department. His research interests are information assurance, computer security, fault diagnosis, fault tolerant computing, and VLSI Testing. He has authored or coauthored more than 150 articles in refereed journals and conferences in these areas. His current projects involve intrusion detection, insider threat modeling, security in wireless networks, SoC test scheduling, analog circuit diagnosis, and RF testing. His research has been supported by the National Science Foundation, Rome Laboratory, the U.S. Air Force Office of Scientific Research, DARPA, and National Security Agency. In May 1999, IBM sponsored a new Electronic Test and Design Automation Lab to support his teaching and research on VLSI Testing. He has been awarded an IBM Faculty Partnership Fellowship for year 2000-01 in recognition of his research accomplishments in the area of VLSI. He was also an NRC faculty fellow in 2001 and 2002. In 2005, he received Cisco equipment donation to build a computer security lab. He has held visiting research faculty positions at the Center for Reliable and High Performance Computing, University of Illinois, Urbana-Champaign, Intel Corporation, Folsom, CA, Air Force Research Laboratory, Rome, NY and the Naval Research Laboratory, Washington DC. He was the Program Co-Chair of the Fifth IEEE/ACM Great Lakes Symposium on VLSI, 1995. 
He has served on various Conference Committees including the IEEE Simulation Conference, 1994, 1995, 1997, 1999 - 2004, Fault Tolerant Computing Symposium, 1997, and 1999, IEEE International Symposium on Defect and Fault Tolerance in VLSI Systems, 1997, 1998, 2000 - 2003, and 1999, and IEEE Symposium on Reliable Distributed Systems, 1998 and 1999. He was the publicity chair of 1998 IEEE International Computer Performance and Dependability Symposium, and has served as the Program Co-chair of IEEE Symposium on Reliable Distributed Systems, 2000 held in Nuernberg, Germany. He is an associate editor of IEEE Transactions on Computers, a member of the editorial board of the International Journal on Reliability, Quality, and Safety Engineering published by the World Scientific Publishers. He was a guest co-editor of the book series Interfaces in OR/CS on Mobile Computing: Implementing Pervasive Information and Communication Technologies, Kluwer Academic Publishers, 2001 and is a guest co-editor of a special issue on Secure Knowledge Management in IEEE Transactions on Systems, Man and Cybernetics, March 2006. He was on the Program Committee of 3rd IEEE International Information Assurance Workshop, Washington DC, March 2005, 6th Annual IEEE Information Assurance Workshop, West Point, NY, June 2005, and Dependable Computing and Communications Symposium of IEEE DSN-2005, among others. He is a senior member of IEEE.

 

Copyright 2007 © CEISARE