Developing an Abstraction Framework for Managing and Controlling Saudi Banks’ Cybersecurity Threats Based on the NIST Cybersecurity Framework and ISO/IEC 27001

DOI: 10.4236/jsea.2023.1612036, PP. 695-713

Keywords: Cybersecurity Threats, NIST Cybersecurity Framework, ISO/IEC 27001, Saudi Banks, Design Science Research

Abstract:

Saudi Arabian banks are deeply concerned about how to effectively monitor and control security threats. In recent years, the country has taken several steps towards restructuring its organizational security and, consequently, protecting financial institutions and their clients. However, there are still several challenges left to be addressed. Accordingly, this article aims to address this problem by proposing an abstract framework based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and International Organization for Standardization/International Electrotechnical Commission (ISO/IEC 27001). The framework proposed in this paper considers the following factors involved in the security policy of Saudi banks: safety, Saudi information bank, operations and security of Saudi banks, Saudi banks’ supplier relationships, risk assessment, risk mitigation, monitoring and detection, incident response, Saudi banks’ business continuity, compliance, education, and awareness about all factors contributing to the framework implementation. This way, the proposed framework provides a comprehensive, unified approach to managing bank security threats. Not only does the proposed framework provide effective guidance on how to identify, assess, and mitigate security threats, but it also instructs how to develop policy and procedure documents relating to security issues.

