A New Security Paradigm. ISI Expert Roundtable

On March 27, 2023, the Information Security Institute, under the patronage of the “European Academy of Sciences of Ukraine” (EUASU), held an online round table on “A new security paradigm for financial institutions.”

The following experts participated in this meeting:
Professor Harvey Wolf Kushner is Chairman of the Department of Criminal Justice and Professor of Criminal Justice at LIU Post (New York). He is an academician of EUASU, an expert on terrorism, and author of the bestseller Encyclopedia of Terrorism.

Dr. Oleg V. Maltsev is the scientific director of the “Information Security Institute”, member of the Presidium and academician of EUASU, criminologist, psychologist, security specialist. He is the author of numerous books in such fields as applied history, sociology, depth psychology, philosophy and criminology.

Massimo Ortolani is an economist and economic consultant. He has worked in the ENI group, the Mediocredito Centrale and the Unicredit group, carrying out assignments mainly concerning international activities, the evaluation of geopolitical risks and the evaluation of investment projects. He has worked as a consultant in Latin America for UNIDO and in Kazakhstan for European Union programs. He is the author of Economic Intelligence and Geo-Economic Conflict as well as other works.

Olivier Paneke is a member of the expert network of the Belgian organization Human Rights without Frontiers and a PhD candidate at Middlesex University (London). He has been a consultant to OSCE missions in Central and Eastern Europe, the Balkans and the Caucasus, an observer of election processes and trials, and an expert on the rule of law. From 2014 to 2020, he held a mandate as an independent UN expert on foreign debt and human rights. He is an economic and legal commentator for The Guardian, Der Standard, and Telepolis. His main areas of research as a scholar are independent finance, human rights, the rule of law and judicial independence.

Andrew Hoskins is an EUASU academic and interdisciplinary professor of global security at the College of Social Sciences, University of Glasgow, UK. His most recent book (with Matthew Ford) is Radical War: Data, Attention and Control in the Twenty-First Century (Hurst/OUP). Founding co-editor of the Cambridge Journal of Memory, Mind and Media (2021), founding editor-in-chief of the Sage Journal of Memory Studies (2008), and co-founding editor-head of Digital War (2020).

Professor Vitaly Lunev is an associate professor at the National Bohomolets Medical University. Member of the Presidium of EUASU, member of the “American Psychological Association”, “American Academy of Clinical Psychology”, and “World Federation of Mental Health (USA)”.

Konstantin Slobodyanyuk - member of the Presidium of EUASU. Associate Member of the Academy of Sciences of Ukraine. Head of the Strategic Council of the Information Security Institute. Head of the NGO “Cavalier”. Editor-in-chief of the “Unsolved Crimes” newspaper. He is engaged in research in the field of online reputation management and enterprise security.

Olga Panchenko is a corresponding member of EUASU, attorney, and director of the Redut law firm. Corresponding member of the Ukrainian Academy of Sciences. Journalist of the newspaper “Unsolved Crimes”. Member of the Presidium of the Odessa Scientific-Humanitarian Society and the Historical and Literary Scientific Society.

Pavel Pedina - EUASU expert, expert in finance, banking, insurance and asset valuation. Financial consultant. Slav Invest investment consultant, MANORM holding financial director, head of Paradox Credit Protection Society. 

ISI Expert Roundtable

It is safe to say that the round table was a historic event, a response to current challenges and to information threats. For many years, Western security specialists accepted the primacy of technology over the human factor as an axiom. However, during the last two years the situation has changed dramatically: actual security practice indicates that without resolving the human factor issue, technological solutions alone cannot secure financial structures. This public consensus is the result of a series of reports initiated not only by government agencies but also by leading cybersecurity organizations, financial institutions, CISOs, and analytical and expert companies. Their main conclusion comes down to the need to solve the key problem in the field of security, namely the human factor.

Speaking of the round table as a historic event, we should first of all emphasize its conclusions, which boiled down to the need to develop a special program aimed at minimizing the human factor. Up to that moment, all public reports by Western experts had been reduced to the necessity of solving this problem, but no approaches or tools that could bring experts and business closer to a solution of the human factor problem had been offered.

At the round table, the experts not only agreed on the need to resolve the human factor problem, but also described in detail the requirements for a program that must be developed in the coming months and then implemented in business structures and organizations that are seriously affected by the human factor.

Thus, the round table produced not only a model of the future program, proposed by the security expert Oleg V. Maltsev, but also a list of practical requirements for the approach and for the selection of practical tools, which must be applied in order to eliminate systemic errors at the program development stage.

In particular, Professor Harvey Kushner drew his colleagues’ attention to the rejection of mass-market tools. Olivier Paneke focused on human rights, which must also be taken into account at the design stage; he stressed that such a program is critical not only for financial institutions such as banks and insurance companies, and should be extended to medical institutions, the energy sector and a number of other industries highly sensitive to the human factor. Professor Lunev emphasized the possible obstacles at the implementation stage, which are rooted in the differences between the psychological paradigms of the U.S., Western Europe and Great Britain. Andrew Hoskins emphasized the particular threat posed by data brokers, which must be taken into account in the development of the program. Statistical information on human-factor precedents was presented by Pavel Pedina. Expert Olga Panchenko, in turn, stressed the need to balance the interests of employees and employers, without which we risk facing two extremes: excessive attention to the rights of employees may result in financial collapse, while maximum protection of employers’ rights may result in lawsuits and human rights conflicts.

Below are some theses of the participants of the round table:

Oleg Maltsev: Why don’t you give your new Mercedes that broke down to be fixed by the first guy you see on the street? Why do you trust your child’s surgery to a surgeon? But as soon as it comes to business and the security industry, everything is just the opposite. The first thing to understand is that the security industry is not a business, it’s a craft, an art. It is an art like making jewelry, like cutting a diamond. There are no similar tasks here. Here everything starts with the fact that the client is not right about anything. Nobody smiles at the client here, because if the client is sitting across from a security specialist, it means he’s already made a number of mistakes.

Harvey Kushner: I worked with major American banks in the 1960s and 1970s. When bank embezzlement was detected, I was asked to create a program that would prevent future hiring of those who had committed embezzlement of funds. But now the security field is VERY different. I know that many collapses in companies are due to human error and lack of training. So special tools are needed that are not available to everyone, it’s not a mass market. And I would like to participate in creating a system where selection plays a major role. Such a system is needed now for the financial sector, for banks, for the insurance industry, etc.

Vitaly Lunev: If we are talking about security, I think the most appropriate model to describe it is immunity. Psychodiagnostics “breaks” immunity. We need to detect those threats that, under favorable conditions, will lead to illness, that is, a violation of the norm of the psyche, which will lead a person to crime. The American approach to psychodiagnosis speaks of the variability of the norm. The British approach looks at normality within the framework of neuropsychology. The Western European approach is based on cultural studies.

Thus, we are dealing with a difference of approaches, a difference of indicators and a difference of results.  Moreover, people have learned to cheat on tests based on psychometry. In Ukraine, applicants for high state positions underwent certain training in order to correctly answer the right questions of the tests.

None of the classical psychometrics take into account the range of depth of changes in the psyche and do not give objectivity. The projective approach, on the other hand, excludes cultural, mental differences and the possibility of deception because it works with the depths of the unconscious. It also has priority in criminal proceedings. This method should be used depending on the level of access and responsibility of the person — the higher the level of responsibility, the greater the depth of testing.

Olga Panchenko: In order to minimize the human factor, guidelines are needed, not recommendations. And here the question may arise as to whether this would violate human rights, whether it would be discrimination. When it comes to individual responsibility, an individual’s activity does not lead to repercussions for the collective. But when we are talking about a group tendency, everything changes, i.e., advisory instructions are no longer enough, guidelines are needed.

Enshrining the same principle we see in the legislative norms of all democratic countries. This principle sounds like this: any person can exercise his rights as long as his actions do not violate or restrict the rights and freedoms of others. That is, a person has rights and they are indisputable, but at the same time, there is an edge to their realization — the rights and freedoms of other persons (both individuals and legal entities). 

The paradigm that we propose certainly contains exactly the guiding instructions, while it is prototypical, on the one hand, on the other hand, it will certainly contain a balance of the rights of employees and employers, which excludes any discrimination.

The roundtable experts’ conclusions are quite logical, because the issue of human error in cybersecurity, in security for the financial industry in particular, and in security in general has been raised for at least the last 10 years.

John Bright, a former senior risk management manager at Merrill Lynch (a Wall Street firm), noted in 2013, after the financial crash, that mathematical models do not work because they do not account for human frailty, that numbers often hide risk rather than show it, and that we need to identify the human element in banking risk.

A 2017 McKinsey article, “Protecting Critical Digital Assets: Not All Systems and Data Are the Same,” stated that cybercriminals are increasingly targeting employees and other insiders, using social engineering techniques to trick them into disclosing sensitive information or providing access to systems, and that employee behavior and insider threats are among the most significant cybersecurity risks to an organization. Cybersecurity risks cannot be completely eliminated by technology alone, and human expertise is critical to identifying and managing them.

McKinsey’s article “A Risk-Based Approach to Cybersecurity” notes that cybersecurity threats often arise from employee behavior, such as clicking on phishing emails or using weak passwords. It also discusses the importance of a cybersecurity culture and notes that successful cybersecurity programs depend on people, not just technology.

“PwC Global Economic Crime Survey 2021: Turning Risk into Resilience” identifies the human element as a major threat: nearly half of all economic crimes are committed by internal actors, so employee awareness and education are critical components of an effective economic crime prevention program. 50% of all economic crimes are solved as a result of information from employees, highlighting the importance of effective channels for employees to report suspicious behavior.

Steve King (director of cybersecurity consulting services at Information Security Media Group, organizer of 9 startups including Endymion Systems and seeCommerce, has held senior marketing and product development roles, served as CEO, CTO and CIO at several startups including Netswitch Technology Management, CIO at Memorex, former co-founder of Cambridge Systems Group) notes in a 2022 cyber risk report that human error and hygiene continue 

External attackers are not the only threat that today’s organizations must consider when planning for cybersecurity. Malicious, negligent and compromised users pose a serious and growing risk. According to the 2022 Cost of Insider Threats: Global Report, the number of insider threat incidents has increased 44% in the past two years, and the cost per incident has increased by more than a third to $15.38 million.

Proofpoint’s Cybersecurity: Board Perspectives 2022 report found that more than two-thirds of board members believe human error is the biggest cyber vulnerability. They have good reason to believe so, as 82 percent of reported cyber attacks involve human error.

When asked by the Cyber Security Hub in mid-2022 which threat vectors pose the greatest risk to their organizations, 75% of cybersecurity professionals said it was social engineering and phishing. After the survey was completed, many organizations were exposed to such attacks, including Revolut, Twilio, Uber, LastPass, Dropbox and Marriott International, highlighting the importance of cybersecurity professionals remaining aware of the threat of phishing.

The human element is expected to remain a significant factor in cybersecurity threats in 2023. According to a World Economic Forum study, in 2022, 95 percent of cybersecurity problems could be attributed to the human factor.
