Fighting the Wily Hacker: Modeling Information Security Issues for Online Financial Institutions Using the SEAS Environment

Mukul GUPTA <>
Shailendra MEHTA <>
Purdue University

Lorenzo VALERI <>
King's College London
United Kingdom


The explosion of the Internet and the rise of new security threats

The Internet is radically transforming the provision of services and goods because of its immediacy, openness, ubiquity and global reach. The financial and banking industry has not been aloof from the Internet, but has fully embraced its new potentialities as demonstrated by a variegated set of new financial services offered to clients at competitive costs. This development represents just the start of an overall evolution that is expected to embrace the whole financial industry as convergence between information and telecommunication services and new regulations and laws like the 1999 U.S. Financial Services Modification Act deliver the expected benefits. However, leveraging the Internet to increase revenues and profits while lowering costs does not come without new threats and risks. The Internet, in fact, is also becoming the venue for a new set of illegal activities.

According to Information Security magazine, since 1998 about 20 percent of the surveyed financial institutions have suffered disruptions of their information and network systems.[1] Similar findings have been confirmed by the 1999 Computer Crime and Security Survey conducted by San Francisco-based Computer Security Institute and the Computer Intrusion Squad of the U.S. Federal Bureau of Investigation. This initiative revealed that more than 50 percent of the surveyed companies had their networks violated through their Internet connections.[2] Nonetheless, the most troublesome aspect of this rise in computer crime is its global reach, especially for an online financial institution that aims to offer its products and services to clients worldwide. In the final report of Project Trawler, the National Criminal Intelligence Service, the central intelligence body of the various English regional police forces, has indicated an exponential growth of computer crime in the United Kingdom.[3]

The perpetrators of these security breaches may be classified in two categories: external agents and insiders. External actors refer to individuals or groups like hackers, terrorist organizations, business competitors and foreign intelligence organizations.[4] These agents perceive Internet ubiquity and anonymity as advantageous features for accomplishing their strategic and political objectives. The term "insiders" indicates authorized users who take advantage of their authorized access to internal networks and the Internet in general to achieve personal objectives. According to Information Security, more than half of the interviewed organizations have experienced abuses from their employees or authorized users. According to the consulting firm Political Psychology Associates, this high number of misuses may be related to personal frustrations, computer dependency, and reduced loyalty to employers as well as perceived lack of financial entailment for supposed superior technical and managerial capabilities. [5]

These harmful activities would not cause any specific concern to online financial institutions if they did not hamper one of the pivotal elements for the success of any online activity: gaining and maintaining customers' trust through the Internet. Users, in fact, develop trust of specific vendors and service providers, like online financial institutions, when they have confidence in their overall reliability and integrity.[6] Therefore, countering these new threats represents a central strategic issue for business development, revenue increase, and, where applicable, shareholder value because of the centrality of customer retention and management in an e-commerce environment. This aspect has been recently confirmed by the 1999 WWW User's Survey carried out by the Graphic Visualization and Usability Center of the Georgia Institute of Technology. It highlighted that more than 50 percent of Internet users are concerned with online security and reliability. The situation does not differ in case of online banking activities since the same survey indicates that more than two-thirds of Internet users would not bank with financial institutions that do not provide a detailed security statement. It is important to stress that these data do not change if referred to by gender, age group, online individual experience and geographical origins. [7]

Information security, therefore, is a pivotal business and technical undertaking for any company involved on online financial activities. Because of the sensitivity of their activities, financial institutions have always focused on the overall security of their activities and operations. Moreover, government institutions have devised new regulations or updated previous ones. In an online financial environment, nevertheless, the notion of information security cannot be restricted to issues of availability, confidentiality and integrity of both networks and data transferred or held on them. It involves also issues related to authentication and non-repudiation in dealing with new and acquired customers in a digital environment. Actually, it is safe to state that in an Internet environment, these five elements (availability, integrity, confidentiality, authentication, and non-repudiation) have a dependency relationship among themselves. Thus, devising a managerial and technical policy to satisfy them and, as a direct consequence, acquire or maintain customers' trust, may prove a complicated and financially cumbersome for any online financial institutions.

Objective of the proposed study

The purpose of this essay is to introduce the methodological undertakings of an ongoing study concerning possible offensive and defensive strategies to counter the multiple risks facing online financial institutions. These experiments will be conducted through the Synthetic Environments for Analysis and Simulation (SEAS) environment devised by the Krannert School of Management at Purdue University in the forthcoming months. This paper introduces the overall structure together with the initial assumptions, objectives, and hypothesis.

SEAS emulates the U.S. Department of Defense's "war gaming" paradigm in business and economic settings. It is the application of computer-generated modeling techniques, heretofore used to create virtual realities to set up virtual economies. Specifically, SEAS allows for the creation of situation-specific economies through mathematical rule-sets derived from theoretical and empirical work. The goal is to permit scale-controlled experiments where human and synthetic players can play together. In the context of online financial businesses and information security, the experiment involves the establishment of a specific synthetic environment involving three major players: financial institutions, offensive agents such as hackers and terrorists, and customers. These agents are expected to interact among themselves and aim to achieve specific objectives and roles. These interactions center on a set of rules of engagement and specific environmental variables regulating interactions among the agents. Therefore, in order to define these rules and variables, it is pivotal to understand the business and commercial environment, as well as risk scenarios, of online financial institutions.

The Internet and financial institutions: a business overview

In 1996, industry analysts from Morgan Stanley Dean Witter indicated financial services as the sector that would be most profoundly influenced by the Internet, since its service distribution does not require any physical exchange of goods. Nevertheless, the financial services industry is no stranger to developments such as dis-intermediation, product developments and strategic alliances.[10] In terms of household penetration, the newsletter Online Banking Report stated that, while it took nearly 15 years to achieve a mere 1 percent penetration rate of U.S. households in 1996, the figure now has rapidly climbed to 4 - 4.5 percent in last 18 months. Banking and bill payment usages is expected to increase by 4 -5 million households yearly, reaching 22 million (+/- 4 million) by 2001. Afterwards, the growth will continue at a slower rate reaching 42 million (+/- 8 million) by 2010. [11] Morgan Stanley Dean Witter predicts that e-commerce will increase credit card industry charge volume from an annual 11 percent growth rate by 2004. Similar developments are predicted also for online stock brokering which is at the moment attracting most of the media and academic interests.

The statistics presented in the previous paragraphs refer mainly to established financial institutions, such as American Express, BankOne, and Citigroup, which have brought many of their operations online to exploit the favorable customer demographics of the regular Internet users. Moreover, some of these institutions are using their online presence to also advertise and sell non-financial services like travel packages, entertainment tickets, news and even Internet access. Nonetheless, the overall growth of the online financial industry is also connected to the appearance of innovative services such as financial vertical portals, aggregators and specialty manufacturers.

Vertical portals are websites that distribute information and multiple financial solutions. Customers access these sites to collect data about services and goods and, if possible, execute transactions. The success of these commercial ventures is mostly connected to their capacity to develop an open architecture while providing a large array of services and establishing strong alliances and partnerships. Differently from vertical portals, aggregators are destination websites where it is possible to compare products like mortgages or insurance and even buy specific financial products. Specialty manufacturers are companies with best-of-breed suppliers to the main Internet distribution points such as aggregators or vertical portals.

Whatever their business strategy and target may be, online financial institutions are expected to face a growing set of risks due to their reliance on the Internet and its associated software and hardware solutions. The assessment of these risks and related potential origins of the threat is crucial for the definition of the rules of these experiments concerning information security and assurance.

Online financial institutions and potential risks: a classification

The goal of this section is to provide a general overview of the potential risks faced by online financial institutions. This classification and definition is loosely extrapolated from the overall approach recently introduced by the Office of Comptroller of Currency, Administrator of National Banks of the U.S. Department of Treasury (OCC).[12]According to the OCC, risk is defined as "the potential that events, expected or unexpected, may have an adverse impact on the bank's earnings or capital." Overall, earnings and capital are considered to be directly related to the constant availability of advanced services and goods, and the simultaneous maintenance of a stable customer base while conquering new consumers. As mentioned before, the Internet provides new solutions to achieve these objectives, but it creates a new set of vulnerabilities that may undermine the accomplishment of these goals.

These risks can be classified in two categories:

The first category refers to those risks that any kind of organization involved in Internet activities is expected to face. The second set indicates risks that are specifically related to the users' transactions with their online financial institutions. There is a direct correlation between these two categories, since the negative exploitation of each one of these risks by an external actor like an hacker or a disgruntled employee is expected to undermine the trust of legitimate users of that specific online financial institution and, indirectly, the overall industry.

Overall risks

This category refers to two equally important risks faced by online financial institutions:

Strategic risk is the potential impact of adverse business decisions, improper implementation of decisions, or lack of responsiveness to technological, commercial and legal changes involving the financial world. Reputation risks describe potential negative consequences originating from the disapproving customers or overall public opinion. It is possible to see a direct relationship between the two risks, since a reputation loss may hamper a business plan that focuses on a high rate of customers' retention and trust. If network external intrusions and internal misuses continue, users may lose their trust in that particular online financial activity and move to the competition.

Industry-related transaction risks

Foreign exchange risks

Credit risks indicate the possibility of an obligator, either an individual or commercial client, to fail to meet contractual terms undertaken with a given financial institution such as the repayment of a mortgage approved online. Therefore, in order to avoid this eventuality, it is necessary to develop specific procedures to authenticate users and collect the necessary information directly through the Internet. Liquidity risk indicates the opposite situation -- it refers to the inability of a financial institution to meet its advertised or already undertaken obligations towards customers. An example is an online financial institution that advertises 24x7x365 service operations that are undermined by malicious activities of hackers, business competitors, or disgruntled employee. Changes in interest rates are also a possible source of risk (interest rate risks) since online financial institutions may fail to adjust to these changes accordingly and, therefore, suffer either additional costs or immediate dissatisfaction among present and potential customers. Price risks refer to potential losses of earnings and capital originating from value changes involving traded portfolios of financial instruments like equities, foreign exchange or commodities. Finally, foreign exchange risks indicate the hazards of loans or other financial products that are directly managed online but are denominated in a foreign currency or funded through borrowings in another currency. In last case, the main threats may originate from failure to adapt to rate fluctuations and regulatory changes involving transactions with citizens from countries facing economic sanctions such as Iraq or the Republic of Serbia at this moment. The anonymity of the Internet may enhance the possibility of the violations of the strict regulations issues by the U.S. Office of Foreign Asset Control or similar bodies in other countries. Therefore, there is a compelling need to develop specific authentication and non-repudiation procedures to avoid similar scenarios and, indirectly, hamper customers' trust of specific online financial institutions and the industry in general.

Technical and managerial information security policies: pivotal requirements for online financial institutions

The previous paragraphs have provided a classification of potential risks faced by online financial institutions and the related need for an effective and efficient information security policy to maintain customers' trust. However, developing and maintain such a policy may prove extremely complex, since it involves both technical concerns and managerial procedures that need to keep up with the evolution of Internet technologies and solutions. As mentioned at the beginning of this paper, the proposed experimental study based on the SEAS environment aims to aid in this "quest."

Technical information security may be defined as the combination of technical solutions that allow integrity, availability and confidentiality of data, information exchanges, and Internet-based transactions. Although it is not an exhaustive list, in the context of this experiment these technical solutions has been taken into consideration: anti-virus software, firewalls, intrusion detection systems, user identification and authentication, and public key infrastructure.

User identification and authentication represents the first line of defense against possible intrusions or internal violations. Technology in this domain has made significant improvements in recent years, moving away from the username-and-password-only approach to encompass new solutions such as smart cards, tokens and biometrics. User identification systems, nevertheless, may be easily overcome by any skilled intruders or authorized disgruntled employee. Consequently, there is the need for solutions that control and monitor overall access to the organizations' networks according to a pre-defined security policy. In this context, firewalls and intrusion detection systems are two options. Firewalls are expected to delimit access to organizations' networks to authorized users only while shunning off potential offenders. Moreover, they also delimit access to internal and external users to access specific portions of internal databases. Differently from firewalls, intrusion detection systems are information security tools that monitor network traffic to spot anomalies and misuses. There are two categories of intrusion detection systems: anomaly detection and misuse detection. The former monitors network traffic and flags possible anomalies in relation to the regular utilization behavior of a user or group of users - for example, repeated access outside normal business hours of an organization's network that is usually accessed only during the day. Misuse intrusion detection systems, however, monitor network traffic and seek specific signs, such as hackers' signatures, which may indicate malicious activity by an external intruder or a disgruntled authorized user.

As previously stated in the paper, information security policy is also expected to develop authentication and non-repudiation capabilities. Both issues can be tackled through the implementation of public key infrastructures (PKIs), which establish and manage the identities and trust relationships of parties during an electronic interchange. PKIs, in fact, allow for the creation of unique digital "handshakes" called digital certificates. Encryption solutions, finally, allow for data and privacy protection since they can transform plain content information into incomprehensible text. The recovery of the original text is accomplished by using an unscrambling key.

Although the market presents multiple technical solutions for information security, the protection of an organization's networks or data relies involves appropriate management procedures.

One of the main managerial issues concerning information security management is the balance between openness and closeness. In particular, managers have to evaluate how much information should be provided to users and the level of power the same user has to modify or change the information. This last issue relates to problems of choosing between a highly secure system and an insecure one, but backed by disaster management and contingency planning procedures. Whatever option is chosen, management has to recognize that this choice is not static, but needs to be dynamic to counter the constant rise of new threats coming through the Internet.

Researchers at Purdue University have suggested that when a new security policy is put into action, this is not the final stage.  Management should assess it, scrutinize it and make sure that every new control has been put into place to ensure that the organization can react appropriately to any possible unexpected incidents or illegal intrusions.  And this assessment should be constantly repeated and the security policy updated in order to maintain protection.

Achieving information security is extremely complicated and requires the combination of technical resources and management procedures. The objective is to find that specific balance which will provide the required protection to counter the various risks facing any online financial institutions and, in general, any Internet-based business venture. The propose experiment, which is described in the following sections, hopes to provide some answers and guidance in this "information security maze."

Structure of the proposed experiment

The financial section of this paper introduces the artificial online financial institutions in the SEAS environment devised at Krannert School of Management at Purdue University. The strategy is to model the major players in the operation of online financial institutions into the synthetic environment, identify the relationships and transactions between these players, and build these interactions into the model. The experiments initially would be conducted using students from the business schools as subjects. The data and information collected would be utilized to analyze the impacts of the model parameters on the performance of the online financial institutions. Before tackling an in-depth description of the game, it is necessary to introduce the assumption and specific objective of this game.

Assumptions, objectives, and hypothesis

While devising this experimental game, the following assumptions have been taken into consideration during the preparation and, eventually, in understanding the collected data:

By taking into consideration these assumptions, this SEAS-empowered experimental game wants to achieve these four distinctive objectives while testing these hypotheses:

The synthetic environment for the game consists of three major agents:

Each agent has a set of objectives and roles and the decisions are made based on these roles and objectives. They also interact with each other constantly based on certain rules of engagement. Apart from these agents, there are certain environmental variables that govern the interactions between agents.

The financial institutions

Human agents represent online financial institutions. Undergraduate and graduate business school students would form the pool of subjects. Subjects would receive cash incentives to perform well during the game. These agents are called upon to make business decisions to maximize the performance of the online financial institution they are representing. The structure of the online financial markets discussed in the previous sections serves as the guiding line for the participants. The hierarchy and the relationships of the roles of these agents are depicted in the figure.

Strategy layer

Human agents would be asked to devise a set of policies in order to design a security policy that supports their business strategy. In addition to the security policy, the agents are asked to design marketing and legal policies. Marketing policy would govern the level of customer satisfaction the business is looking for and how they are going to achieve it. Therefore, it will have a direct impact on the investment in IT infrastructure. The legal policies would emerge from the security policy governing the use of their IT infrastructure.

Resource layer

Resource layer performs the role of constraints for the financial institutions in the simulated economy. The agents have an initial endowment before the start of the game. In the later periods of the game, the endowments of the agents depend upon their performance in the previous periods. This accounts for the financial constraints on the agents. Apart from the financial constraints, the agents also have human resource constraints. They are allotted a certain amount of human resources that controls the level of operation of these institutions. The human resource level for an agent changes over periods, depending upon the performance of the agents over the periods. The human resources would be classified as:

Once the agents have defined their customers, they determine their operational level. This determines the specific functionalities that the agents decide to provide through their online business. Some of the functionalities of the online business have been discussed in the previous sections.

The services that could be provided by the agents are directly determined by the characteristics of the customers they are serving. We have defined few services for both individual consumers and the business customers that would be included in the game. The product profile for the individual consumers could include:

If the agent chooses to include individual consumers as the customers it can choose one, few or all of these product profiles. The product profiles for the corporate consumers include:

While determining the level of investment in the IT infrastructure, agents also have to establish the investment in information security.

The offense agents represent the sources of various external or internal threats that an organization's information system might face. In the previous sections, we have described the various sources of threats to online financial institutions. We presented a general overview of these sources of threats and justified their levels of risks in light of political, economic, and strategic objectives. These agents were namely:

These offense agents are modeled as artificial agents in the game.

Structure of the offense agents

The types of the technologies used by the offense agents have been classified in one to one correspondence with the IT infrastructure levels for the online financial institutions. Thus, these technologies could prove to be potential threats to one or more of the IT infrastructure layers, i.e., the network layer, the operating system layer, the database layer, the application layer, and the business process layer. The availability of technology characteristics corresponds to how a particular technology is available to the offense agents. The technology could be available for free, or it could be a modified technology, or it could be ad hoc technology created by that particular agent. Two other technology characteristics correspond to the complexity level of the technology, i.e., how sophisticated the technology is, and the cost of technology that depends on the other technology characteristics.

The customers

The customers have been divided into two classes for the purpose of the game. They correspond to the individual consumers and the business customers. The classification has been made base on the types of services they demand from the online financial institutions. Similar to the offensive agents, consumers are being modeled as artificial agents.

The environmental variables

The environmental variables are the external variables that are present in the game and control certain parameter of the game. These variables cannot be controlled by any of the players in the game. The administrators of the game control these environmental variables. These variables are supposed to be taken as given and all the agents have to adjust themselves according to these properties. The environmental effectors include new government and legal requirements that may affect the strategy of the online financial institutions. Another environmental factor is the progress of the technology itself. The offense tool, IT infrastructure, and the security tools all depend upon the current state of the technology and how fast the technology is changing. Different values are given to these environmental parameters for separate sets of experiments.


The goal of this paper was to introduce an experiment being conducted at the Krannert School of Management of Purdue University concerning the technical and managerial complexities associated with information security of online financial institutions. After a brief description of the overall online financial industry and risks faced while conducting transactional activities on the Internet, the paper has presented a description of the game with its assumptions, objectives, and hypotheses. This research effort is still at its infancy in terms of development and testing. Nevertheless, the research team aims to present initial results during this conference and to incorporate comments and suggestions in its future developments.


[1] 1999 Information Security Industry Survey, Information Security magazine, July 1999, available at

[2] Computer Security Institute, 1999 Computer Crime and Security Survey, available at

[3] Information taken from National Criminal Intelligence Service (NCIS), Project Trawler: Crime on the Information Highways, May 1999, available at

[4] Most of the sources concerning the activities of these actors originate as part of the growing literature on information warfare, information operations and revolution of military affairs. For an initial classification of the activities of these offensive actors, refer to Section 2-11 of the Report of the Defense Science Board-Task Force on Information Warfare-Defense (IW-D), prepared for the Office of Undersecretary of Defense for Acquisition and Technology, November 1996. A full text of the report is available in the Survey Section of the

[5] Eric Shaw, Kevin Rubin and Jerrold Post, "The Insider Threat to Information Systems," Security Awareness Bulletin, n. 2 (June 1998), pp. 27-46; and Steven Harrington, "Computer Crime and Abuse by IS Employee," Journal of System Management, vol. 5, n. 2, (Autumn 1995) pp. 6-10

[6] For more information about the concept of trust in an online commercial environment, see Robert Morgan and Shelby Hunt, "The Commitment-Trust Theory of Relationship Marketing," Journal of Marketing, vol. 58, n. 3 (July-September 1994); and Donna Hoffman, Thomas Novak, and Marcos Peralta, "Building Consumer Trust Online," Communications of the ACM, vol. 42, n. 2 (April 1999) pp. 81-84

[7] "How Concerned About Security" and "Would You Bank Without a Security Statement," GVU's User Surveys, October 1999, available at

[8] Morgan Stanley, The Internet Banking Report, September 1999, available at

[9] Ernst and Young LLP, E-commerce and Connecting the Customer-1998 Special Report Technology in Banking and Financial Services, available at

[10] Morgan Stanley Dean Whitter, The Internet Banking Report, September 1999, available at

[11] "Strategic Online Banking Momentum Builds," Online Banking Report, January 1998, available at

[12] Comptroller of the Currency, Administrator of National Banks Internet Banking-Comptroller's Handbook (Washington DC: Office of the Comptroller of the Currency, October 1999), p. 4. The Office of the Comptroller of the Currency regulates and supervises U.S. national banks to ensure a safe, sound and competitive banking system. For more information see

[13] Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University, and Arthur Andersen Consulting, Policy Framework for Interpreting Risk in Ecommerce Security (PFIRES), available at in the section Programs