RESEARCH

We emphasize and encourage links between academic researchers and practitioners at financial institutions to bring theoretical techniques to bear on realworld issues.

Cyber Security and Fraud

Cyber Resilience

According to PricewaterhouseCoopers (2016), 61% of Canadian CEOs believe that cyber security is the biggest potential business threat to their organization's growth prospects. A recent study by Scalar (2017) shows the negative impact of cyber attacks on productivity: in 2016, 53% of Canadian companies reported an incident that resulted in the loss of sensitive information, with an average of 44 events per year and a marked increase in the sophistication and severity of attacks. On average, organizations spent approximately $7.2 million to re-mediate cyber security compromises, which includes clean up or remediation costs, lost user productivity, disruption to normal operations, damage or theft of IT assets and infrastructure, and damage to reputation and marketplace image.

Although many security vendors and consultants claim that their technologies and methodologies offer high levels of protection against cyber-risks, they tend to underestimate their manufactured nature, meaning that attackers constantly innovate to identify new exploitable vulnerabilities and that the asymmetry of the cyber security adversarial landscape plays in their favour. Consider the case of Kaspersky, a prominent cyber security company, whose systems appear to have been compromised by Russian intelligence operatives and used to steal confidential NSA documents that were illegally stored on the home computer of one of the agency's contractors running Kaspersky's antivirus application. The case came to light when Israeli intelligence operatives hacked into Kaspersky's systems and watched their Russian counterparts launch their attack in real time (Perlroth and Shane 2017). The leaks of other secret tools belonging to the CIA and the NSA by Wikileaks and a group called the Shadowbrokers illustrate how even the most security conscious and best resourced organizations will at one point or another be compromised by determined and persistent adversaries.

The empirical approach proposed in this research project will therefore rest on the study of how the concept cyber-resilience is understood and applied by risk managers in financial institutions in four major industry hubs, and what lessons can be learned from the experience of those who have been faced with shocks, no matter the final outcome.

The main objective of this research is therefore to contribute to our understanding of cyber ­resilience in the financial sector by studying the processes, decisions and inter-dependencies that foster a state of resilience. Through case studies that approach cyber-resilience as a dynamic and fluid process instead of as a final state of equilibrium, the aim is to identify key principles, norms, cultural features, technologies and practices that have demonstrated their effectiveness in making financial institutions better prepared to manage and adapt to their growing and complexifying cyber risk portfolio.


UNIVERSITY

University of Montreal

PROJECT LEAD:

Benoît Dupont

 

PUBLICATIONS

 


LEAD RESEARCHER

Benoît Dupont

Benoît Dupont is a professor of criminology at the Université de Montréal, where he also holds the Canada Research Chair in Cybersecurity. He is also the scientific director of the Smart Cybersecurity Network (SERENE-RISC), one of Canada’s Networks of Centres of Excellence.

Benoît’s research focuses on the reciprocal adaptations of technology and delinquency, through the study of several particular forms of crime such as identity theft, bank fraud, computer hacking or telecommunications fraud. In particular, he examines the technological, criminal and control ecosystems that promote the emergence of certain types of illicit practices, as well as the processes by which offenders detect and benefit from new opportunities. The issues of criminal skill development, trust, division of labor and coordination patterns are at the heart of his concerns. In addition, he is also interested in cybersecurity policies and the various regulatory instruments.