Professional Documents
Culture Documents
Issaf Jurnal Luar Negeri 5
Issaf Jurnal Luar Negeri 5
Issaf Jurnal Luar Negeri 5
net/publication/348065190
Article in International Journal of Scientific Research in Computer Science Engineering and Information Technology · December 2020
CITATIONS READS
4 239
3 authors, including:
Some of the authors of this publication are also working on these related projects:
A novel re-keying function protocol for wireless sensor network security View project
All content following this page was uploaded by N. Alsharabi on 20 January 2021.
Article in International Journal of Scientific Research in Computer Science Engineering and Information Technology · December 2020
CITATIONS READS
0 8
3 authors, including:
Adel Nasser
Sa'adah University
19 PUBLICATIONS 13 CITATIONS
SEE PROFILE
All content following this page was uploaded by Adel Nasser on 31 December 2020.
different security areas are grouped [9,10]. These permanence of YBS's business. Furthermore, it is expected
categories are Processes and Procedures (IS operations), to provide recommendations, which would help political
management and governance aspects of IS, Technology leaders, strategic decision-makers to translate it into proper
innovations for IS purposes, and capacity risk work policies and strategic plans. In the remaining four
management. Evaluation, analyzing, and giving the sections of this paper, we complete the proffer of its
appropriate recommendations and improved controls for a content as follows. The second part is dedicated to present
whole banking system in Yemen for all four categories is a the literary aspect and previous studies related to the topic
long and challenging process. For this reason, this paper of the study. A Methodology of research and steps for its
addresses to evaluate, rank, and analyze the extent of implementation are presented in sec. Three. After that, the
processes and procedure domain practices (standardization applied results were summarized and discussed in the
practices related to information security operations- (SPO)) fourth sec., the Fifth section was devoted to the
in the YBS. recapitulation of the most prominent conclusions reached.
So, the main problem of the study can be crystallized in the II. RELATED WORK
following questions:
Q1- What is the actual ML of the SPO in the YBS? A. Information security assessment in banking sector
Q2- What is the gap between the actual ML of the SPO in Many local and regional literatures have addressed the
the YBS and the maximum recommended ML? issue of assessing information security practices in
Q3- What are the principal strength and weaknesses points banking environments. Among the most prominent local
of standardization practices in this sector? studies in this regard is a study [11], which aimed to know
Q4- How to rate the institutions in this sector according to the impact of information security risks on the accounting
their information security maturity level? systems in the Central Bank of Yemen, according to the
Q5- What are the most appropriate solutions and results of this study, the risks of information safety
recommendations to improve the security situation in the security affect the integrity, confidentiality and readiness
YBS sector? of these systems, in addition, the study concluded that
there is no department concerned with risk management in
Therefore, this paper aimed to ascertain the extent and the bank. Regionally, a study [12] aimed at evaluating the
actual maturity level (ML) of standardization practices performance of security mechanisms in banking
related to information security operations (SPO) in the institutions, identifying strengths for their development
Yemen banking sector (YBS). It also attempts to determine and identifying weaknesses to address them. Among the
the gap between the real ML of the SPO in the YBS, and most prominent findings of this study is that banking
the maximum recommended ML. It also aims to discover institutions do not provide an integrated system dedicated
the vulnerable SPO aspects in the YBS and provide the to managing information security issues from all sides.
main necessary recommendations and improvement Therefore, they suffer from many weaknesses, most
actions to diminish the gap and facilitate the SPO practices notably the lack of protection policies, as well as the lack
according to the ISO 27002-2013 standard. of experience among workers with protection mechanisms
and technologies. This study presented many
The prominence of this work sticks from the reputation of recommendations, the most important of which is the
the subject it addresses, i.e., processes and procedures of IS necessity to strive to match the work procedures in these
based on ISO/IEC: 27001/2013 international standard. The banks with the ISO standards and to keep them up to date,
study is essential as it focuses on the topic of IS in the two to provide the qualified and trained human element to deal
primary SPO fields of indicators that this international with this technology, to provide information security
reference provides, i.e., access management 'AM' and specialists to establish security policies and review their
compliance 'COM'. What, too, creates its criticality is the implementation. The study [13] aimed to present and
pivotal role of IT and IS infrastructure, data, and assets in analyse the reality of security measures indicators to
providing the banking business and services and the prevent penetration of the information systems of the
unnamed consequences if it were exposed to IS risks and Rafidain Bank. That study concluded that there are many
breaches. It becomes further essential when the study is weaknesses, and recommended the necessity of working
made under the banking environment, which is to reduce security breaches by training the bank’s
externalized as one of the uttermost significant pillars of employees on the use of effective and efficient protection
the Yemeni financial, business, and economic sector. programs. It also recommended the activating and
Moreover, this research shall support and serve both the applying new indicators to improve the security of
decision-makers, the administrative and functional staff of information systems in that bank. The study [14] aimed at
the IS and IT departments in the YBS, and shall contribute examining the current status of information security
to the progression there IS culture and knowledge on how management in Palestinian banks, measuring the degree of
to control all the SPO aspects so as not to be holdback that application of information security management controls
restricts the YBS’s information protection ability and in Palestinian banks, has reached several findings, most
efficiency. Also, this work is vital as it improves the grasp notably that banks that adopt international information
of handling self-assessment of SPO practices, assuring security management standards apply information security
appropriate management of SPO, which guarantees the management controls to a higher degree than others. It
recommended that international information security ensure the extent to which the relevant operational controls
management standards be followed, that an information and procedures comply with the requirements as mentioned
security regulation and planning approach be formally above. According to [10], the main AM criteria are (1)
adopted, that technology development is followed up and Access control policy;(2) Review of user access rights; (3)
pursued to reduce the vulnerability of banks' technologies. Password use; (4) Removal of access rights; (5)
The study [15] reviewed the maturity levels of the Authorization process for information processing facilities;
standard in the financial services sector in Turkey, and (6) Disciplinary process; (7) Security requirements analysis
concluded that there was still some lack of controls such and specification; (8) Event reporting; (9) Controls against
as the Information Security Department, and malicious code; (10) Teleworking, Audit logging; (11)
recommended that all firms in the financial services sector Security requirements analysis and specification, and
follow the relevant Security directives. project management. The primary compliance criteria are
(1) Identification of applicable legislation; (2) Technical
By analysing these studies, it was clear that, organizations compliance checking; (3) compliance with security policies
do not provide an integrated system dedicated to and standards; (4) Control of technical vulnerabilities; (5)
managing information security issues in all aspects, there Risk response.
is a variation in information security breaches between
banks according to their technical capabilities and human C. The SPO evaluation controls
resources experiences, security threats are evolving with There are popular international IS standards obtainable. It
the development of time and technology, collaboration at over systematic management approach to implement the
all levels of the organization may bring a safe and secure preeminent practice IS controls, measure the acceptable risk
environment for information security, the more level and implement the suitable measures which guard the
information security maturity in the organization the lower privacy, reliability, and accessibility of data, The COBIT,
the final cost of security and vice versa. ITIL, ISO 27001/2005, and the ISO 27001/2013 are some
of them. For each SPO criteria (sec. 2.B), tables 1, 2
Through an analysis of local studies, the absence of illustrate a mapped set of controls and requirements
studies on the application of information security practices (COBIT, ITIL, ISO) to establish, implement, operate,
in banks in the Yemeni environment is evident. Although monitor, review, maintain and improve an SPO
the foreign or regional studies that dealt with these information security domain as a part of the overall IS
practices in foreign banks, they remain studies of a management system.
different environment from the practical reality in Yemen,
especially. So, we seek through this study to reduce this Table 1. The Main AM Security Controls
research gap. C Cobit 4.1 ITIL v3 ISO ISO
2005 2013
1 PO2.2,PO6 2 SD 4.6.4, SD 4.6.5.1 11.1.1 9.1.1
B. The SPO evaluation criteria 2 DS5.4 SO 4.5 11.2.4 9.2.5
Processes and procedures evaluation category is used to 3 PO6.2,DSS4 11.3.1 9.3.1
identify the extent of standardization of the Organization's 4 PO7.8,DSS4 SD 4.5 8.33 9.2.6
operations. International policies and standards provide 5 PO4.3, SS 6.1, SO 3.2.4, SO 6.1.4
PO4.3, 4.4.5.11, SO 5.4
specific guidelines that must be followed to ensure PO 4.9, AI1.4
information security. In keeping with the information 6 PO4.8, O7.8, SD 6.4 8.2.3 7.2.3
security requirements imposed by international standards, DS5.6
two security sub-fields must be included as a measurement 7 AI1.1 SD3-3, 3-4, 3-5, 3-6 10.1.1 12.1.1
indicator for evaluating the organizations' performance on 8 PO9.3 SS 9.5, SD 4.1.5., 13.1 16.1.2
ST 9, SD 4.5
this factor. The access management sub-domain is the first, 9 DS5.9 10.4.1 12.2.1
while the other sub-domain is the compliance. In short, 10 PO3.4,AI2.3 SD 4.6.5.1, SO 5.4 11.7.2 6.2.2
we'll code them by 'AM' and 'COM', respectively. 10.10.1 12.4.1
11 AI1.2 ;Ai 2.4, SD 2.4.2, 3.6, 4.5.5.2 12.1.1 14.1.1
Many researchers, such as [16, 17], argue that access P010
control's primary goal is to prevent unauthorized access to Table 2. The Main COM Security Controls
institutional information assets. This goal can be achieved C Cobit 4.1 ITIL v3 ISO ISO
by assessing the organization's competence to dominate 2005 2013
unauthorized access to the informational content within the 1 PO4.8 SD 6.4 15.1.1 18.1.1
organization's IT infrastructure. The importance of the 2 DS5.5 SO 4.5.5.6, SO 5.13 15.2.2 18.2.3
3 PO4.8 SD 6.4 15.2.1 18.2.2
access management sub-factor stems from the legal 4 AI3.3 SO 5.4 – 5-11 12.6.1 16.6.1
consequences, moral losses incurred, and the commercial 5 PO9.5; DS4.3 SS 9.5, SD 4.5.5.3, ST 4.6; 13.1.2 16.1
damages that affect the continuity of business due to the
infringement of institutions' privacy. The other side of the C. The SPO maturity model and assessment framework
evaluation framework aims to verify the extent to which To measure an organization's information security
institutional systems can meet the specific requirements performance, the information security maturity model
imposed by institutional policies and legal and regulatory (ISMM) should be used. Many definitions of the term
standards. The level of compliance must be verified to "maturity model" are reported in the existing scientific
literature. Researchers in [18] recalled that any systematic different organizations regardless of size and explains the
framework used to implement benchmarking and system as a comprehensive and integrated business risk
strengthen performance could be deemed a Maturity Model management approach; It provides a customized version of
[19]. Another researcher stated that the maturity model ISAF that covers all relevant security requirements
could be defined as a methodological framework to specified in the ISO security standard; The measurement
estimate and enhance operations in an evolutional tool is designed based on both qualitative and quantitative
paradigm [20]. It also was explained as a range of precisely measures. This future makes it more helpful to get more
defined activities that describe the characteristics of accurate results; It determines the performance degree that
effective methods [21]. an organization should be reached to achieve each fixed
maturity level at each given security subdomain. Fig 1.
Many ISMMs exist; some of them are Citigroup's Illustrate Nnatubemugo's ISMM.
Information Security maturity model (CITI-ISEM); NIST
Cybersecurity framework (NIST-CSF), ITIL maturity An appropriate ISAF should be used for assessing the
model, Cobit CMMI, System security engineering CMM, maturity level; author Nnatubemugo provides a mixed
CERT/CSO, CERT/RMM, Saleh's ISMM [20], ISMM for qualitative and quantitative measurement framework. This
secure e-government services [22], and the Nnatubemugo's framework covers the questionnaire block and
ISMM[10]. In this study, we decided to use the measurement scale. The questionnaire block contains 16
Nnatubemugo's ISMM, proposed by [10] for many questions, classified into two subgroups (AM and COM).
reasons: The Information security assessment framework These criteria and indicators will be selected to measure
(ISAF) of this model is based on the ISO/IEC the related ISML in this paper. Fig.2 and Fig 3 illustrate
27001/27002. This standard is distinguished from other these criteria and indicators -Statements(S)).
interpretations: this is a good standard for application in
SA ML Description
AM 1.Vulnerable No policy/procedures in place for coordinating and protecting information within the
organization and while in transit on the networks.
2. Security AwarenessAn access control policy is in place, but implementation across various essential information
facilities is still minimal and uncoordinated.
3.Basic Security Access control mechanisms for users, networks, applications. are in place with little efforts to
track its efficacy and correct shortfalls
4.Meeting Requirement Standard ways of managing access to information in various forms are practiced. The mobile
computing (BYOD) policy is well defined and followed. Performance is measured
5: Robust Security Active control of information access is practiced—regular review of access control policy to
match evolving threats. Dynamic management of information assets to ensure security.
COM 1.Vulnerable Operations are entirely noncompliant for legal, technical, and security regulations and standards
2. Security Awareness The compliance regime shows a desire to comply. Constant review/audit of information systems
is yet not practicable
3.Basic Security Regular reviews by internal audits and actions followed to achieve compliance
4.Meeting Requirement Both internal and external auditors ensure full compliance to security policies, standards, and
legal requirements
5: Robust Security The external audit shows that best practices are consistently followed, resulting in no critical
compliance issues.
Fig 1. The Maturity Values and Their Description (Source: [8])
For each question, the measurement scale provides a five- evidence for each maturity level. Besides, to determine the
point scale (maturity levels) and the weight of each overall ML, the maturity level values should be scored.
corresponding maturity level (1-5), which describes the Fig.4 illustrates the boundary scores related to the overall
degree of performance, and the qualitative or quantitative maturity levels and their descriptions.
III. METHODOLOGY AND MATERIALS To collect data, the selected ISMM and ISAF were
translated into the Arabic language; after that, the research
This study relies on two approaches, descriptive and survey tool was designed and tested. For this purpose, the
analytical, to analyze the existing SPO in the YBS. It also survey tool was developed in its original form; it was
has applied the case study method, through which relevant tested; it was presented to a group of arbitrators from 15
data has been collected. The following sequence problem- academics and bank information security experts. This
solving steps structure of techniques is used: version was modified based on the arbitrators' views and
observations through the addition, modification, and
A. Define the problem, objectives, and questions of reordering statements [table 3]. Thus, the finalized version
research (Section 1). was developed and covered two parts. The first one was
B. Literature review (Section 2); included the demographic data of the two research workers
C. Selection the maturity and assessment model (gender, scientific qualifications, specialization, job
(Section 2 ) position, years of experience).
D. Design of the searching tools used for data
collection; In contrast, the second part was included (16) statements,
E. Testing the collected data; which were grouped into two security areas. After that,
F. Data analysis; and questionnaires were distributed to workers responsible for
G. Finding and recommendation's. information security in all 13 banks; all responses were
accepted and tested. The Cronbach's Alpha has been used to
The total number of banks that their central branch located measure the stability of resolution to measure stability and
in Sana'a is 16 and the study community comprises all 16 internal consistency. An excellent reliability coefficient
banks except for three of them. The excepted banks have (alpha) of 0.87 and an outstanding validity percentage of
refused to cooperate under the pretext that information 93% was reported using the SPSS package.
security is a sensitive and dangerous subject, and
everything about IS should be disclosed no matter how IV. RESULTS AND DISCUSSION
significant the situation. This work was conducted from
April to December 2019. The study is limited to achieve the A. Results
previously defined goal on the YBS in Sana'a. It relies on The evaluation questionnaire of 13 participating banks
ISO 27001:2003 international information security standard using the proposed ISAF is described in this section. For
requirements and applying Nnatubemugo's ISMM and each participant in each investigated bank, the evaluation
ISAF. The names of the sample banks will be coded with points on each security statement (indicator) were collected.
numbers 1 to 13 as follows: 1- The Yemen Bank For After which, these values were averaged. After that, the
Reconstruction And Development; 2- The National Bank average value of maturity level values on both AM and
Of Yemen; 4-Housing Credit Bank 4- International Yemen COM sub-domains and on the SPO main domain is
Bank; 5- Yemen Kuwait Bank;6- Cooperative & calculated and averaged for each bank, as presented in
Agricultural Credit Bank;7- Rafidain Bank;8-Yemen Table 3. Based on these values, the ranking orders of
Commercial Bank;9- Islamic Bank Of Yemen;10- banks, illustrated in table 4, were achieved.
Tadhamon Bank;11- Saba Islamic Bank; 12- Shamil Bank
Of Yemen & Bahrain; and 13- Qatar National Bank.
The average values of maturity level values for each maturity level. This situation implies that the last six
security statement (requirement) for a whole banking sector participants meet the access management requirements,
under both AM and COM areas were calculated, as shown while the former four banks are only covering the
in table 5. This table also represents the ranking order (R) fundamental aspects of this area. However, only two (7 and
of them, the related compliance maturity level (CL), as well 3) of these participants were measured down to level two,
as Statistical testing results: relative importance (RI) and and one of them (b1) measured up to level Five.
standard deviation (SD). The average values (AML) of
these averaged values on both AM and COM subdomains 3) Banks with an id number of (3,6,7) and 12 are on level
and the main standardization security domain SPO. The R, three (3) maturity on the compliance subdomain;
RI, SD, level number (L-id), and CL values are presented in participants (1,2,4,8,9,11) and 13 offer level four (4) IS
table 7. This table also represents the overall gaps between maturity on it. This result means that the last seven banks
the actual ML of application of security requirements and meet the compliance information security needs, while the
the robust level seek by the YBS on both AM and COM former four banks are only accomplishing the fundamentals
subdomains and the main standardization security domain within this area. However, only one bank (5) of these
(SPO). participants was measured down to level two, and two of
them (4 and 10) measured up to level five.
Table 5. The Average Values of ML-Values on Each Statement
SA Statement number AML 4) The ISMS of the YBD is on level four maturity and
1 2 3 4 5 6 7 8 9 10 11 meeting the security requirements of access management
A ML 4.2 2.7 3.8 3.7 4.1 4 3.7 2.8 3.5 3.8 3.5 3.62 and compliance subdomains and standardization of the
M R 1 11 4 6 2 3 6 10 8 4 8 information security operations domain. Its overall MI is
SD 0.90 0.97 0.97 0.97 0.97 0.97 0.97 1.41 1.41 1.41 1.41 3.62, 3.71, and 3.66, respectively.
RI 84 84 84 84 84 84 84 56 56 56 56
% Q2- What are the gap between the actual ML of the SPO in
CL BS BS MR MR MR MR MR BS BS MR BS the YBS and the maximum recommended ML?
C ML 3.6 3.3 3.4 3.9 4.3 3.71 Tables 5 and 6 indicate that: (1) The obtained maturity
O R 3 5 4 2 1 values distribute on two levels; these are the necessary
M security and meet requirement levels; a ratio of the total
SD 1.13 1.13 1.13 1.13 1.13
RI 72 72 72 72 72
number of banks meeting the requirements of these levels
% on both access management and compliance subdomains
CL MR BS BS MR MR are 4:7 and 2:3, respectively. (2) An overall average ML
value is 3.66; this value means (according to [10]) that
Table 6. The Overall Results standard means of controlling access to information in
Security area AML L- CL RI% SD Gap R different variants are implemented. (3) The overall gap
Id values of the ISMS of the YBS under the access
Access 3.62 4 MR 72 0.76 1.38 2
management
management and compliance subdomains and the
Compliance 3.71 4 MR 74 0.69 1.30 1 standardization of the information security operations
3.66 4 MR 73 0.69 1.34
domain are equal to 1.38,1.30 and 1.34, respectively.
SPO
values under this security requirement equals 4.3. The main only 15% of these banks are committed to applying this
reason for this situation is that more than two-thirds (69 %) practice monthly, and 69 %of them used it quarterly.
of banks under question are not exposed to such incidents
during the last year. This result also demonstrates the 3) Another weak point in this area is that IS events
strength of users' compliance in those banks. management's formal procedures were never what they
should be. This pint can be interpreted by the too weak
Q4- What are the major weakness and vulnerable points in proportion of banks that follow strictly standard procedures
the YB sector's information systems? for this purpose (7.7%), comparing to those where these
1) The confirmation compliance of information systems to procedures are never available (23 %), at the ratio of 1:3, or
security and regularly penetration testing and vulnerability comparing to those where these procedures are available,
scanning highlighted the weakness of compliance practices but uncoordinated. No specific actions can be taken (38.5
in these banks; the results show that only 15% of these %), at a ratio of 1:5.
banks were committed to applying these practices, while 38
%of them carried it out every six months. Table 7 illustrates the matches between these main
weaknesses and the banks that are suffering from them.
2) Reviewing and updating the permissions granted for Table 8 shows the mapping between these main weaknesses
users at far intervals in these banks highlighted the and the banks that are suffering from them.
weakness of access control practices; the results show that
Q5. How to rate the institutions in this sector according to presented in this section. Based on ISO 27002 security
their information security maturity level? standard, the following recommendations are suggested
Based on tables 5 and 6: (1) The sequencing order of (tables 8 and 9); the total number of submissions is 16, each
security practices according to theirs average rate of recommendation links to one information security
implementations by the banking sector on both AM and requirement that have the same ID number in the
COM security sub domains are (1> 5> 6> 3> 10> 4> 7> questionnaire. Each guidance addresses a set number of
11> 9> 8> 2) and (5> 4>1>3>2) respectively. (2) Rating the banks (B), which have related weaknesses or vulnerabilities
YBS institutions, according to their security compliance, is in implementing these requirements. Each proposal has the
presented in table 5. same ID number of additional implementation guidance,
which are suggested based on ISO 27002 -2005 and ISO
C. Recommendations 27002 -2013 (tables 10 and 11). The implementation matrix
Q6. What are the most appropriate solutions and to match vulnerable points on sub security domains for each
recommendations to improve the security situation in this bank (B), the linked-to those recommendations, and
sector? additional implementation guidance are summarized in
Solutions that can be recommended for improving the table 12.
information security situation in a whole system are
8 Official event reporting requirements and implementation procedures, awareness programs, including business impact and
regulations aspects, should be in place.
9 Development and implementation of detection, preventing, and recovery controls to protect institutions from malicious codes
and suitable awareness program actions for the user.
10 Develop and implement a teleworking activities policy, operational plans, and procedures. Additional related monitoring,
recording, logging activities should be adapted.
11 Information security should be guided in project management, regardless of the type of project. The requirements related to
information systems must be defined during the phase of projects' requrirments.
There is a set of strengths in favor of banks about applying The security position (location or order) of each bank is
the SPO - information security practices represented in the determined. The bank with the best practices is bank the
first bank, while the fourth bank has the weakest SPO Approach,” Master Thesis. Bahcesehir University. Istanbul. The
practices. Banks should adhere to implement some Republic Of Turkey, 2014
[16] D. Lang & D. Van der Haar, “Recommendations for Biometric
improvement actions to improve their situation and
Access Control System Deployment in a Vehicle Context in
competitiveness. For this, sixteen improvement actions and South Africa. ,” In Information Science and Applications,
recommendations have been suggested to improve this Springer, Singapore., pp. 305-317, 2020
sector's information security operations' standardization [17] N. Agrawal, & S. Tapaswi, “A trustworthy agent-based
practices. Each bank should select the related list of encrypted access control method for mobile cloud computing
suggestions based on the implementation matrix mapping environment,” Pervasive and Mobile Computing, Vol. 52, pp 13-
28.,2019
table, which is also proposed by this study. Additional ISO- [18] Al-Mayahi, Ibrahim, and P. Mansoor Sa'ad. “ISO 27001 gap
based implementation guidance for each bank has been analysis-case study,” Proceedings of the 2012 International
recommended. Hence, the study's objective was carried out Conference on Security and Management (SAM). The Steering
successfully; the previously mentioned questions were Committee of The World Congress in Computer Science,
answered. This paper and its results will help the YBS Computer Engineering and Applied Computing (WorldComp),
sector to enhance its information security practices by 2012.
[19] A. A Nasser, A. A. Al-Khulaidi, & M. N. Aljober, “ Measuring
establishing and implementing these recommendations. the information security maturity of enterprises under uncertainty
Additional works should be done to meet objectives under using fuzzy AHP,” Int. J. Inf. Technol. Comput. Sci.(IJITCS),
other security domains and improve security performance Vol. 10, No 4, pp 10-25, 2018
and compliance in this sector. [20] M. F. Saleh,, “Information security maturity model ,”
International Journal of Computer Science and Security (IJCSS),
Vol.5, No 3: 21,2011
REFERENCES [21] Team, CMMI Product. "Capability maturity model® integration
(CMMI SM), version 1.1." CMMI for Systems Engineering,
[1] IBM Security, "IBM X-Force Threat Intelligence Index ", 2020. Software Engineering, Integrated Product and Process
[2] SF. Alomgeer, “Cyber Crime In Banking Sector of Bangladesh, Development, and Supplier Sourcing (CMMI-SE/SW/IPPD/SS,
”, diss., East West University, 2019. V1. 1) , No 2,2002
[3] S. Kesharwani, M. P. Sarkar, & S. Oberoi, “Growing Threat of [22] G. Karokola, S. Kowalski, & L. Yngström, Towards An
Cyber Crime in Indian Banking Sector.”, CYBERNOMICS, Vol 1, Information Security Maturity Model for Secure e-Government
No 4, pp 19-22,2019. Services: A Stakeholders View. In HAISA, pp 58-73, 2011
[4] N. Tariq, “Impact of cyber-attacks on financial Institutions,”
Journal of Internet Banking and Commerce, Vol. 23, No 2. pp. 1-
11, 2018.
[5] A. R. Raghavan, & L. Parthiban, “The effect of cybercrime on a AUTHORS PROFILE
Bank’s finances,” International Journal of Current Research & Mr. Adel A. Nasser pursued a Bachelor
Academic Review, Vol. 2, No 2. pp. 173-178, 2014. of Science (Information technology and
[6] N. Alber, N., & M. Nabil, “The Impact of Information Security on
computer engineering) from South-
Banks’ Performance in Egypt,” Available at SSRN 2752070
[7] Sanskriti Choubey , Astitwa Bhargava , "Significance of ISO/IEC West State University in 2007. He also
27001 in the Implementation of Governance, Risk and pursued a Master of Science (Devices
Compliance," International Journal of Scientific Research in and Systems of wireless
Network Security and Communication, Vol.6, Issue.2, pp 30-33, communication networks) in 2009 and
2018 a Ph.D. of Technical Sciences in the
[8] Hailye Tekleselase Woldemichael, "Emerging Cyber Security
Threats in Organization," International Journal of Scientific
year 2012. He is currently working as Associate Professor
Research in Network Security and Communication, Vol.7, and Head of Information Systems and Computer Sciences
Issue.6, pp 7-10, 2019 Department, Sa'ada University, Yemen. He is a member of
[9] M.A.M Stambul, R. Razali, “An assessment model of the International Association of Engineers (IAENG) and in
information security implementation levels.,” In the many academic commissions of Sa'adah and Dar Al-Islam
Proceedings of the 2011 Electrical Engineering and Informatics universities, Yemen. He has published more than 40
(ICEEI), IEEE, pp 1-6,2011
[10] Nnatubemugo Innocent Ngwum, “ Information Security research papers (In both English and Russian languages) in
Maturity Model (ISMM). ,” Diss., The University of reputed international journals, including (Thomson Reuters
Manchester., 2013. (Web of Science), the Russian Higher Attestation
[11] W. M. Zeiad, “The impact of information security risks on the Commission (Росская ВАК), Russian SCI, and
accounting systems in the Central Bank of Yemen." Master International conferences; It’s available online (on research
Thesis. The Yemeni Academy for Graduate Studies, Sana'a,
gate and E-library Russian scientific research database). He
Yemen, 2019. [In Arabic]
[12] M. J. Hammodah, “ Evaluating information security strategies in participated in several local workshops to develop several
banking institutions,” Master Thesis. Michigan State University- graduate and undergraduate programs. His main research
Dubai Branch, UAE,2017. [In Arabic] work focuses on information security, information security
[13] Nada Ismaeil , "Protecting the security of information systems, a management, decision support systems, MCDM methods
case study in Al-Rafidain Bank," Tikrit Journal of Administrative and algorithms, fuzzy-based MCDM tools, and their
and Economic Sciences. Vol.7 , Issue 21, pp 72—94, 2011. [In
Arabic]
application in health, education, and business. He has eight
[14] A. L. Muhsen, “Information Security Management In Palestinian years of teaching and research experience.
Banking," Master Thesis. An-Najah National University. Nablus.
Palestine," 2014
[15] İ. A. Gürcan, “Assessing Information Security Management
Requirements For Finance Sector Using An ISO27001 Based