Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework
INHERENT RISK ASSESSMENT (IRA)

FACTOR ANALYSIS

While the IRA process provides a comprehensive view of the AIs’ cybersecurity risk exposure, the number of indicators presents a challenge in generalising the statistical findings and insights. To better understand the root cause of the inherent risk and identify any underlying factors that drive an AI’s cybersecurity risk, we have utilised exploratory factor analysis (EFA).

Ideally, we would conduct EFA on all 51 indicators and have the algorithm determine a set of latent risk factors. However, limited by the sample size, we could not simply feed all the indicators into the algorithm, as the “curse of dimensionality”⁴ impacts the validity of our EFA variables. Therefore, we substitute the 51 indicators with the 15 grouped sub-domains provided in the previous section.

The sub-domain score is calculated by summing up all the indicator scores. For example, there are three indicators under the sub-domain “Cyber Threat Tracked Records – Frequency”. If an AI reported medium risk for two of the indicators and high risk for the remaining one indicator, it would have a score of 2 × 2 + 3 × 1 = 7 for this sub-domain. After obtaining all the sub-domain scores, we fitted a factor model with orthogonal rotation and drew a scree plot to determine the number of latent factors. As the correlation result below shows, we expect the EFA to help us identify and distil the sub-domains even further.

4. Since we have more features than observations (51 versus 22), we could be exposed to the risk of overfitting our model.
[ Exhibit 29 ] Factor analysis variable groupings

Factor 1 (Payment Provision Risk): Payment Card Risks; Mobile Presence Risks; ATM Provision; Size Risks; Internal Risks
Factor 2 (Banking Services Risk): Internet Presence; Fund Transfer Risks; Size Risks; Client Services Risks; Other Service-Related Risks
Factor 3 (Cyber Threat Risk): Cybersecurity Staffing Risks; Cyber Threat Frequency
Factor 4 (Attack Variety Risk): Cyber Threat Variety

Note: See appendix 3 for the full factor loading score table.

Exploratory Factor Analysis is a tool for investigating variable relationships. The key concept is that multiple observed variables have similar patterns of responses because they are all associated with a latent (i.e., not directly measured) variable. We used a scree plot to help us determine how many factors we should use. The eigenvalue measures the explanatory power of the factor. Essentially, a factor with an eigenvalue greater than one explains more variance than an observed variable.

[ Exhibit 30 ] Factor analysis scree plot (eigenvalue plotted against factor number)

[ Exhibit 31 ] Factor analysis illustration: an example mapping of observed variables (Mobile Presence, Payment Card Risk, Size Risk, ATM Risk) to the underlying factor Payment Provision Risk

Underlying Factors of Inherent Risks

To deduce what each factor represents, we examined the sub-domains with the highest correlation scores. First, for the left-most factor, the most dominant risk indicator group is the Payment Card Risks, followed by ATM and mobile presence risk. This suggests that the first factor is highly likely to represent the payment provision risk of an AI. Moving on to factor 2, we can see that the firm’s fund transfer services, internet presence, and size are the top three sub-domains explaining this factor, indicating this factor is related to an AI’s fund transfer and banking service provision.
Next, factor 3 seems to be explained by the cyberattack frequency and the inverse of their cybersecurity staffing risk. Finally, the fourth factor appears to be largely about the cyberattack variety risk.

We then regenerated the IRA plots using the extracted risk factors. The following chart shows that the risk scores of high- and medium-risk AIs have been pulled much closer together after the analysis. Yet the distribution of risk still aligns with the observations we made when distinguishing the AIs. More particularly, we see a strong presence of payment provision risk for both medium- and high-risk AIs, while high-risk AIs offer more other banking-related services.

[ Exhibit 32 ] Inherent risk score comparison between the four latent factors (Payment Provision Risk, Banking Services Risk, Cyber Threat Risk, Attack Variety Risk) for low-, medium- and high-risk AIs

The grouping above forms a coherent picture of our findings in the sections above, where we found that the type of services is particularly salient in explaining the overall risk of the AIs (factor 1), while confirming our observation that cybersecurity staffing risk is inversely related to cyberattack frequency risk. Moreover, it reveals that the banking and fund transfer services of the AIs, together with their internet presence, have contributed the second most to the risk level as a group. The latent factors above reveal the underlying cause of cyber risk and demonstrate that indicators across each domain can be highly correlated.
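The following script is an added example and is not part of the report or its analysis. It works through the two mechanical steps described above: summing indicator scores into sub-domain scores (the report shows medium = 2 and high = 3; low = 1 is an assumption consistent with that scale), and then computing the eigenvalues of the sub-domain correlation matrix, which is what a scree plot displays and what the "eigenvalue greater than one" rule counts. The indicator identifiers, the grouping of eight placeholder indicators into four of the report's sub-domain names, and the ratings for six hypothetical AIs are all constructed for illustration; the script does not reproduce the rotated factor loadings in appendix 3, only the factor-count screen that precedes them. It is written in pure Python so it runs without numpy or a factor-analysis package.

```python
"""Added example (not the report's code): IRA sub-domain scoring followed by a
scree-style eigenvalue screen of the sub-domain correlation matrix."""

# Rating scale. The report shows medium = 2 and high = 3; low = 1 is an
# assumption that matches that scale.
RATING_SCORE = {"low": 1, "medium": 2, "high": 3}

# Constructed grouping: placeholder indicator ids under real sub-domain names.
# The actual CRAF has 51 indicators in 15 sub-domains; this is a small subset.
SUBDOMAINS = {
    "Payment Card Risks": ["card_1", "card_2"],
    "ATM Provision": ["atm_1"],
    "Cyber Threat Tracked Records - Frequency": ["freq_1", "freq_2", "freq_3"],
    "Cybersecurity Staffing Risks": ["staff_1", "staff_2"],
}


def subdomain_scores(ratings):
    """Sum the indicator scores inside each sub-domain, as the report does."""
    return {
        name: sum(RATING_SCORE[ratings[ind]] for ind in indicators)
        for name, indicators in SUBDOMAINS.items()
    }


def correlation_matrix(rows):
    """Pearson correlation matrix of equal-length observation rows (AIs x sub-domains)."""
    n, p = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(p)]
    sds = [(sum((r[j] - means[j]) ** 2 for r in rows) / n) ** 0.5 for j in range(p)]
    if any(sd == 0 for sd in sds):
        raise ValueError("a constant sub-domain has no correlation with the others")
    corr = [[0.0] * p for _ in range(p)]
    for i in range(p):
        for j in range(p):
            cov = sum((r[i] - means[i]) * (r[j] - means[j]) for r in rows) / n
            corr[i][j] = cov / (sds[i] * sds[j])
    return corr


def symmetric_eigenvalues(matrix, tol=1e-12, max_sweeps=100):
    """Eigenvalues of a symmetric matrix via cyclic Jacobi rotations, descending."""
    a = [row[:] for row in matrix]
    n = len(a)
    for _ in range(max_sweeps):
        off = sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j)
        if off < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if abs(a[p][q]) < 1e-15:
                    continue
                # Rotation angle that zeroes a[p][q] (Numerical Recipes form).
                theta = (a[q][q] - a[p][p]) / (2 * a[p][q])
                t = (1 if theta >= 0 else -1) / (abs(theta) + (theta * theta + 1) ** 0.5)
                c = 1 / (t * t + 1) ** 0.5
                s = t * c
                for k in range(n):  # columns p and q: A <- A J
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):  # rows p and q: A <- J^T A
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return sorted((a[i][i] for i in range(n)), reverse=True)


def kaiser_factor_count(eigenvalues):
    """Scree-plot rule quoted in the report: keep factors whose eigenvalue exceeds 1."""
    return sum(1 for ev in eigenvalues if ev > 1)


def screen_factors(ratings_by_ai):
    """Score every AI, correlate the sub-domains, return (eigenvalues, factor count)."""
    names = list(SUBDOMAINS)
    rows = [[subdomain_scores(r)[nm] for nm in names] for r in ratings_by_ai.values()]
    eigenvalues = symmetric_eigenvalues(correlation_matrix(rows))
    return eigenvalues, kaiser_factor_count(eigenvalues)


def _ai(card, atm, freq, staff):
    """Build one hypothetical AI's ratings (freq rating applied to all three indicators)."""
    return {"card_1": card[0], "card_2": card[1], "atm_1": atm,
            "freq_1": freq, "freq_2": freq, "freq_3": freq,
            "staff_1": staff[0], "staff_2": staff[1]}


# Constructed ratings for six hypothetical AIs, not the report's data. Payment
# card and ATM ratings move together; threat frequency and staffing move inversely.
SAMPLE_RATINGS = {
    "AI-1": _ai(("low", "low"), "low", "low", ("high", "high")),
    "AI-2": _ai(("high", "high"), "high", "high", ("low", "low")),
    "AI-3": _ai(("medium", "medium"), "medium", "medium", ("medium", "medium")),
    "AI-4": _ai(("low", "low"), "low", "high", ("low", "low")),
    "AI-5": _ai(("high", "high"), "high", "low", ("high", "high")),
    "AI-6": _ai(("medium", "high"), "medium", "medium", ("medium", "medium")),
}

if __name__ == "__main__":
    evs, count = screen_factors(SAMPLE_RATINGS)
    print("eigenvalues:", [round(e, 3) for e in evs])
    print("factors with eigenvalue > 1:", count)
```

With these constructed ratings the four sub-domains collapse onto two factors: one carrying the payment card and ATM scores (the analogue of the report's payment provision factor) and one carrying threat frequency against staffing (the analogue of its cyber threat factor), so the screen returns two eigenvalues near 2 and two near 0. Constant sub-domains are rejected up front, since a column with zero variance has no defined correlation and would silently corrupt the eigenvalues.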