Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework

C-RAF AND REAL-LIFE MEASURES

[ Exhibit 56 ] Self-signed SSL certificate warning message

By applying least-squares regression, we found that both the overall maturity assessment score and the "Protection" maturity domain score are significantly correlated with the average SSL certificate adoption rate over the 17 periods, although the explanatory power is modest (R² of roughly 0.4). To better understand the relationship between the two scores and certificate adoption, we plotted the data as scatterplots.

[ Exhibit 55 ] Number of SSL certificates and adoption rate versus Maturity Assessment score (left panel: average number of certificates against maturity score; right panel: average certificate adoption rate against maturity score; points grouped by risk level: Low, Medium, High)

The scatterplots show how the maturity score relates to each AI's SSL certificate adoption. While the number of certificates has little to no correlation with an AI's maturity score, the average adoption rate over the 17 periods shows a positive relationship with it. The weak link to the certificate count is explained by how certificates are deployed: an AI can use a single wildcard certificate to cover all subdomains of its website instead of issuing one certificate per subdomain, so the raw count says little about coverage. It is also reassuring that, as Exhibit 55 shows, several low- and medium-risk AIs maintained full SSL certificate adoption over the whole period, which is essential for protecting customer data in transit and the integrity of the AI's official site.
SUBOPTIMAL CERTIFICATE ADOPTION

In addition to the above analysis, we also studied the types of SSL certificates the AIs use, focusing on those that may be vulnerable to attack because of weaknesses such as an outdated signature algorithm. Although the number of SSL certificates in most cases does not reflect how secure an AI is, the number of suboptimal certificates does indicate whether the problem is organization-wide or confined to one part of the organization.

Ideally, an SSL certificate is issued by a trusted third party, a Certificate Authority (CA), whose root certificate is already trusted by users' browsers; the CA's signature is what lets the browser verify that the certificate really belongs to the site it is connecting to. Alternatively, an AI could issue a self-signed certificate for its sites. This still encrypts the data exchanged between the user and the application, but because no known root CA vouches for the certificate, the browser cannot authenticate it: users are shown a warning about the unknown certificate (Exhibit 56) and must accept it to proceed. A self-signed certificate therefore offers no protection against a man-in-the-middle presenting a different self-signed certificate of their own, and it trains customers to click through exactly the warning that should alert them to such an attack.

Another aspect that determines whether an SSL certificate provides the intended security is the hash algorithm used in its signature. A certificate signed with a weak hash algorithm such as MD5 or SHA-1 is exposed to collision attacks: an attacker can construct two certificates whose signed contents hash to the same value, have a CA sign the benign one, and then transfer that valid signature to the malicious one, which lets them impersonate the affected service. Mainstream browsers stopped trusting SHA-1-signed certificates in 2017, and certificates should be signed with SHA-256 or stronger.
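The three checks discussed above (self-signed, weak signature hash, and whether a wildcard certificate actually covers a given hostname) can be run offline against a saved certificate with nothing but the Go standard library. The following is an added example written for this section, not code from the report or from any AI; the domain example-bank.test, the hostnames and the certificate itself are constructed here so that the example runs without network access.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Finding summarises the checks run on one certificate.
type Finding struct {
	SigAlgo       string
	SelfSigned    bool            // issuer == subject and the signature verifies under the cert's own key
	WeakSignature bool            // signed using MD2, MD5 or SHA-1
	Expired       bool            // outside the NotBefore/NotAfter window
	Covers        map[string]bool // hostname -> whether the certificate is valid for it
}

// weakSignature flags signature algorithms built on hashes that are no longer
// collision resistant (browsers stopped accepting SHA-1 signatures in 2017).
func weakSignature(alg x509.SignatureAlgorithm) bool {
	switch alg {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		return true
	}
	return false
}

// isSelfSigned compares issuer and subject byte-for-byte, then verifies the signature
// with the certificate's own key. Go refuses to verify MD5/SHA-1 signatures at all, so
// that refusal still counts as self-signed; the weak hash is reported via WeakSignature.
func isSelfSigned(c *x509.Certificate) bool {
	if !bytes.Equal(c.RawIssuer, c.RawSubject) {
		return false
	}
	err := c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature)
	var insecure x509.InsecureAlgorithmError
	return err == nil || errors.As(err, &insecure)
}

// assess runs every check against one parsed certificate for the given hostnames.
func assess(c *x509.Certificate, hosts []string, now time.Time) Finding {
	f := Finding{
		SigAlgo:       c.SignatureAlgorithm.String(),
		SelfSigned:    isSelfSigned(c),
		WeakSignature: weakSignature(c.SignatureAlgorithm),
		Expired:       now.Before(c.NotBefore) || now.After(c.NotAfter),
		Covers:        make(map[string]bool, len(hosts)),
	}
	for _, h := range hosts {
		// VerifyHostname applies the wildcard rules: "*.example-bank.test" matches
		// exactly one label, so "deep.www.example-bank.test" is not covered.
		f.Covers[h] = c.VerifyHostname(h) == nil
	}
	return f
}

// parsePEM decodes the first CERTIFICATE block of a PEM file (e.g. saved from a browser).
func parsePEM(data []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// selfSignedWildcardPEM builds a constructed self-signed wildcard certificate for the
// hypothetical domain example-bank.test. Template and parent are the same object, so
// the certificate signs itself; a P-256 key gives ECDSA-SHA256 by default.
func selfSignedWildcardPEM(notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "*.example-bank.test"},
		DNSNames:     []string{"*.example-bank.test"},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now()
	pemData, err := selfSignedWildcardPEM(now.Add(30 * 24 * time.Hour))
	if err != nil {
		panic(err)
	}
	c, err := parsePEM(pemData)
	if err != nil {
		panic(err)
	}
	hosts := []string{"www.example-bank.test", "api.example-bank.test", "deep.www.example-bank.test"}
	fmt.Printf("%+v\n", assess(c, hosts, now))
}
```

For a real survey, replace the constructed certificate with the PEM saved from each AI's site and pass the list of subdomains in scope; the Covers map then shows directly which subdomains a single wildcard certificate protects, which is why a count of certificates is a poor proxy for adoption.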
