Pierre-Luc Pomerleau · David L. Lowery Countering Cyber Threats to Financial Institutions A Private and Public Partnership Approach to Critical Infrastructure Protection Countering Cyber Threats to Financial Institutions · Pierre-Luc Pomerleau David L. Lowery Countering Cyber Threats to Financial Institutions A Private and Public Partnership Approach to Critical Infrastructure Protection Pierre-Luc Pomerleau David L. Lowery School of Business School of Business Northcentral University Northcentral University Granby, QC, Canada Panama City, FL, USA ISBN 978-3-030-54053-1 ISBN 978-3-030-54054-8 (eBook) https://doi.org/10.1007/978-3-030-54054-8 © The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG 2020 This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval,electronicadaptation,computersoftware,orbysimilarordissimilarmethodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such namesareexemptfromtherelevantprotectivelawsandregulationsandthereforefreefor general use. Thepublisher,theauthorsandtheeditorsaresafetoassumethattheadviceandinforma- tion in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respecttothematerialcontainedhereinorforanyerrorsoromissionsthatmayhavebeen made.Thepublisherremainsneutralwithregardtojurisdictionalclaimsinpublishedmaps and institutional affiliations. This Palgrave Macmillan imprint is published by the registered company Springer Nature Switzerland AG The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland To the mentors and leaders in sports, in my academic studies, as well as in my personal and professional lives with whom I have had the opportunity to learn from. —Pierre-Luc Pomerleau This work is dedicated to our modern-day cyber professionals, the men and women serving on the cybersecurity virtual “front lines” every day—the military member, the government civil servant, or the private industry worker at every organizational level—whose diligent efforts and expertise collectively enable our modern online and interconnected society to function. —David L. Lowery Foreword Twomajorconstantsinlifearechangeandevolvingtechnology.Growing up in the late 1950s and early 1960s, I remember when gasoline was 25 cents per gallon and new cars were well under $10,000 each. We all had rotary dial phones, party lines, and calling international was outrageously expensiveatthetime.Ifapieceofequipmentbrokedown,weeitherfixed it ourselves or took it to a professional repairman for repairs so we could continueusingit—astarkcontrasttotoday’sdisposablesociety,wherewe quickly upgrade to the latest technology without a second thought. As a college student in the 1970s, I used a manual typewriter to write my college papers and professors would reject any work that had erasures, whichoftenmeantretypingawholepageforasingleerror.Icouldgoon andonaboutthetechnology-relatedchangesI’veseeninmylifetime,but mymotivehereistopointoutthatmostpeoplealivetodayhaveverylittle comprehensionofjusthowtechnology-dependentweallareandjusthow far-reachingandrapidlytechnologyhasevolvedoverthepastfiftyyears… and where technology will take us tomorrow. Few can truly appreciate just how debilitating a major breakdown in today’s “connected” IT infrastructure would be to our daily lives, our national economy, and the world in general. We have insidiously become totally dependent on cell phones, computers, and the internet. Our cars, airliners, appliances, finances, global logistics—virtually everything relies onourmoderninternet andcomputers.Canyouimaginewakingupone morning and having no cable TV, no cell phone, no internet, no email, vii viii FOREWORD no ATM, and no way to access your finances at all? Traffic signals would nolongerwork,trainswouldn’trun,airtravelwouldcometoacomplete standstill, and even the modern large-scale farming equipment would sit idle! These are truly unacceptable circumstances on many levels. As such, thestakesareenormouslyhighastheprotectionofourglobalIT,satellite networks,andcomputinginfrastructureremainsnotonlyparamount,but increasingly complex due to a number of global geopolitical factors. This solemn-but-critical task is not for the faint of heart nor the lightweight intellectual.Moderncybersecuritysolutionsrequireauniquecombination of both “left-brain” logic/deductive reasoning combined with “right- brain”creativity/imagination,however,thereisnoroomforselfishpower plays nor assumptions of righteous motivations. All would-be cybersecu- rityprofessionalsarepotentialheroesandanyonewithnetworkaccessisa potential vulnerability or threat if poor cyber hygiene is used. In closing, looking forward I anticipate one of the key components needed in future cybersecurity systems will be a more robust “resiliency component.”Theabilitytorecoveramassiveblockofdata,isolateit,and use it as a starting point to begin real-time recovery should that data or systembecorruptedorcompromised.Regulatoryrulesandnetworksecu- rityguidelines,practices,andprotocolsareonlythefirstlineofaneffective cyberdefenseperimeter.Theabilitytorecoveristhecrucialdefensivefall- back we need in place because as long as information is power, there will beactorsineverymajorindustrialsectorlookingtoexploitvulnerabilities and to successfully attack our cyber world. Kailua, Hawaii, USA Brigadier General Stanley J. Osserman, Jr. U.S. Air Force (Retired) Acknowledgments SomeoneoncetoldmethataPh.D.islikeamarathonandthatmarathons arenotforeveryone.Atthatpoint,achievingthedoctoralacademicstan- dard became a new personal challenge of mine. I must admit that the journey to accomplish this doctorate was quite exciting and rewarding. First, I would like to thank the individual study participants. Regardless ofthetimeoftheday,theseprivatesecurityprofessionalsareworkingwith dedication to protect their individual organization’s financial assets from various cyber, financial, and physical threats. To my parents, Gilles and Christine, thank you for teaching me core values of dedication, discipline, and perseverance. Playing football throughoutmychildhoodandearlyadultyearstaughtmetheimportance of hard work, teamwork, and considerable efforts are the key ingredients tosuccess.Tomywifeandbestfriend,Marie-Eve,Icouldnothavedone it without you by my side to remind me what is truly important in life. YouwerealwaystheretosupportthefamilyandI.Tomychildren,Maylia and Nathan, thank you for being so patient with me over the years. I knowthatyoudidnotalwaysunderstandwhydadwasspendingsomuch time in his office working on his computer. Later in life, you will under- stand better and it will be my turn to assist you in reaching your own dreams. To my friends Mathieu and Matthew, thank you for supporting meduringtheadversityofworkingfull-time,lecturing,anddoingaPh.D. at the same time. To my dissertation chair, Dr. Dave Lowery, I want to thankyouforyourleadershipandcontinuedmentorship.Yourexperience, ix x ACKNOWLEDGMENTS motivationalskills,andworkethicwerevitalinmysuccess.Also,Iwould like to thank my Academic Reader, Dr. Leila Sopko for her support and expertiseduringthedissertationprocess.Lastly,IwouldliketothankDr. DavidMaimonfromGeorgiaStateUniversityforhisinsightandexpertise. Thank you all for everything! Pierre-Luc Pomerleau When I retired from the Air Force and transitioned into academia in 2018, my goal was to “pay forward” the many years of professional mentoring and support I myself had received throughout my career by teaching/mentoring the next generation of doctoral/graduate students. Pierre-LucwasoneofthefirsthandfulofdoctoralstudentsIwasassigned as a new dissertation committee chair. Over the next year, we meticu- louslydevelopedPierre-Luc’sresearchplan,garnereduniversityapproval, analyzedthedatahecollected,andIguidedhimasheformulatedhiskey conclusions—all in Pierre-Luc’s one speed: “full afterburner”! It is a true honor and privilege to co-author this manuscript with Pierre-Luc as well astocollaboratewithGeorgiaStateUniversity’sDr.DavidMaimonanda long-timementorofmyown,AirForceBrigadierGeneralStanOsserman, Jr. U.S. Air Force (Retired). I’d like to also share a very special thank you to my loving wife Sarah Lowery, children Jackson, Emma, & Jessica Lowery, father Rickey Lowery, step-mother Myra Lowery, sister-in-law Leslie Lowery, maternal aunts LaRoy Bass & Wynde Brown, and fellow professor-turned-author cousins Billie Jane McIntosh & Gary McIntosh for all their support & encouragement to pursue this endeavor. Special thanks also to my own former doctoral dissertation committee: Valdosta State University’s Dr. LeighRossStanford,FloridaStateUniversity’sDr.HafizAhmad,andDr. KellyGerverafortheirprofessionalmentoringthatallowedmetobehere today. David L. Lowery Contents 1 Contemporary Cybersecurity in Our Daily Lives 1 Introduction 1 A Broad View of Cybercriminals 2 Recent Cyberattack Trends 4 Discerning Overall Cyberattack Trends with Limited Data 7 References 8 2 Relevance of Evidence-Based Cybersecurity in Guiding the Financial Sector’s and Efforts in Fighting Cybercrime 9 David Maimon Introduction 9 Evidence-Based Cybersecurity 11 EBCS Research in the Context of Financial Institutions Efforts in Cyberspace 13 Identify Vulnerable Targets and Increase Cybersecurity Awareness 14 Assess the Effectiveness of Security Tools and Policies 17 Configure Financial Organizations’ Internet Infrastructure 19 Dissemination of Evidence-Based Cybersecurity Research 22 Conclusion 23 References 24 xi