A gap analysis to compare best practice recommendations and legal requirements when raising information security awareness amongst home users of online banking

Abstract

South African home users of the Internet use the Internet to perform various everyday functions. These functions include, but are not limited to, online shopping, online gaming, social networking and online banking. Home users of online banking face multiple threats, such as phishing and social engineering. These threats come from hackers attempting to obtain confidential information, such as online banking authentication credentials, from home users. It is, thus, essential that home users of online banking be made aware of these threats, how to identify them and what countermeasures to implement to protect themselves from hackers. In this respect, information security awareness (ISA) programmes are an effective way of making the home users of online banking aware of both the threats they face and the countermeasures available to protect themselves from these threats. There are certain legal requirements with which South African banks have to comply when implementing ISA initiatives. Non-compliance or failure to demonstrate due care and due diligence should a security incident occur will result in financial penalties for the bank as well as possible brand damage and loss of customers. Banks implement international best practice recommendations in an effort to comply with legislation. These include recommendations for information security awareness. This research investigated both information security best practice recommendations and information security legal requirements for information security awareness. A selected list of information security best practices was investigated for best practice recommendations while a selected list of information security legislation was investigated for legal requirements imposed on South African banks. A gap analysis was performed on both these recommendations and requirements to determine whether the implementation of best practice recommendations resulted in compliance with legal requirements. The gap analysis found that the implementation of best practice recommendations does not result in compliance with legal requirements. Accordingly, the outcome of this research highlighted the importance of understanding the legal requirements and ensuring that adequate controls are in place with which to achieve compliance.