Strategies to mitigate ransomware related cyber-attacks in South African financial institutions

Nqobile Mahlangu
2159255

A research report submitted to the Faculty of Commerce, Law and Management, University of the Witwatersrand, in partial fulfilment of the requirements for the degree of Master of Management in the field of Digital Business

Johannesburg, 2023

ABSTRACT

Digital transformation has become topical amongst many organisations and industries alike. Inherent to the adoption of technology to optimise business processes and operations, cyber-attacks have become a growing concern, with ransomware now a top concern for organisations. South African banks have not been immune to the associated ransomware risks, as threat actors continue to find motivation to attempt to infiltrate SA banks, compromise their confidentiality, integrity, and availability, and then demand a ransom. Cyber-resilience is positioned as an attractive strategy to prevent and mitigate ransomware attacks. This study investigates the effectiveness of employing a cyber-resilience strategy in mitigating ransomware attacks within South African financial institutions, in particular SA banks. The study explores various best practices and factors that influence cyber-resiliency, the role that management plays in ensuring cyber-resiliency, and finally, various methods that can be employed to assess the effectiveness of cyber-resilience as a strategy. The study employs a qualitative research approach, using semi-structured interviews to collect data. With the permission granted by participants, all interviews were recorded, transcribed, and then analysed using thematic analysis. The research questions, which delve into the outlined research objectives, serve as a guide for the discussions of the findings.

Literature and findings from the study show that ransomware is considered a top concern for SA banks, with agreement that “it is not a matter of if ransomware attacks will happen, but rather a matter of when.” In response to this, findings show that the organisations covered in the scope of the study have employed a cyber-resilience strategy for the prevention and mitigation of ransomware attacks, as it is noted to be an effective strategy for preventing and mitigating ransomware attacks.

KEYWORDS

Cyber-attacks, ransomware, threat actors, Denial-of-service, cyber resilience, financial institutions, exposure, cyber-crime, NIST Framework, cyber threats

DECLARATION

I, Nqobile Mahlangu, attest that this research report was created using my own knowledge, investigation, and use of the materials and sources cited in the report. The report is submitted in partial fulfilment of the requirements for the degree of Master of Management in the field of Digital Business at the University of the Witwatersrand, Johannesburg. This research paper has not been submitted for a degree or an exam at another university in the past.

Name: Nqobile Mahlangu
Signature:
Date: 28 September 2023

DEDICATION

This research paper is dedicated to my darling husband Felane Mahlangu, my son Lethumusa and daughter Zenokuhle; it is through your love, patience, prayers, and encouragement that I was able to complete this paper. I love and appreciate you always.

ACKNOWLEDGEMENTS

First, I would like to raise up my praises in gratitude to my Lord and saviour Jesus Christ, for through Him I was able to successfully complete this paper. To my wonderful husband, Felane, for the encouragement, patience, prayers and holding me accountable throughout this journey. Thank you for always understanding and accommodating me; your unwavering support is not taken for granted and is credited to me succeeding in the completion of this paper.
To my two beautiful children, Lethumusa and Zenokuhle, for your patience and understanding, giving up some of your play time with mom so I can focus on completing this paper. To my family and friends, with a special mention of my mom, dad and ‘mama Thoko,’ thank you for your continued support and words of encouragement throughout this journey. To my supervisor, Dr Kiru Pillay, for the patience through the various challenges, the support, guidance, and valuable knowledge shared throughout this journey. To my employer and funder, for availing and encouraging learning opportunities, and for your support and understanding throughout the process of completing this research project. Lastly, I would like to thank all the participants for availing themselves and partaking in the study; the insights provided and valuable discussions have contributed immensely towards the success of this paper.

TABLE OF CONTENTS

ABSTRACT
DECLARATION
DEDICATION
ACKNOWLEDGEMENTS
LIST OF FIGURES
LIST OF TABLES
LIST OF ACRONYMS
1 Introduction
1.1 STATEMENT OF PURPOSE
1.2 BACKGROUND OF THE STUDY
1.2.1 FINANCIAL SERVICES
1.2.2 THREATS
1.2.3 RANSOMWARE
1.2.4 CYBER-RESILIENCE
1.3 RESEARCH PROBLEM
1.4 RESEARCH OBJECTIVES
1.5 RATIONALE
1.6 DELIMITATIONS OF THE STUDY
1.7 ASSUMPTIONS
1.8 DEFINITION OF TERMS
1.9 CHAPTER OUTLINE
2 Literature Review
2.1 INTRODUCTION
2.2 CYBER THREATS
2.2.1 CYBER THREAT LANDSCAPE
2.2.2 CYBER-ATTACKS ON FINANCIAL INSTITUTIONS
2.3 RANSOMWARE
2.3.1 ORIGINS OF RANSOMWARE
2.3.2 CATEGORIES OF RANSOMWARE
2.3.3 GLOBAL TRENDS OF RANSOMWARE
2.3.4 IMPACT OF RANSOMWARE ON SOUTH AFRICAN BANKING SECTOR
2.4 CYBER RESILIENCE
2.4.1 DEFINING CYBER RESILIENCE
2.4.2 UNDERSTANDING CYBER RESILIENCE AS A STRATEGY
2.5 FRAMEWORKS AND BEST PRACTICES THAT INFORM CYBER RESILIENCE
2.5.1 ISO 27000 SERIES
2.5.2 NIST CYBERSECURITY FRAMEWORK
2.5.3 COBIT
2.6 EVALUATION METHODS OF CYBER-RESILIENCE
2.6.1 CYBER RESILIENCE REVIEW (CRR)
2.6.2 CYBER-RESILIENCE ASSESSMENT FRAMEWORK (C-RAF)
2.6.3 ASSURANCE REVIEWS
2.6.4 METRICS
2.7 SENIOR MANAGEMENT AND CYBER RESILIENCY
2.7.1 MANAGEMENT’S AWARENESS OF RANSOMWARE AS A TOP RISK
2.7.2 ROLE OF SENIOR MANAGEMENT IN ENSURING CYBER-RESILIENCE
2.8 ANALYTICAL FRAMEWORK
2.8.1 THEORETICAL FRAMEWORK
2.8.2 NIST FRAMEWORK
2.9 CONCEPTUAL FRAMEWORK
2.10 RESEARCH PROPOSITIONS
2.10.1 PROPOSITION 1
2.10.2 PROPOSITION 2
2.10.3 PROPOSITION 3
2.10.4 PROPOSITION 4
2.11 CONCLUSION
3 Research Methodology
3.1 RESEARCH APPROACH
3.2 RESEARCH DESIGN
3.3 DATA COLLECTION METHODS
3.4 POPULATION AND SAMPLE
3.4.1 POPULATION
3.4.2 SAMPLE
3.4.3 SAMPLING METHOD
3.5 THE RESEARCH INSTRUMENT
3.6 PROCEDURE FOR DATA COLLECTION
3.7 DATA ANALYSIS AND INTERPRETATION
3.8 LIMITATIONS OF THE STUDY
3.9 QUALITY ASSURANCE
3.9.1 CREDIBILITY
3.9.2 DEPENDABILITY
3.9.3 TRIANGULATION
3.10 DEMOGRAPHIC PROFILE OF RESPONDENTS
3.11 ETHICAL CONSIDERATIONS
3.12 CONCLUSION
4 Research Findings
4.1 INTRODUCTION
4.2 RESEARCH OBJECTIVE 1: ASSESS THE LEVEL OF CONCERN AND PRIORITIZATION THAT ORGANISATIONS HAVE ON RANSOMWARE CYBER-ATTACKS
4.3 RESEARCH OBJECTIVE 2: INVESTIGATE THE KEY INFLUENCES THAT CONTRIBUTE TO A CYBER-RESILIENT POSTURE OF AN ORGANISATION AGAINST RANSOMWARE ATTACKS
4.4 RESEARCH OBJECTIVE 3: ASSESS THE ROLE AND INFLUENCE OF SENIOR MANAGEMENT IN INFLUENCING THE RESILIENT POSTURE AGAINST RANSOMWARE CYBER-ATTACKS
4.5 RESEARCH OBJECTIVE 4: INVESTIGATE HOW ORGANISATIONS CAN EVALUATE THE EFFECTIVENESS OF CYBER RESILIENCE AS A MITIGATING STRATEGY
4.6 SUMMARY OF FINDINGS
5 Discussion of findings
5.1 INTRODUCTION
5.2 DISCUSSION ON ASSESSING THE LEVEL OF CONCERN AND PRIORITIZATION THAT ORGANISATIONS HAVE ON RANSOMWARE CYBER-ATTACKS
5.2.1 DISCUSSION ON THE INVESTIGATION OF THE KEY INFLUENCES THAT CONTRIBUTE TO A CYBER-RESILIENT POSTURE OF AN ORGANISATION AGAINST RANSOMWARE ATTACKS
5.2.2 THE ABILITY TO IDENTIFY
5.2.3 ABILITY TO PROTECT
5.2.4 ABILITY TO RESPOND AND RECOVER
5.3 ROLE OF SENIOR MANAGEMENT
5.3.1 PRIORITIZING CYBER-RESILIENCE
5.3.2 ENCOURAGING A CYBER-RESILIENT CULTURE
5.3.3 DISCUSSION ON THE EVALUATION OF CYBER-RESILIENCE
5.3.4 BENCHMARKING AGAINST INDUSTRY STANDARDS
5.3.5 RED TEAMING EXERCISES AND PENETRATION TESTS
5.3.6 TABLETOP AND SIMULATION EXERCISES
5.3.7 BACKUP, DR AND RESTORATION TESTING
5.3.8 USE OF METRICS
5.4 CONCLUSION
6 Conclusions and Recommendations
6.1 INTRODUCTION
6.2 CONCLUSION REGARDING RQ1
6.3 CONCLUSION REGARDING RQ2
6.4 CONCLUSION REGARDING RQ3
6.5 CONCLUSION REGARDING RQ4
6.6 RECOMMENDATIONS
6.7 SUGGESTIONS FOR FURTHER RESEARCH
7 REFERENCES
APPENDIX A: Information sheet
APPENDIX B: Agreement form
APPENDIX C: Interview guide
APPENDIX D: Research analysis data association
APPENDIX E: Ethical Clearance Certificate

LIST OF FIGURES

Figure 1 Cyber-kill Chain Model (Source: Researcher, 2023)
Figure 2 How a Botnet Attack Works (Source: BasuMallick, 2022)
Figure 3 The flow of how ransomware works (Source: Leventopoulos, 2022)
Figure 4 Number of cyber incidents in the financial industry worldwide from 2013 to 2021 (Source: Petrosyan, 2022)
Figure 5 Evolution of Ransomware (Source: O'Kane et al., 2018)
Figure 6 Categories of ransomware (Source: Andronio et al., 2015)
Figure 7 Ransomware by the numbers (Source: MARSH, 2023)
Figure 8 The Cyber Resilience Process (Source: Conklin et al., 2017)
Figure 9 Five Principles of COBIT 5 (Source: IT Governance, 2022)
Figure 10 CRR Domain Composition (Source: U.S. Department of Homeland Security, 2020)
Figure 11 Inherent Risk Rating mapping to Expected Maturity Level (Source: Lee, 2016)
Figure 12 Maturity assessment (in seven domains) (Source: Lee, 2016)
Figure 13 Components of the maturity assessment (Source: Hong Kong Monetary Authority, 2016)
Figure 14 Cyber Resiliency Metrics Can Repurpose Security, Risk, or Resilience Metrics (Source: Bodeau et al., 2018)
Figure 15 Routine Activity Theory (RAT) (Source: Govender et al., 2021)
Figure 16 Application of Routine Activity Theory (Source: Researcher own, 2022)
Figure 17 Five Core functions for effective Cybersecurity (Source: Hanacek, 2018)
Figure 18 Adaptive Cyber Resilient Framework (Source: Researcher own, 2023)

LIST OF TABLES

Table 1 Cyber incidents involving financial institutions (Source: Carnegie, 2023)
Table 2 Cyber incidents involving financial institutions (Source: Carnegie, 2023)
Table 3 Common Assurance Methods (Source: National Cyber Security Centre, 2023)
Table 4 Types of Triangulation (Source: Guion, 2002)
Table 5 Information of participants

LIST OF ACRONYMS

APT: Advanced Persistent Threats
CIA: Confidentiality, Integrity, and Availability
CIO: Chief Information Officer
CISO: Chief Information Security Officer
COBIT: Control Objectives for Information and Related Technologies
CRMM: Cyber Resilience Maturity Model
CRR: Cyber Resilience Review
CSIR: Council for Scientific and Industrial Research
DDOS: Distributed Denial of Service
DLP: Data Loss Prevention
ICT: Information and Communication Technology
IDS: Intrusion Detection System
IPS: Intrusion Prevention System
IRP: Incident Response Plan
ISO/IEC: International Organisation for Standardisation / International Electrotechnical Commission
ISS: Information Systems Security
NCPF: National Cybersecurity Policy Framework
NIST: National Institute of Standards and Technology
RAT: Routine Activity Theory
SA: South Africa
SABRIC: South African Banking and Risk Information Centre
VA: Vulnerability Assessment

1 Introduction

1.1 Statement of purpose

This qualitative study investigates the effectiveness of cyber-resilience as a strategy in mitigating ransomware cyber-attacks within the South African financial sector.

1.2 Background of the study

In recent years, digital transformation has become topical as many organisations in both the public and private sectors have explored ways to use technology to digitally reach their customers, automate their processes, and leverage the data generated to develop various efficiencies and remain competitive (Blafka, 2023).
The drive for digital transformation within organisations can be linked to the rapid and prominent introduction of digital innovations, which are causing what is termed ‘digital disruption’ across different industries (Skog, Wimelius, & Sandberg, 2018). Bradley et al. (2015) introduce the concept of a digital vortex to highlight how various industries are impacted by digital disruptions. The digital vortex illustrates the inevitable movement of the different industries towards a “digital centre”, where processes, business offerings and customer reach are all digitised.

1.2.1 Financial Services

One of the industries identified as being drawn into the centre of the digital vortex is financial services. ‘Financial Services’ cover a broad range of activities, which include banking, investing, and insurance (Asmundson, 2011). In considering the role that financial services play in a South African context, the National Treasury Policy Document (2011) describes financial services as being at the heart of the South African economy, which allows people to make daily economic transactions, save and preserve wealth to meet future aspirations and retirement needs, and insure against personal disaster. The Treasury report (2011) further highlights that financial services “enable economic growth, job creation, the building of vital infrastructure, and sustainable development for South Africa”. As financial services digitally transform and adopt technologies that enable their strategic objectives, they also become inherently more vulnerable to cyber-attacks. According to Pieterse (2021), the frequency and severity of cyber-attacks have escalated and have been experienced on a global scale. South Africa has not been immune to these cyber-attacks.

1.2.2 Threats

Cyberattacks have increased, particularly in South Africa, according to a Surfshark report that places the country among the top five nations affected by cybercrime and shows that the country's cybercrime density increased by 7.8% between 2021 and 2022 (DefenceWeb, 2023). A report by Accenture (2020) highlighted South Africa as “having the third most cybercrime victims worldwide, causing a loss of R2,2 billion a year”. The rise in cyber threats indicates that cyber criminals are finding South Africa an attractive target. The Accenture report (2020) further argues that threat actors perceive South African organisations to have weaker defences than those in developed countries, together with a widely held belief that one has a lower chance of being caught or prosecuted when committing a crime in South Africa. The following are listed as interconnected factors that contribute to threat actors targeting South Africa:

• Lack of investment in cybersecurity
• Developing cybercrime legislation and law enforcement training
• Poor public knowledge of cyber threats
• The use of shadow IT

1.2.3 Ransomware

While there are a number of cyber-attack vectors used by threat actors, the use of ransomware as an attack path has increased in popularity. Ransomware is understood as ‘a form of malware that uses algorithms to encrypt a user’s files so that they cannot be accessed without a decryption key.’ The attackers then request that an amount of money, commonly in cryptocurrency, be paid to them in exchange for the decryption key (Group IB, 2018). It is important to note that the deployment of ransomware is the last step of a successful attack: by that point the threat actor has already breached the organisation's network and stolen and/or encrypted its data.

To understand the key phases threat actors follow to successfully deploy a ransomware attack, one can consider the Cyber Kill Chain model with an example attack path as illustrated in Figure 1 below:

Figure 1 Cyber-kill Chain Model (Source: Researcher, 2023)

The rise in the use of this attack path can be attributed to the financial gain that threat actors stand to make if they succeed in deploying ransomware. Additionally, the introduction of ransomware-as-a-service (RaaS) has made it easy for underground criminals to access ransomware and conduct malicious activity without needing to be highly skilled. Accenture (2020) further suggests that some threat actors use South Africa as a testing ground for malware before deploying it against more sophisticated targets. Ransomware attacks in South Africa remain a top-of-mind threat for many organisations, with South Africa cited as the country most affected by targeted ransomware in the first quarter of 2021, according to Interpol (2021).

Some notable ransomware attacks and attempts include the following recorded incidents:

• 2019 | The South African Banking and Risk Information Centre (SABRIC) confirmed a ransom-driven Distributed Denial-of-service (DDOS) attack that targeted various South African banks (Fin24, 2019).
• 2021 | South African banks were caught up in a third-party exposure where a debt collector (Debt-IN) associated with several SA banks was compromised by a ransomware attack, exposing as many as 1.4 million personal records of South Africans (Moyo, 2021).
• 2021 | State enterprise Transnet experienced a cyber-attack which affected container terminals and forced Transnet to halt operations at container terminals in several cities in South Africa. Transnet was forced to declare force majeure at its container terminals and switch to manual processing of cargo (CCDCOE, 2021).
• 2023 | The Western Cape Provincial Parliament experienced a cyber-attack during which, for a period, its ICT systems were rendered inaccessible (McCain, 2023).

A study by the central bank indicates that a number of cyber threats are increasing within the banking sector, with a Prudential Authority report highlighting ransomware as an attack path that is also on the rise and a concern for the South African banking sector (SARB, 2022). In the case of financial services, when it comes to the defence against, response to, and recovery from cybercrimes, cyber resilience is of paramount importance, as it is critical to ensure that they can maintain the confidentiality, integrity, and availability (CIA) of the data and systems used. This is often cited as the “crown jewel” which attackers may seek to compromise.

1.2.4 Cyber-resilience

Consequently, cyber resilience, which is commonly understood as an organisation's ability to anticipate, prevent, withstand, and recover from cyber-attacks (Ross et al., 2021), has equally become a top priority for organisations. Cyber resilience rests on a set of key goals which, according to Ross et al. (2021), include:

Anticipate: An organisation being able to anticipate threats, which can be achieved in several ways, such as by identifying and understanding the organisation’s assets so that adequate plans can be created in case a threat materialises. Investing in threat intelligence capabilities can also help an organisation be better prepared for potential attacks. The key driver of anticipating attacks is to ensure that an organisation can plan for, and potentially prevent, an attack materialising.

Prevent: Preventative solutions may not always provide a foolproof solution to potential cyber-attacks, but they can help organisations reduce the probability of an attack taking place as well as limit an attack’s blast radius. Some of the common approaches to increasing prevention include having strict access controls in place, ensuring there are backups in place, and increasing user awareness and training to build a human defence (Beaman et al., 2021).

Withstand: Being prepared to withstand an attack assumes that an attack will happen, and when it does, the organisation needs to be clear in its response. A response to an attack takes varied forms depending on the risk appetite of the organisation. Depending on the level of potential impact, an organisation can choose to absorb some level of attack while ensuring that the infection is contained, reducing the blast radius of infection throughout the network by implementing solutions like network segmentation and zero trust. Organisations can also elect to deflect and transfer the risk to an insurance company, which, in the case of ransomware, can assist with ransom payments or the recovery of lost systems.

Recover: Planning for recovery assumes that an attack has materialised and that the organisation has experienced losses. A key factor in being able to recover is ensuring that backups are in place and that the organisation can adequately recover from those backups. In the case of ransomware, backups that are linked to the network may prove futile if an attacker is able to reach and alter them as part of an attack. A growing alternative is for organisations to ensure that they have immutable backups or offline copies from which they can recover. A pertinent question remains whether organisations would be able to recover fast enough to limit business impact and maintain their CIA even if they had immutable or offline backups.

Adapt: To ensure sustainable cyber resiliency, an organisation needs to maintain continuous correction by removing or adding controls that are fit for purpose and in line with the changing threat landscape. Through attack simulation, intelligence collected on emerging threats, or simply learning from materialised cyber-attacks, organisations can better prepare themselves by reviewing, redefining, and adjusting things like systems' requirements, architecture, design, configuration, acquisition processes, or operational processes to ensure that resiliency is maintained.

When putting together a cyber-resilience strategy, one also needs to consider cybersecurity frameworks that would be fit for purpose as a guide. One popular framework is the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which provides guidance on what organisations need to consider as part of improving their cyber resilience (Scofield, 2016). The NIST framework is cited as a widely accepted and adopted approach by organisations to facilitate cybersecurity risk management (Gordon, Loeb, & Zhou, 2020). The NIST Cybersecurity Framework is intentionally broad and flexible to allow companies to adopt the macro-overview approach while having the flexibility to apply the details of the implementation in line with organisations’ needs and strategies (Gordon, Loeb, & Zhou, 2020). The framework achieves this by outlining five main functions: identify, protect, detect, respond, and recover, giving organisations guidance on which function they may need to focus on to improve their cyber resilience (Lawyer, 2014). Other industry frameworks that can be considered when constructing a cyber-resilience strategy include the ISO/IEC Security Control Standards, CIS Critical Security Controls, COBIT, and the Cybersecurity Assessment Framework (CAF), to name a few.

Financial services are a target of cyber-criminals looking for financial gain and therefore increasingly need to focus on improving their cyber resilience to minimise the likelihood and impact of attacks (Imeson, 2020).
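The Recover goal above turns on three checks a DR test should make explicit: that a backup is still intact, that it sits in a tier an attacker on the production network cannot alter, and that it can be restored within the recovery time objective. The Python script below is an added example, not code from the report, that models that recovery-point selection over a constructed backup catalogue; the tier names, timings and RPO/RTO values are assumptions.

```python
"""Recovery-point selection check.

Added example, not code from the report: it models the Recover goal, where a
network-attached backup may have been altered by the attacker, so the plan must
verify integrity, prefer immutable or offline copies, and confirm the restore
fits the RTO. All catalogue entries, tiers, contents and restore times are
constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: these tiers cannot be written to from the production network.
TRUSTED_TIERS = {"immutable", "offline"}

# Constructed "current time" used by the sample scenario.
SAMPLE_NOW = datetime(2023, 9, 28, 8, 0)


@dataclass
class Backup:
    name: str
    tier: str                 # "online" (network-attached), "immutable" or "offline"
    taken_at: datetime
    recorded_sha256: str      # digest written to the catalogue when the backup was taken
    content: bytes            # stand-in for the archive as it exists now
    restore_minutes: int      # restore time measured in the last DR test


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(name: str, tier: str, taken_at: datetime,
                content: bytes, restore_minutes: int) -> Backup:
    """Catalogue a backup, recording the digest of its content at backup time."""
    return Backup(name, tier, taken_at, sha256_hex(content), content, restore_minutes)


def is_intact(backup: Backup) -> bool:
    """Tamper check: the archive must still hash to the digest recorded at backup time."""
    return sha256_hex(backup.content) == backup.recorded_sha256


def select_recovery_point(catalogue, now: datetime, rpo_hours: float, rto_hours: float):
    """Return (chosen_backup, findings).

    The chosen backup is the newest one that is intact, held in a trusted tier and
    restorable within the RTO. Findings record why each rejected candidate was
    skipped and whether the chosen one breaches the RPO, which is what a DR test
    report needs to show.
    """
    findings = []
    for b in sorted(catalogue, key=lambda x: x.taken_at, reverse=True):
        age = now - b.taken_at
        if not is_intact(b):
            findings.append(f"{b.name}: REJECT, digest mismatch (possible tampering)")
        elif b.tier not in TRUSTED_TIERS:
            findings.append(f"{b.name}: REJECT, tier '{b.tier}' is reachable from the network")
        elif b.restore_minutes > rto_hours * 60:
            findings.append(f"{b.name}: REJECT, restore of {b.restore_minutes} min exceeds RTO")
        else:
            if age > timedelta(hours=rpo_hours):
                findings.append(f"{b.name}: WARN, age {age} exceeds RPO of {rpo_hours} h")
            findings.append(f"{b.name}: SELECTED (tier={b.tier}, restore={b.restore_minutes} min)")
            return b, findings
    findings.append("NO USABLE RECOVERY POINT")
    return None, findings


def sample_scenario():
    """Constructed scenario: the NAS copy was overwritten during the attack, the
    immutable copy is untouched but older than the RPO, and the offline tape is
    intact but too slow to restore within a 4-hour RTO."""
    now = SAMPLE_NOW
    ledger = b"account ledger snapshot (constructed)"
    nas = make_backup("nas-daily", "online", now - timedelta(hours=6), ledger, 45)
    nas.content = b"<overwritten by the intruder>"        # attacker reached the NAS share
    locked = make_backup("objlock-daily", "immutable", now - timedelta(hours=30), ledger, 90)
    tape = make_backup("offsite-tape", "offline", now - timedelta(hours=28), ledger, 720)
    return select_recovery_point([nas, locked, tape], now, rpo_hours=24, rto_hours=4)


if __name__ == "__main__":
    chosen, report = sample_scenario()
    for line in report:
        print(line)
    print("recover from:", chosen.name if chosen else "none")
```

In the constructed run the newest copy is rejected as tampered, the tape is rejected on RTO, and the immutable copy is selected with an RPO warning, which is the kind of gap a restoration test is meant to surface.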
1.3 Research problem An adequate response and recovery to a ransomware attack is a concern for South African financial service organisations (Ngila, 2022). An improved cyber resilience posture is a well-understood strategy to mitigate cyber-attacks. There is however, a dearth of information on the extent and effectiveness of cyber resilience strategies for mitigating cyber-attacks being adopted within the South African financial sector. According to Dupont (2019), though the concept of cyber resilience has become popular in discussions on cybersecurity, it is often seen as difficult to define and measure. However, with organisations coming to terms with the realisation that no organisation is immune to cyber-attacks, cyber resilience strategies offer attractive approaches to effectively mitigate cyber-attacks (Dupont, 2019). Therefore, it is opportune for a study to investigate the effectiveness of cyber resilience strategies to mitigate ransomware cyber-attacks that can be adopted by South African financial services as part of their cybersecurity strategy. 1.4 Research objectives The objective of this study is to investigate the cyber-resilient strategies that banks in South Africa are adopting to mitigate and adequately respond to ransomware cyber-attacks. To achieve its objectives, the study will: • Assess the level of concern and prioritisation that organisations have for ransomware cyber-attacks. • Investigate the key influences that contribute to the cyber-resilient posture of an organisation against ransomware attacks. • Assess the role and influence of senior management in influencing the resilient posture against ransomware cyber-attacks. 23 • Investigate how organisations can evaluate the maturity and effectiveness of cyber resilience as a mitigating strategy. 
To support the research objective, below is the main research question and its sub-questions: Main research question – How effective is a cyber-resilience strategy in mitigating against ransomware related cyber-attacks within South African banks? Sub-question one - Does financial institutions' cybersecurity strategy prioritize the threat of ransomware? Sub-question two - What are the factors that influence the cyber resiliency posture of a South African financial institution? Sub-question three - Can management’s involvement in establishing a cybersecurity strategy accelerate the organisations’ cyber resilience maturity? Sub-question four - How can financial institutions assess how well their cyber resilience works as a mitigation strategy? Using these questions as guidance, the study will investigate strategies that would be effective in reaching a desirable cyber resilient maturity level to mitigate ransomware related cyber-attacks for financial institutions. 1.5 Rationale Organisations are noted to be accelerating digital transformation through the adoption of technology to enable their strategic objectives (Accenture, 2019). Pancholi et al. (2019) highlights that regardless of an organisation’s digital footprint, where an organisation has a reliance on technology, there is an inherent risk of cybercrime. This brings about a pertinent question and point of interest that organisations need to consider in terms of how they would need to go about securing themselves from these cybercrimes. This study is positioned to contribute to research (and organisations) on areas of focus to curate effective cyber resilience strategies as part of their digital transformation journey. 24 1.6 Delimitations of the study The concerns around cyber-attacks span across many different industries, including but not limited to healthcare, telecoms, energy and utilities, construction, financial institutions, etc. 
(SecurIT, 2021), making it too large a scope to consider for a single research study. For the purposes of this study, amongst the various industries, the focus will be placed on financial services, highlighted as one of the industries that is already being pulled towards the digital centre. To further narrow the scope of this study, the focus will be placed on banking, which, according to Asmundson (2011), primarily offers services such as administering payments, accepting deposits, helping companies buy and sell securities, foreign exchange, and derivatives, and managing assets, amongst many others, as the core function evolves over the years. In South Africa, four (4) banks are commonly cited as the major banks, namely Absa Group Limited, FirstRand Bank, Nedbank, and Standard Bank. Within the banking sector, there are also areas of focus such as physical security that can be considered when developing a cyber-resilient strategy (Wyss et al., 2007). For this study, physical security will be excluded.

1.7 Assumptions

The assumptions made in this study are that all the main South African banks are on a digital transformation journey and, as a result, would be equally concerned about following an effective cyber-resilient strategy against cyber-crimes. Therefore, all the employees invited to participate in the study from the aforementioned banks will be willing to participate as respondents. Participants will be well versed in cybersecurity concepts and will understand the cyber threat landscape. The study will be able to collect adequate data for analysis and use within the study, as cyber-resilience is topical and imperative for all the banks to have in place.

1.8 Definition of terms

Cyber Resilience – The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources (Ross et al., 2020).
Cybersecurity – The process of protecting information by preventing, detecting, and responding to attacks (NIST, 2018).
Cyber Threat – Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organisations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service (CSRC, 2015).
Digital Transformation – A unique transformation that organisations undergo, as it depends on understanding the role of data and available technologies, which bring drastic changes to an organisation's structure and capabilities (Baslyman, 2022).
Distributed Denial-of-service (DDoS) – A denial of service technique that uses numerous hosts to perform the attack (CSRC, 2015).
Risk – A measure of the extent to which an organisation is threatened by a potential circumstance or event, and typically a function of the following: (a) the adverse impacts that would arise if the circumstance or event occurs; and (b) the likelihood of occurrence. Likelihood is influenced by the ease of exploit and the frequency with which an assessment object is being attacked at present (CSRC, 2015).
Threat Actor – The instigators of risks with the capability to do harm (CSRC, 2015).
Vulnerability – Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source (CSRC, 2015).

1.9 Chapter Outline

The outline of this study is structured in six (6) chapters.

Chapter 1: Introduction
This chapter introduces the research study, outlining the purpose and background of the study, positioning the research problem, and the research objectives coupled with the research questions.
This is followed by a view of the delimitations of the study, the definition of the key terms and assumptions made in the study, and finally the chapter outline.

Chapter 2: Literature Review
Chapter 2 outlines the literature review aligned to the proposed research topic, objectives, and questions covered in chapter 1. This is achieved by reviewing specific topics related to the research questions. The section further presents consideration of a theoretical framework and proposes an analytical framework.

Chapter 3: Research Methodology
Chapter 3 outlines the research methodology, covering the research approach and research design, data collection methods, and the procedures for data collection and analysis strategies. The section also covers limitations and challenges anticipated in the study, as well as ethical considerations.

Chapter 4: Research Findings
Chapter 4 outlines findings from the research conducted on South African banks' cyber resilience strategies against ransomware attacks. The section summarises responses from the interviews conducted with various participants working in SA banks and is presented in a narrative format, where verbatim extracts from the interviews are indicated using quotation marks.

Chapter 5: Findings Discussion
Chapter 5 focuses on the discussion of the findings extracted from the semi-structured interviews, linking key points to answering the research question and further supporting a better understanding of the overall research study.

Chapter 6: Conclusions and Recommendations
This chapter provides an overall summary and conclusion of the study in line with the research questions and propositions. Additionally, the researcher provides recommendations as well as suggestions for further research.
2 Literature Review

2.1 Introduction

South African financial institutions are embracing digital transformation, where many organisations are forced to ‘adapt or die’ to remain leaders in their respective trades. This drive to adapt has required South African institutions to also relook at their business strategies and operations and leverage technologies to remain relevant in a competitive market (Kekwaletswe & Modiba, 2020). Inherent to digital transformation in organisations is an increase in cyber threats, which can have a significant impact on their daily operations, especially if the organisations’ cyber resilience is not effective. In a bid to prevent and mitigate cyber threats, cyber resilience has been explored as a potentially effective strategy. This chapter aims to review the literature in line with the proposed research topic, research problem, objective, and research questions. The review examines literature that relates to cyber threats, ransomware, cyber resilience, and the role of senior management in the context of building an effective cyber resilience strategy for an organisation. This section closes with the analytical framework and conclusion.

2.2 Cyber Threats

2.2.1 Cyber Threat Landscape

The cyber threat landscape is constantly evolving as cyber attackers develop new techniques for attack paths, use new tools, and establish new targets to exploit vulnerabilities (Deloitte, 2014). Cyber threats can have impacts ranging from compromising data confidentiality, integrity, and availability to disrupting critical infrastructure, which many organisations depend on for business continuity. Materialised cyber-attacks can cause great financial and non-financial impact, including reputational damage and customer loss, and may even undermine national security.
Over the past couple of years, the growth of cyber incidents has been noted, impacting even some well-known and otherwise well-established organisations such as SolarWinds (Security, 2021), Microsoft, and a Michigan-based bank (Heiligenstein, 2022), amongst many other examples. South Africa has not been immune to cyber incidents, with examples such as credit bureau Experian, which suffered a data breach; Transnet, which suffered a ransomware attack; the Justice Department; and the South African National Space Agency also falling victim to cyber-attacks (Moyo, 2022). In 2019, the South African Banking Risk Information Centre (SABRIC) also confirmed a ransom-driven distributed denial-of-service (DDoS) attack that targeted various South African banks (Fin24, 2019). Furthermore, South African banks have been caught up in third-party exposure where a debt collector (Debt-IN) associated with several SA banks was compromised by a ransomware attack, exposing as many as 1.4 million personal records of South Africans (Moyo, 2021). It is, however, key to note that globally, cyber-attacks are well reported and documented, although one can only really find reported and well documented cyber incidents up until the end of 2016 (Pieterse, 2021), whereas in the South African context the maturity of reporting and documenting cyber-attacks is still developing. The assumption is that South African organisations may fear that reporting would be taken as an indication of security weakness in their respective organisations.

As noted in the reported incidents, cyber threats come in different forms. Below is a view of four categories of attacks as presented by the Ponemon Institute (2014):

Botnets: Botnet attacks are cited as being financially motivated. These attacks use multiple networks of infected hosts to run bots on devices, thereafter using all the infected devices to attack an organisation's critical infrastructure, such as its servers, websites, and devices (Ponemon Institute, 2014).
Below is a visual illustration of how a botnet attack would work:

Figure 2 How a Botnet Attack Works (Source: BasuMallick (2022))

Distributed denial-of-service (DDoS) attacks: A DDoS attack is defined as ‘a denial-of-service technique that uses numerous hosts to perform the attack’ (CSRC, 2015). This type of attack has become popular with threat actors who wish to make a statement, and it is noted that organised criminals use it to blackmail companies, also distracting the incident response teams of organisations while they launch further attacks on the organisation (Ponemon Institute, 2014). One can also note that a botnet is often used in a DDoS attack (Petters, 2020).

Insider Threats: An insider threat is often caused by an authorised person or entity who can be authenticated and authorised to get past the organisation's security controls (i.e., an employee with privileged access). An attack by an insider often cannot be detected by the organisation's security system, but monitoring of employee behaviour could help identify a rogue employee who may be motivated to launch an insider attack (Ponemon Institute, 2014).

Advanced Persistent Threats (APTs): This type of threat is where an intruder successfully gains access to the target’s network but remains undetected for a lengthy period while they use the time to collect information on the organisation that they can use at a later stage (Ponemon Institute, 2014). This type of threat is a particularly big challenge for security teams, who will need to continuously scan the network for any suspicious activity and investigate deception tools where necessary to try to catch the intruder.

Ransomware: Ransomware is commonly understood as a sort of malware that locks down files on a victim’s computer or device and thereafter demands a ransom from the victim.
The ransom is usually paid using a payment method that cannot be traced back to the threat actor, such as bitcoin or similar, for the victim to recover access to the compromised system (Kiru & Jantan, 2019). Below is a visual illustration of how a ransomware attack would be deployed:

Figure 3 The flow of a ransomware attack (Source: Leventopoulos (2022))

2.2.2 Cyber-attacks on financial institutions

The growth of cyber-attacks has accelerated cyber risks to financial institutions. Data indicates that attacks are no longer deployed for financial gain but are focused on destroying data or files, or on interrupting services or networks (Gulyás & Kiss, 2023). Considering that financial institutions host enormous amounts of data, where customers rely on them to keep the data confidential and to preserve its integrity, and that the availability of services is of paramount importance to serving customers, financial institutions are attractive targets to attackers (Doerr et al., 2022). According to Gulyás et al. (2023), the underlying question that financial institutions face is no longer whether they will be “attacked or not”, but rather “when” they will be attacked. A comparison by Petrosyan (2022) of the number of cyber-attacks on financial institutions recorded between 2013 and 2021 indicates a significant rise in cyber incidents in the year 2021. When interrogating the trend, an increase over the years is evident, as illustrated in figure 4.

Figure 4 Number of cyber incidents in the financial industry worldwide from 2013 to 2021 (Source: Petrosyan (2022))

The impact of COVID-19 has seemingly also caused a surge in cyber-attacks on financial institutions. Because of COVID-19, organisations, including financial institutions, were forced to conduct their business remotely.
This consequently increased the vulnerability of insecure network connections used by employees working from home, with indications that up to 47% of individuals were likely to fall for phishing scams, and that more than 500 000 people were impacted by breaches where their personal data from video conferencing was subsequently stolen and sold on the dark web (Nabe, 2023). According to Skelton (2017), apart from the impact of cyber-attacks compromising the CIA (confidentiality, integrity, and availability) of a financial institution, the nature of a bank's business increases the risk of a domino-effect impact across all banks should just one of them succumb to a cyber-attack. Below are some examples of cyber-attacks that involved financial institutions:

Incident | Impact | Location | Year
Beanstalk Farms cryptocurrency theft | The decentralised finance platform Beanstalk Farms lost $180 million in a cryptocurrency heist. | United States | 2022
Fakecalls banking trojan | The banking Trojan Fakecalls can ‘talk’ to victims and pretend to be an employee of the bank to gain access to the victims’ contacts, microphone, camera, location and call handling; attackers attempt to gain payment data or confidential information from the victim. | South Korea | 2022
Ronin cryptocurrency theft | Blockchain project Ronin lost $615 million in ether and USD Coin tokens in the second largest cryptocurrency heist to date. | Canada | 2022
TransUnion SA data breach | A cyber-attack saw around three million customers' data stolen by a criminal third party. | South Africa | 2022
Aon ransomware attack | Aon was hit by a ransomware attack, causing limited disruption to a number of their services. | United States | 2022
OCBC phishing scam | 790 banking customers of Singaporean bank OCBC were targeted in a phishing scam, resulting in a loss of at least $13.7 million. | Singapore | 2021
Bitmart security breach | Bitmart, a crypto trading platform, experienced a major security breach, resulting in hackers withdrawing almost $200 million in assets. | Multiple locations | 2021
Taiwanese financial institutions cyber espionage | Attackers ran malicious code on local systems and installed a RAT that allowed them to maintain persistent remote access to the infected system. | Taiwan | 2021
Banking trojan targets Indian Android-based financial customers | Android phone banking customers in India were targeted by the Drinik banking trojan malware. The malware stole users' personal data and funds using phishing techniques. | India | 2021
German banks hit by DDoS attack on IT provider | A German company that operates technology for the nation's cooperative banks was hit by a DDoS attack, disrupting more than 800 financial institutions in the country. | Germany | 2021

Table 1 Cyber incidents involving financial institutions (Source: Carnegie, 2023)

The table above provides a view of multiple incidents targeted at financial institutions in just two years; many more similar examples exist across the globe, highlighting a great concern for financial institutions.

2.3 Ransomware

2.3.1 Origins of ransomware

Ransomware, well known as malicious malware, has been wreaking havoc in the online world for many years. By encrypting files, it prevents users from accessing their systems (O'Kane et al., 2018). A ransom is requested for victims to regain access to their files. According to Kansagra et al. (2015), the earliest recorded ransomware attack was in 1989, a Trojan called “PC Cyborg” or “AIDS Trojan”. A Trojan is understood as malware that disguises itself as a standard programme to hide and mislead as to its true intent (Crowdstrike, 2017); this one displayed a message that the user’s licence had expired and that they would need to make a payment to unlock it. According to O'Kane et al. (2018), the creator of the ‘AIDS Trojan’ was a man called Joseph Popp, who is referred to as the founder of ransomware.
Later, in 2005, another ransomware variant (TROJ_CRYZIP.A) was reported in Russia, where files were zipped with a password and a ransom note was left for users to pay to access the files (Kansagra et al., 2015). In later years, the evolution of ransomware saw threat actors begin to use encryption of data and request ransom in exchange for the decryption keys. Over the years, ransomware as an attack path has grown by up to 600% (O'Kane et al., 2018). An evolution timeline for ransomware is shown in the figure below:

Figure 5 Evolution of Ransomware (Source: O'Kane et al., 2018)

As the attack path evolved, the payment of the ransom also evolved. According to O'Kane et al. (2018), payment methods evolved from threat actors requesting gift vouchers, using payment systems like PayPal, and using prepaid online payment systems such as Paysafecard and MoneyPak, which are methods not linked to an individual’s bank account, making them difficult to trace. However, the one payment method that has become popular is payment using cryptocurrency, specifically bitcoin, because of the anonymity this method provides, making it close to impossible to trace the threat actor.

2.3.2 Categories of ransomware

According to Bearman et al. (2021), ransomware can be characterised into three main forms, namely locker, crypto, and scareware, as shown in the figure below:

Figure 6 Categories of ransomware (Source: Andronio et al., 2015)

2.3.3 Global trends of ransomware

A preliminary literature review suggests that there is a heightened focus on ransomware at the board level, and that organisations are increasing their capability in cyber resiliency in preparation for when an attack does happen (Tuttle, 2021).
Tuttle (2021) further notes that regulators, customers, and shareholders increasingly hold corporate leaders personally accountable for cybersecurity failures, which brings an added level of pressure to the senior management and boards of financial services organisations, as they are highly regulated and the nature of their business has a direct impact on customers and shareholders. Some of the attack methods or patterns include the use of social engineering tactics or phishing campaigns to gain administrative privileges, after which the threat actor can move laterally within the network and exploit vulnerabilities. If an attacker is successful in gaining administrative privileges, they are also able to start gathering data, which can later be used to bargain for ransom. According to Aurangzeb et al. (2017), ransomware attacks all share similar characteristics, which include device locking, data encryption, data deletion, data stealing, and sending threatening messages. The detection of the evolving techniques used is noted to be maturing, with ongoing investigations to improve the effectiveness of detecting new patterns (Kapoor et al., 2021).

When considering trends, one key trend that has also been recorded is that attackers target organisations' backups first and use this as bargaining leverage for the ransom to be paid. This is because organisations previously relied on their backups for business continuity, which they could restore from. The risk, however, remained that threat actors could still sell or leak personal information that was stolen, which would still compromise the confidentiality of the data that organisations keep. According to a report by MARSH (2023), a global leader in insurance broking and risk advisory, ransomware attacks are ‘intensifying in frequency, severity, and sophistication’. The statistics collected by MARSH are reflected below.
Figure 7 Ransomware by the numbers (Source: MARSH, 2023)

2.3.4 Impact of ransomware on the South African banking sector

Although ransomware is not a new phenomenon, it has recently become more common and sophisticated because of the accessibility of encryption technologies, anonymous payment methods, and exploit kits, with COVID-19 exacerbating ransomware attacks on various institutions within healthcare, financial services, and government (Bearman et al., 2021). Financial institutions, in particular banks, may suffer severe harm because of ransomware attacks, including financial losses, operational and availability impacts, reputational damage, and regulatory impacts resulting in fines. The financial losses can be attributed to having to pay the ransom, as well as indirect financial losses such as customer attrition, loss of trust, recovery efforts, loss of opportunities, and regulatory fines. The impact further extends to legal obligations regarding the duty of care over customer personal data, which may be compromised because of a ransomware attack (Akinbowale et al., 2023; SABRIC, 2019; Ogunjuyigbe, 2020).

Stats and trends

According to SABRIC (2023), 13 438 incidents across banking apps, online banking, and mobile banking cost the industry more than R250 000 000 in gross losses. It is, however, not clear how many of these incidents are ransomware. The researcher also notes that there is a dearth of information in the literature relating to ransomware attacks in the South African banking sector. The following ransomware incidents occurred in South African financial institutions, some of which were banks, according to a timeline by Carnegie (2023).
Incident | Impact | Location | Year
Dexter malware hits South Africa's banks | Hackers infected electronic point-of-sale terminals with a malware called Dexter, allowing them to breach most major South African banks and make off with millions of rand. | South Africa | 2013
South African insurer ransom attack | South African insurer Liberty Holdings was targeted by hackers who claimed to have seized data from the firm. The hackers threatened to publicly disclose the data unless compensated. | South Africa | 2018
SABRIC DDoS attacks | The South African Banking Risk Information Centre (SABRIC) reported a series of distributed denial-of-service attacks which targeted several public-facing services across multiple banks in the country. The attacks started with a ransom note delivered via email to several publicly available addresses. | South Africa | 2019
South African debt collector ransomware attack | Debt-IN Consultants, a South African debt collector, was hit by a major ransomware attack, resulting in a significant data breach of consumer and employee personal information. The data of more than 1.4 million South Africans was illegally accessed from the company’s servers, with confidential consumer data and voice recordings of calls between Debt-IN debt recovery agents and financial services customers posted on the dark web. | South Africa | 2021

Table 2 Cyber incidents involving financial institutions (Source: Carnegie, 2023)

2.4 Cyber Resilience

2.4.1 Defining Cyber Resilience

Dupont (2019) defines cyber-resilience as “the capacity to withstand, recover from, and adapt to the external shocks caused by cyber risks.” Dupont (2019) further states that cyber-attacks have become inevitable, and that even mature financial institutions would not be able to eliminate threats despite the amount they invest in cybersecurity technologies. In the cybersecurity industry, one often hears the phrase “it’s not if an attack will happen, but rather when it will happen” (Pearlson et al., 2021).
The key question subsequently becomes, ‘How prepared is the organisation to detect, respond, and recover accordingly?’ These are key activities within a cyber-resilient strategy for mitigating attacks. Pearlson et al. (2021) cite that 47% of organisations have not yet assessed their incident response teams, which potentially means that when an attack does take place, the impact could be dire (Ponemon Institute, 2014).

2.4.2 Understanding Cyber Resilience as a strategy

According to Johnson et al. (2011), strategy is defined as:

“…the direction and scope of an organisation over the long term. It achieves advantage for the organisation through its configuration of resources within a changing environment to meet the needs of markets, customers, or clients and to fulfil stakeholder expectations.”

In line with Johnson et al.'s (2011) definition of strategy, ensuring that an effective cybersecurity strategy is in place not only ensures that the operations of organisations are safeguarded but also ensures that customers or clients are safeguarded against potential cyber threats. In the context of cybersecurity, taking into consideration the rapid growth of cyber-attacks, with ransomware being one of the most noticeable attack paths, any organisation operating digitally will need to ensure that it has an effective strategy in place specific to building its cyber resilience. However, Conklin et al. (2017) argue that no industry has managed to develop an effective standard strategy to protect itself against the growing cyber-attacks. While many adopt and focus on protecting the logical points of access, this strategy still leaves organisations’ critical assets vulnerable to being compromised by a cyber-attack. According to Conklin et al.
(2017), adopting cyber-resilience as a strategy means that an organisation would focus on protecting its most critical assets to reduce the business impact in the event of an attack. Additionally, cyber-resilience ensures that the correct resources are in place to detect any malicious activity, and where, in an unfortunate event, the attack is successful, the organisation needs to be able to respond and recover as quickly as possible to reduce service impact. Therefore, a cyber-resilient organisation would require well-defined processes to effectively respond to attacks and to any successful penetration, to prevent the attacker from reaching and compromising the organisation's critical assets. To support the adoption of cyber-resilience as a strategy, Dupont (2019) holds that for organisations to have an advantageous position against cyber threats, they would need to look at adopting cyber-resilience as a complementary alternative to an existing cybersecurity paradigm.

Conklin et al. (2017) share seven generic principles, described as the “Cyber Resilience Process”, which are discussed below. The principles outlined are closely aligned and comparable to the various steps outlined in the NIST framework.

Classify: The principle of classification puts emphasis on the fact that you cannot protect assets you do not know exist. To classify assets, organisations need to identify, label, and sort all assets, which can be used to determine things like which assets are considered critical to business operations and therefore take precedence in protection, in being backed up first, and in ensuring quick recovery. This principle is comparable to the “Identify/Classification” step of the NIST Framework (NIST, 2014).

Risk: To ensure effective resiliency, organisations need an appropriate and well-communicated risk appetite. A risk assessment considering various threat scenarios is key to determining how much risk the organisation is potentially exposed to.
The risk-based approach also assesses internal controls and their application. This principle is comparable to the NIST step “Assessing Security and Privacy Controls in Information Systems and Organisations” (NIST 800-53A, 2022).

Rank: Organisations need to have clear visibility of their critical and non-critical assets to deploy the correct resources for the best possible chance of minimal impact in the event of an attack. To arrive at such a view, the “rank” principle ranks an organisation's assets according to their criticality. This principle is comparable to the NIST step of “select”, which serves the purpose of ensuring that the correct controls are tailored and selected to protect the organisation’s critical assets in line with the risk appetite (NIST, 2023).

Design/Deploy: For resilience to be effective, resilience controls need to be embedded in the architecture and its design. This principle is comparable to the NIST step of “implement”, which is focused on how specific security and privacy controls are implemented within the organisation to ensure a level of resilience (NIST, 2023).

Test: Once all controls have been applied, this principle serves to assure, through testing, that resilience can be achieved. During this step, methods such as penetration testing can be used to test the resilience of the implemented controls. The “test” principle is comparable to the “assess” step of the NIST framework, which serves the purpose of assessing whether the implemented controls are operating as intended, are effective, and are producing the desired outcome of ensuring resilience (NIST, 2023).

Recover: In the case of a realised attack, an organisation needs to be able to recover quickly. To do this effectively, a recovery plan needs to be established, well documented, and tested to ensure a seamless and full recovery. This principle is comparable to the “Recover” function of the NIST framework (NIST, 2018).
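To make the Classify, Risk, Rank and Recover principles concrete, the following Python example is added here as an illustration; it is not code from this research report, from Conklin et al. (2017) or from NIST. It applies the definition of risk from section 1.8 (a function of adverse impact and likelihood) to a small asset inventory, ranks the assets, and derives a dependency-aware restore sequence of the kind a documented recovery plan would contain. The asset names, the classification labels, the product-of-impact-and-likelihood score and the dependency relationships are all constructed assumptions.

```python
"""Added example (not from the research report): a small model of the
Classify, Risk, Rank and Recover principles of section 2.4.2, using the
CSRC definition of risk from section 1.8 (impact and likelihood).
Asset names, dependencies, labels and scores are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed classification labels; a bank would use its own scheme.
CLASS_ORDER = {"critical": 0, "important": 1, "supporting": 2}


@dataclass
class Asset:
    name: str
    classification: str            # Classify: every asset carries a label
    impact: int                    # 1-5, adverse impact if compromised
    likelihood: int                # 1-5, likelihood of compromise
    depends_on: List[str] = field(default_factory=list)  # runtime dependencies


def risk_score(asset: Asset) -> int:
    """Risk as a function of impact and likelihood. The plain product is an
    assumed scoring model, not one prescribed by the report or by NIST."""
    return asset.impact * asset.likelihood


def rank_assets(assets: Dict[str, Asset]) -> List[str]:
    """Rank: highest risk first; ties broken by classification, then name."""
    return sorted(
        assets,
        key=lambda n: (-risk_score(assets[n]),
                       CLASS_ORDER.get(assets[n].classification, 99), n),
    )


def recovery_order(assets: Dict[str, Asset]) -> List[str]:
    """Recover: a restore sequence that never restores an asset before the
    assets it depends on and, among the assets that are ready, restores the
    highest-ranked one first. An unknown dependency or a dependency cycle
    raises ValueError, so an inconsistent inventory surfaces while the plan
    is being tested rather than during an incident."""
    for asset in assets.values():
        for dep in asset.depends_on:
            if dep not in assets:
                raise ValueError(f"{asset.name} depends on unknown asset {dep}")
    priority = {name: i for i, name in enumerate(rank_assets(assets))}
    remaining = dict(assets)
    restored: List[str] = []
    while remaining:
        ready = [n for n, a in remaining.items()
                 if all(d in restored for d in a.depends_on)]
        if not ready:
            raise ValueError("dependency cycle among: " + ", ".join(sorted(remaining)))
        nxt = min(ready, key=priority.__getitem__)
        restored.append(nxt)
        del remaining[nxt]
    return restored


def build_inventory() -> Dict[str, Asset]:
    """Constructed sample inventory for a hypothetical bank."""
    inventory = [
        Asset("identity-provider", "critical", 5, 4),
        Asset("core-banking-db", "critical", 5, 3, ["identity-provider"]),
        Asset("payments-gateway", "critical", 5, 4,
              ["core-banking-db", "identity-provider"]),
        Asset("internet-banking-web", "important", 4, 4, ["payments-gateway"]),
        Asset("hr-portal", "supporting", 2, 3, ["identity-provider"]),
        # Backups are a known first target (section 2.3.3), hence likelihood 4.
        Asset("backup-vault", "critical", 5, 4),
    ]
    return {a.name: a for a in inventory}


if __name__ == "__main__":
    inv = build_inventory()
    for name in rank_assets(inv):
        print(f"{name:22s} {inv[name].classification:10s} risk={risk_score(inv[name])}")
    print("restore order:", " -> ".join(recovery_order(inv)))
```

Run on the constructed inventory, the ranking places the backup vault, the identity provider and the payments gateway at the top, and the restore sequence starts with the backup vault and the identity provider because everything else depends on them; the same run would fail loudly if the inventory contained a circular dependency, which is the kind of defect the Test principle is meant to surface before an incident.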
Evolve: To keep up with the ever-changing threat landscape, organisations need to be agile and dynamically adjust various security controls, processes, and even architecture to remain cyber resilient. Adjustments can be derived from lessons learned internally and externally, from outcomes of the test phase, or from continuous monitoring and observation of key changes in the threat landscape. This principle is comparable to the “Monitor” step of the NIST framework (NIST, 2023).

2.5 Frameworks and best practices that inform cyber resilience

Cybersecurity is defined as ‘the process of protecting data and systems from theft and being damaged’; for an organisation to achieve this successfully, there is a set of standards, processes, and frameworks that can help guide it in implementing cybersecurity across the different levels of its business (Taherdoost, 2022). According to Taherdoost (2022), standards are ‘documents or rules made based on a general agreement and validated by a legal entity that help to achieve optimal results as a guideline, model, or sample in a particular context’, and they provide organisations with the necessary guidelines for successful compliance and governance that can assist them in obtaining desired results. Standards are also said to ensure the safety, reliability, and consistency of services, products, and systems for organisations. Furthermore, frameworks are introduced in industry to provide guidance to organisations on specific domains, which can be adopted by each organisation. It is important to note that a framework does not prescribe that an organisation adopt specific options but rather acts as a guidance note for organisations (Taherdoost, 2022). The main objective of standards and frameworks within the cybersecurity field is to assist organisations in preventing and mitigating cyber-attacks, as well as reducing the risks of cyber threats.
In the field of cybersecurity, there are several standards and frameworks available for organisations to adopt. Below is a description of some popular standards and frameworks taken from the available literature.

2.5.1 ISO 27000 Series

ISO 27000 is an internationally recognised standard that focuses on information security. This standard is designed to help organisations manage their information security by focusing on the people, process and technology aspects of an organisation. ISO 27000 is commonly used in conjunction with ISO/IEC 27001, where the latter is used to ensure the effective implementation of information security in an organisation.

2.5.2 NIST Cybersecurity Framework

The NIST Cybersecurity Framework is a voluntary framework that helps organisations understand and improve their management of cybersecurity risks (NIST, 2018). It is one that many organisations align with as an industry best practice for their cybersecurity and, in turn, for building their cyber resilience. The NIST framework is recommended to be used in conjunction with any frameworks already implemented in an organisation, to complement rather than replace them (Almuhammadi & Alsaleh, 2017). The framework consists of five core functions, with categories and sub-categories derived from various industry best practices, standards and guidelines. The five core functions are designed to offer a high-level, strategic view of an organisation's lifecycle in the management of cybersecurity risk (NIST, 2018). The five core functions are described below.
It is important to note that these functions are not prescribed to organisations but rather offer a static end state for the organisation's cybersecurity programme.

Identify: For an organisation to adequately put cyber-attack mitigation strategies in place, it needs a full inventory of the key elements within its business, such as critical information, company assets and existing capabilities. The ‘identify’ function’s objective is to guide organisations in identifying and adequately managing the cybersecurity risk to their systems, people, assets, data and capabilities. Categories within this function include asset management, business environment, governance, risk assessment and risk management strategy (NIST, 2018).

Protect: An organisation has a mandate to protect its critical infrastructure and to ensure that there is minimal impact in the event of a cyber-attack. The ‘protect’ function provides guidance to organisations on how to develop and implement appropriate safeguards for critical infrastructure. The categories of this function include identity management and access control; awareness and training; data security; information protection processes and procedures; maintenance; and protective technology (NIST, 2018).

Detect: In the case of a cyber-attack, to minimise its potential impact, an organisation needs to be able to swiftly detect the activities of cybersecurity events. The ‘detect’ function assists organisations in discovering cybersecurity events in a timely manner, using various tools and techniques. Categories of this function include anomalies and events; security continuous monitoring; and detection processes (NIST, 2018).

Respond: Once a cybersecurity event has been detected, the cybersecurity team needs to respond accordingly to minimise the impact of the attack.
The ‘respond’ function offers guidance on how organisations can develop and implement suitable actions and activities once a cybersecurity incident has been detected. Categories within this function include response planning, communications, analysis, mitigation and improvements (NIST, 2018).

Recover: In the unfortunate case of a successful cyber-attack or intrusion, an organisation needs to be able to recover in a timely manner to avoid a severe and widespread impact on business and customers alike. The ‘recover’ function thus provides guidance on how organisations can develop and implement the activities required to maintain resilience plans, including backing up critical systems and restoring any impacted capabilities and services. Categories within this function include recovery planning, improvements and communications (NIST, 2018).

2.5.3 COBIT

Control Objectives for Information and Related Technologies (COBIT) is a framework developed by the Information Systems Audit and Control Association (ISACA). ISACA is an independent organisation made up of governance professionals, whose main objective is to help organisations balance their IT and business goals by bridging the gap between the technical issues organisations experience and business risks (Taherdoost, 2022). The COBIT framework offers five (5) principles designed to guide the effective management and governance of an organisation. The five principles are:

1. Meeting stakeholder needs, focused on the importance of getting buy-in from all stakeholders.
2. Covering the enterprise end-to-end by integrating IT governance into enterprise governance, ensuring that the focus is not placed only on the IT function but that information and related technologies are treated as assets.
3. Applying a single integrated framework by serving as an overarching governance framework which aligns with all the other relevant standards and frameworks.
4. Enabling a holistic approach to ensure that all areas are adequately considered and covered.
5. Separating governance from management, where governance remains the responsibility of the board of directors under the leadership of a chairperson, and management is the responsibility of executive management under the leadership of the CEO.

The five principles are designed so that an organisation can create a holistic framework for the governance and management of its IT infrastructure (IT Governance, 2022).

2.6 Evaluation methods of cyber-resilience

As the frequency and sophistication of cyber-attacks rapidly grow, and as organisations focus on improving their cyber-resilience, one of the key actions they ought to consider is testing or evaluating the effectiveness of the employed cyber-resilience strategy, to ensure that they are adequately prepared for an attack (Bodeau et al., 2018). There are several evaluation methods that organisations use to evaluate the effectiveness of their cyber-resilience strategies. The testing focuses on assessing the organisation's ability to prevent, detect, respond to and recover from cyber-attacks (Lee, 2016). While each evaluation method has its own strengths and weaknesses, organisations have the responsibility to consider which assessments are a good fit for them. Below is a description of methods and frameworks identified in the literature that can be used to evaluate the effectiveness of cyber resilience.

2.6.1 Cyber Resilience Review (CRR)

The Cyber Resilience Review is a framework created by the U.S. Department of Homeland Security, aimed at providing a comprehensive evaluation and measurement of an organisation’s operational resilience capabilities and cybersecurity practices. The CRR was created using guidance from the Cyber Resilience Evaluation Method and the CERT Resilience Management Model (CERT-RMM) (U.S. Department of Homeland Security, 2020). The method of assessment employed by this framework is an interview-based assessment facilitated in a workshop style, where critical questions are posed on topics including critical infrastructure, the organisation’s cybersecurity personnel, operations, physical security and business continuity. According to the U.S. Department of Homeland Security (2020), the assessment can be replicated as it uses the same questions, scoring mechanisms and options for improvement. When conducting the assessment, the framework focuses on ten domains, in which it seeks to assess and understand the capacity and capabilities that an organisation has in relation to planning, managing, measuring and defining the cybersecurity practices and behaviours conducted (U.S. Department of Homeland Security, 2020). Each domain has a purpose statement giving an overview of the domain and its intent; specific goals and practices unique to the domain, which are assessed accordingly; and finally a maturity indicator level (MIL), which is also assessed through questions. The ten domains and how they relate to the number of goals, practices and maturity indicator levels are illustrated in the figure below:

Figure 8 CRR Domain Composition (Source: U.S. Department of Homeland Security (2020))

Once the assessment is completed, a report is produced highlighting all the gaps and cybersecurity improvement areas, along with recommendations and considerations based on recognised standards and industry best practices (U.S. Department of Homeland Security, 2020).

2.6.2 Cyber-resilience assessment framework (C-RAF)

The cyber-resilience assessment framework is a framework released by the Hong Kong Monetary Authority (the "HKMA") in November 2020.
The framework is designed as a risk-based framework that organisations can use to assess their own cyber risk profiles and benchmark their cyber resilience, to determine whether it is effective against potential attacks (Deloitte, 2023). The C-RAF features a two-part self-assessment and an intelligence-led cyber-attack simulation test (iCAST) (Carter & Crumpler, 2019). The self-assessment component is based on and guided by various other frameworks, including the FFIEC Cybersecurity Assessment Tool (CAT), the NIST Framework and the BIS/IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures, and evaluates security systems against 366 controls derived from these frameworks. In the framework’s three-step approach, the organisation’s inherent risk is first determined by considering key factors including the technologies used, delivery channels adopted, activities, products, services, infrastructure and operating environment, with an inherent risk rating applied to each aspect. The ‘inherent risk rating’ is then mapped to an expected “maturity level” (see the figure below for a visual representation of the mapping).

Figure 9 Inherent Risk Rating mapping to Expected Maturity Level (Source: Lee (2016))

The second step of the approach assesses the maturity of the seven domains, with the key objective of determining the level of resilience maturity in each domain and, subsequently, in its components. The seven domains of the maturity assessment are shown in the figure below:

Figure 10 Maturity assessment (in seven domains) (Source: Lee (2016))

Each of these domains is made up of further components, which are shown in Figure 11 below:

Figure 11 Components of the maturity assessment (Source: Hong Kong Monetary Authority, 2016)

Once the assessments in the two steps have been completed, the outcomes of the inherent risk assessment and the expected maturity assessment are compared; gaps are identified for consideration and a remediation roadmap is put together to address them (Hong Kong Monetary Authority, 2016). Where an organisation has an inherent risk rating of “medium” or “high,” the Cyber Resilience Assessment Framework requires intelligence-led cyber-attack simulation testing (iCAST) to be conducted. The iCAST requires comprehensive penetration testing based on test scenarios to determine the effectiveness of existing controls and to help identify any existing gaps (Carter & Crumpler, 2019). Traditional penetration testing is commonly known to have the limitation of focusing only on technical assessments; however, the assessment conducted as part of the iCAST extends the testing to “people and processes” (Lee, 2016). Further to this, penetration testing under iCAST augments the typical penetration test with threat information and additional verification of the penetration tester(s)' knowledge, creating end-to-end testing scenarios that allow for simulations close to real-life attacks (Hong Kong Monetary Authority, 2016).

2.6.3 Assurance Reviews

Assurance is a method used to provide confidence in the implemented security controls, highlighting their effectiveness. While there are many ways to provide assurance in this regard, the National Cyber Security Centre (2023) discusses four common methods:

Method | Description
Self-Assessment | In this method, the internal cybersecurity teams assess and report on the effectiveness of the implemented controls. This can be completed by answering pre-determined questions. The evaluation of effectiveness is, however, subject to the individuals performing the assessment.
Internal Assessment | Internal assessments are usually performed by staff members such as Internal Audit teams. While this team may be employed by the organisation, the assessments are conducted independently of the security teams to provide a more objective assessment.
External Assessment | External assessments can take various forms, including table-top exercises, breach simulations, benchmarking against industry standards and penetration testing. This type of assessment provides an objective evaluation by testing the various points of vulnerability.
Automated Assessment | Automated assessments make use of in-built testing, monitoring and reporting. This often works well on technology systems rather than for the assessment of processes or people.

Table 3 Common Assurance Methods (Source: National Cyber Security Centre (2023))

2.6.4 Metrics

Metrics are defined as “the result of a process or method for measuring, evaluating, or comparing similar objects” (Bodeau et al., 2018). According to Bodeau et al. (2018), metrics can be used by the organisation to identify and describe how well the implemented controls, efforts and even performance enable it to achieve the objectives of cyber-resilience; metrics can also be used as a tool for learning and decision-making. The National Cyber Security Centre (2023) supports the idea that metrics and indicators are used to inform decisions in an organisation, which enables effective operation. Metrics can enable an organisation to consistently track the effectiveness of its cybersecurity programmes. While security and resilience metrics are closely related to risk metrics, there are some nuanced differences (Bodeau et al., 2018).
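As an added worked example (not part of this thesis and not HKMA tooling) of the two-step C-RAF comparison described in section 2.6.2, and of a metric of the kind section 2.6.4 discusses tracked over successive assessment cycles, the following Python script rates inherent risk from per-aspect ratings, maps the rating to an expected maturity level, compares it with the assessed maturity in each domain, orders the resulting gaps into a remediation roadmap, flags when iCAST is required (medium or high inherent risk), and reports the trend in open gaps. The tie-breaking rule, the rating-to-maturity mapping, the three maturity levels and the seven domain names are assumptions standing in for Figures 9 and 10, which are not reproduced here; the sample bank's ratings are constructed.

```python
# Added illustration of the C-RAF two-step gap comparison (section 2.6.2) and of a
# resilience metric tracked over time (section 2.6.4). Example code written for this
# chapter, not HMKA tooling. The rating rule, the risk-to-maturity mapping and the
# domain names are assumptions, since Figures 9 and 10 are not reproduced here.
from collections import Counter

RISK_LEVELS = ("low", "medium", "high")                    # assumed ordering, low to high
MATURITY_LEVELS = ("baseline", "intermediate", "advanced")  # assumed ordering, low to high

# Assumed mapping of inherent risk rating to expected maturity level (stands in for Figure 9).
EXPECTED_MATURITY = {"low": "baseline", "medium": "intermediate", "high": "advanced"}

# Seven assessment domains as this example assumes them (stands in for Figure 10).
DOMAINS = ("governance", "identification", "protection", "detection",
           "response_and_recovery", "situational_awareness", "third_party_risk")


def inherent_risk_rating(aspect_ratings):
    """Combine per-aspect ratings (technologies, delivery channels, ...) into one rating.
    Assumed rule: the most frequent level wins; ties go to the higher level."""
    if not aspect_ratings:
        raise ValueError("no aspects rated")
    for level in aspect_ratings.values():
        if level not in RISK_LEVELS:
            raise ValueError(f"unknown risk level {level!r}")
    counts = Counter(aspect_ratings.values())
    best = max(counts.values())
    tied = [lvl for lvl, n in counts.items() if n == best]
    return max(tied, key=RISK_LEVELS.index)


def expected_maturity(rating):
    """Step one: expected maturity level for a given inherent risk rating."""
    return EXPECTED_MATURITY[rating]


def icast_required(rating):
    """C-RAF requires iCAST where inherent risk is rated medium or high."""
    return rating in ("medium", "high")


def maturity_gaps(rating, assessed):
    """Step two: compare assessed maturity per domain with the expected level and
    return the domains that fall short, with the shortfall in levels."""
    target = MATURITY_LEVELS.index(expected_maturity(rating))
    gaps = {}
    for domain in DOMAINS:
        level = assessed.get(domain)
        if level is None:
            raise ValueError(f"domain {domain} not assessed")
        shortfall = target - MATURITY_LEVELS.index(level)
        if shortfall > 0:
            gaps[domain] = shortfall
    return gaps


def remediation_roadmap(gaps):
    """Order gaps into a roadmap: largest shortfall first, then by domain order."""
    return sorted(gaps, key=lambda d: (-gaps[d], DOMAINS.index(d)))


def gap_trend(assessment_history, rating):
    """Metric over successive assessment cycles: open domain gaps per cycle and the
    change between cycles (a negative delta is an improvement)."""
    counts = [len(maturity_gaps(rating, a)) for a in assessment_history]
    deltas = [later - earlier for earlier, later in zip(counts, counts[1:])]
    return counts, deltas


# Constructed sample input for a hypothetical bank (not real assessment data).
SAMPLE_ASPECTS = {
    "technologies": "high", "delivery_channels": "high", "activities": "medium",
    "products_services": "high", "infrastructure": "medium", "operating_environment": "medium",
}
SAMPLE_CYCLE1 = {
    "governance": "intermediate", "identification": "advanced", "protection": "intermediate",
    "detection": "baseline", "response_and_recovery": "intermediate",
    "situational_awareness": "baseline", "third_party_risk": "advanced",
}
# Second cycle after remediation work on detection and governance.
SAMPLE_CYCLE2 = dict(SAMPLE_CYCLE1, detection="intermediate", governance="advanced")

if __name__ == "__main__":
    rating = inherent_risk_rating(SAMPLE_ASPECTS)
    print("inherent risk:", rating, "| expected maturity:", expected_maturity(rating),
          "| iCAST required:", icast_required(rating))
    gaps = maturity_gaps(rating, SAMPLE_CYCLE1)
    print("gaps:", gaps)
    print("roadmap:", remediation_roadmap(gaps))
    print("gap trend (counts, deltas):", gap_trend([SAMPLE_CYCLE1, SAMPLE_CYCLE2], rating))
```

The tie rule matters for the sample: three aspects are rated high and three medium, and resolving the tie upwards gives a "high" rating, an expected maturity of "advanced" and a mandatory iCAST. Gap size, not domain order, drives the roadmap, so the two domains still at baseline are scheduled first.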
In the table shown in Figure 12 below, the differences between these metrics are outlined; they should be considered when creating metrics specific to cyber resilience.

Figure 12 Cyber Resiliency Metrics Can Repurpose Security, Risk, or Resilience Metrics (Source: Bodeau et al. (2018))

Metrics are noted to be best used on a continuous and consistent basis to inform trends, address gaps through remediation efforts and help inform the adjustment of security programmes.

2.7 Senior Management and Cyber resiliency

2.7.1 Management’s awareness of ransomware as a top risk

Literature suggests that there is a heightened focus on ransomware at the board level, and organisations are increasing their capability in cyber resilience in preparation for when an attack does happen (Tuttle, 2021). Tuttle (2021) further notes that regulators, customers and shareholders increasingly hold corporate leaders personally accountable for cybersecurity failures, which brings added pressure to the senior management of financial services firms, as they are highly regulated and the nature of their business has a direct impact on customers and shareholders. According to Bajpai & Enbody (2020), senior management regards ransomware as a top threat and concern. Brewer (2016) further highlights the amount of money lost annually by organisations because of ransomware, which has certainly led senior management to pay closer attention to preventing and mitigating potential ransomware attacks. Contrasting this view, Triplett (2022) notes that many senior managers still view cyber threats as “a technological catastrophe”, which tends to place the focus, and often the pressure, solely on the IT department to “sort things out”. Although organisations adopt various approaches in their business models, Asana (2021) suggests that a top-down approach works better for organisations when making some of their complex business decisions.
Where cyber resilience is concerned, it is imperative to have alignment across all levels of the organisation, with the executive and board members on board with the cyber resilience plans.

2.7.2 Role of senior management in ensuring cyber-resilience

The role of strategic leadership in an organisation is of paramount importance when trying to establish an effective cyber resilience strategy against rapidly rising cyber threats. It is important to note that cybersecurity and cyber resilience are not just the business of the IT department but of the organisation at large, with senior management leading by example. Borrowing from the idea of “leading by example,” the literature points to humans being considered the weakest link when it comes to building cyber-resilience. According to Triplett (2022), the human element should remain at the centre of any business operation, and more so in building cyber resilience. This is supported by the observation that humans are more susceptible to making errors such as using weak passwords, clicking on malicious phishing links, or being targeted through social engineering, all of which are potential exploitable points for cyber criminals. Triplett (2022) proposes that one of the key roles senior management should play in building cyber resilience is to actively promote cyber education and training. The promotion of cyber education and training is further supported by Al-Alawi et al. and Al-Bassam (2019), who discuss the importance of staff training on matters of cybersecurity, regardless of the role any individual fulfils in the organisation. Promoting cybersecurity training and education across the organisation increases its defences, and thus its resilience, against potential cyber threats, and subsequently promotes a cyber-aware culture among all staff.
While the literature indicates that, to ensure a cyber-resilient organisation, all staff members need to be well trained and to actively partake in safeguarding the organisation, there still needs to be an overall driver and an accountable person or persons for cybersecurity. When it comes to senior management or the senior leadership team, traditionally there are a number of C-suite titles to consider, including but not limited to CEO, COO, CFO and CIO. As a result, organisations have actively moved to employ a Chief Information Security Officer (CISO) to take the overall driving seat in influencing a cyber-resilient posture for the organisation, with the support of the rest of the C-suite (Reilly et al., 2016). With this role, Triplett (2022) posits that this leader will need to be a person who can effectively communicate with the board and the rest of the business on issues relating to cybersecurity, but who can also relate to and provide guidance to the IT teams doing the groundwork. This stance is equally supported by Bagheri et al. (2023), who further explain that there needs to be a mutual understanding of cybersecurity issues across all senior leadership in order to cascade and align this with the rest of the business.

One other key role played by senior management in building a cyber-resilient organisation is that of effective budgeting and the correct allocation of funds. It is well understood that investing in various technologies can be an expensive exercise, and one cannot rely solely on technology as a silver bullet for building an organisation's cyber-defences. According to Al-Alawi et al. (2019), senior management needs to place cybersecurity as a top priority, and this should be reflected in budget allocations to ensure that the organisation is armed with sufficient resources and security controls to promise adequate cyber-resiliency.
Overall, the literature illustrates that buy-in and support from senior management in building an effective cyber-resilience strategy for an organisation is of paramount importance.

2.8 Analytical Framework

According to Gale et al. (2012), an analytical framework is defined as “a set of codes organised into categories that have been jointly developed by researchers involved in analysis that can be used to manage and organise the data. The framework creates a new structure for the data (rather than the full original accounts given by participants) that is helpful to summarise or reduce the data in a way that can support answering the research questions.” Borrowing from this definition, an analytical framework is the underpinning structure that guides and facilitates a researcher's sense-making of the various theories and models in a research study. In this section, different theories and models are discussed under ‘theoretical frameworks’, and a conceptual framework is positioned as a guide for this study.

2.8.1 Theoretical Framework

According to Grant & Osanloo (2014), the theoretical framework is an important aspect of the research process that influences various parts of the research, including the selection of a topic, the development of research questions, the design approach and the analysis plan. This study will consider the Routine Activity Theory (RAT).

Figure 13 Routine Activity Theory (RAT) (Source: Govender et al. (2021))

Routine Activity Theory, as illustrated in Figure 13, is cited as a model initially framed by Lawrence E. Cohen and Marcus Felson in 1979 and commonly used in the study of criminology and crime science (Miro, 2014). Although RAT is commonly used for studies in criminology and crime science, authors such as Govender et al. (2021) have applied this theory to cybercrime-related studies.
Furthermore, through their analysis, Leukfeldt & Yar (2016) position RAT as a suitable theory for testing cyber-related crimes, additionally highlighting that, depending on the study, some of the RAT elements may be more applicable than others. For the purposes of understanding the elements evaluated through RAT, Miro (2014) explains that RAT is made up of three (3) essential elements, namely (a) a likely offender, (b) a suitable target, and (c) the absence of a capable guardian. Where the three elements converge, the theory concludes that a crime would take place. For this study, the researcher will focus on the element of ‘the absence of a capable guardian.’

The likely offender is identified as a person who has a motive to commit a crime as well as the capability and capacity to do so (Felson & Cohen, 1980). In the context of this study, a likely offender would be a threat actor who has the skills, the capability and, at times, the funds to launch a cyberattack by exploiting open vulnerabilities (CSRC, 2015).

A suitable target is identified as “a person or property that may be threatened by an offender” (Miro, 2014). A suitable target is often considered to hold something of value from which the likely offender can benefit. In this instance, a suitable target would be a South African financial institution or bank, positioned as a potential big pay-out target after being challenged by the emergence of various fintech companies to transition into a digital business for both its business and customer strategic objectives (Ledesma, 2021). While the adoption of digital services and processes offers vast benefits, it also comes with the risk of increased cyber-attacks and, more recently, of a looming ransomware attack, where threat actors may hope for big payouts because of the nature of the data and service offerings that financial institutions hold (Ledesma, 2021).
RAT adds a third element, ‘the absence of a capable guardian.’ A capable guardian is described as someone or something that can intervene or help prevent a crime from taking place (Cohen & Felson, 1979). Miro (2014) explains that a capable guardian is one who, when present or applied, would prevent a crime from happening; where a capable guardian is absent, a crime becomes more probable. In the case of this study, a capable guardian refers to the cybersecurity posture of a financial institution, that is, the various security controls and measures employed by the organisation to safeguard against a probable cyber-crime. Govender et al. (2021) support this proposition by stating that guardianship in the form of security measures is essential in protecting a suitable target from a likely offender (cyber threat actors). A presupposition of the proposed use of RAT in this study is depicted below:

Figure 14 Application of Routine Activity Theory (Researcher's own, 2022)

2.8.2 NIST Framework

To support this theory in evaluating the research objectives, this study will also consider the NIST security framework, previously referred to in the Introduction and Research Problem sections, focusing on the five core functions that are positioned to increase cyber resilience.

Figure 15 Five Core functions for effective Cybersecurity (Source: Hanacek, 2018)

The NIST framework is one that organisations align with as an industry best practice for their cybersecurity. It is recommended to be used in conjunction with any frameworks already implemented in an organisation, to complement rather than replace them (Almuhammadi & Alsaleh, 2017). The NIST framework consists of five core functions, with categories and sub-categories derived from various industry best practices, standards and guidelines.
The five core functions aim to offer a high-level, strategic view of an organisation's lifecycle in the management of cybersecurity risk (NIST, 2018). The five core functions are described below. It is important to note that these functions are not prescribed to organisations but rather offer a static end state for the organisation's cybersecurity programme.

Identify: For an organisation to adequately put cyber-attack mitigation strategies in place, it needs a full inventory of the key elements within its business, such as critical information, company assets and existing capabilities. The ‘identify’ function’s objective is to guide organisations in identifying and adequately managing the cybersecurity risk to their systems, people, assets, data and capabilities. Categories within this function include asset management, business environment, governance, risk assessment and risk management strategy (NIST, 2018).

Protect: An organisation has a mandate to protect its critical infrastructure and to ensure that there is minimal impact in the event of a cyber-attack. The ‘protect’ function provides guidance to organisations on how to develop and implement appropriate safeguards for critical infrastructure. The categories of this function include identity management and access control; awareness and training; data security; information protection processes and procedures; maintenance; and protective technology (NIST, 2018).

Detect: In the case of a cyber-attack, to minimise its potential impact, an organisation needs to be able to swiftly detect the activities of cybersecurity events. The ‘detect’ function assists organisations in discovering cybersecurity events in a timely manner, using various tools and techniques. Categories of this function include anomalies and events; security continuous monitoring; and detection processes (NIST, 2018).
Respond: Once a cybersecurity event has been detected, the cybersecurity team needs to respond accordingly to minimise the impact of the attack. The ‘respond’ function offers guidance on how organisations can develop and implement suitable actions and activities once a cybersecurity incident has been detected. Categories within this function include response planning, communications, analysis, mitigation and improvements (NIST, 2018).

Recover: In the unfortunate case of a successful cyber-attack or intrusion, an organisation needs to be able to recover in a timely manner to avoid a severe and widespread impact on business and customers alike. The ‘recover’ function thus provides guidance on how organisations can develop and implement the activities required to maintain resilience plans, including backing up critical systems and restoring any impacted capabilities and services. Categories within this function include recovery planning, improvements and communications (NIST, 2018).

Furthermore, one would also need to factor in an assessment framework or method to help assess the effectiveness of the strategies selected to mitigate cyber-attacks. Having an assessment framework or method in place will assist management in basing their decisions on tested foundations, and subsequently help them to outline and prioritise their investment strategy to improve their cyber resilience maturity level.

2.9 Research Propositions

Based on the literature review and in line with the research objectives, the following propositions are put forward:

2.9.1 Proposition one

Ransomware is prioritised as a top risk as threat actors' motivation to exploit financial institutions is heightened.

2.9.2 Proposition two

Components derived from the NIST framework (Identify, Protect, Detect, Respond and Recover) are key factors that influence cyber resiliency in financial organisations.
2.9.3 Proposition three

Senior management has a critical role in ensuring cyber resiliency in financial institutions.

2.9.4 Proposition four

Various methods and techniques can be employed to evaluate the cyber-resilience of an organisation.

2.10 Research Gaps

This literature review indicates that the cyber-resiliency of South African financial institutions is not clearly defined or well documented in research. Additionally, there is limited detailed exploration of various emerging threats, including the use of Ransomware-as-a-Service or artificial intelligence, which may contribute to the considerations when formulating a mitigating strategy. With regard to management’s role and decision-making, while the research indicates the importance of the role management plays in cybersecurity management, there is not wide coverage of the challenges faced by management in implementing cyber-resilience strategies. Additionally, to further enhance the practical application of remediation, the researcher was unable to find specific guidance on the prioritisation of remediation efforts when formulating a strategy to mitigate ransomware risks.

2.11 Conclusion

Studies have indicated the rapid growth in cyber threats and the dynamic cyber landscape that many organisations struggle to keep up with. It is well noted that cyber-attacks have also increased specifically in financial institutions, where attacks have shifted from mere attempts at extorting money from organisations to targeting the attractive exploitation of data housed in financial institutions. One cannot ignore the role that COVID-19 also played in accelerating the number of