gi-Geldinstitute Expert Talk: How banks keep track of IT vulnerabilities

An article by Stefanie Walter, Editor | 01.03.2022 – translated with DeepL.com – Original in German available HERE

Expert Panel: Christian Meusel, Berliner Volksbank – Gerrit von der Hardt, Targobank – Thorsten Demski, Volksbank Bielefeld-Gütersloh – Andreas Meyer, Union IT Services DZ Bank Group – Jochen Werne, Prosegur – Marion Gratenberg, Targobank

The rapidly advancing technological transformation in the banking sector also brings problems. Instead of leading to increased security, labour savings and customer friendliness, different applications can also bring performance problems and even failures.

This must be recognised and averted in good time. Application performance management, performance engineering, software intelligence, observability or process mining are the new buzzwords here. A holistic overview of all applications is helpful in resolving weaknesses and freeing up capacities for innovations in the business. In the gi-Geldinstitute roundtable discussion, this topic will be examined by experts.

Meusel: As a bank, we must first and foremost provide services for our clients. They are our main drivers. We in the operational organisation are therefore currently investing intensively in usability and direct availability in particular.

Demski: We want to avoid media discontinuities and streamline and improve process transitions in individual departments. The work on process improvement has accelerated a bit due to the pandemic. But it is a fundamental issue that we are dealing with in the context of digitalisation. Our last project focused on the speed of the credit processes. Our goal is not only to bring about decisions quickly, but also to ensure that they are as error-free as possible.

Gratenberg: We are concerned with making processes faster, but also more efficient from the customer’s point of view. In the last two years, we have invested a lot of time and analysis in the automation and optimisation of existing customer processes. An agile squad was also founded for this purpose. In the squad, we analyse where there is further potential to optimise and automate processes.

Werne: The goal of our process automation is to be as customer-friendly as possible. In Germany, we provide about 50 per cent of the total cash logistics. We thus guarantee the cash supply of the population and secure the liquidity cycle of companies, credit institutions and municipalities. In our cooperation with the banks, we want to drive the transformation. In our group, we are driving the optimisation of the IT outsourcing processes of the entire cash management and projects such as crypto custody. With Prosegur Crypto, we have launched a solution for the custody and management of digital assets that works automatically without an internet connection to achieve maximum protection against cyber attacks.

Meyer: Union Investment has two good reasons to optimise processes today – increasing process cost efficiency and regulatory law. As part of regulatory audits, we are required as one of the leading German asset managers to produce a business process map as part of the written order. I like the result: by using modern process intelligence tools, we recognise process weaknesses that need to be optimised. At the same time, we produce process models required by banking supervisory law. The auditing company PricewaterhouseCoopers confirmed an availability of 99 percent (2021) for the 170 applications used in the investment process. As part of the Genossenschaftliche FinanzGruppe (Cooperative Financial Network), we are the expert for the asset management of 4.8 million private and institutional investors with more than 400 billion euros in assets under management. We thus provide the IT required for this to more than 1,100 internal Union users with high availability.

Diener: In my role at Atruvia, the digitalisation partner of the Genossenschaftliche FinanzGruppe, I am responsible for measuring and analysing performance data for around 820 affiliated Volks- und Raiffeisenbanken. Basically, you have to distinguish between two topics in process optimisation: the business management part and the technical part.

When I think back to the early days of my working life in the early 80s, you would enter a short code into the old IBM terminals to support your work and be happy to receive an answer milliseconds later. Over the decades, many things have changed massively here. Business and technical performance moved closer together. IT has become a central core of everyday work and an essential part of overall process optimisation. In addition to dealing with speed, response times or simply checking whether systems are available, more emphasis is now placed on user experience and user behaviour. How is the customer, what are they doing, where are they having problems getting on in the application?

Von der Hardt: Challenges arise above all with very long process routes via different interfaces with channel breaks. Then you have to assemble information from the most diverse systems, databases or process areas. Because it is difficult to optimise something with a sixty percent view without knowing what the one hundred percent end-to-end customer view looks like. The goal is not to think in small puzzle pieces, but to have the entire customer journey in mind.

Werne: In the pandemic, our process management faces the additional challenge that, for example, retailers or bank branches that we supply with cash close here today and reopen somewhere else tomorrow. Against the backdrop of our current modernisation programme, we are also moving everything to the cloud. Since we operate globally, coordination between the different countries and standardisation play an additional role.

Meusel: The back office is an extreme driver of efficiency potential. With consistent optimisations and consolidations, we have been able to significantly reduce the resources tied up in recent years, not only through Atruvia’s solutions, but also through the broad use of technical innovations from other partners in the area of automation. Nevertheless, we still see topics with great potential, for example in the passive market succession, keyword probate, garnishment processing and other payment transaction services. As is well known, the active back office is currently experiencing high growth in the lending business. At the same time, the margins are melting away. We must therefore continue to look very intensively at how the balancing act of resource optimisation and business growth can be made possible, for example by means of process management. Here, of course, we use the analysis possibilities of Atruvia at our process times and try to achieve the necessary benchmarks through continuous process development.

Demski: We have also started in the back office. In the new year, we will take another look at customer service in the process analysis. This is where we can make the most profit. The procedure is first of all a precise recording of the processes and their interfaces. Based on this, we then evaluate which optimisation and/or automation steps make sense. Examples of automation for us are the processing of estates and processes related to online banking.

Von der Hardt: Targobank belongs to the cooperative Crédit Mutuel Alliance Fédérale Group from France. We are a retail and commercial bank with a focus on financing. Our process optimisation relates to these core processes. With Targo Dienstleistung we have a high-performance customer centre in Duisburg, which emerged from an industrialisation initiative at the end of the 1990s. Targobank has more than 20 years of expertise in digitalisation and process automation. It benefits from a large IT service provider and sees itself well equipped for the future in the highly competitive financial services market.

Gratenberg: In existing customer management, for example, we have automated large parts of the account closure process. This has been working very well for us for over a year now.

Werne: With regard to cash, the banking world has been in a transformation process for quite some time. Various credit institutions are already completely outsourcing their cash management for process optimisation and cost reasons. With smart machines, which Prosegur installs at its customers’ premises, cash can be disposed of directly and credited on the same day. The smart infrastructure, including dynamic monitoring and forecasting, optimises cash logistics and reduces costs.

Meyer: We already very successfully implemented a group-wide digitalisation initiative in the period from 2007 to 2010. Together with the central institutions of the DZ Bank Group, more than 18 custodian banks and almost 90 securities trading houses, we were able to achieve a dark processing rate of 95 percent for transaction management and accounting across all countries and locations – both areas where the factors of mass and standard processing matched. Challenging in this context was the unification of message standards in the networks for financial transactions such as SWIFT and FIX and the first use of machine learning-based applications for the processing of still paper-based bookings. Today, the focus is on examining the use of AI in the context of feasibility and profitability considerations and thus realising further efficiency potential.

Diener: Processes are organised very differently at banks. We see our task in providing tools with which our customers can map, optimise and monitor the processes. It is no longer enough to look at individual use cases, from the click to the information expected by the customer on the screen. Business processes are viewed as a whole. The question is, what can be automated? Of course, this always takes into account the regulatory framework. A lot has happened in recent years in terms of technical performance. New technologies such as virtualisation, containerisation, self-healing systems – systems that manage themselves – have taken hold. The processing of a request in the data centre has become more complex and dynamic. It is important to make these new possibilities tangible for the customer and to support him in process optimisation.

Von der Hardt: There are cross-departmental and cross-bank teams/squads both in operational process management and in process optimisation initiatives. Especially in the case of RPA automation, departments and IT work together across the board.

Demski: We now have a fixed, very broad-based team. Among them are colleagues from organisational development who have always been involved in process management. We recruited the RPA team from this group and supplemented it with colleagues from IT and technology. They are then joined by experts from the specialist departments of the processes concerned. Together, they take a close look at the process side, analyse what can be automated and then enter into the development. The procedure is rather iterative in the sense of agility. A first version of an automated process does not necessarily have to cover 100 per cent of all cases. The best way for the developers to determine the greatest benefit is to work together with the departments.

Meusel: It’s always about giving a voice to as many people as possible who are ultimately users of process flows and results. It is important for us to find the right degree of participation so that we don’t get lost in too broad a grassroots democratic process in the further development. It is clearly about quality, about the return on investment, how much time I have to invest to improve the processes and what the actual effect is. For example, we have defined clear guard rails with the automation team for RPA and OCR solutions. In addition, there is always a comparison with the strategic goals. Often we have to fulfil various parameters with scarce human resources. In addition to involving the right people, we want to make the whole process as transparent as possible in order to make decisions understandable. We work very collaboratively, instead of putting every evaluation on the table and saying this is how we do it now.

Meyer: We have always carried out major changes as part of a project portfolio in cooperation between IT and the business department. We always look at the expenditure plus follow-up costs/benefits over five years. Based on this, we have a ranking and allocate resources to the projects accordingly. We don’t tackle every sub-process that could be automated because it simply doesn’t pay off.

Meusel: We always have evaluation options for our essential applications. What is challenging, however, is the networking and visualisation of the individual systems and analyses. The right degree of considered systems and subsystems plays an important role here. There are certainly promising offers on the market here. Since process mining is an important field for us, we are already in contact with service providers. But our discussions so far have also shown that good advice is expensive.

Werne: Despite several analysis tools that we use, it is sometimes not so easy to manage performance engineering in connection with different systems so that they are scalable and comparable. We haven’t yet found the egg-laughing lizard, where you just click and then know exactly what brings what performance. I doubt that it will ever exist in the level of detail that the theory implies. Do we have an overall view? The answer is, of course, yes. It’s not just banks that need to have it, but all companies with critical infrastructures. And not just because the regulator expects it. With new processes being introduced almost daily, the biggest challenge is to integrate them perfectly in order to continue to perform as usual.

Meyer: The use of such tools with regard to the IT infrastructure is carried out by our IT providers. At Union Investment itself, we successfully use such tools to analyse business processes. We can now load the data required for the analysis from the underlying applications into a process intelligence tool and systematically identify throughput times and routes, quantity structures, manual processing steps and their process effort. Because today almost every processing step leaves a digital footprint in the databases – and the tool generates the entire process model almost independently.

Diener: We have initiated many things in recent years: On the one hand, from a pure tool perspective, but also organisationally. System and application monitoring were to be merged, the entire monitoring process was to be put on a new footing. In particular, we invested in a comprehensive solution from Dynatrace. Their software intelligence platform uses a proprietary form of artificial intelligence to clearly visualise and monitor applications, microservices, container orchestration platforms and IT infrastructures, and offers automated problem detection. Analyses under a highly dynamic platform, such as Openshift, can only be performed in an automated way.

We want one hundred per cent visibility across all 50,000 systems we currently have in use in order to detect faults in advance. With the dynamics of communication between the technologies, it is no longer possible to say exactly which components are used for an individual communication. That’s why it’s so important to have this monitored via AI and to have it signal us when there are deviations from the norm that we need to take action or use automatisms from the outset to heal it accordingly.

Von der Hardt: Our process team has to identify very precisely where the weak points are in the overall process. We don’t yet use any special analysis tools from process mining for this. Personally, I think we first need a general streamlining of some processes. We are so busy changing processes that we no longer have time to optimise them significantly. We are constantly complicating them with new regulatory requirements.

Gratenberg: We can say that we have significantly fewer complaints and improved customer ratings with processes that are very standardised and automated. There are different degrees of automation. Partly, employees are involved in the processes if they are very complex. After reading out customer letters, for example, very different types of processing can become necessary, some of which still require human intervention. In addition to reducing the workload and making it error-free, there are of course still challenges with automation that are just a little different than before. If systems fail, a robot cannot work. An employee can still use a workaround. But there are always solutions. The processing by the robot could be postponed, depending on the urgency. It may also be possible to use a replacement robot, with the help of another licence.

How can performance engineering help to increase safety?

Diener: When customers report faults, we have to identify very quickly whether it is an isolated incident or a large-scale problem. Furthermore, in the past it was often difficult to recognise whether a system was the cause of a malfunction or was only suffering from a malfunction of a different origin. However, the central goal is to detect malfunctions or weaknesses preventively. In 2018, we had over 60 monitoring tools. With the Dynatrace platform, we now have a holistic performance data warehouse as a central component of our monitoring strategy. The number of tools has been reduced through consolidation. When a malfunction is reported, we can thus quickly determine which groups of users and exact functions it affects. We are able to quickly narrow down possible causes in order to fix the problem permanently. Incidents are specifically forwarded to the person who can solve them.

Meyer: Around 500 servers are operated for us in the data centres of our IT provider Atruvia for about 170 applications. These are permanently monitored using more than 20,000 measuring points. If a fan fails somewhere and a server gets too warm, expected data transfers do not take place and the like, the responsible application managers or the Atruvia control centre are informed immediately. Our service-oriented organisation has regulated standard processes for this. In such cases, incident or problem management is immediately active. Depending on the type of fault, either at Atruvia and/or at Union IT Service.

Meusel: The smaller or more individual a bank is, the more challenging it is to have its own process engineering. We are grateful that we work closely with Atruvia on this. When it comes to regulatory requirements, innovations, availability and performance monitoring, we can handle the complexity much better together with our central service providers. Often, our internal control centre can be quickly provided with centralised information and focus on communication with customers and employees. The central lever of Performance Engineering is the reduction of own applications and their monitoring.

Demski: We largely rely on Atruvia for the IT infrastructure and thus naturally benefit directly or indirectly from their monitoring systems. At the same time, we also operate our own monitoring for critical parameters of the decentralised or self-operated systems. In addition to the short-term disruptions already mentioned, the measured values are of course also indications of the utilisation and performance of systems and possible problems, for example, the runtimes for data backups or loading processes in the nightly maintenance windows provide information.

Do you have a concrete example from practice for vulnerability management?

Von der Hardt: Sometimes we first hear from the customer that we have a problem. If there is one, the customer looks for a way. Then you realise how many contact channels you have, some of which were not intended for this purpose. IT problems can usually be found and solved quickly. It becomes more difficult with failures of other companies. External business failures during the Corona period or the insolvency of a travel provider are examples here, where many customers with personal and financial concerns contact you via several channels and payment processes have to be checked at short notice. Then speed and good networking of the information channels within the company as well as to other third-party service providers is crucial. We still have homework to do here. We have to ensure the flow of information around the customer in such a way that we can give him satisfactory feedback at short notice.

Meyer: One example was the critical vulnerability called Log4Shell in the widely used Java logging library Log4j, which became known at the beginning of December. Through this vulnerability, attackers were able to execute arbitrary code. Together with our IT provider, we deployed crisis teams, used vulnerability scanning tools immediately and effectively, and where necessary, applied the appropriate security patches within a very short time.

Publication: For the good of all – Why standards are so important

gi-Geldinstitute published “For the good of all – Why standards are so important”, a plea for future-oriented minimum standards in the CIT industry, underlining Prosegur’s frontrunner role as a resilient infrastructure provider in the security and cash management industry.

Find Original in German HERE. Translation generated with deepL.com

A plea for future-oriented minimum standards in the CIT industry. The neighbouring banking industry (whose members are often the customers of CIT companies) is already protected by standards such as MaRisk and BAIT. However, cash-in-transit companies that work closely with their customers (banks) have lower standards in IT, even though the industry is becoming increasingly digitalised. Prosegur argues for higher standards across the CIT industry.

Emeritus professor of literature Hans-Dieter Gelfert, who has spent many years researching German, British and American mentalities, expressed in an interview with Deutsche Welle that the orderly society of modern Germany has a long genesis. “Order is one of the sacred words in Germany, and that has something to do with the German emphasis on security as opposed to freedom,” he said. “For the last thousand years, security has always been the supreme value and order is a mainstay of security.” Part of Germany’s success is built on norms. It is not without reason that the encyclopaedia “Brands of the Century” lists more than 200 German brands such as Hipp or Tempo as examples of entire product categories. The entire title is: “German Standards – Brands of the Century”. Aha, standards then – a coincidence?

Without rules, norms or minimum standards, a modern society would be almost inconceivable. They structure, make things comparable and act as a control mechanism. Cultural imprints and regional differences come into play in their design. For example, many an EU citizen groans about the General Data Protection Regulation when a form has to be filled out for consent to the use of personal data. On the other side of the Atlantic, people certainly pay respect to the GDPR for the standards it sets. Standards that reflect the values of an enlightened Europe.

Own rules in the business world

Beyond social norms and local legislation, there are other rules in the business world. There is hardly an industry that has not already given itself a catalogue of minimum standards. This is an advantage for many, because the complexity on the supply side is often reduced for those asking. But the question must be allowed whether minimum standards are sufficient and whether they all focus on the well-being of customers and society. Too often the focus is on the providers. Yet there are standards that need to be established today in order to prepare for future challenges.

Prosegur is committed to more than minimum standards to position the entire industry for the future and to ensure society’s trust in this system-critical industry. An industry that does nothing less than ensure the unrestricted supply of central bank money to the population and the safe return of several million euros of cash income daily to the accounts of businesses to ensure their liquidity.

A look at the customer environment reveals that the related banking industry is leading the way: with MaRisk (Minimum Requirements for Risk Management) or BAIT (Bank Supervisory Requirements for IT), credit institutions have positioned themselves for the future. Since banks usually cooperate with a cash-in-transit company, it is only logical for Prosegur to apply these already existing requirements in an identical manner to its own business operations today and consequently to demand rapid implementation from all providers of cash and valuables transport.

All players operating in such an important part of our economic life must keep their eyes on the future and never cling to the status quo. Today, topics such as digitalisation and environmental protection naturally belong in the programmes of sustainably oriented companies. Every organisation needs courage, creativity and a willingness to invest in finding a digital language for analogue solutions. This fact is of particular importance in the Corona pandemic, because it acts as an accelerator for the global digital transformation.

Politicians underlined that they have recognised this on 9 December 2020 with the BMI’s draft bill for a second law to increase the security of information technology systems. But even before the draft becomes law, the following applies to Prosegur: the further development of current standards, investment in sustainable technologies and personnel as well as in the certification of processes and models must absolutely be in the interest of every serious money and value service provider already today.

Resilience through standards and digitalisation

It is essential to arm oneself against all kinds of threat scenarios – known and new, present and future – and to become resilient against external shocks. To be resilient so that, as a critical infrastructure, citizens can access money even in crises or exceptional situations. And to offer support to other critical infrastructures to also become resilient in order to avert supply bottlenecks for the population in cooperation. Prosegur consistently pursues this maxim, among other things with the smart cash procedure, in which cash receipts, for example in the supermarket or pharmacy, are deposited in a smart safe, where they can be credited to the business account via Early Value. Independent of the physical collection of the money, the company can use it to do business. A lack of liquidity does not become a showstopper for supermarkets and pharmacies in times of crisis. They remain open and the supply of goods and medicines is maintained. In the impulse paper “Resilient pioneers from business and society” of the German Academy of Science and Engineering (acatech), Prosegur Smart Cash was presented in December 2020 as a resilient concept for success.

Standards create resilience. So what standards should the cash and cash-in-transit industry additionally orient itself to? In Prosegur’s opinion, the standards of the credit institutions with which the cash and valuables transport industry cooperates on a daily basis. Not only in terms of their own resilience, but also in order to be a true partner for customers with their very own challenges in the low and negative interest rate environment, in the digital transformation and in the climate crisis. Then the players in this industry not only transport, process and store values, they also embody them and prepare to take on even greater responsibility in the “cash cycle” value chain.

New ways – Artificial Intelligence in Cyber Security

Defense against cyber attacks through new technologies

Author: Jochen Werne – published by Der Bank-Blog – 15 February 2019

Cyber crime has long been a serious threat to business, politics and private individuals. New technologies based on the use of artificial intelligence might offer more security.

The fight against cyber threats has become significantly more complex for global government organisations, businesses, and individuals in recent years. Technical protection of IT systems and infrastructures and thus data security in the narrower sense are no longer the only issues. Companies, for example, need to address the much broader concept of information security.

Solutions based on artificial intelligence could prove helpful in the fight against cybercrime. According to a study by the IBM Institute for Business Value, the spread of intelligent, AI-based security solutions will increase significantly in the coming years.

Technical protective measures have long since been based on machine learning, for example, to identify spam or phishing e-mails or to record trends and anomalies in large amounts of data – both in data traffic within the corporate network and in its external connections.

AI systems for the identification of cyber attacks

In future, for example, systems might also be able to identify hidden channels in the corporate network through which cyber criminals attempt to acquire data. AI’s greatest strength, pattern recognition, enables automated detection of a wide range of anomalies and security incidents. For this purpose, however, AI-based systems must also learn to distinguish between common IT failures and cyber attacks. In addition, self-learning algorithms need to take internal corporate processes into account to come up with precise results.

In the near future, according to a forecast by Christian Nern, former Head of Security Software DACH at IBM Germany and today Partner at the consulting firm KPMG, AI-based security analysis systems will be able to detect and fend off attacks proactively. Then, according to the former IBM security software chief, the confrontation between cyber criminals and security officers could possibly take place directly between the AI systems they use.

Germany as a pioneer country

Germany, which considers itself a pioneer country in the fields of learning systems and artificial intelligence, has already launched a platform for artificial intelligence on this topic initiated by the Federal Ministry of Education and Research (BMBF): “Learning Systems”. The platform with its 200 members brings together leading experts from science, business and society and deals with technological, economic and social issues relating to the development and introduction of learning systems on an interdisciplinary and cross-sector basis.

One of the seven working groups deals in particular with IT security, privacy, law and ethics. The composition of the topics in this group shows the interwoven culture-specific discussions that will later lead to scenarios, recommendations, guidelines and roadmaps.

Intelligent combination of available modules

As is often the case with cyber security topics, there is no one-size-fits-all solution for the numerous questions and challenges. A company-wide risk management system, which establishes appropriate technical and organisational measures and also takes into account findings from psychology and cultural studies, seems to be a sensible way forward.

The right balance between security awareness and security, individual freedom paired with increased personal responsibility as well as support through technology and organisational structure is probably the most promising approach in the current state of research and technology to effectively meet the challenges for information and IT security.

Tradition meets modernity: Why more and more banks are relying on artificial intelligence

Artificial intelligence is finding its way into the highly regulated world of banking. And not only GAFA Silicon Valley high-tech companies see it as the technology of the future, but also FinTechs and established banks. How it came to this, what possibilities and limits there are at the moment and why humans will remain irreplaceable not only when it comes to money – the commentary

by Jochen Werne, innovation and transformation expert
Munich private bank Bankhaus August Lenz

Original published in German in the IT-Finanzmagazin (31 July 2018). Translation by DeepL

After “FinTech”, “Blockchain” and “Crypto”, “AI” is the new buzzword in the banking world. Whether chatbots in the digital customer center or self-learning algorithms for highly complex investment strategies are being discussed – the omnipresence of the term suggests that the integration of artificial intelligence into one’s own business model seems to be virtually vital.

Artificial intelligence and big data are currently the strongest and most vibrant innovation trends in the financial sector …

… was also one of the guiding principles of Prof. Joachim Wuermeling, board member of the Deutsche Bundesbank, in his speech on “Artificial Intelligence” at the second annual FinTech and Digital Innovation Conference in February 2018 in Brussels.

The choice of the conference venue, which like hardly any other city combines both a belief in progress and a deeply rooted European tradition, could hardly be more symbolic of the forthcoming change. In fact, the topic is by no means new: the development towards an increased use of so-called non-human intelligence is based on approaches from the 1940s – with the invention of the first computers.

Artificial intelligence: revolution as a reaction to mountains of data?

But what is now possible in times of exponential technologies is in fact nothing less than a revolution. The financial industry is sitting on a valuable mountain of data, the extent of which is currently difficult to estimate. The maturing AI systems would not only make the preparation and processing of this data easier, but also much more cost-effective, faster and more targeted. Data already collected could become the most valuable raw material and a resource due to the technological leaps in the field of AI, which, in combination with the enrichment of external, non-structured data, must be “usable” in a meaningful way.

The industry is asked to use private data in a sensitive way for the benefit of the customer – a goal that should certainly apply to all AI-based approaches.

Finding meaningful regulations for the handling of AI and for the effects of its use on society, the economy and thus on our life and the work of tomorrow is the task of politics. The fact that this topic is taken very seriously is evident not only in national initiatives such as the German Platform for Artificial Intelligence “Learning Systems”, but also in the European Artificial Intelligence shoulder-to-shoulder approach, which is being pushed forward by France and Germany.

“Digital hand holding” in the event of a financial crash is not enough

At present, it is still too early to say which operational areas of the financial world will sooner or later be supported – in part or even entirely – by the use of AI systems. However, the financial crises of the past have shown this time and again:

“Trust is crucial when it comes to money. Trust in the markets, the banking system and the human contact as an intermediary in a complex issue.”

However, the banking industry knows very well from its own experience how easy it is to lose customers’ trust. This is an experience that Mark Zuckerberg and Facebook recently also had in connection with the Cambridge Analytica scandal. As with every new technology and every new approach, the same applies to the topic of “intelligent” systems: a lot of trust, coupled with half-knowledge and a big dash of emotionality, results in a popular trend cocktail, which, however, bears a certain risk of headaches on the following day.

Jochen Werne

Jochen Werne is the authorized signatory responsible for Marketing, Business Development, Product Management, Treasury and Payment Services at Bankhaus August Lenz & Co. After two years as navigator of the sailing training ship ‘Gorch Fock’, the international marketing and banking specialist completed his studies as client coverage analyst at Bankers Trust Alex. Brown International and in Global Investment Banking at Deutsche Bank AG, he has worked on numerous projects in other European and American countries. In 2001, he joined Accenture as a Customer Relationship Management Expert in the Financial Services Division before joining Bankhaus August Lenz & Co. AG in Munich, where he has since been responsible for various areas of the institute. As part of the Innovation Leadership Team of the Mediolanum Banking Group, a member of the expert council of Management Circle and the IBM Banking Innovation Council, Jochen Werne is a keynote speaker at numerous banking and innovation conferences.

The Cultural Dimension of Cyber Threats

Country-specific aspects of cybercrime.

The number of cyber attacks on businesses, governments and individuals is increasing worldwide. The human being in his cultural environment is an important element. Different cultures seem to be associated with different susceptibilities.

by JOCHEN WERNE – Original published in German on January 18, 2019 at Der Bank-Blog – Translation with DeepL.com



In its annual management report “The Situation of IT Security in Germany 2018”, the Federal Office for Information Security records a threatening scenario: The number of cyber attacks on the federal government, German industry and private individuals is increasing at an alarming rate. Germany, in particular, is being massively targeted by criminal hackers.

One thing is certain: almost 90 percent of all cyber attacks have a criminal background. Approximately ten percent of all cyber attacks are caused by state cyber warriors. The goal of criminals is either to obtain personal data (account details, credit card numbers, passwords, etc.), to take over the computer for new attacks via a bot network, or to extort ransom money for releasing the computer again. The ransomware “WannaCry” is an equally prominent and frightening example of this. If state systems become the target of hackers, this usually results in sabotage, espionage and the spying out of trade secrets. The BSI discovered 800 million malicious programs for computer systems last year. In the previous year, the figure was 600 million – around 400,000 malware variants are added daily.

Cyber Security and the Human-Cultural Factor

The view must be directed to an important dimension of the human factor: The influence of different cultures on the handling of technology and in particular on the behaviour of individuals in the context of cyber security. Cultural peculiarities influence preferences, prejudices and behaviours. In his renowned book “The Culture Code”, anthropologist and marketing expert Dr. Clotaire Rapaille explores how members of different nationalities have developed very different codes for the image of products, companies or countries.

These findings come from client assignments in which Dr. Rapaille conducted extensive interviews with focus groups to identify cultural preferences, prejudices, idiosyncrasies and behaviors. In more in-depth analyses, a set of generalized psycho-cultural characteristics is then derived from representatives of the countries studied.

Country-specific aspects of cybercrime

This raises the question of what protective concepts and guidelines that take this background appropriately into account might look like. And what role do cultural and country-specific aspects play here, such as the famous “German Angst”, and corporate cultural aspects, such as the comparison of a classical hierarchical system versus Holacracy models, which have become increasingly en vogue in times of digital transformation?

Some concise examples from the findings of Dr. Rapaille: Americans define themselves strongly through their work. In this culture, professional activity largely determines the image of one’s own identity. Money matters in this culture as proof of diligence and success.

The author sees completely different meanings in European countries. In France, for example, work and money are regarded more as “necessary means to an end” – those who can afford it expect at least a certain amount of entertainment and comfort from their job there. According to Dr. Rapaille, quality and technical perfection play an important and in some cases even absolute role in Germany or Japan, while US-Americans, according to his analyses, in many cases content themselves with “It just works” and are even sceptical about excessive perfection.

The author recognizes the Germans’ tendency towards perfectionism, which is partly exaggerated from a foreign point of view, as decisive for the quality of “German Engineering” and the global economic success of the Germans in this field. Dr. Rapaille is convinced that US culture, on the other hand, is characterized by a widespread refusal to grow up, which in turn leads to a great competitive advantage in the field of innovation.

Conclusions for more cyber security

This raises the question of what the appropriate protection concepts are in an increasingly complex threat situation. A classic approach is the definition and enforcement of policies, both on a technical and organizational level, which are intended to guarantee compliance with security measures. The more hierarchical and authoritarian a corporate culture is, the more restrictive the corresponding guidelines usually become.

However, the approach of establishing security primarily through bans and restrictions on user freedoms has proven to be double-edged in practice. The more the possibilities of an individual user are restricted, the more this encourages the tendency to escape the corset of safety-related rules.

A typical consequence is the “Bring Your Own Device” (BYOD) problem with which many company IT departments have been confronted for years – if the functions and authorizations of their work equipment are too limited, users bring private end devices with them to the workplace. These are then often not integrated at all into the protection and security concepts of the company. If the BYOD escape route is also suppressed, such measures often result in a refusal attitude à la “The desired is not possible with the means available – if the IT department wants it that way, then this task cannot be solved”.

Flat hierarchies and personal responsibility as a solution?

Is the better way, then, in holacracy models, in flat hierarchies, or in “loose reins” in terms of security and a strengthening of employees’ personal responsibility?

For the reasons derived in the preceding sections, this approach is by no means a guarantee for higher IT and information security. A healthy middle course could lie in adequate risk management. Technical and organisational security measures take into account the hazard level of specific data and applications. Sensitive areas and particularly sensitive data are subject to more stringent security measures; business areas or processes with less sensitivity are also protected, but employees are assigned a higher degree of personal responsibility there. All protective measures take into account the above-mentioned psychological and cultural-historical findings.