Developing a Conceptual Model for Applying the Principles of Crisis Management for Risk Reduction on Electronic Banking

Despite the many benefits of e-banking for customers, operators and bank managers, e-banking activities are associated with several types of risk. It is therefore essential to manage e-banking risks using risk reduction techniques such as crisis management. The main aim of the present research is to apply the principles of crisis management to risk reduction in e-banking. In the first stage, the major risks associated with e-banking, including security, provisional, operational, reputational, legal and strategic risks, were identified; in the second stage, a conceptual model was developed for applying crisis management countermeasures to reduce the risks of electronic banking activities. The proposed conceptual model was validated by analyzing completed questionnaires designed for this purpose. In addition to confirming the conceptual model, the results revealed that the principles of crisis management can be applied to reduce the risks associated with e-banking activities for both customer relations and internal transactions.


Introduction
An efficient banking system is essential for entering and maintaining an active presence in global markets and for taking part in a great deal of e-commerce activity. E-commerce can provide financial interactions for both domestic and foreign customers, as well as with other advanced banks around the world. Moving from manual to fully computerized processing and increasing processing capacity have increased the risk involved, which is the most worrying concern of those active in banking. This becomes more important as the use of electronic systems in financial and credit institutions expands rapidly [1] and the number of users of electronic banking services increases day by day. The growing number of users is both an opportunity and a threat for banks, so it is necessary to conduct research on e-banking and the risks that could interfere with this system in order to identify the types of existing risks. Since risk may have negative impacts on capital or bank revenues, the conceptual model of this research has been developed to apply the principles of crisis management to reduce the risks of electronic banking.

Electronic Banking and Risks
Electronic banking gives customers access to banking services through secure and convenient means without physical presence in the bank. Users of this system carry out financial operations without spending time and money at the bank [2]. Electronic banking branches include internet banking, mobile banking, telephone banking, ATM-based banking, e-banking, and bank card-based banking [3]. Risk in any kind of event is very important because it may have negative effects on capital and bank revenues [4]. There are many risks in e-banking, most notably security risk, privacy risk, operational risk, reputational risk, legal risk and strategic risk, but the origin of risk is a lack of confidence that is always present throughout the life of the organization. So it is clear that risk cannot be completely eliminated, but it can be reduced to prospect, or managed and guided properly. Since risk is uncertainly measurable [5], it is inherent in banking activities and it is virtually impossible to eliminate the risk of banking operations [6].
Security risk: Security risk is presented as unauthorized access to bank information such as the account system, risk management system, and so on. A breach of security can result in a direct loss of funds for the bank. For example, hackers can do business over the Internet, access and use confidential customer information, and replicate viruses. The result is the loss of information, theft of or tampering with customer information, and the disabling of an important part of the bank's internal computer system, which leads to service disruption, repair costs, etc. [7].
Privacy risk: Privacy refers to the protection of personal information [8]. Privacy can also be defined as the customer's perception of the organization's ability to monitor and control customer information. One of the major obstacles to electronic trading is consumers' frustration and disappointment over privacy. Consumers are concerned that the bank may place its customers' profiles as information and attempt to sell more products to other companies. In addition, the security and privacy of customers are the most important challenges for the future of the bank. Maintaining personal information such as account numbers, passwords and transaction information is defined as the privacy of the customer. Failure to maintain this information is an important concern for e-banking. In fact, privacy in electronic banking is the ability of banks to monitor and control information from the customer's perspective. Sometimes, customers have a positive perception of giving information that banks are trusted [9,10].
Operational risk: Operational risk, as a trading risk, is the most common type of risk associated with Internet banking. It results from inappropriate processing of transactions, nonperformance of contracts, system failures, compromised data integrity, lack of privacy and confidentiality, unauthorized access, penetration into banking and transaction systems, and so on. These risks can be due to weaknesses in the design, implementation, and monitoring of bank information systems. In addition to technological deficiencies, human factors such as negligence by customers and employees, fraudulent activities of employees, and crackers and hackers can be a potential source of operational risk. There is often only a subtle difference between operational risk and security risk, and the two terms are used interchangeably [7].
Reputational risk: The Internet allows quick dissemination of information, which gives rise to what is known as reputation or credit risk. Any incident is quickly reflected on the Internet and comes to the attention of many users or people. The speed of the Internet significantly reduces the response time not only for banks but also for users. Banks need to make sure that their crisis management processes are able to deal with Internet-related events. Reputational risk can occur when systems or products do not work securely as expected, resulting in a widespread negative reaction. Reputation risk may also be created in cases where customers have not been given sufficient information about the use of the product. If there is a disturbance in access to the customer account, the bank faces a reputation risk. The risk of a hacker attacking the site and infiltrating its information also poses a risk to reputation. Reputation risk does not threaten only a specific bank; it is a threat to the entire banking system. If one of the banks faces a reputation risk, it also threatens other banks, and the general security of banking systems is questioned [11,12].
Legal risk: Legal risk is the risk that arises from regulatory uncertainty in electronic money transfers due to the problem of identifying the location of an electronic company [11]. Due to the new nature of Internet banking, rights and obligations are unclear in some cases, and the use of unclear or obscure laws and regulations results in legal risk. Other sources of legal risk are uncertainty about the validity of some agreements made through electronic media, customer rights, and privacy protections. A customer who is not adequately informed about the bank's rights and regulations may not have taken the necessary precautions in using Internet banking services and products, which could lead to problems in transactions, unexpected bank charges, or other common penalties [7].
Strategic risk: This risk is related to the introduction of a new product or service in the electronic banking system. Misconceptions about the costs of developing operations or creating new operations and a lack of adequate staff to support operations are among the factors that contribute to this risk [13]. Electronic banking services should be consistent with the bank's financial strategy. A strategic vision should determine how to design, deploy, check, and control e-banking products. Bank officials should have an outlook for an e-banking program. Electronic banking requires strategic planning and evaluation by the management group as current banking services to expand into a new economic or geographic field. Poor planning and investment decisions in e-banking can increase the strategic risk of banks and financial institutions [7].

Crisis Management
Crisis management has always been an important concern for organizations in competitive markets and for governments dealing with disasters. A crisis, event, or incident has a natural, technical or social cause and unforeseen consequences such as destruction or chaos. With the increasing number and complexity of risks, this focus has been increasingly predicted to prepare for the coping phase in the crisis management cycle, and governments and organizations make efforts to minimize the effects of these phenomena with the necessary measures. The well-known planning and crisis preparedness approach, in the form of crisis management design, is of great interest and attempts to reduce financial risks through preventive design [14,15]. Crisis management is defined as a systematic process in which the organization tries to identify and predict potential crises and then takes preventive measures against them in order to minimize their impact. As shown in Figure 1, the three-stage model of crisis management is a comprehensive framework. This model consists of three steps: before the crisis, during it, and after it. The pre-crisis phase includes all measures to prevent the crisis; the crisis stage covers the steps taken to respond to the crisis; and the post-crisis phase includes ensuring the security of the organization and learning from the event in order to prevent its recurrence [16,17].

Vision
The electronic banking system is one of the essential tools for the realization and expansion of e-commerce; the use of electronic systems in financial and credit institutions is growing, and the number of users of e-banking services is on the rise around the world. Since this process is both an opportunity and a threat for banks, and given the importance of the issue, it is essential that more research be conducted on e-banking and the risks that could disrupt the system. Identifying the types of e-banking risks and applying the principles of crisis management as effective solutions to reduce them are the main viewpoints of this study. Previous research works have identified e-banking risks and proposed methods to mitigate them in accordance with the recommendations of the Banking Supervision Committee.
In the present study, after explaining the most important risk components of electronic banking and finding ways to reduce these risks, the principles of crisis management are used to assign each of the risk reduction methods to one of three stages: before the occurrence of a risk crisis, during it, and after it. The relationships between the principles of crisis management and risk reduction methods have been investigated, along with the ways in which e-banking risk reduction is applied in each crisis management stage.

Research Methodology
In this research, the e-banking risk components, including security, privacy, operational, reputational, legal and strategic risk, have been identified. Then, for each identified risk, methods and strategies for coping with and reducing it are determined based on a combination of the principles of crisis and risk management. By assessing and evaluating the risk strategies, a conceptual model is presented based on the classification of risk reduction methods, in which the risk domain and its associated strategies are presented. At the final stage, a questionnaire has been developed based on a five-point Likert scale to assess the viewpoints of experts, managers and bank experts. The average of the answers provided by the experts is compared to the numerical average of 3 (µ=3), and the final conclusion is then drawn. All research steps are depicted in Figure 2.

Developing Conceptual Model
This model is presented after evaluating risk strategies based on the classification of risk reduction methods, in which the risk domain and its associated strategies are presented. In this model, risk reduction strategies are presented for each identified risk and classified into three steps: before, during and after the occurrence of risk. Security risk, which is presented as unauthorized access to essential bank information such as the account system, risk management system, etc., includes types of fraud committed through electronic communications and electronic banking. Before it happens, solutions such as the use of the SSL protocol, checking for HTTPS at the payment site, and authentication of the server and the user are used; during the occurrence of this kind of risk, a strong firewall and anti-phishing are used; and after the occurrence, to manage the security risk crisis, the code and Internet password are changed. The principles of crisis management for operational risk in the pre-risk period are to improve service quality and recruit skilled people in electronic banking. During the occurrence of risk, a monitoring system is used during data entry, processing, and withdrawal of information; after operational risk occurs, fines are applied for the damage caused by making a wrong file, and more security factors are added. All strategies for reducing each risk in the conceptual model of the present study are classified in Table 1. In this table, each suggestion is listed next to its code and the relevant cited reference, if any.

Model Validation
One of the well-known ways to assess the validity of conceptual models is to conduct a questionnaire. The purpose of the questionnaire designed for this research is to evaluate and validate each of the proposed solutions for risk reduction in electronic banking. The questionnaire, which includes 28 questions related to risk reduction strategy, is based on a five-choice Likert scale and was filled out by 38 experts, managers and other employees of state and private banks in the northern Iranian province of Guilan. The average of the answers provided by the experts on the Likert scale is compared with the mean value of 3, and the final conclusion is then drawn. The questionnaire designed for this research is shown in Appendix (A). As can be observed, 28 statements are set up to assess the reliability of risk reduction strategies, so the well-known criterion of Cronbach's alpha coefficient is used to determine the approved and acceptable strategies using equation 1.

Questionnaire
After developing the conceptual model, which includes the crisis management stages and, within each stage, the risk management methods, a questionnaire was designed to evaluate and validate the model; each strategy is inserted in the questionnaire as a question related to the risk reduction strategy. For example, security risk is a type of risk that can be managed in the pre-crisis stage: using the SSL and HTTPS protocols can reduce the security risk in electronic banking. To validate this suggestion, one question was designed as "The use of the SSL and HTTPS protocols at the Internet Banking Paid provides privacy protection". Experts gave their opinions on a Likert scale, and the data collected from all experts' opinions were used to decide clearly whether the suggestion is suitable to apply or not. The other questions, designed for all connections in the conceptual model, are shown in Appendix (1). The well-known Cronbach's alpha coefficient is used for questionnaire validation, calculated by equation (1), where, k is the number of questions, variance related to the answers to the question i from the question k and is the total variance of the questionnaire responses for each sample. An alpha coefficient of more than 0.7 means that all questions are reliable for collecting data for research purposes [23]. According to the alpha coefficient, this questionnaire has strong reliability: in this research, a Cronbach's alpha value of 0.83 was obtained with 28 statements. After gathering all answers from the completed questionnaires, the average and variance were calculated for each column, containing one proposition and 38 respondent samples.

Checking Model Validation
A single-sample T test is based on a comparison with the mean and standard deviation, performed on a small set of data. The T test is obtained by equation 2, where X is the mean value, µ is the basis of the survey, δ is the standard deviation and n is the sample number. Since the 5-point Likert scale was used in the questionnaire, the test value is taken as µ=3.
For testing and validation, the T test value for one of the risk reduction strategies, the solution of using the SSL and HTTPS protocols in an Internet Banking payment portal to protect privacy, is evaluated as follows. The solution was answered in 38 questionnaires with a mean value of 4.42 and a standard deviation of 0.59. The variance is estimated to be 0.35, the T statistic derived from equation 2 is 14.63, and a significance level of zero is obtained. Since this value is less than 0.05, the suggestion is accepted or approved. The other suggestions are treated in the same way, and the final result and the values obtained for each suggestion are tabulated in Table 3. The results revealed that the proposed suggestions for risk reduction have been approved in the form of crisis management. Considering the 95% confidence interval, suggestions with a p-value of more than 0.05 have not been approved. So, according to Table 3, the solutions "Use anti-spyware and anti-phishing to control fraud" and "Hiding the terms and conditions of the banks, the rights of obligations between the organizations and customers" have not been approved, and the other suggestions can be considered to reduce the risk in e-banking activities.
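
The reliability and significance checks described in the Questionnaire and Checking Model Validation sections can be reproduced as follows. This is an added example, not code from the paper: it assumes the standard textbook forms of Cronbach's alpha and the one-sample t statistic (equations 1 and 2 are not shown on the page), a two-sided test, and a small constructed response matrix. With the rounded summary figures quoted above (mean 4.42, standard deviation 0.59, n = 38) it yields a t value of about 14.84, close to but not identical to the reported 14.63.

```python
# Added example (not the paper's code). Formulas are the standard textbook
# forms, assumed here because the page's equations 1 and 2 are not shown.
import math
from statistics import variance  # sample variance (n - 1 denominator)

# Constructed sample: 4 respondents x 3 Likert questions (not the paper's data).
CONSTRUCTED_RESPONSES = [
    [5, 4, 5],
    [4, 4, 4],
    [3, 2, 3],
    [4, 3, 4],
]


def cronbach_alpha(responses):
    """responses: one row per respondent, one Likert score per question."""
    k = len(responses[0])
    if k < 2 or len(responses) < 2:
        raise ValueError("need at least 2 questions and 2 respondents")
    item_vars = [variance(col) for col in zip(*responses)]
    total_var = variance([sum(row) for row in responses])
    if total_var == 0:
        raise ValueError("total score has zero variance; alpha is undefined")
    return k / (k - 1) * (1 - sum(item_vars) / total_var)


def t_statistic(sample_mean, mu, sd, n):
    """One-sample t: distance of the mean from mu in standard-error units."""
    return (sample_mean - mu) / (sd / math.sqrt(n))


def _t_pdf(x, df):
    # Student t density, computed in log space to stay stable for large df.
    log_c = (math.lgamma((df + 1) / 2) - math.lgamma(df / 2)
             - 0.5 * math.log(df * math.pi))
    return math.exp(log_c - (df + 1) / 2 * math.log1p(x * x / df))


def two_sided_p(t, df, steps=2000):
    """Two-sided p-value via Simpson's rule on the t density over [0, |t|]."""
    b = abs(t)
    if b == 0:
        return 1.0
    h = b / steps
    s = _t_pdf(0.0, df) + _t_pdf(b, df)
    for i in range(1, steps):
        s += (4 if i % 2 else 2) * _t_pdf(i * h, df)
    # Clamp: for very large |t| rounding can push the result just below 0.
    return max(0.0, 1.0 - 2.0 * s * h / 3.0)


def evaluate(sample_mean, sd, n, mu=3.0, level=0.05):
    """Return (t, p, approved) using the page's rule: approve if p < 0.05."""
    t = t_statistic(sample_mean, mu, sd, n)
    p = two_sided_p(t, n - 1)
    return t, p, p < level


if __name__ == "__main__":
    print("alpha (constructed data):", round(cronbach_alpha(CONSTRUCTED_RESPONSES), 3))
    # Summary figures quoted on the page for the SSL/HTTPS question.
    print("SSL/HTTPS item:", evaluate(4.42, 0.59, 38))
    # Constructed item whose mean sits close to the neutral value 3.
    print("near-neutral item:", evaluate(3.1, 0.9, 38))
```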

Summary and Conclusion
In this research, risk reduction methods for electronic banking have been investigated. Following the proposed conceptual model, each suggestion for risk reduction is adapted to the principles of crisis management, which include the pre-crisis stage, the stage during the risk crisis, and the stage after it. For each risk, a suggestion is considered which should be applied to reduce the corresponding risk. In order to check the validity of the conceptual model, a questionnaire has been designed in which each strategy, as a proposition related to the risk reduction step, is connected to a specific question. The conceptual model has been validated after gathering the data from questionnaires filled out by experts, managers and banking staff. Statistical analysis was performed using the T test: for each risk-related suggestion, the T test and the significance level have been calculated, and the corresponding suggestion is approved if the significance level is smaller than 0.05. In general, the results show a positive attitude towards the proposed risk reduction strategies, which means that risk can be better managed across e-banking activities. For further studies in this field, researchers are recommended to study the following topics: a) This model provides risk mitigation strategies in e-banking according to the principles of crisis management. It is possible to check suggestions related to customers and e-banking staff in two distinct parts as a new conceptual model. b) Each suggestion presented in the conceptual model of this research may be a costly activity for both organization and bank. It is recommended to investigate the suggestions considering their operating costs.

Appendix: Questionnaire
This questionnaire is designed to assess the security status of electronic banking systems and e-banking risk reduction methods in Internet, mobile, Internet-based payment portals, ATM terminals, and e-commerce card readers. For each of the risks of e-banking, risk reduction strategies are presented in the following questionnaire as a proposition related to the risk reduction strategy. By filling out the questionnaire by experts, senior executives, employees and banking experts, each of the solutions is validated.

Appendix A. Questionnaire designed to validate conceptual model using Likert five-scale rates.

Columns: Code(s); Question associated with the risk reduction strategy; response (Quite agree, Agree, Somewhat, Disagree, Totally disagree).

1: The use of the SSL and HTTPS protocols at the Internet Banking Paid provides privacy protection.
1: To identify a bank's primary site and a fraudulent site, the actual address of the bank's site in the browser's address bar must be HTTPS.
2, 3: Using multiple authentication (such as passwords, biometric methods, such as electronic signatures or fingerprints) makes more security when entering and doing transactions.
4: To reduce the risk of ATMs, anti-skimming and camera installation are effective.
3: To authenticate the e-banking user, alert via SMS or e-mail, and two-step verification during the transaction is necessary.
16, 17, 23: Banks use intrusion detection systems and identify unauthorized activities for greater security.
24, 25: Banks use logging and event logging systems and systematically inspect information to discover suspicious transactions.
5, 6: Implementing the ISMS Information Security System to secure the data exchange environment in banks and enforce PCI rules, DSS is essential for the security of payment cards.
7, 10, 15: For data entry, processing and deletion of information in the bank, there is a monitoring system and access to the attacker or hacker is blocked by the firewall.
8: Anti-spyware and Anti-phishing are not very effective in preventing and controlling phishing scams (fake sites).
11: After the occurrence of risk, changing the password of the card and the Internet code does not have an effect on reducing the risk of electronic banking.
12: The secure credit card security SET protocol ensures that the order information is securely transmitted between the different parts over the Internet.
13, 14: Information about e-banking rules and the privacy of online banking customers is announced in the Bank's quality policy.
26: For losses caused by making a wrong file by a bank employee, it's best to consider a fine.
27, 28, 33: After the risk, adding more security factors and gaining more experience and financial power will be useless.
9, 19, 20: E-banking staffs are given training and skilled people are hired in e-banking.
18, 32: Increasing Service Quality Guarantee (SLA), a legal contract between the service provider and the service provider, is not affected by the reduction of electronic banking risk to ensure quality service parameters.
28, 29: Privacy safeguards customers' confidence in e-banking. Maintaining personal information such as account numbers, ciphers and transaction information is part of the customer's privacy.
21: The development of ATMs, the development of telecommunications networks, the level of technology used in credit cards, periodic reviews of individuals in key posts, the classification of sensitive data and limited access of employees to reduce the operational risk of electronic banking.
22: Internal control, the ability to track transactions, control the opening, change and close an account by the customer, and control the issuance of permission to enter customers into the electronic banking system (credential validation) has little effect on the reduction of operational risk.
36: It is not necessary to identify information security policies for all personnel in banking systems.
34: From risk reduction strategies, there is a possibility for customers to receive damages if they are unable to meet their financial obligations.
37: The transparency of the rules, the creation of a reference base for RRD rules, the resolution of ambiguities, and the revision of the laws related to electronic banking, are not considered as risk reduction methods for e-banking.
38: In order to protect banks against reputational, legal and commercial risks, electronic banking services should not be performed on a regular basis in accordance with customer expectations.
30, 31: To reduce the risk of e-banking, things like high information security, customer privacy, and full customer information about e-banking services are being used.
35, 39: To avoid legal issues, banks need to hide the terms and conditions, related rights, and obligations between their organizations and their customers who use e-banking.
41, 42: Identifying customer needs and the adequacy of information management systems to track the function and profitability of e-banking is one of the appropriate strategies before the occurrence of risk.
40, 43, 44: After the occurrence of risk, changes to the laws and regulations affect the capacity of electronic banking and the creation of a group for the investigation of new electronic services.