OPTIMAL ONLINE BANKING SECURITY CONFIGURATION UNDER BURDEN OF PROOF

Transcription

1 Association for Inforation Systes AIS Electronic Library (AISeL) ICIS Proceedings International Conference on Inforation Systes (ICIS) OPTIMAL ONLINE BANKING SECURITY CONFIGURATION UNDER BURDEN OF PROOF Myunsoo Ki KAIST Business School, Byungtae Lee KAIST Business School, Follow this and additional works at: Recoended Citation Ki, Myunsoo and Lee, Byungtae, "OPTIMAL ONLINE BANKING SECURITY CONFIGURATION UNDER BURDEN OF PROOF" (). ICIS Proceedings This aterial is brought to you by the International Conference on Inforation Systes (ICIS) at AIS Electronic Library (AISeL). It has been accepted for inclusion in ICIS Proceedings by an authorized adinistrator of AIS Electronic Library (AISeL). For ore inforation, please contact

2 OPTIMAL ONLINE BANKING SECURITY CONFIGURATION UNDER BURDEN OF PROOF Copleted Research Paper Myunsoo Ki KAIST Business School 87 Huegiro Dongdaeoon-gu Seoul, Korea Byungtae Lee KAIST Business School 87 Huegiro Dongdaeoon-gu Seoul, Korea Abstract Against the threat of online banking theft, governents are iposing two different types of legal schees: strict liability and negligence. Countries like the U.S. are iposing strict liability on online banking transactions to ensure that service providers like banks take ore care. However, under strict liability banks does not provide adequate client security easures. Countries like Korea are iposing burden of proof on online banking transactions to ensure that general public take ore care and reduce burden of accident prevention on banks. However, under burden of proof service providers are developing and providing excessive nuber of client security easures for their users. In each legal regie online banking security configurations are not consistent with the original intention of the related liability schee. This paper investigates using icroeconoic odels how unique characteristics of inforation technology changed traditional working echanis of the liability schee with icroeconoic odels and it also provides practical iplications for anagers. Keywords: Online banking, security, burden of proof, strict liability, inforation technology Thirty First International Conference on Inforation Systes, St. Louis

3 IS Security and Privacy Introduction Inforation and counication technology enables everyday online banking transactions. With a personal coputer hooked up to the internet, anybody can ake oney transactions whenever and wherever they are. This new oney transaction ethod, i.e. online banking, is popular and its use is increasing. The total nuber of active online banking custoers reached 47 illion in the U.S. in 8, and additionally ore than 3% of all banking transactions were internet based. However, there exists a downside of online banking. Online theft is also draatically increasing, with a total of 656 cases as of the end of 8. It showed an increase of 47% in the US in 7. And the threat of online theft is recognized as a ajor barrier to online banking adoption (Suh and Han, ). A cyber thief will try to break or fool installed security easures and transfer an innocent user s oney to the thief s account so he ight withdraw it as cash. One of the ost popular ethods is called stolen identity. A thief will install key-logging software on the victi s personal coputer, which records every key stroke the victi enters in his/her coputer including online banking passwords, and send that inforation to a designated location (ost probably the thief s coputer). Then, the thief will receive the victi s online banking password and using this inforation he/she can log into the online banking syste with the stolen identity, and will be able to transfer the victi s oney into his/her own account. Unlike old ATM systes based on host-terinal architecture, new online banking is ostly based on the serverclient architecture. A personal device and an internet connection are essential to online banking transactions. The bank s coputer is working as a server and all users personal units are working as clients, and both server and clients are connected via internet. A cyber thief can attack either server or client, or even both. A bank, which is generally a large organization, usually hires proper security experts to deal with such attacks. Unfortunately, when it coes to the client situation, properly aintained security is not easily achieved. To protect a client s personal coputer, a proper set of security easures is needed. Such security easures include anti-keylogger progras, digital signage encryption ethods, one-tie passwords and otherwise siilar ethods. However, developing and applying such security easures needs a lot of coputer related experience, and the general online banking users do not have such extensive knowledge about coputer security. Users are not in a good position to identify which security easures are needed, let alone developing the. Hence, the general user s client personal coputer is an easy target, and for such reasons is often targeted by online banking thieves (Beak, 6). Coputer scientists have researched the subject of how to iprove the client personal coputer s protection (Claessens, ) and any business related papers brought up its ipact on business strategy (White, 8). However, very few have looked the legal side effects and their related iplications. Since a user owned personal coputer is essential for online banking, a siple question ust be answered: who is responsible for the daage if an attack on the client s personal coputer was successful? The law ust be involved to answer such a question. There are two different liability schees that are applicable to the atter: strict liability and negligence. Soe countries like the United States (regie hereafter) ipose a strict liability schee (i.e. product liability) in which a bank will iediately copensate the victi for any daage caused by electronic transactions 3. The idea of strict liability is that a fir is in a better position to prevent accidents (Cooter, 4). Therefore it is cheaper if the fir ebraces all the responsibility and reduces the cost fro it by according to the econoy of scale. A good exaple would be a lawnower equipped with a safety handle. It is obviously cheaper if the safety handle is ass produced by the production copany itself, than if every custoer akes their own safety handle in their own garage. Under strict liability, banks should receive ore incentives for developing and providing client security easures, as they have full responsibility. On the other hand, in countries like the Republic of Korea (regie hereafter), in order for a custoer to get proper reiburseent fro any fraudulent transaction, the related law requires proof that the user was not grossly negligent during the online banking transaction 4. This is a typical negligence liability schee and is based on the idea that coscore State of Online Banking. Identity Theft Resource Center, 9. 3 Federal Reserve Board s Regulation E: 4 Korean electronic coerce law, article 9 Thirty First International Conference on Inforation Systes, St. Louis

4 Ki & Lee / Security Configuration under Burden of Proof both parties (in this case, the user and the bank) ust take appropriate care to prevent any accidents (Cooter, 4). A good exaple would be a traffic accident. Any involved party should have been careful to prevent an accident. If anyone of these parties cannot prove that it took proper care, then that party ust bear full responsibility for the entire daage of the accident. A bank in regie has a relatively better chance to escape fro liabilities than a bank in regie. This should lead to relatively less strict prevention easures on the bank side and to an increased level of care on the user s side, which inevitably leads to increased cost requireents to the user. It is very interesting that banks do not see to fulfill the obligations expected fro each liability schee. Banks in regie do not explicitly provide any viable client security easures, for there are worries such as as soe consuers are finding out the hard way, only a usernae and password stands between criinals and their hardearned oney. 5 In regie there are ongoing debates about excessive client side security easures that are required for a siple online transaction ost websites require at least 4 preinstalled security easures. 6 The strict liability schee in regie should have forced banks to protect their clients personal coputers ore aggressively, however currently virtually no client security easures are provided. Also the negligence liability schee in regie should have the effect of urging online banking users to take additional care, and of reducing the burden of responsibility fro the banks. However banks are providing too any client security easures than the users want. Noral technological or traditional law and econoics perspectives are not enough to fully explain such a seeingly contradictory phenoenon. We suspect that the unique characteristics fro inforation technology, such as client-server architecture, software, and the internet have distorted the original intent of those legal schees. Considering characteristics of inforation technology, we will explain this seeingly contradictory phenoenon with a siple icroeconoics odel. Another issue is blae shifting. There is an ongoing debate that software copanies and online service providers tend to shift the blae to internet users as a last resort. They either force users to take full responsibility through End User License Agreeents or let the handle sensitive processes for theselves (Anderson, 994). Anderson suggested that liability can be transferred to a 3 rd party or even to the custoers. For exaple, a software vendor could provide their latest upgrade to internet users without any charge, and the user would only have to download and install it. Or the vendor could provide it for a substantial fee. Most users save oney by installing the upgrades theselves and in doing so lose uch of their rights to sue the vendor if their files get corrupted. If we apply the idea of blae shifting to online banking, a bank in regie could hide its intention of shift blaing by disguising it as a good will: You will becoe safer with our newly developed client security easure. The bank faces the choice of how to shift blae and how uch security is optial for the. We will provide a odel to explain under what conditions the bank will shift blae to its users. For this end, the following specific research questions are addressed. The first research question is: Why were online banking security configurations developed in the opposite directions that were intended in each legal schea? The client security easures in online banking are not being configured as the legal schee intended. We will show that characteristics of inforation technology have caused banks to deviate fro what laws and econoics odels suggest, and this has resulted in unintended security configurations. Second: under what conditions will banks try to shift blae to their custoers via client security easures? In regie, banks and governents are continuously increasing andatory client security easures for online banking transactions, for the users own safety. However, we will show that under the negligence liability schee which involves burden of proof that the bank has enough incentives to provide ore client security easures than the users actually want, if those client security easures create enough burden of proof assigned to its users. The final research question is: Can a bank of one legal schee use strategies fro banks of the other legal schee? Banks under different legal schees are using totally different strategies that see to be incopatible. With our suggested odel and iplications, anagers can identify the relative copetitiveness and utilize it in different liability schees. In section, we will review previous studies and define how we will take our approach to address the aforeentioned research questions. In section 3, we present a basic odel to describe client security easures and their legal side effects in the case of regie, which explain why banks are reluctant to provide client security easures under strict liability. In the ensuing section, we show that in regie, banks will ore aggressively 5 Bob Sullivan, Online bank fraud concerns consuers, MSNBC, 4. 6 Openweb suit, Thirty First International Conference on Inforation Systes, St. Louis 3

5 IS Security and Privacy provide client security easures that clearly differ fro regie. Finally in section 5, anagerial and policy iplications for banks and governents are discussed along with liitations and possible future research directions of this study. Literature Review There have been ongoing debates about changes fro negligence to strict liability or whether product liability is econoically efficient or not. Since 94, it is widely accepted that product liability is better when () anufacturers have arket power, which allows the to dictate unfair ters in warranties and underinvestent in product-safety technology, () anufacturers are better placed than consuers are to spread the losses fro product related injuries, (3) anufacturers are better placed than consuers are to iniize the losses fro product accidents by taking precaution and iproving technology (Cooter, 994). However, only after several decades, Priest (985) claied that first two of these preises are wrong. Therefore hasty oveent to enterprise liability ay be based on isled rationales. On the other hand, Landes and Posner (985) suggested that product liability is, in general, efficient. In online banking, attepts to steal a victi s identity are generally done using Trojan horses type alware. It is virtually ipossible to bring the creator of specific alware into the court. In fact, it is very hard to even identify which alware did the job for the thief. Moreover, with an econoic perspective, online theft or identity theft has significant effect on social diension (Singh, 6). Awe on online theft works as a barrier in online banking adoption (Suh and Han, ), for security issue is a ajor deterrent to user acceptance of online banking (Wang, 3). A disturbing report about why online banking users are not increasing as forecasted, points also at securities (White, 4). Although these studies linked security perforances and entry barriers for using online banking, it is still unclear how uch costs to users can be attributed to the lack of security perforances. In addition, who should take the burden or the risk, is still in debate. McCullagh (5) suggested a user ust weigh both risk of online theft and benefits fro convenience. In regie, as a bank s responsibility for this atter has draatically increased over the last few years, now there is a debate regarding its effectiveness fro econoic perspective (Jung, 5). Technologically there is also a critical issue regarding online privacy. Shuaila (3) suggested that in order to create e-trust in electronic banking, both parties ust be soehow infored of the history of transactions. However the ore the inforation goes through online, the ore increases the risk that online thefts ay take place (Caudill, ). This can be even trickier when dealing with international transactions, which involves different liability schees (Miller, ). Anderson (994) also suggested, in regie with strict liabilities, banks are offered fewer incentives to develop effective security easures, for they are not worthy. While in regie a user ust install nuerous client security easures already, banks and governent agencies suggest that users ust adopt ore security easures in order to prevent online theft. Although these studies aied on explaining risk and benefits of security easures, and responsibility of trading parties, it is still not clear what burden of proof or cost of care goes to who, or how those cost are created and transferred. These issues have been widely studied in legal reals but not specifically under inforation security context. In addition, we already explained that arket outcoes see to be grossly deviated fro what laws and econoic theories have suggested in liability schees for general trades. We try to fill this void. Furtherore, security easures are not the only things that evolve. Evolution in alware eans the law ust have ore technological insights. Due to increasing uses for stolen identities, and the recent revolution of botnet, Malware attacks on personal coputers are increasing ore than ever. If a alware operates in server coputers of banks, it would be a bank s proble. On the contrary, if a alware operates on the user s coputer, the issue becoes draatically coplex and unsettled. If we subscribe to product liability, users are certainly not in a better position to find out with what or how they should protect their own financial transactions and assets which lie in the bank server. This eans governent or banks ought to invest ore to reduce the user s burden, especially when strict liability is not applied. Baek (6) suggested that the Korean governent and banks ust adopt a new ethod to deal with this proble other than just increasing the aount of traditional security software. Clearly legal schees ay have strong influence how banks and governents should behave so that they also have ipact on banks profit and social welfare. The ensuing sections illustrate the. 4 Thirty First International Conference on Inforation Systes, St. Louis

6 Ki & Lee / Security Configuration under Burden of Proof Regie under Strict Liability Basic Model Law and econoics have suggested any icroeconoic odels on liability issues. We incorporate inforation technology characteristics into our odel based on the skeleton of those odels. A bank is providing online banking service for any users. Each user requires online oney transfer with a certain transaction size s, which is uniforly distributed over [, ]. A bank will receive a fixed fee f fro users for each transaction. The fee is set at the arket price. Any online transaction will face the threat of online theft, with probability of p, p. The thief steals the oney if the attack succeeds. Hence, without any post accident legal protection, a user s expected daage is p s. The probability of theft will be lowered if one or both parties take soe level of care to prevent the theft. Let p be the probability of theft with adequate security easures. Since we assue that those easures are soewhat effective, p is assued to be saller than p. Online banking is based on server-client architecture, both server and client ust be protected fro possible theft attepts. This is clearly different fro the old ATM syste which is based on host-terinal architecture. With the ATM syste, both host and terinal are under the bank s responsibility. However, with online banking, the client s coputer is under the user s responsibility and ownership. In order to achieve the lower probability of theft p, both user and bank ust exercise due care to protect the client and server, respectively. The required level of care to achieve p, should be the total su of both parties level of care. Now let x be the level of care for a user, then that of the bank is x. It is clear that both parties will try to shift the responsibility to each other under the assuption that additional care always incurs ore costs. However, a user is clearly in the worse position to decide the level of care, x. In online banking, the user s level of care can be translated to the nuber of software client security easures he or she uses to protect his/her own coputer. It is assued that each individual user is virtually unable to develop proper client security easures with their own eans, partially due to the lack of expertise or the lack of inforation on server-side progras 7. Hence, banks should deterine a set of security easures and enforce the. Higher security easures ay have software applications which ay be downloaded via internet with virtually no cost to banks in copying and distributing client security easures (Shapiro, 999). This eans that banks decide x and ake those available to its users. The online banking transaction will not work unless the user accepts the entire set of client security easures required by the bank. Unlike a typical tort situation of other physical goods, online banking users cannot decide their level of care. The user can only decide whether to use the recoended client security easure or not: take it or leave it. If a user decides not to accept the required client security easures, a user does online transaction with the higher probability of p Cost of Care Cost of care eans the cost incurred by taking a certain level of care. With online banking, a user ust install and activate provided client security easures. Installation requires waiting tie, activation also requires waiting tie and at least additional clicks even for the password, in soe cases even additional independent passwords. Tie and resources can be considered as the user s cost of care c, c, incurred by client security easures. The bank which we assue to be large enough to carry out appropriate easures already bought and aintains large scale coputer related security services. Hence the arginal cost of care for any additional transaction is negligible. And since we are focusing on relatively short ter behavior, the fixed cost is sunk and can be ignored. 7 The user can use coercial security easures fro 3 rd party security software vendors. However if the 3 rd party security easures are not certified by the bank, the user cannot be sure that they will work for the various kinds of online theft or not. Therefore, as long as the security easures fro the bank are free, there is no need to use uncertified security easure fro other sources. Thirty First International Conference on Inforation Systes, St. Louis 5

7 IS Security and Privacy Let s assue that the bank offers client security easures while other copetitors do not. Let s be the noralized transaction size of a typical custoer of the bank with security easures (i.e. s [, ]). A user can choose this bank or one without security easures. The expected profit functions with the bank and any other becoe () and () where f is the transaction fee at the copetitive arket price. u = f p s c () u = f p s () Obviously, the agnitude of c and the effectiveness of security easures decide the balance between the two cases. Hence, banks with security and without ay co-exist in the arket. However, in the following subsection we show that no bank will try to provide security easures first under a strict liability schee. Strict Liability In the case of Judd vs. Citibank (Anderson, 994, pp.6-7), Citibank claied that their syste was infallible, which the jury found out not to be true. Since then, for any U.S. custoer who loses oney over electronic transactions, the bank ust refund fully the losses fully inus $5. Reg-E, or the Federal Reserve Board s Regulation E 8 was established under the Electronic Funds Transfer Act of 979. This covers situations that any access devices such debit card or online banking password is lost, consuer liability is capped for $5 under the conditions that the custoer notifies the bank within two business days since he/she recognizes the lost. Consuers who notify the bank within 6 days have their liability capped at $5. After 6 days, any daage which occurred becoes the consuers' responsibility. On the other hand, if no access device is lost, and fraudulent charges ysteriously appear on a consuer's account, the liability clock begins when the bank notifies its custoer of the activity, usually through regular onthly stateents. Banks ust investigate disputed charges within days, and report results to the consuer within three days. Errors ust be fixed within one day. If the investigation cannot be copleted within days, banks ust issue a provisional credit to the consuer for the disputed aount, less $5. The user has no responsibility whatsoever to take preventative actions. Analysis Under strict liability, the bank will copensate any daage done to the user iediately and that banks are not required to achieve p because general public is already protected by unconditional post-accident copensation. This changes user s profit functions draatically. Now let us consider the case when our bank is trying to develop and provide client side security easures under strict liability. The liability schee is affecting all banks in the regie. We will ignore the refund fee since we are focusing on the user s cost induced by legal schea. Eq. () and eq. () becoes (3) and (4) respectively. u = f c = f (4) u No user will use the bank with client security easures (CSM) due to induced cost of care. And any bank ust pay all incurred daage to custoers. The bank which enforces CSM has its expected profit function: That of one without CSM is: b = f p sds = f p (5) b = f p sds = f p (6) (3) Thirty First International Conference on Inforation Systes, St. Louis

8 Ki & Lee / Security Configuration under Burden of Proof A siple noral for gae theory approach will show the above arguent ore clearly. Table. Bank s Profit under Strict Liability The bank / The other CSM No CSM CSM ( f p, f p ) (, f p ) No CSM ( f p,) ( f p, f p ) Note that the bank with CSM will not have any custoer in asyetric cases in this gae according to the aforeentioned result fro Equation (3) and (4). While players will be better off when both banks provide CSM and it is also socially ore desirable since p < p, no bank will try to do it first, because of possible breach. This is a typical prisoner s dilea working against social welfare, and only strong external incentives or regulations will solve this suboptial equilibriu. Proposition : Under strict liability, online banking users will not accept services involving client security easure due to incurred cost of care as long as there are other services without cost of care. Now under strict liability no bank will try to provide client security easures. We find that banks eploy other easures to itigate the risk such as liiting transaction size. As of 9, Citibank is restricting its size of transactions. 9 Doestic transactions are liited to $~$ per day. If we set axiu transaction size as a decision variable, it is easy to derive that the bank s profit is axiized when f s strict = (7) p Since bank s profit function is b = fs p zdz. And, Proof is in Appendix A. Regie under Burden of Proof s s strict < (8) Burden of Proof Regie invokes burden of proof, which usually states banks are strictly liable unless the victi was grossly negligent. Also, the definition of gross negligence follows the rule of one or both of the following conditions: the victi lent particular access devices, including passwords; or the victi did not protect access devices even if the victi knew the risk of breach. This type of liability schee is ore precisely categorized as strict liability with defense of contributory negligence (Cooter, 4). The service provider, in this case the bank, will be strictly liable except when the victi was negligent. Governent agencies insist that these conditions are only for extree cases 9 Citibank online: Korean electronic coerce law, article 9 Korean electronic coerce law enforceent ordinance, article 8 Thirty First International Conference on Inforation Systes, St. Louis 7

9 IS Security and Privacy therefore the burden of proof will be inial. Indeed, this condition changed fro negligence to gross negligence in the year 6, further lowering the burden of proof. Soe anecdotal evidence in regie shed light on how financial institutes behave differently under this condition. Despite the governent and consuer agencies efforts, Kookin Bank, one of the ajor Korean retail banks, never copensated any victi for online theft during the years 7 to 8 3. Kookin Bank has been waiting for the official police investigation. There has been only one reported case of actual copensation of the daage fro online thefts to the victis in Korea, by Korea Exchange Bank, another ajor retail bank. However, this bank claied we are not paying the victi because we are liable; we are paying because we value our custoers. 4 These delays or denials in victi copensation are clearly different fro regie cases. If strict liability is in effect, the victis get copensated alost iediately 5. At least, it is safe to say in regie, burden of proof for the victi of online theft is practically in effect. Such facts bring questions about exactly how high this burden of proof should be. It is obvious that online banking users with burden of proof have less protection fro theft daage. The governents will try to protect the general public by reducing the probability theft. Hence, there tends to be ore copliance requireents. For instance, in Korea (a typical case of regie ), online banking transactions require digital signage, a pre-assigned key-code and even one-tie-password (OTP) devices for larger transactions, in addition to basic anti-keylogger, anti-virus, anti-alware software. They are all required by laws. Hence, the lower probability of theft, p is soewhat iposed by society rather than an endogenous decision by the banks theselves. While it is possible for banks to optiize its probability level by adjusting investent levels on server side security easures, since they have easier and often cheaper alternative of changing x to users without incurring uch cost, we assue that banks try to coply the exogenously iposed level p. Under this assuption, we investigate how any client security easures the bank ust set to axiize its profit. Burden of proof is typically odeled as a litigation cost. A user ust pay litigation costs to prove that he was not grossly negligent. We will set the litigation cost as k x, and of course,. For siplicity of analysis, let k x kx, k. When users are given ultiple sets of security easures, they have to prove that none of given easures were executed without proper care. Hence, it will ultiply users burden of proof. Still, if a user doesn t want to use the bank s services, the user ay adopt soe other solutions provided by 3 rd parties like Paypal 6. Since such solutions don t provide client security easures for user convenience, we ignore the cost of care and litigation cost of the in our odel. In litigation, users using any other online transaction ethod other than our bank cannot be copensated in any way. The only way for a user to get copensation is if the user applies all the client security easures properly. Analysis Fixed Cost of Care For siplicity, let us assue that the cost of care c is invariant with the nuber of client security easures x since each installation and activation of client security easures usually is an autoated batch-job. We will investigate the user s profit function along the user s online banking transaction size. Figure shows how the user s expected cost or profit changes along the transaction size. The user can be categorized into one of the following 3 cases according to his/her transaction size. Digital Ties, 7, 3 NewsToato, 8, 4 MoneyToday, 5, Regie countries like Korea have services siilar to Paypal, which are not explicitly protected by the law: 8 Thirty First International Conference on Inforation Systes, St. Louis

10 Ki & Lee / Security Configuration under Burden of Proof Figure. User s expected cost along the transaction size Let s = in{ s C, s L } and s = ax{ s C, s L } where s C = f + c p p and sl kx =. p Case where s< s (sall transactions), Case where s < s< s (ediu transactions), and Case 3 where s < s (large transactions). The user s choices in the three cases are different. In Case, the users do not adopt CSM as their transaction size is not worth the fee and the induced cost of care. While we odel the onopoly bank, nowadays, there are any alternatives such as digital payents, cell phone payents, and electronic payent such as Paypal. Most of the are widely used for icro-transactions. Hence, when the bank enforces security easures, we assue that the users will leave the bank for alternatives. Users with the ediu sized transactions will use CSM. However, due to litigation costs, these users would not sue the bank. 7 Clients with large transactions (Case 3) pay the fees, cost of care, and eventually litigation costs to get copensation when the daage occurs. We can write the user s profit function in general for as following: u = ax{ f p s, f p s c, f k x c} (9) The aggregated profit of all users becoes: case case case3 7 We are assuing both parties pay their own litigation costs to see the effect of litigation cost ore clearly. U.S. courts allocate legal fees to both parties, while ost European courts state that the loser ust pay all legal fees. Even if the court allocates the legal fees to the loser, the actual reallocation is done after the verdict, which could be take place after a very long tie period. Hence, theoretically, when litigation cost can be recovered by winning, the expected cost of litigation can be lowered and the plaintiff will take consideration of winning probability. Therefore the winner still faces risks of teporal poverty (a type of opportunity cost), and these risks can be translated as the litigation cost. The scale paraeter k reflects the. Thirty First International Conference on Inforation Systes, St. Louis 9

11 IS Security and Privacy ut, s s = f ( s ) c p sds p sds k x ds () s s Under regie, it is assued that users will be fully copensated by courts when burden of proof is et. Then, the resulting profit of the bank becoes s s Fee Incoe Copensation Expenditure ( ) b x = f ds p s ds c+ f k x b( x) = p p p p ( ) () () It is self-evident that the bank s profit is axiized with the optial allocation of users share of CSM, x p k = (3) * b Note that with this optial allocation, s burden = sl = s =, since deterining x will autoatically deterine s. Hence, with this result, the following proposition is derived. Proposition : Under burden of proof and when the cost of care is fixed, the bank always assigns the unique optial nuber of client security easures, and transaction size liit is set at the axiu. Let s assue that financial regulatory agency focuses only welfare of custoers, and then it will try to axiize the aggregated surplus of bank users, defined in Equation (8). Then, we can easily show that is the social optial. The reason that the optial is set at the corner solution is because the agency does not take account of welfare of banks but only the users. It is obviously the best to users when as uch as costs were assigned to firs. Both results are consistent with intuitional expectations. The bank will certainly try to iniize copensation, enforcing the axiu litigation cost to users. Since we capped user transaction size at, the bank will try to ipose enough litigation cost on its users to avoid any copensation, by giving a large nuber of client security easures. With less litigation cost users have better chance to get copensation initiating litigations. Thus, bank s desirable nuber of client security easure is positive and uch larger than the social optial. Since we are investigating bank s possible exploitation of litigation cost over online banking transactions, our onopolistic assuptions have siplified the analysis and helped to provide an understanding of the litigation cost transfer echanis. As we have discussed in previous sections, in regie banks are denying or at least delaying online theft victi s copensation, while users are coplaining about the excessive nuber of client security easures. The analysis and iplications are valuable in understanding such real world phenoenon. Also, note that under regie strict liability, optial allowed transaction size was set as s strict f = < p, while under regie : burden of proof the bank will allow the axiu transaction size which is when cost of care is fixed. Our findings predict that under burden of proof bank will allow far larger sized transactions than of a bank under strict liability. Reality coincides with our finding, for Kookin Bank which is under regie sets a far larger transaction size liit than Citibank 8. The forer s liit is $3, ~ $3, per day while that of the later is only between $, and $,. 8 d=866 Thirty First International Conference on Inforation Systes, St. Louis

12 Ki & Lee / Security Configuration under Burden of Proof Variable Cost of Care Now, we assue that the cost of care can depend on the nuber of client security easures. For instance, a user ust always unplug the USB digital signage fro any public coputer he or she had logged on, and ust always lock his or her office desk drawer where he keeps key-code cards or one-tie-password devices. For siplicity of analysis, we assue the linear function, i.e., c(x) = cx. The bank s profit function becoes: ( x b ) = f ds p s ds s s Fee Incoe s = in{ scb, slb} s = ax{ scb, slb} With and where s Copensation Expenditure CB f = p + cx p kx and slb =. p Unlike the previous fixed cost case, the bank now faces a trade-off. More client security easures yield reduced copensation expenditure for it increases the litigation cost for users, however it also increases cost of care for users. Increased cost of care will cause ore users to give up using the service and it will reduce the bank s incoe fro transaction fee. The bank can forfeit incoe fro sall transaction users while iniizing copensation expenditure or can take the axiu incoe fro all the potential custoers fee, while fully copensating users b k daage fro online theft. The profit function of the bank is quadratic and convex over x, for = >. x p * Hence, the optial aount of CSM is always one of boundaries. Then it is obvious that when xb =, s burden = * p and when xb =, s burden =. k p p In Appendix B, we show that b() b( ) when and otherwise, b() b( ) k k <. Proposition 3: Under burden of proof with variable cost, the bank will allocate client security easures at the sae level with the fixed cost case when the litigation cost is relatively large and otherwise, it does not allocate any. Even with the risk of losing custoer because of increased cost of care, the bank will still choose to iniize copensation expenditure by increasing nuber of client security easures if every additional client security easure creates relatively ore litigation cost than the cost of care. In reality, it ay be ore likely that the litigation cost is uch larger than the cost of care in online transaction. Proving in court that the security devices were perfectly working at the tie of the theft would be uch difficult than locking the desk drawer containing the security devices. Thus, the bank is ore likely to allocate CSM to users. So far we have only considered short ter decisions and both c and k are given. However, if we consider the long ter perspective we ay have ore intuitional insights. If a bank can invest in technological advanceent in a long ter, the bank ay change both c and k slightly. However, our odel suggests that even with long ter investent, bank will not try to reduce k, for reducing k does not give the bank any benefit. Although the bank ay try to reduce c to capture ore potential custoers by long ter investent, the fact that the bank has no incentive to reduce k can be very probleatic to society, since any litigation cost is social dead weight. These intuitional expectations can be a viable answer to Are banks shifting blae to its users? for banks alone will not stop assigning litigation cost to its users even with the long ter perspective. For exaple, in regie client security easures given by banks are not equipped with easy-to-use log analysis functions. The logs fro each client security easures can be very helpful to users who ust fight in court. i.e. reducing litigation costs. However as our odel suggests, banks have no incentives to reduce users litigation costs. We will discuss the governent s possible reaction in later sections. Thirty First International Conference on Inforation Systes, St. Louis

13 IS Security and Privacy Iplications Optional client side security easures So far our odel only assued that a bank offers only andatory sets of client security easures in regie. We can easily extend the odel with optional client side security easures. First, a bank can provide ore-than-andatory client security easures. While these optional client side security easures do create ore cost of care, they do not create any additional burden of proof, for they are not andatory. Soe users will find that with full option, the services are cheaper than basic client security easures which have bigger probability of accidents. Figure. Case of ore than andatory option Figure shows how optional client side security easures affect user s behavior. With full option, the probability of accident will be lower than with only andatory CSM, p o < p. However full options create a higher cost of care, shifting the overall cost curve upward. Soe users will find their transaction size is not worth burden of proof, if ore optional security easures are available. Therefore, with optional client security easures that exceed andatory, banks can reduce liability cost further. On the other hand, banks can provide less than andatory options. The users who only need very sall sized transactions will give up using the bank s service because of the excessive cost of care induced fro andatory set of client security easures if no other options are provided. With less than andatory option, soe of those who previously gave up using the service will reconsider if the service provides the better chance of avoiding accident with bearable cost of care. Figure 3 shows the aount of profit fro those users who have reconsidered, thus generating ore profit for the bank. Thirty First International Conference on Inforation Systes, St. Louis

14 Ki & Lee / Security Configuration under Burden of Proof Figure 3. Case of less than andatory option For each possible option there exists opportunities which can be exploited by bank to attract ore custoers who couldn t use the bank s service or deter who would definitely sue the bank when only andatory client side security easures are provided. A bank s anager ust investigate their custoer s transaction size distribution and decide whether to provide options for potential custoers. We can further extend our iplications fro optional client security easures to custoers across regie. Our bank in regie under strict liability can provide ore than andatory client security easures to attract large transaction size users who are willing to bear cost of care for ore protection. In earlier sections we have assued that under strict liability, user is copensated iediately. However in reality copensation still can take soe tie for days, such inconvenience can soeties surpass cost of care of security easures. And we can expect the larger transaction size, the ore inconvenience fro the procedure of being stolen and getting copensation. In this case nuber of andatory client security easures is zero. Even with no litigation cost and full copensation, the reduced expected daage is favorable to both users and banks. On the other hand, banks in regie can provide less than andatory client security easures to attract sall transaction size users, who didn t feel the cost of care was too high considering their transaction size. Actually, bank can provide other protection schee such as insurance, reducing less than andatory nuber of client security easures to zero. Even with no cyber protection at all, soe users will enjoy reoved cost of care and bank can capture custoers previously unavailable to the. The banks in both regies have learned fro each other, and this enu of services is already observable in real world. Further discussions are in the next section. Menu of services For bank anagers, our findings so far indicate that with a burden of proof (regie ), a bank can provide client side security easures to its users to axiize its profit. However with too any client side security easures, users with sall transaction sizes will stop using the service. It is iportant that the bank to align its security architecture to its business strategy. If the bank s target custoer intends to ake transactions large enough to cover burden of proof with online banking, he or she will value security ore than the cost of care or burden of proof. Therefore the bank ust provide good security easures to capture custoers. In contrast, if the target custoer intends to ake transactions that are not large enough to cover even the cost of care, the bank ust provide various options to reduce the cost of care. Since the target custoer is ost likely to give up suing if an accident happens, the burden of proof is not iportant in this case. How to ake and how to provide easy-to-use security easures are ore iportant factors. Thirty First International Conference on Inforation Systes, St. Louis 3

15 IS Security and Privacy Under strict liability (regie ), the bank has a liited nuber of ways to configure its security architecture, for no one will use client side security easures that induce cost of care. The only ethod that is actually in use is restriction in transaction size. We can safely assue that a bank s actual cost per electronic transaction is invariant with the transaction size. Therefore additional handling fees for large transaction sizes can be translated as insurance fees. Table shows that banks are charging different handling fees according to transaction sizes and other risk indicators in regie. This works exactly as per-transaction insurance, for there is no other way to cover the risk. On the other hand, under burden of proof (regie ), users are using client security easures intensively. Our odel predicts that a bank has a saller probability of possible accidents, and a saller expenditure in legal costs in regie. Hence, banks in regie will allow very large online transactions, as in Table Regie (Kookin Bank) **All online transactions are free of charge Required Client Security Measure Table. Transaction Size Allowance per Day Allowance per day for individual Regie (Citibank) Destination & Fee Allowance per day for individual Keycode Only Up to $5, Between Citibank (Free) Up to $, Keycode and Cell Up to $5, User s account in other Up to $, phone U.S. banks (Free) One Tie Password Up to $5, Other account in other U.S. banks ($8.75) Up to $5, These legal differences between countries are ore iportant for global firs. If a bank originates fro a country which needs burden of proof, the bank ust have invested significant aounts of oney in client side security easures, which are useless in a country with strict liability. On the other hand, a bank originating fro strict liability will have probles in a country with burden of proof, for no user under burden of proof will ake use of that service, unless proper security easures are provided to his or her personal coputer. Fro a user s perspective, a user who only needs sall size transactions under burden of proof, is annoyed by assive client side security easures and cost of care while a user who needs a large size transaction under strict liability is annoyed by the risky service with high transaction fees. This brings up the idea about service enu based on self-selection. A bank with well developed client side security easures could sell their services to potential custoers who require large transactions under strict liability, while a bank with experience in operating under strict liability could sell their insurance services to potential custoers who only need sall transactions under burden of proof. In regie, to provide client security easure under strict liability, Let insurance fee r s r s is in effect. Then eq. (4) becoes u = f r s (4) For a ore conservative assuption, let c(x) = c x. Then eq. (3) becoes: u = f c x (5) The users under strict liability will gladly use client security easure, if r s c x. The bank ay provide client security easures if the induced cost of care is sall enough, or the required insurance fee for the transaction size is large enough. In regie, soe banks have recently been selling or providing links for client security easures 9. Our bank in regie lost custoers in case, whose transaction size is too sall to bear induced cost of care. In order to retain those custoers, let our bank provide insurance fees to cover their expected daage. Then the user s expected cost in case changes fro: Thirty First International Conference on Inforation Systes, St. Louis

16 Ki & Lee / Security Configuration under Burden of Proof To u = f p s (6) u = f r s This is the sae as in eq. (6). The users will gladly use a specific bank given that the insurance fee r s is saller than the expected daage, p s r s p s. In regie, Internet Banking Insurance has been available for banks and service providers since 7, and restrictions on transaction sizes are in effect and change according to the user s security easures. The banks of both legal schees are already learning fro each other and taking actions to utilize it. For governents We have showed in regie which is under strict liability that there can be a prisoner s dilea working against social welfare, preventing any bank fro providing client security easures which can be ore beneficial for society. Only strong society-wide external incentives or regulations can break the dilea and increase social welfare. Governents, under regie, ust be aware of differences between client side security easures and server side security easures, for this technological difference affects the outcoe of social econoic efficiency. Governents ust recognize that too any client side security easures are suboptial, deising welfare of online banking users who only need sall transactions. Therefore, governents ust set liits on burden of proof by regulating set of andatory client side security easures. And our findings suggest governent agencies should onitor or regulate the effectiveness of client side security easures, for banks do not have enough incentive to aintain effectiveness of client security easures. Banks still can iniize copensation expenditure by throwing ore the less effective client security easures to its users. However it is known to be very hard for governents to onitor fir s security effectiveness by governent (Anderson, 994). Moreover, governents ust be sure that there are plenty other ethods available for sall sized transactions. If not, governents ay be required to regulate about the easy-ofuse in ters of using client side security easures, to aintain the lowest cost of care possible in online banking. In recent report by the Korean Inforation Security Agency, suggests that the user-unfriendly nature of online signature syste is bottlenecking online transactions (KISA, 8). In addition, governents ust be aware of long ter new technology developent opportunities which can reduce litigation cost and ipose certain regulations for the, since banks do not have even long ter incentives to reduce litigations cost assigned to thier users. Of course, governents are also responsible of applying appropriate liability in the first place, since it would be very hard to change social-wide liability schees on the fly. Governents ust investigate social-wide online transaction characteristics, like transaction size profiles or the copetitiveness of doestic coputer security industry. Only a carefully planned liability schee and specific regulations can overcoe an unexpected econoical outcoe in social welfare. Conclusions This paper investigates unique legal effects on online banking security configurations, due to the characteristics of inforation technology. Under regie : strict liability, banks cannot provide adequate client security easures to their users due to incurred cost of care. Although client security easures are needed to lower the probability of accidents to a socially desirable level under server-client architecture, legal costs such as cost of care prevent actual ipleentation of client security easures. Bank options are liited to transaction size restrictions. Under regie : burden of proof, the bank can control its users cost of care and litigation cost by providing the client side security easures for free. The bank faces a tradeoff between the loss of custoers due to enforced cost of care, and the gain in liability costs due to enforced burden of proof. However, if the decision is ade by banks, the nuber of client security easures ay be larger than the user s desirable nuber, or even larger than a socially desirable. This ebiz@insurance Thirty First International Conference on Inforation Systes, St. Louis 5