Table 8 Risk features of the two financial institutions.
From: Comprehensive assessment of privacy security of financial services in cloud environment
Risk indicators | Company 1 | Company 2 |
---|---|---|
I1: Malicious internal employee behavior | A lower level of disciplinary infractions exists | Internal employees have a high record of disciplinary infractions |
I2: Software or application vulnerability | Has no obvious technical vulnerabilities and can pass security tests | Has no obvious technical vulnerabilities and can pass security tests |
I3: Abusive collection of permissions by third-party applications | Few financial product ads abusively collect information | More investment trading ads collect more of the users’ information |
I4: Data leakage due to internal system or platform error | Internal systems and platforms are stable and pose little threat to users’ privacy in the event of a service failure | Systems and platforms have been in operation for many years, and service failures can pose a significant threat to users’ privacy |
I5: Data store or server authentication vulnerability | Strict access control, such as real-name authentication | Can be logged in to through third-party applications; some vulnerabilities exist |
I6: Connection to an unsecured network during data transfer | Secure network connections are used; sensitive information such as users’ contact details will not be exposed | Sometimes a secure network connection is not used, which may expose information such as users’ contact details |
I7: Service provider data loss | Multiple security measures are taken to prevent data loss | The security measures implemented are not sufficient to avoid loss of users’ data |
I8: Operating system or terminal device vulnerabilities | No obvious vulnerabilities in terminals | No obvious vulnerabilities in terminals |
I9: User rights not properly configured or managed by internal personnel | Rights are properly configured; internal employees can access only basic users’ information | The permission configuration is improper, and some employees can access a large amount of users’ information |
I10: Third-party applications hacked | Not associated with or authorized to cooperate with third-party applications, so relatively secure | Has risks associated with information and with authorized cooperation with third-party applications |
I11: Vulnerability of encryption mechanism | A strong encryption mechanism is used to protect users’ information from vulnerability threats | The encryption mechanism used is not strong, and users’ information may be threatened |
I12: Improper key management during use | Regular rotation and stringent control measures are implemented for the key | There is no regular rotation or strict control of the key |