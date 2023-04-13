Across the globe, much of financial services are done using mobile phones. From point-of-sale purchases to sending money to friends or family, digital wallets and using apps for payable services such as rides, food delivery, and bill pay, our world is intrinsically tied to mobile digital financial services (mDFS). The potential to bring efficient, seamless, and easy access to money for citizens of countries in the midst of change is high- and so is the potential for fraud. Governments need to prepare for and defend against fraudulent actors. This involves investing in stronger infrastructure and deploying more secure production requirements as current ones become obsolete with a transition to 5G in many sectors. For example, many regions rely on unstable networks and have limited access to internet.

Limited resources can impede progress. The ever-expanding array of attacker strategies aimed at stealing or compromising financial and personal data, combined with continuing challenges in creating a foundation that provides access to both broadband internet and banking-related services, results in significant variations in the ability of both individuals and businesses to securely access mDFS. In our quest to provide tech for public good, we at MITRE Engenuity are rising to the challenge and have developed an analytical risk model that uses information from a nation’s current systems to produce recommendations of resource investments that will most efficiently lower risk associated with attacks. The model provides a flexible yet consistent approach. First, it identifies the most relevant cybersecurity threats and obstacles to secure access in a given sector. Following this analysis, it then recommends the policy and technical approaches most applicable to expanding and improving secure mDFS access.

Technical + Policy This model simultaneously draws upon a “unique blend of deeply technical subject matter experts across multiple disciplines,” says Cynthia Wright, model researcher and MITRE Principal Cybersecurity Engineer. She notes that it is based on a model that pinpoints potential means of attack on financial services enterprises and its insights were mined from industries including “international cyber capacity building, cybersecurity engineering, systems engineering, and cyber threat intelligence.” Drawing upon MITRE’s deep cyber threat modeling expertise and its International Cyber Capacity Building Framework, the MITRE Engenuity mDFS Risk Management Model (RMM) uses a “dual lens” approach that combines both technical and policy/governance risk factors and mitigants to create a comprehensive and multi-dimensional view of the challenges that threaten the mDFS ecosystems. Cultivated from this extensive array of expert knowledge and resources, the mDFS RMM is one of the most comprehensive models ever developed for the mobile space. Users identify recommendations tailored to their country’s unique technology and policy environment that will reduce risk, improve access, and increase trust.

Validation results have arrived Cynthia also shared that, as part of our support to the mobile money cybersecurity initiative for the Bill & Melinda Gates Foundation, MITRE Engenuity conducted a study to test the efficacy of the RMM by applying it to several countries with very different technology and policy/governance ecosystems, for example levels of financial inclusion and access to internet connectivity: Bangladesh, Kenya, Nigeria, Rwanda, and Togo. Overall, the research validated the RMM, since for each country it could identify a combination of technical and policy approaches that would more widely improve access and security than technical approaches alone can provide. In the next step of validation individuals and organizations deeply familiar with the countries will examine the policy/governance recommendations provided by the model and determine their relevance for assisting the countries in improving their mDFS ecosystems. (The technical security recommendations are straightforward and well-validated in other models.)