Countering Cybercrime Risks in Financial Institutions: Forecasting Information Trends

Abstract

This article aims to forecast the information trends related to the most popular cyberattacks, seen as the cyber-crimes’ consequences reflecting on the Internet. The study database was formed based on online users’ search engine requests regarding the terms “Cyberattacks on the computer systems of a financial institution”, “Cyberattacks on the network infrastructure of a financial institution”, and “Cyberattacks on the cloud infra-structure of a financial institution”, obtained with Google Trends for the period from 16 April 2017 to 4 October 2022. The authors examined the data using the Z-score, the QS test, and the method of differences of average levels. The data were found to be non-stationary with outliers and a seasonal component, so exponential smoothing was applied to reduce fluctuations and clarify the trends. As a result, the authors built additive and multiplicative cyclical and trend-cyclical models with linear, exponential, and damped trends. According to the models’ quality evaluation, the best results were shown by the trend-cyclic additive models with an exponential trend for predicting cyberattacks on computer systems and the cloud infrastructure and a trend-cyclic additive model with a damped tendency for predicting cyberattacks on the network infrastructure. The obtained results indicate that the U.S. can expect cybercrimes in the country’s financial system in the short and medium term and develop appropriate countermeasures of a financial institution to reduce potential financial losses.

1. Introduction

Over the past two decades, the Fourth Industrial Revolution has rapidly increased information and communication technologies and actively implemented them in different areas of society worldwide. On the one hand, this has facilitated and promoted positive trends, such as the digital transformation of business, the development of the Internet of Things, the sharing economy, the virtualization of IT infrastructure, 3D marketing, the emergence and use of cryptocurrencies, blockchains, artificial intelligence, I-tracking, etc. (Kwilinski 2019; Miskiewicz 2020; Bezpartochna and Trushkina 2021; Kuzior and Sira 2022). On the other hand, the computerized and digitalized processes have resulted in such negative phenomena as cybercrime, simultaneously accompanied by an increase in digital literacy and a decreased cost for technology to commit cybercrimes. For example, it costs $1 to install malicious software on the dark web marketplace, while anyone’s personal data can be obtained for only USD 3 (Vojinovic 2022). In other words, anyone can become a cybercriminal or gain access to any sensitive data for a small price.

The relevance of cybercrime and cyberfraud is evidenced by other statistics, which show a dynamic growth of its negative consequences in recent years. For example, the average cost of a cyber incident worldwide in 2022 was USD 4.35 million, an increase of about 24.29% compared to 2014 (USD 3.5 million) (IBM 2022a). The most affected sectors are Healthcare (USD 10.1 million), Financial (USD 5.97 million), Pharma (USD 5.01 million), Technology (USD 4.97 million), Energy (USD 4.72 million), Services (USD 4.7 million), and Industrial (USD 4.47 million) (IBM 2022b).

The financial sector is ahead of all other sectors in its exposure to these risks, and not only in terms of economic losses from cyber incidents. This industry is also in second place regarding the volume of cyberattacks. It accounts for 22.4% of all attacks among all other sectors. At the same time, 70% of attacks are aimed at banks, 16% at insurance companies, and 14% at other financial organizations (IBM Security 2022). If we compare the average cost of cybercrime, it is 40% higher for companies in the financial services sector than for companies in other spheres (The Actuary 2019). Banking experts put cyber risks and data protection first, among other threats. A total of 75% of respondents from European banks consider it the most severe operational risk. Fully 82% of respondents who are professional analysts also single it out along with geopolitical risk among all other threats. (EBA 2022). In the consulting company Deloitte’s report, the financial services provider notes, “The financial sector has always been exposed to cyber-attacks, and it is not only about stealing our clients’ money, but also about doing damage just to do damage.” (Deloitte 2021). That is, the financial sphere is the most targeted industry for cyber criminals and is one of the most vulnerable to cybercrime.

How can cybercrime be countered? Global IT companies are engaged in developing appropriate solutions for the protection of cyber-information and computer infrastructure, contributing to the formation of the relevant cyber protection market. In 2022, revenue from cyber solutions and cyber services is expected to be USD 159.84 billion, an increase of 14.88% over the level in 2021 and 91.68% above that in 2014 (Statista Research Department 2022). Meanwhile, the cybersecurity market is projected to grow by 86.87% to USD 298.7 billion (Statista Research Department 2022). Experts estimate that the cyber incident insurance market will also continue to grow. It reached USD 4 billion in 2018, USD 9 billion in 2020, and is projected to reach USD 20 billion in 2025 (Insurance Insider 2018). Regarding the financial sector, financial institutions are the largest investors in the cybersecurity industry, investing much more than companies in other fields (Jones 2021). They can spend 6 to 10% of the IT budget on such matters annually (Deloitte Insights 2019). For large banks, this figure can reach significant amounts. For example, Brian Moynihan, CEO of Bank of America, has stated that the bank’s cybersecurity spending has recently reached over $1 billion per year (Bursztynsky 2021). That is, the growth of cybercrime risks requires more and more severe capital investments from the financial sector, which will contribute not only to the strengthening of countermeasures but also to the development of the cybersecurity market.

Global organizations have introduced several programs and initiatives to combat cybercrime. In 2016, NATO member states recognized cybersecurity as an industry to be taken care of by the Alliance on a par with protection on land, air and sea and adopted the defensive mandate (NATO 2022). In 2021, a new Comprehensive Cyber Defense Policy was proposed and endorsed at the NATO Summit (NATO 2022). United Nations developed the Cybersecurity and New Technologies program to develop and strengthen measures against cyber terrorism for member nations and private companies (United Nations 2020). Due to the war launched by the Russian Federation against Ukraine, many countries have introduced enhanced cybersecurity measures. For example, The White House (2022) outlined appropriate steps for private entities to counter cyberattacks that could be a consequence of the cyber war in a fact sheet. National Cyber Security Centre (2022) prepared and published new guidance to support staff resilience, which companies must comply with in the face of cyber threats initiated by military aggression.

The European Commission is the leading developer of cyber strategies for the financial sector. It published a Fintech action plan in 2018, which aims to ensure greater cyber resilience for financial institutions (European Commission 2018). It also initiated the Digital Operational Resilience Act (‘DORA’), which regulates the risks associated with information and communication technologies and emphasizes creating and enforcing standards that limit cyber incidents’ impact (European Commission 2021). The European Banking Authority (EBA) is engaged in developing regulatory documents regulating IT and cyber risks. It proposed the Guidelines on ICT and security risk management, which contain defined requirements for the ICT and cyber risks management, which are based on the organization of internal control of a financial institution (European Banking Authority 2019). Also, the activities of The Euro Cyber Resilience Board for pan-European Financial Infrastructures (ECRB) and The European Union Agency for Cybersecurity (ENISA) to ensure cyber security issues for financial organizations should be noted. While the first agency performs an educational function to raise awareness of cyber security issues, the second performs an expert function to develop and implement relevant policies. Despite the strong international support for the implementation of cyber security strategies of financial institutions, the main direction for them is the development and implementation of personal measures to detect and counter threats identified as cybercrimes.

Thus, the issue of combating cybercrime is relevant, and the growing interest in it has been noticed over time, especially on the part of financial institutions as the most targeted objects for cybercrimes. Under these circumstances, it is essential to pay attention to various directions of solving the problem of preventing cyber-risk situations, which requires a systematic approach to their research and implementation at both practical and scientific levels.

2. Literature Review

The analysis of literature sources on cybercrime relevant to economics allowed us to state that there are studies for the macro level, business, and financial sphere. Thus, scholars worldwide are focusing on the macroeconomic issues of cybercrime. Kobushko et al. (2021) proved that not only is money the foremost tool of influence on different spheres of life of the country, but also information and communication technologies exist as a means of obtaining it. Their rapid development resulted in the transformation of the economy in a positive way, which, as noted by Tiutiunyk et al. (2021a), may also affect the macroeconomic stability of countries. However, the massive digitalization of society has caused the cybercrime development, which fostered just the formation of the shadow sector, as the financial flows from this type of activity are not transferred to the country’s development, are not taxed and accumulated in offshore accounts of criminals (Logan and Esmanov 2017). As a result, the countries’ innovation potential is weakened, as was proven by Vysochyna et al. (2020). Cybersecurity measures must be developed to counter cybercrime and its impact on a country’s development. Petroye et al. (2020) proved that information security in general, and cybersecurity in particular, significantly influenced the formation of the country’s image in the international arena, making it one of the effective strategic areas for most countries worldwide when considering their development.

The following research direction looks to publications addressing cybercrime issues in the business sector. Thus, Skrynnyk (2021) notes a positive perception of enterprises’ informatization and computerization of business processes, because they increase the quality and efficiency of decision-making management and reduce routine operations in economic activity. On the other hand, possible cyber-risks are the most dangerous for effective business management and their growth results in increased losses for the national economy (Semenova and Tarasova 2017; Bilan et al. 2020). Zadorozhnyi et al. (2021) determined that the level of digital competitiveness influences the increased cyberthreats. However, factors such as information and communication technology development, the innovativeness of the economy, and access to the Internet may also significantly influence a company’s cyber-risks (Leonov et al. 2019; Fernando Alonso Ojeda 2021). The global pandemic has made it possible to transfer the business processes of many companies to cloud-based platforms. On the one hand, this has contributed to the cost reduction for the use of physical storage facilities, while, on the other hand, increasing costs to ensure cybersecurity because cloud technology facilitates cybercriminals’ access to data (Djamila and Abdelatif 2022). Cybersecurity is nowadays considered to be a significant area of management innovation development and support in business (Fernando Alonso Ojeda 2021). Therefore, comprehensive information technology covering key business processes in the company as well as measures to prevent cyberattacks and data leaks needed to be organized to ensure cybersecurity operates effectively (Rahiman et al. 2021).

The study of cybercrime risks in financial institutions is a rather specific topic connected with the closedness and non-publicity of information in this sector. Despite this limitation, some scientists are trying to solve several problems in this field. Thus, Nicholls et al. (2021) introduced the concept of “financial cybercrime”, which means a set of financial and cybercrimes that occur in the cyber environment and are directed at financial institutions. Akinbowale et al. (2020) proved, based on the balanced scorecard, that the growing level of cybercrime has a negative impact on the banking sector. The Fintech sector is the most vulnerable to cyber criminals, which correlates to the greatest extent with cyber risks due to its technological component. What are the most critical cyber threat risks for the finance area? Primarily, computer infrastructure is exposed to cyberattacks, which can lead to operational disruptions, physical damage, and outages (Kumar et al. 2020). Computer networks support the work of many divisions of financial institutions and must withstand the Internet load from many customers. Their vulnerability can be a source of cyber threats, requiring authentication, privacy, and encryption risk management (Umaselvi et al. 2022). Although cloud services reduce computing infrastructure losses, they are also the main targets of cyberattacks (Aldasoro et al. 2022). Ghazi-Tehrani and Pontell (2021) highlight phishing as a targeted cyberattack to steal personal financial information. Makki et al. (2019) consider credit card cyber fraud the most critical threat to banks and their customers.

The global COVID-19 pandemic was one of the causes of the slowdown in economic growth and sustainable development (Tiutiunyk et al. 2021b). But it also affected the growth of the financial services business, which for customers takes place mainly online and with the use of mobile technologies. (Kyslyy et al. 2021). That is, this crisis has created a favorable environment for financial cybercrime development. Some scholars explore other reasons for this. Thus, Vasylyev et al. (2021) note the low level of information measures applied among the population in some countries regarding the risks of becoming a cybercrime victim, especially those that are least developed or currently going through the economic development phase. Didenko et al. (2020) found a direct correlation between the population’s digital and financial literacy level and the cybersecurity measures they take to counter cybercrime. Naser (2021) highlights the concept of digital financial inclusion, which is one of the circumstances behind the rise in monetary cyberfraud.

Furthermore, research concerning the psychological aspects of the financial cybercrime issue can be singled out. Their implementation is a complex process that combines the fraudster’s awareness of computer and information technology, motivation, and the availability of software and hardware tools to commit cybercrimes. Therefore, when developing preventive measures, it is necessary to consider not only the factors listed above but also to understand the nature of the cybercriminal’s decision-making (Njegovanović 2018). Leukfeldt and Roks (2021) confirmed that cybercrime incidents correlate with and are isolated incidents that may be considered when determining relevant attributes in the cybersecurity-building process. Stults and You (2021) researched that the low level of self-control of information systems and computer technology users leads to an increased risk of becoming a cybercriminal victim. This fact may also be used to develop the concept of cyber threat prevention in financial institutions. One of the potential sources of cyber threats is social networks, through which criminals can apply social engineering methods and obtain personal and financial data (Kirichenko et al. 2017; Kuzior and Kuzior 2018; Štrbová and Kuzior 2019). This direction must be considered in determining the risks of cyber threats for bank clients.

How can cybercrime risks be countered in financial institutions? Chinnasamy et al. (2021) emphasize the need to develop cybercrime risk prevention standards to support the Fintech industry. Mugarura and Ssali (2020) are inclined to the fact that, after all, the problem of the imperfection of legislation in the field of cyber risks is key to combating financial cybercrimes. Pandey et al. (2022) explore the need to develop an innovative cyber security system for banks based on the most effective cyber threat detection algorithms. Al-Dhaqm et al. (2017) suggest using a forensic examination of databases, which will contribute to their prompt assessment and detection of cyber threats. Qasaimeh et al. (2022) point out that predictive systems effectively combat cybercrime and should be integrated into complex cybersecurity software solutions of financial institutions.

To solve this issue, the most effective application of mathematical methods and models are those proposed by scholars from different research schools worldwide. These include traditional econometric research methods such as regression analysis (Leonov et al. 2014), structural equation modeling methods (Brychko et al. 2021), VAR- and VEC-modeling (Tiutiunyk et al. 2022), binary and matrix approaches (Yarovenko et al. 2021), fuzzy sets-based methods (Sarwar et al. 2021), gravity modeling (Lyeonov et al. 2020), data mining (Kuzmenko et al. 2020), and machine learning (Sivakumar et al. 2021), while artificial intelligence (Obeid et al. 2020) also became popular in the research. In this study, information trends of the most popular types of cybercrime will be used as input data. Since their values represent a time series, it is advisable to use econometric methods for their forecasting that are easy to implement and provide accurate results in the short- and medium-term perspectives.

3. Data and Research Methodology

3.1. Data

A set of input data was generated based on Google Trends toolkit queries to research and predict cybercrime trends. This included the most popular internet users’ queries for the terms “Cyberattacks on computer systems of a financial institution” (CS), “Cyberattacks on the network infrastructure of a financial institution” (NI), and “Cyberattacks on the cloud infrastructure of a financial institution” (CI) for the period from 16 April 2017 to 10 April 2022, in the context of week-by-week levels.

This information was selected based on the following considerations. Mass cyberattacks tend to be carried out in the economic entities of a particular country or countries. These events are reflected in the growing interest among Internet users in the network regarding these events. The time gap between actual cybercrime and online activity is not excessively large, because users’ responses to significant events within the country and around the world are instantaneous. Official sources that collect, process and publish statistical data usually publish it with a significant time lag and in an aggregated form. Therefore, in this case, the information trends reflecting the Internet users’ queries are a quick response to real events. Accordingly, their research will make it possible to predict possible cybercrimes worldwide quite accurately.

Decomposition of the studied temporal trends of global network users’ queries, considering seasonal, trend and random components for additive and multiplicative models are presented in Figure 1, Figure 2 and Figure 3.

An analysis of the “Cyberattacks on computer systems of financial institutions” time series decomposition (Figure 1a,b) shows that it is a challenge to determine visually whether the trend component is present, so to check the series for stationarity requires the application of tests. The present outliers also need to be checked. The series contains a seasonal component, and the density of residual distribution indicates the model to be additive. Analysis of the “Cyberattacks on the network infrastructure of a financial institution” time series decomposition (Figure 2a,b) indicates that the present seasonal component and the density of the distribution of residuals testifies to an additive process. As for the trend component, the visual analysis does not allow us to conclude its absence or presence. (Figure 3a,b) shows the decomposition of the “Cyberattacks on the cloud infrastructure of a financial institution” time series, which demonstrates the clear presence of a trend, seasonal components, and consistency with an additive process.

Thus, the data under study are time series, which can be modeled by exponential smoothing models or autoregressive models depending on whether the evidence of the process is stationary or non-stationary.

3.2. Research Methodology

The information trend forecasting of cybercrime indicators involves the following steps.

Step 1. Checking time series for the presence or absence of anomalous values and making appropriate adjustments. To implement this step, we will use the Z-score statistical method. The Z-score measures the distance between the value of observation and the mean value by means of standard deviations and is calculated by the Formula (1):

$$z=\left(x-\mu \right)/\sigma ,$$

(1)

where $x$ is the actual value of observation; $\mu$ is the mean value of the series; and $\sigma$ is the root-mean-square deviation.

The calculated values of the Z-score are compared to extreme ones (−3 та +3). If one of the values is greater than +3 or less than −3, then the observation is an outlier.

Step 2. Checking for seasonality component for CS, NI, CI time series by performing QS test.

Seasonal persistence occurs when the process is nearly periodic in the season. In this case, we might think of average time series level x_t as being modeled as:

$$x_t=S_t+w_t,$$

(2)

where $S_t$ is a seasonal component that varies a little from one year to the next, according to a random walk:

$$S_t=S_{t-12}+v_t$$

(3)

where $w_t$ and $v_t$ are uncorrelated white noise processes.

To check for seasonal component existence in CS, NI, CI time series it is proposed to use QS test and its application in R on the base of “seastests” package. The score idea of QS test is pillared on the ratio:

$$QS=n\times \left(n+2\right)\times \left(\frac{R_s^2}{n-s}+\frac{R_{2s}^2}{n-2s}\right),$$

(4)

where n is the number of observations in the time series and s is the periodicity of the data (12 in this case with monthly data); $R_s^2$ and $R_{2s}^2$ denote the autocorrelations obtained for the corresponding time series. This statistic follows approximately the χ² distribution with 2 degrees of freedom.

To perform the QS test for seasonality in a time series, the function is used:

$$qs\left(x,freq=NA,diff=T,residuals=F,autoarima=T\right),$$

(5)

where x—time series; freq—Frequency of the time series; diff—the differenced series; residuals—the residuals of a model; autoarima—automatic.

Step 3. Checking the stationarity in time series by applying the method of differences of average levels. This test verifies the hypothesis about the homogeneity of variances of parts of the time series and the hypothesis about the trend absence. It is reasonable to apply this test for the input data, as the trend graphs (Figure 1, Figure 3 and Figure 5) show that the data are not homogeneous over the whole period and there is an inflection. To implement it, it is necessary to divide the series into two parts with approximately the same number of points and calculate their variance (6):

$${\sigma }_1^2=\frac{{{\displaystyle \sum }}_{t_1=1}^{n_1}{\left(Y_{t_1}-\overline{Y_1}\right)}^2}{n_1-1};{\sigma }_2^2=\frac{{{\displaystyle \sum }}_{t_2=1}^{n_2}{\left(Y_{t_2}-\overline{Y_2}\right)}^2}{n_2-1},$$

(6)

where ${\sigma }_1^2$, ${\sigma }_2^2$ are variances of two parts of the time series; $Y_{t_1}$, $Y_{t_2}$ are actual values of two parts of the time series; $\overline{Y_1}$, $\overline{Y_2}$ are mean values of two parts of the time series; $n_1$, $n_2$—the number of observations in the first and second parts of the time series.

The hypothesis for the homogeneity of the series is carried out using Fisher’s criterion (7):

$$F=\{\begin{array}{c}{\sigma }_1^2/{\sigma }_2^2,{\sigma }_1^2>{\sigma }_2^2 \\ {\sigma }_2^2/{\sigma }_1^2,{\sigma }_2^2>{\sigma }_1^2\end{array},$$

(7)

where $F$ is the calculated value of Fisher’s criterion. If its value is less than the value in the table, which is determined for the significance level of $0.05$ and $(n_1-1)$, $(n_2-1)$ are degrees of freedom, then the hypothesis of homogeneity of dispersions is accepted, otherwise, the method does not provide an answer to the question about the presence or absence of a trend.

The hypothesis of the trend absence is tested using Student’s criterion (8):

$$t=\frac{\left|\overline{Y_1}-\overline{Y_2}\right|}{\sqrt{\frac{\left(n_1-1\right)\times {\sigma }_1^2+\left(n_2-1\right)\times {\sigma }_2^2}{n_1+n_2-2}}\times \sqrt{\frac{1}{n_1}+\frac{1}{n_2}}},$$

(8)

where $t$ is the calculated value of Student’s criterion. If its value is less than the table value determined for the significance level of $0.05$ and $(n_1+n_2-2)$ are degrees of freedom, then the hypothesis regarding the trend absence is accepted, otherwise, the trend is present.

Step 4. Section 4 of this study proves that the analyzed series are non-stationary, so exponential smoothing models will be chosen to predict cybercrime information trends.

A simple exponential smoothing model is of the form (9):

$$S_t=\alpha \times X_t+\left(1-\alpha \right)\times S_{t-1}$$

(9)

where $S_t,S_{t-1}$ are exponentially smoothed values at time $t$ and $\left(t-1\right)$ respectively ($t=\overline{1,n}$); $\alpha$ is the smoothing parameter, taking a value from zero (when all current observations are ignored) to one (when all previous observations are completely ignored); $X_t$ is the level of time series at time t.

In this paper, the following types of exponential smoothing models will be constructed:

(1)

An additive cyclical model (10):

$$S_t=\alpha \times X_t+\left(1-\alpha \right)\times S_{t-1}+I_{t-p},I_t=I_{t-p}+\left(1-\alpha \right)\times e_t,$$

(10)

where $I_t,I_{t-p}$ are the smoothed seasonal factor at time $t$ and $t-p$ (season length); and $e_t$ are the residuals at time $t$;

(2)

A trend-cyclic additive model with a linear trend (11):

$$S_t=L{T}_t+\alpha \times X_t+\left(1-\alpha \right)\times S_{t-1}+I_{t-p},I_t=I_{t-p}+\left(1-\alpha \right)\times e_t,$$

(11)

where $L{T}_t$ is a linear trend (value at time $t$);

(3)

A trend-cyclic additive model with an exponential trend (12):

$$S_t=E{T}_t+\alpha \times X_t+\left(1-\alpha \right)\times S_{t-1}+I_{t-p},I_t=I_{t-p}+\left(1-\alpha \right)\times e_t,$$

(12)

where $E{T}_t$ is an exponential trend (value at time $t$);

(4)

A trend-cyclic additive model with a damped trend (13):

$$S_t=D{T}_t+\alpha \times X_t+\left(1-\alpha \right)\times S_{t-1}+I_{t-p},I_t=I_{t-p}+\left(1-\alpha \right)\times e_t,$$

(13)

where $D{T}_t$ is the damped trend (value at time $t$);

(5)

A multiplicative cyclical model (14):

$$S_t=\left(\alpha \times X_t+\left(1-\alpha \right)\times S_{t-1}\right)\times I_{t-p},I_t=I_{t-p}+\delta \times \left(1-\alpha \right)\times e_t/S_t,$$

(14)

where $\delta$ is the seasonal smoothing parameter, which is specified only for seasonal models;

(6)

A multiplicative trend-cyclic model with a linear trend (15):

$$S_t=L{T}_t\times \left(\alpha \times X_t+\left(1-\alpha \right)\times S_{t-1}\right)\times I_{t-p},I_t=I_{t-p}+\delta \times \left(1-\alpha \right);$$

(15)

(7)

A multiplicative trend-cyclic model with an exponential trend (16):

$$S_t=E{T}_t\times \left(\alpha \times X_t+\left(1-\alpha \right)\times S_{t-1}\right)\times I_{t-p},I_t=I_{t-p}+\delta \times \left(1-\alpha \right);$$

(16)

(8)

A multiplicative trend-cyclic model with a damped trend (17):

$$S_t=D{T}_t\times \left(\alpha \times X_t+\left(1-\alpha \right)\times S_{t-1}\right)\times I_{t-p},I_t=I_{t-p}+\delta \times \left(1-\alpha \right).$$

(17)

Although the visual analysis of the input data has been proven to follow an additive process, multiplicative exponential smoothing models will also be built to justify mathematically the conclusions obtained.

Step 5. The last stage of this study provides the assessment of prediction accuracy of indicators: “Cyberattacks on computer systems of a financial institution”, “Cyberattacks on the network infrastructure of a financial institution,” “Cyberattacks on the cloud infrastructure of a financial institution,” calculated by the constructed exponentiation models. For this purpose, the following values will be calculated: Mean Error, Mean Absolute Error, Sums of Squares, Mean Square, Mean Percentage Error, and Mean Absolute Percentage Error.

4. Results

At the first stage of the proposed methodology for cybercrime information trends prediction, time series were analyzed for the presence of anomalous values. The Python programming language was used to implement the Z-score statistical method. As a result, one anomalous value was found for the “Cyberattacks on computer systems of a financial institution” time series, five—for the “Cyberattacks on the network infrastructure of a financial institution” time series, and three—for the “Cyberattacks on cloud infrastructure of a financial institution” time series. The detected values were replaced by the arithmetic mean taken for the observations preceding and following the anomalous one.

At the second stage, a QS test, carried out with the help of the R programming language, was applied. As a result, it was found that the cyclical component value for the three series of dynamics equals 48, which is also confirmed by the visualized seasonal component in Figure 1, Figure 2 and Figure 3.

At the third stage, autocorrelation functions of time series were constructed to carry out their visual analysis for stationarity. The results are presented in Figure 4, Figure 5 and Figure 6:

Analyzing the obtained graphs, a preliminary conclusion was drawn that the series “Cyberattacks on computer systems of a financial institution” (Figure 4) and “Cyberattacks on cloud infrastructure of a financial institution” (Figure 6) are non-stationary, as the autocorrelation coefficients for the first levels are statistically significant. As for the series “Cyberattacks on the network infrastructure of a financial institution,” we cannot definitely state that the series is stationary or non-stationary because the value of the autocorrelation function for the first level equals 0.5, which indicates only a visible level of connectivity and does not allow to conclude with certainty about stationarity. Therefore, a mean level difference test was carried out using MS Excel software, the results of which are presented in

Table 1. Results of the mean level difference test.

Criteria and Conclusions	CS	NI	CI
F Calculated	4.6901	1.1489	1.8905
F Critical	1.3374	1.3374	1.3374
The result of the hypothesis testing for the series homogeneity	Homogeneity hypothesis is rejected.	Homogeneity hypothesis is accepted.	Homogeneity hypothesis is rejected.
t Calculated	9.1187	2.3558	18.5668
t Critical	1.9692	1.9692	1.9692
The result of the hypothesis testing regarding the absence of a trend	The trend is present.	The trend is present.	The trend is present.

.

The test results show that the “Cyberattacks on computer systems of a financial institution” and “Cyberattacks on the cloud infrastructure of a financial institution” series are heterogeneous and contain a trend. For the “Cyberattacks on the network infrastructure” series, the presence of a trend was confirmed, although it appeared to be homogeneous. Thus, a class of exponential smoothing models can be applied to the research data.

At the fourth stage, exponential smoothing models were constructed to predict the information trends of queries for cyberattacks on computer systems, network, and cloud infrastructure of a financial institution. For this purpose, the tools of the STATISTICA analytical package were used. The results of obtained predicted models are presented in

Table 2. Predictive models of exponential smoothing of information trends of queries for cyberattacks on the computer systems, network, and cloud infrastructure of a financial institution.

Indicator	Model	Model Features
Cyberattacks on Computer Systems of a Financial Institution	Model 1	Additive season (48); S0 = 62.42; No trend; Alpha = 1.00; Delta = 1.00
	Model 2	Additive season (48); S0 = 57.50; T0 = 0.0815; Linear trend; Alpha = 1.00; Delta = 1.00; Gamma = 0.00
	Model 3	Additive season (48); S0 = 60.70; T0 = 0.9991; Exponential trend; Alpha = 1.00; Delta = 1.00; Gamma = 0.00
	Model 4	Multiplicative season (48); S0 = 62.42; No trend; Alpha = 0.883; Delta = 0.125
	Model 5	Multiplicative season (48); S0 = 57.50; T0 = 0.0815; Linear trend; Alpha = 0.887; Delta = 0.109; Gamma = 0.00
	Model 6	Multiplicative season (48) S0 = 60.70; T0 = 0.9991; Exponential trend; Alpha = 0.887; Delta = 0.114; Gamma = 0.00
Cyberattacks on the Network Infrastructure of a Financial Institution	Model 1	Additive season (48); S0 = 53.90; No trend; Alpha = 0.569; Delta = 0.00
	Model 2	Additive season (48); S0 = 56.88; T0 = −0.012; Linear trend; Alpha = 0.564; Delta = 0.00; Gamma = 0.00
	Model 3	Additive season (48); S0 = 58.86; T0 = 0.9984; Exponential trend; Alpha = 0.573; Delta = 0.00; Gamma = 0.00
	Model 4	Additive season (48); S0 = 74.05; T0 = −0.728; Damped trend; Alpha = 0.361; Delta = 0.00; Phi = 0.017
	Model 5	Multiplicative season (48); S0 = 53.90; No trend; Alpha = 0.518; Delta = 0.00
	Model 6	Multiplicative season (48); S0 = 56.88; T0 = −0.012; Linear trend; Alpha = 0.518; Delta = 0.00; Gamma = 0.00
	Model 7	Multiplicative season (48); S0 = 58.86; T0 = 0.9984; Exponential trend; Alpha = 0.527; Delta = 0.00; Gamma = 0.00
	Model 8	Multiplicative season (48); S0 = 71.43; T0 = −0.618; Damped trend; Alpha = 0.328; Delta = 0.00; Phi = 0.020
Cyberattacks on the Cloud Infrastructure of a Financial Institution	Model 1	Additive season (48); S0 = 33.73; No trend; Alpha = 0.763; Delta = 0.00
	Model 2	Additive season (48); S0 = 25.94; T0 = 0.0667; Linear trend; Alpha = 0.756; Delta = 0.00; Gamma = 0.00
	Model 3	Additive season (48); S0 = 27.21; T0 = 1.000; Exponential trend; Alpha = 0.761; Delta = 0.00; Gamma = 0.00
	Model 4	Multiplicative season (48); S0 = 33.73; No trend; Alpha = 1.00; Delta = 1.00
	Model 5	Multiplicative season (48); S0 = 25.94; T0 = 0.0667; Linear trend; Alpha = 1.00; Delta = 1.00; Gamma = 0.00
	Model 6	Multiplicative season (48); S0 = 27.21; T0 = 1.000; Exponential trend; Alpha = 0.815; Delta = 0.00; Gamma = 0.00

.

The results of the detected cyclical components of three types of time series under study are presented in Appendix A.

Let us represent the modeling results in Figure 7, Figure 8 and Figure 9 as the ratio of actual, theoretical, and predicted levels of the “Cyberattacks on the computer systems of the financial institution” indicator. Predicted values reflect the period from 16 April 2017 to 9 July 2023.

Let us present the results of the exponential modeling in Figure 10, Figure 11, Figure 12 and Figure 13, as the ratio of actual, theoretical, and predicted levels of the “Cyberattacks on the network infrastructure of a financial institution” indicator. The predicted values reflect the period from 16 April 2017 to 9 July 2023.

Figure 14, Figure 15 and Figure 16 show modeled results of a ratio of actual, theoretical, and predicted levels of the “Cyberattacks on the cloud infrastructure of a financial institution” indicator. The predicted values reflect the period from 16 April 2017 to 9 July 2023.

Calculated predicted values of the cyberattack indicators on computer systems, network and cloud infrastructure of a financial institution for the period from 17 April 2017 to 9 July 2023 are systematized in the form of a table and presented in Appendix B.

The development of a model for predicting cyberattacks on the computer systems, network, and cloud infrastructure of a financial institution required testing the accuracy of calculated predicted levels. Therefore, at the fifth stage, the following list of indicators was analyzed: Mean Error, Mean Absolute Error, Mean Square, Mean Percentage Error, and Mean Absolute Percentage Error (

Table 3. Prediction accuracy rates for the “Cyberattacks on computer systems of a financial institution” indicator.

Error Name	Model 1	Model 2	Model 3	Model 4	Model 5	Model 6
Mean Error	0.0539	−0.0088 *	0.1152	0.0229	−0.0472	0.0917
Mean Absolute Error	4.3026	4.2923 *	4.2948	4.3488	4.3289	4.3471
Mean Square Error	31.3206	31.2654	31.2653 *	35.7870	35.6338	35.6815
Mean Percentage Error	−0.3187	−0.4186	−0.2200 *	−0.4462	−0.5556	−0.3336
Mean Absolute Percentage Error	6.9939	6.9803	6.9776 *	7.0286	6.9983	7.0197

* The lowest error values are highlighted in grey.

,

Table 4. Prediction accuracy rates for the “Cyberattacks on the network infrastructure of a financial institution” indicator.

Error Name	Model 1	Model 2	Model 3	Model 4	Model 5	Model 6	Model 7	Model 8
Mean Error	0.1481	0.1503	0.2695	0.0162 *	0.0476	0.0507	0.1810	−0.0699
Mean Absolute Error	5.9178	5.9115	5.9130	5.8966 *	5.9721	5.9706	5.9709	5.9698
Mean Square Error	57.4386	56.9725	56.6455	55.7306 *	61.2920	60.9472	60.6463	60.2038
Mean Percentage Error	−1.1104	−1.1033	−0.8663 *	−1.2791	−1.3870	−1.3739	−1.1162	−1.5270
Mean Absolute Percentage Error	11.3017	11.2936	11.2782 *	11.2887	11.3923	11.3905	11.3712	11.4027

* The lowest error values are highlighted in grey.

and

Table 5. Prediction accuracy rates for the “Cyberattacks on the cloud infrastructure of a financial institution” indicator.

Error Name	Model 1	Model 2	Model 3	Model 4	Model 5	Model 6
Mean Error	0.0812	0.0332 *	0.0915	0.0430	0.0052 *	0.0692
Mean Absolute Error	4.4419	4.4221	4.4229	4.6343	4.6063	4.3387 *
Mean Square Error	41.5554	41.4867	41.4841 *	45.5725	45.3386	44.1604
Mean Percentage Error	−1.6617	−1.7840	−1.5980 *	−1.6119	−1.7041	−1.6788
Mean Absolute Percentage Error	13.4378	13.3832	13.3663	13.9018	13.8019	12.914 3*

* The lowest error values are highlighted in grey.

for the three considered directions of cyberfraud attacks).

An analysis of the calculated accuracy characteristics made it possible to select suitable models for the time series under study. Model 3 (Table 3), a trend-cyclic additive model with an exponential trend, proved to be the most accurate for the “Cyberattacks on computer systems of a financial institution” series by many indicators. The trend-cyclic additive model with a damped trend is accurate for the “Cyberattacks on the network infrastructure of a financial institution” series (Table 4). The trend-cyclic additive model with an exponential trend showed the best results for the “Cyberattacks on the cloud infrastructure of a financial institution” series (Table 5). The results also confirmed that the studied series follow an additive process and have trend and seasonal components.

5. Conclusions

The research topic of predicting cybercrime information trends becomes relevant due to the rapid growth of cybercrime over the past decade. The consequences of cybercrime are felt worldwide by increased financial losses from the theft, loss and recovery of personal information and data of business entities, government organizations, etc. This issue is particularly tangible in the context of warfare and global pandemics, as they form a favorable environment for cybercriminals and cyberfraudsters. That is why its prevention and early detection are strategic goals in combating this phenomenon.

The research paper has revealed that the issue of cybercrime is being actively studied by the scientific community, which pays attention to macroeconomic problems, namely, its impact on macroeconomic stability, the country’s capacity for innovation, and its image, as well as the growth of the shadow sector. Researchers also study the influence of information technology on business development, issues of business process re-engineering in the context of cloud-based technology implementation, conditions for increased cyber-risks and cybersecurity organization measures. The scientific direction associated with the issues of cybercrime against users of information systems and computer technology, which may occur through social networks, mobile and Internet applications is also relevant. The psychological causes of cybercrime, motivation of criminals and other factors are investigated.

We have proposed a research methodology, one which includes the investigation of input data set for anomalous observations by using the Z-score, and the QS-test to identify the cyclical patterns of the series, using the mean level difference test to carry out the hypothesis of trend absence, modeling and forecasting the series of dynamics based on exponential smoothing method, and building additive and multiplicative cyclical models with linear, exponential and damped trends, as well as assessing the quality of the built models. Information trends of Google user queries regarding cyberattacks on computer systems, networks and cloud infrastructure of a financial institution were selected as input data. The data were selected according to the consideration that the response to any event is faster on the Internet than in reality, so a corresponding growing user query is identified as a response to cyberattacks.

The decomposition of the selected time series revealed that they follow an additive process with seasonal and trend components. An analysis of the series for anomalous observations revealed that the information trend of queries for “Cyberattacks on computer systems” contains one anomalous observation, the trend of queries for “Cyberattacks on network infrastructure” contains five anomalous observations, and the trend of queries for “Cyberattacks on the cloud infrastructure” contains three anomalous observations. Their values were replaced by the arithmetic mean taken for the observations preceding and following the anomalous one. The QS-test determined that the cycle period is equal to 48 for all three series, which is also confirmed by the visualization of their seasonal component. The mean level differences test revealed that the information trends of cyberattacks on computer systems and cloud infrastructure have heterogeneous variance while the series of cyberattacks on network infrastructure has a homogeneous variance. However, the study of Student’s criterion values found that the series are non-stationary and have a trend component, so exponential smoothing models can be used for their modeling and predicting. As a result of their building and quality assessment, it was determined that the additive trend-cyclic model with an exponential trend sufficiently well models and predicts several queries regarding cyberattacks on computer systems and cloud infrastructure, and the additive trend-cyclic model with a damped trend—a number of queries regarding cyberattacks on the network infrastructure.

The study of the information trends of user queries regarding cybercrimes and their predictions will make it possible to prevent mass cyberattacks, which are common in cyberwarfare and cyberterrorism at the state level. The methodology proposed in this paper and its results are also practically significant for improving cybercrime strategies for financial institutions. One of the possible directions is developing an internal standard for determining potential cyber security risks, which will provide for implementing the following countermeasures, considering the results of this study. Firstly, a company will have the opportunity to continuously analyze potential cyber threats due to the availability and interactivity of these information trends. Secondly, rapid monitoring screening of crucial business processes least at risk for cybercrimes can be initiated based on receiving operational forecasts of cyberattacks. Thirdly, the risk action plan in the event of a cyber threat can be improved by risk management based on received predictions of mass cyberattacks. Fourthly, the forecast’s results will increase the personnel’s awareness of the possible risks of cyberattacks and contribute to implementing appropriate responses. Fifthly, the information trends of cyberattacks will contribute to the identification of potential dangers of their influence on the activities of a financial institution in a proactive mode. In further research, it is planned to expand the list of cyberattacks information trends to have an opportunity to identify a broader range of cybercrime risks in financial institutions.