risks in terms of their likelihood ratio and impact. An example of such checklist wasprovided by Alpha-Bank and it is presented in Appendix 1. This checklist, in whichnew risk factors are identified and their impact to the organization evaluated, consistsof five main clusters.The evaluation phase was also a significant stage of the overall goal setting process inthe context of security risk management within all of the three IT groups. In the caseof Omega-Bank, the IT group considered an additional activities step, that of securitypolicies and procedures, based on which the IT group investigates whether there is aneed to change any particular aspect. The difference in the case of Omega-Bank, ascompared to the case of Alpha-Bank and Delta-Bank, is that the IT group makes amore frequent evaluation of the security policies and procedures after theimplementation of security projects.However goal setting within all of the three case studies was a significant andconsistent part of the overall organizations’ business activities plan and development.The procedures according to which the IT groups in the three case studies set goals,exhibited similar patterns, albeit with few minor differences in the implementationprocess, in terms of stage prioritisation.4.2 Risk Communication in the Context of Goal SettingGoal setting in the three case studies was an integral part of the organizations’ overallbusiness activities plan. From the interviews in Delta Bank, the issue of riskcommunication was believed to have an effect on the level of goal setting to thedegree that one IT member was capable of understanding the goal to be achieved.That is, the capability of each IT member to understand the IT group goals that had tobe achieved in the context of Internet banking security, so that the communication ofmessages with other group members would take place effectively.However, the differences of the business scope within different banking units had anultimate effect upon the IT group’s Internet banking security activities plan since thebusiness units did not seek always to ‘communicate’. One such reason was that sincemost interactions between users and security mechanisms take place in a socio-16
