Social Engineering SWOT Analysis in Government-Owned Commercial Banks and National Private Commercial Banks

This research examines the phenomenon of social engineering at government-owned commercial banks and national private commercial banks. The research method used is descriptive qualitative with a literature study. The research results show the bank's strengths, weaknesses, opportunities, and threats. In addition, several strategies are recommended for banks to prevent social engineering attacks, namely building information technology in banking according to the standards and regulations of the Financial Service Authority (Otoritas Jasa Keuangan), utilizing social media as an educational tool, training employees, monitoring and optimizing data security and banking information technology networks, suppressing the circulation of social issues on behalf of banks that can trigger social engineering, increasing financial literacy and awareness of data security personal customers and employees. To prevent social engineering attacks, banks can implement strategies that are considered adequate.


INTRODUCTION
According to data from the Operations Center Security National Cyber Indonesia, in 2021, as many as 1.6 billion cyber-attacks in Indonesia experienced enhancement compared to 2020, which is 496 million cyber-attacks.One sector the most frequently caught problem cyber is sector banking with economic motives.Issues frequent cyber happening in the industry banking, among others, social engineering, OTP Fraud, weaknesses in the system banking, phishing, and SIM swaps.Social engineering is an art that influences people to obtain information secrets, such as passwords, addresses, and others obtained with methods that utilize human vulnerability, like feelings, beliefs, and habits (Chetioui et al., 2021).Frequent social engineering modes are happening in the banking sector: internet banking fraud and online transactions, bank contact centers, and SMS fraud (Ratulangi et al., 2021).The destination of social engineering is to get illegal access to the system information banking to do fraud, infiltration the network, activity spy, tamper with the system or steal identity (Junaedi, 2017).In their research, Airehrour et al. (2018) mention that all risk from cyberspace influences banking and the country's economy, which will influence the reputation and infrastructure of finance banking and can cause damage to trusted customers.Banking is crucial to the country's economy, and all process performance companies always relate to society because the trusted public in banking is the foundation prominent in system banking (Bidari et al., 2020).Suppose this social engineering problem continues to occur and causes damage to the reputation of banks, causing banks to experience a decline in public trust and financial losses.In that case, other economic problems may arise (Indonesian Bankers Association, 2015).As mentioned in research conducted by Salahdine and Kaabouch (2019), social engineering that occurs in banking impacts significant loss, which needs detection early to social engineering attack.According to report data Implementation of Prevention Fraud Strategy Period Semester I 2020 -Semester I 2021, there were 7,087 fraud events committed in cyber mode.In fraud cyber mode, 76% happened in commercial banks owned by the government, 28% in private banks, and 0.3% in foreign banks (Otoritas Jasa Keuangan, 2019).
So, this study aims to examine the social engineering phenomenon for government-owned and national private commercial banks using SWOT analysis (Strengths, Weaknesses, Opportunities, Threats).In this study, SWOT analysis aims to evaluate social engineering in banking, primarily government-owned and national private commercial banks, which is expected to reduce weaknesses in the banking sector and push impact threats arising from social engineering.

LITERATURE REVIEW
Commercial banks are the executing bank activity effort from service in activities payments made good in a manner conventional nor with sharia principles.Services provided by commercial banks, that is, whole service banking and operating areas, could be carried out throughout the region.Commercial banks owned by the government are registered commercial bank establishment capital owned by the government so that the government will own the whole bank's profits.A commercial bank's private national is the entire bank or part magnitude privately owned, deed establishment founded by the private sector, and the bank's profits will be owned privately (Kasmir, 2019).
Definition of social engineering According to Wang et al. (2020), in the context of security cyber, social engineering is one type of cyber attack where attackers utilize vulnerable people through social interaction to get access to security cyber.People cover psychology, cognition, consciousness, thinking, behavior, and others in this vulnerability.Then, for safety cyber in question is the problem equipment safety electromagnetic system communication information, operating data, and applications system in cyberspace.According to Alzahrani (2020), there are four categories of behavior of people whom social engineering attackers can exploit for attacks, including carelessness, comfort, helpfulness, and fear.Social engineering attacks can be classified into two main categories: attack direct and indirect social engineering.Social engineering attacks are directly conducted to contact in a manner direct among both perpetrator and victim from contact physical, contact eyes, and interaction sound.Meanwhile, social engineering attacks are not directly conducted with the help of technology, and there is no need for contact between perpetrator and victim.Social engineering attacks that are not direct could be conducted through email or SMS (Salahdine and Kaabouch, 2019).In his research, Grimes (2020) states that, in general, there are several types of social engineering: physical, social, technical, and social-technical approaches.Airehrour et al. (2018), in their research on social engineering attacks in Banking Zealand New, mention that social engineering is a growing threat that needs attention.Junaedi (2017), in his research, mentions that social engineering harms banking and, to reduce risk, recommend that banking should do staff training and education related to threat safety and method to recognize social engineering attack.
SWOT analysis compares external and internal factors: strengths and weaknesses, opportunities and threats (Rangkuti, 2016).SWOT analysis is a framework planning strategy used to evaluate the organization, plans, and business activities (Gürel, 2017).With knowing strengths, the company could develop strengths so that the performance company could be better in the future.So, if the weakness company is known, the company could do repairs if the opportunity company is known so that the company could utilize the opportunity as well as possible for the progress company.Meanwhile, the threat will be found, so the company must develop a strategy (Tamara, 2016).Kapoor and Kaur (2017) use SWOT analysis to research the implementation of Basel III in India with results study that advises banks in India to accept Basel III so it will achieve harmonization with standard international.Alalie et al. (2019) study the SWOT analysis of superior competitive, sustainable sector banking in Iraq, showing research results where a SWOT analysis helps sector banking in Iraq identify positive and negative factors and develop a strategy for superior competitive sustainability.Jahan et al. (2022) use perspective SWOT analysis, investment, and determinants to adopt the practice of agroforestry as a mitigation change climate in Bangladesh shows results that although some prominent farmers already used to practice agroforestry, only a few are experienced.In their research, Citta et al. (2019) use SWOT analysis to analyze the influence of financial technology in the banking industry in South Sulawesi.The results show that financial technology application delivers strengths, weaknesses, threats, and opportunities to the banking industry, so banking must increase infrastructure technology information to collaborate with financial technology.Baidowi (2018), in his research, uses SWOT analysis to know the challenges and opportunities of using financial technology in Islamic banking.Research results show that using appropriate financial technology with the regulation will create a good opportunity for increased quality service in Islamic banking.However, it also can become a challenge for banking, where financial technology can swipe institution banking.Ririh et al. (2020) also use SWOT analysis in their research to implement artificial intelligence (AI) in Indonesia on business government and BUMN, with results showing high level AI implementation affected by improvements in effectiveness and efficiency company.

METHODOLOGY
The method research used in this study is descriptive qualitative.The research only deciphers responses about situations or events without explaining connection causality, nor does a hypothesis test (Wulannata, 2017).This study describes social engineering with SWOT analysis using knowing strengths, weaknesses, opportunities, and threats owned by government-owned and national private commercial banks with studies cases at Bank Rakyat Indonesia (BRI Bank) and Bank Central Asia (BCA Bank).Bank Rakyat Indonesia (BRI Bank) is a sample of commercial banks owned by the government, and Bank Central Asia (BCA Bank) is a sample of commercial banks private national.BRI Bank and BCA Bank were selected because both belong to Indonesia's Core Capital Bank Group IV category, namely banks with a capital of over Rp 70 trillion.BRI Bank has a core capital value of IDR 256.5 trillion, the largest of other government-owned commercial banks.BCA Bank has a core capital value of IDR 195.1 trillion, the only national private commercial bank in the Core Capital Bank Group IV group (Pahlevi, 2022).The data used in this study are secondary data obtained from studies literature, from annual banking reports 2021 on BRI Bank and BCA Bank websites, books, journal articles, and news.The data collection is done by collecting, reading, and studying various relevant sources to answer research problems.

RESULT AND DISCUSSION
Stages in to do SWOT analysis begins with step data collection.These activities are carried out at this stage: collecting data, classifying, and pre-analysis.Data is classed as internal data and external data.Internal data can be obtained from the report finance company, report human resources, report operational activity, and others.Meanwhile, external data could be obtained from market analysis, analysis of competitors, analysis of community, analysis of government, and others.Internal data analysis can be conducted with matrix Internal Factor Analysis Summary (IFAS).Moreover, external data could be analyzed using the matrix External Factor Analysis Summary (EFAS) (Rangkuti, 2016).Based on the results of a literature review from banking annual reports, journal articles, news, and books, it is known that internal and external factors are analyzed with EFAS, IFAS, and SWOT Matrix.

External Factor Analysis Summary (EFAS) and Internal Factor Analysis Summary (IFAS)
Giving weight to each factor is the maximum total weight is 1 (one).Giving a rating value for a positive factor (strength and opportunity) if the factor is the greatest strength, then it must be given the most significant positive rating, and vice versa.Meanwhile, giving a rating value to a negative factor (weaknesses and threats), if the weakness is the greatest, it must be given the most negative rating, and vice versa (Wardoyo, 2011).

Social Engineering SWOT Analysis in Government-Owned Commercial Banks
and National Private Commercial Banks (Nadillah Syafitri and Grisvia Agustin)  From calculations of the EFAS matrix and IFAS matrix, it is known that the score of the IFAS matrix is 2.90; meanwhile, the score of the EFAS matrix is 3.00, which is known as point coordinates.The X axis describes IFAS factors, and the Y axis describes EFAS factors.For the SWOT diagram, the point coordinate is (3.00; 2.90).Thus, it is known that government-owned and national private commercial banks are in quadrant I, which means the company has the opportunities and strengths to utilize them.A strategy must be set to support an aggressive strategy policy (Rangkuti, 2016).

Strength:
Build digital transformation and other digital innovation services and implement high-availability banking services by building data centers and cloud technology.
Based on the 2021 annual report issued by government-owned and national private commercial banks, the two banks developed a digital transformation of the business system.Government-owned commercial banks build a capability-driven digital strategy framework to develop grouped digital products by digitizing core, digital ecosystem, and new digital prepositions.Innovations made by governmentowned commercial banks in their business processes are seen in the presence of several digital products.Besides, government-owned commercial banks' digital products strive to develop and strengthen system technology information with 3 (three) data center (DC) facilities that have reached tier 3, supporting active DC continuity business when disaster occurs to support the high availability of banking services.Government-owned commercial banks also started utilizing cloud technology to increase capability infrastructure to support the business's growth and give the best service to customers (Bank Rakyat Indonesia, 2021).
Temporarily, national private commercial banks also consistently invest in system technology information, system security, and innovation to provide solution banking for customer needs.Digital innovation carried out by national private commercial banks in their business processes is seen from the availability of digital products.National private commercial banks also support the presence of bank digital products, implement a high availability system strategy by adopting cloud technology, building a new data center, and modernizing infrastructure and security technology information well as forming team special that stand by 24/7 for guard availability systems and services in serve transaction big customers, national private commercial banks ensures IT systems always active with no downtime (Bank Central Asia, 2021).Research conducted by Owusu-tucker (2019), Yenew (2019), and Cheng et al. (2022) in their research for evaluating the role of cloud technology in reaching convenience sector strategy banking shows that cloud utilization makes more infrastructure flexible and fast time provision, saving time and money, and risk operational.Banking that adopts cloud technology has more profit with more low costs.However, it increases the risk of operational banking.

Have a policy for the security of customer data privacy.
Government-owned commercial banks and national private commercial banks have their own and apply policies for the security and protection of customer data privacy, as loaded in the report annual 2021.National private commercial banks to protect customer data, implement solution internal data security policies, prevent data loss, procedures, and technology for data leaks, and disguise sensitive data to prevent data leaks.National private commercial banks also use machine learning and artificial intelligence (AI) to detect anomalies in data access (Bank Central Asia, 2021).Government-owned commercial banks also have set policies and guidelines that safeguard customer data throughout operational work units listed in various internal regulations, e.g., external regulation compliance, data secrecy policy, IT security policy, etc.

Social Engineering SWOT Analysis in Government-Owned Commercial Banks and National Private Commercial Banks (Nadillah Syafitri and Grisvia Agustin)
Besides that, government-owned commercial banks also have applied a policy for asking permission from customers to perform the opening process account related to agreement from candidate customers for the use of candidate data customers necessity offer bank products and services.Government-owned commercial banks have instructed the implementation of bank secrets, delayed transactions, and reporting to the third (Bank Rakyat Indonesia, 2021).Rinaldi and Krisnadi (2019) stated that open information demands industry players to protect company and personal data.Abubakar and Handayani (2022) state that reinforcement and implementation regulation are crucial for preventing the potency of the risks involved in technology information and data protection.In their research, Palinggi and AlloLinggi (2020) state that the constitution on personal data protection could solve ITE issues and minimize the potency of internal data leaks in the Fintech business in Indonesia.

Have a security program to prevent cybercrime.
Government-owned and national private commercial banks have a security program to prevent cybercrime, as loaded in the 2021 annual report.Governmentowned commercial banks have policy-regulated cyber security related where bank information whose cybersecurity policies are arranged based on standard ISO27001:2013, PCI DSS, and POJK regulatory policy No. 38/POJK.03/2016concerning Application Management Risk in the use of technology information by Commercial Banks and government-owned commercial banks has part particular about Security Operation Center (SOC), which monitors cyber threats continuously for 24 hours, every week, 365 days.The bank has a procedure for handling incident security information and team responsive incident corresponding cyber (CSIRT).Bank cooperation with experienced international security experts in facing cyberattacks.Bank also confirmed that all the talent in the security field is already standardized, certified, and has the appropriate skills standard international.For facility technology, government-owned commercial banks' information and products during 2019-2021 have succeeded in getting International Standards Certification such as ISO and PCI.And have successful digital apps that obtain ISO 20000-1:2018 recommendations.Government-owned commercial banks also have a brand protection program on duty to monitor Brand abuse on social media.The bank also cooperates with third parties to identify bank system vulnerabilities and review bank information security periodically independently through vulnerability assessments, penetration tests, and simulations of cyberattacks (Bank Rakyat Indonesia, 2021).
National private commercial banks also try to prevent the potency threat cyber, where the bank is committed to increasing the protection of infrastructure, network, application, and data, reinforcing security monitoring centers and management risk security cyber with keep going strengthen where data security system management security bank information is successful get ISO 27001:2013 certification.Besides that, national private commercial banks also get PCI DSS 3.2.1 certification for data centers (global data security), ISO 20000-1:2018 for management IT services, ISO 90001:2015 for network data centers, assurance IT quality & contact centers, ISO 20000-1:2011 for network data center & management incident.To ensure the protection of transactions, national private commercial bank customers take advantage of the latest technology to protect internet banking transactions, including the ability to detect transactions intercepted by "parties third."Besides that, the bank also makes use of its Security Orchestration and Automation Response (SOAR) arranges response in a manner automatic for all detected anomalies.Bank has started using Security Information and Event Management (SIEM) to find patterns or connections from a few incidents for the next possible suspicious activity to anticipate and deal with related transaction banking fraud.Bank periodically operates simulations or practices incident security to ensure deep bank readiness to face cyber-attacks and increase cyber resilience.The bank also improves governance security cyber through application policies, standards, procedures, and practices throughout the organization (Bank Central Asia, 2021).
In their research, Masyrifah et al. (2020) mention that the application ISO standard 2700:2013 has influenced positive and significant personal data security user technology financial.Meanwhile, the International Standard, The Payment Card Industry Data Security Standard (PCI DSS), or the mandatory PCI security standard implemented by each stakeholder interest, where are requirements technical and operational stipulated by the Standards Board Security Industry Card Payment for protect holder data card (Rofi, 2022).Research conducted by Syafie (2022) shows that in operational banking that requires banks to interact with society, in the era of the current industrial revolution, this protects systems and networks could be implemented cyber security harder or strengthening security network and system.

Give education to customers related to social engineering and personal data security.
Social engineering and personal data security of government-owned commercial banks and national private commercial banks actively educate customers and workers to prevent this from happening.Government-owned commercial banks routinely conduct a care program data and information security through posters and internal publications, e-learning and webinars, and phishing campaign emails to all bank employees.Temporarily, to educate customers, government-owned commercial banks use the advantages of social media via YouTube, Twitter, Instagram, and print media and give education directly to customers when they visit the bank (Khoirunnisaa, 2022).National private commercial banks consistently prevent social engineering crimes and personal data security by increasing customer awareness through webinars, social media, and company website activities and implementing e-learning, phishing, and smishing simulations for all employees (Bank Central Asia, 2021).Junaedi (2017) educates customers and workers rated capable of preventing follow crime through social engineering.Aldawood and Skinner (2019) state the importance of giving training and education to employees related to social engineering to prevent the following of crime in social engineering.

Weaknesses:
Amount large employees and customers.
Junaedi (2017) also mentions that four groups of individuals in companies are often the target of crime social engineering, i.e., receptionist or help desk, supporter technical from the technology division information, system administrators and computer users, partners work or company vendors, and new employees.Sometimes, the perpetrator of social engineering could pretend to become a bank employee to commit a social engineering crime against the customer.could use behavior man to attack the system information by manipulating targets.Chetioui et al. (2021) also mention that social engineering attacks the vulnerability of people with a focus on how people think, behave, and react.That could conclude that large employees and customers can be one bank's weakness face action social engineering if no accompanied knowledge will follow crime social engineering and its importance guard data security.It supported research conducted by Aldawood and Skinner (2019 ), which states that employees have an important role in protecting interest organizations from social engineering attacks.

Use of social media
Social media users in Indonesia are very high, according to a Hootsuite survey (We are Social) (Indonesia Digital Report, 2019).It is known that 150 million Indonesians use social media (Anggraeni and Djuwita, 2019).In his research, Setyadi (2020) states that social media means communication between the company and the consumer.His research shows four classifications of relative content dominant in interaction companies with consumers on Twitter, including questions, complaints, education, and collaboration.Nur (2021), in his research, states that social media is a means for giving information to the public both online or manually during the COVID-19 pandemic.Using social media to give information and education, government-owned commercial banks and national private commercial banks can prevent crime through social engineering because there are more social media users than expected.More customers and the public who understand and know related social engineering could be spared from social engineering attacks.This is in line with the results of research conducted by Fitriani (2021 ), which states that using social media as a suggestion of content digital education helps its users add knowledge and outlook and helps the user understand the theory education provided.

Support from the government in preventing cyber crime banking.
According to Constitution Number 19 of 2016, which is a change from Constitution Number 11 of 2008 concerning Information and Transactions Electronic state in Indonesia, cybercrime is crimes with illegal activity, act-related penalties with interference, act criminal facilitates prohibited acts.It acts as criminal forgery of information or document electronics.Cybercrime in service finance and banking is social engineering and skimming (Ratulangi et al., 2021).Supported by Management Consultative Paper Risk Security Commercial Bank Cyber issued by the Financial Services Authority in 2021, which contains direction settings management risk security cyber for Commercial Banks (Otoritas Jasa Keuangan, 2021).Besides, the Financial Services Authority also issued Regulation Financial Services Authority Republic of Indonesia Number 11/POJK.03/2022Concerning Administration Technology Information by Commercial Banks expected to increase resilience and readiness of commercial bank operations in maintenance technology information.Regulations could become a reference at a time of support for banking to keep doing security and protection in maintenance technology information on banking to avoid and detect cyber crime attack (Maizal Walfajri, 2022).

Threats:
The low-level finance literacy and awareness will personal data security in Indonesian society.
In 2019, according to Financial Services Authority data, the finance literacy index among Indonesian people increased by 38.03%.It experiences an increase if compared to years before.However, it still belongs low.Financial literacy is understanding features, benefits, risks, rights, and obligations related to product and service finance (Kusnandar, 2022).A survey conducted by Saptoyo and Galih (2022) shows that from 1,014 respondents in 34 provinces in Indonesia, as many as 46.5% of respondents do not know and realize online activity is an important data source.From the data above, it could be concluded that Indonesian people's literacy and awareness of personal data security is still low.It naturally could become a cybercrime threat, as disclosed by the Ministry of Communication and Informatics (Pratiwi, 2021).This is also supported by research conducted by Wicaksana et al. (2020), which mentions robust protection systems and technologies for data security.However, the human factor becomes vital security information.

High cybercrime in Indonesia.
Data from the Operations Center Security National Cyber revealed that in 2021, as many as 1.6 billion cyber-attacks occurred in Indonesia.One of the most frequent sectors caught problems is sector banking, with social engineering as a motive for cybercrime.Junaedi (2017) states that high cybercrime could threaten banking, where banking is one sector of potential cyber-attack.

Conditions and situations are social.
Perpetrator social engineering often utilizes situations and conditions middle social in society to attack, as mentioned by Hanafi (2021) in his research that amidst the COVID-19 pandemic, anxiety and worry about related health and economic triggers make highly public use of system electronics and transactions electronics in the end exploited by the perpetrator's cyber crime for to do cyber crime like design attack with use COVID-19 theme for trap society and then To do data theft.Alzahrani (2020) also states that during the COVID-19 pandemic, cybercrime exploitation worries people for stealing confidential information and data to do social engineering.Herdiana et al. (2021) mention that during the COVID-19 pandemic, three types of cyber threats are fraud and phishing, malware, and denial service distributed (DDoS).Hijji and Alam (2021) also mention that during the Covid-19 pandemic, several types of social engineering attacks, i.e., phishing, scamming, spamming, smishing, and vishing, combined with the most frequently used socio-technical methods: fake emails, websites, and mobile applications.
High Internet usage and activities operational banking conducted digitally.Parulian et al. (2021), in their research, mention that existing online technology requires the public to be more careful because of the higher risk they will face, which is cyber-attacks.Machine learning and artificial intelligence cause social engineering attacks to be increasingly efficient and aggressive (Wang et al., 2021).Progress technology caused banking to adopt artificial intelligence, delivering a positive impact that could give convenience and efficiency to customers and systems banking.However, behind the positive impact, it turns out there is also a negative impact where utilization of technology information on where the perpetrators are cybercrime potentially steal customer data or company (Nathanael and Puspita, 2021).Research conducted by Arofah and Priatnasari (2020) shows that Internet banking positively and significantly affects cybercrime banking in Tegal City.
Based on the analysis of the results with the use of a SWOT matrix of several internal factors, in the form of strengths and weaknesses, as well as factor external form opportunities and threats, the strategy can carry out by governmentowned commercial banks and national private commercial banks companies are building technology information on banking in accordance established standards and rules determined by the Financial Services Authority, active use social media as means give education to the customer, active doing training to employees related system technology information and cyber crime, utilize and apply with reasonable existing regulations and rules set by the government related banks utilization technology information, active monitor and optimize data and network security technology banking information.Suppressing the circulation of social issues on behalf of banks that can trigger social engineering, add expertise and knowledge of related technology information and risks to employees, and increase literacy finance and awareness of personal data security customers and employees.

CONCLUSION
The banking sector is potentially a target for cyberattacks with an economic motive.A social engineering attack is one type of cyberattack in the banking sector.Social engineering research with SWOT analysis on government-owned and national private commercial banks shows the strengths, weaknesses, opportunities, and threats that must prevent social engineering from occurring.The study results also recommend several strategies considered effective in overcoming social engineering attacks for banks.Researchers realize that many things still need to be improved in studying this.However, the expected study could contribute to and benefit readers and researchers on studies related to social engineering attacks in banking.Moreover, for stakeholders' policy from neither company banking nor government, this study could become a consideration in preventing crime through social engineering in banking.

Social Engineering SWOT Analysis in Government-Owned Commercial Banks and National Private Commercial Banks (Nadillah Syafitri and Grisvia Agustin)
Airehrour et al. (2018)state that social engineering attacks only depend on factor humans.Attackers