Attacker-centric thinking in security: perspectives from financial services practitioners.