Developing and assessing a cyber-resilience framework for Kenyan banks
Abstract
Rampant cyber incidents in Kenya targeting banks call for interventions beyond existing
cybersecurity principles. This quantitative study sought to collate multi-domain
variables from previous works to develop a framework for measuring cyber-resilience
in Kenyan banks known as the Cyber-resilience Framework for Banks (CRF4Banks).
The framework consists of eight key cyber-resilience constructs and their constituent
variables, identified from empirical research and literature. Cyber-resilience has not
received the attention it requires in Kenyan banks. Often conflated and confused with
cybersecurity, cyber-resilience has not received as much attention as cybersecurity
principles. Many reports on financial institutions in Kenya focus mainly on
organisational and financial stability, done as part of the annual financial audit, and ignore
the role played by cyber-resilience. Compounding this are the fragmented and
competing cybersecurity assessments from a multitude of cybersecurity providers that
lack coherence. The financial sector in Kenya needs its own unified framework and
common measurement indicators, built from best practices and curated for
cyber-resilience. The research, through CRF4Banks, argues for an integrated approach towards
measuring cyber-resilience. Three factors motivate this: first, banks share a
cyberspace with everyone else, all of whom face unlimited and borderless vulnerabilities;
second, these vulnerabilities have interlinked causative factors such as
financial performance, organisation structure, ICT infrastructure and human factors; and lastly,
there is a public perception, driven by media, that banks in Kenya have been
hiding cyber-attacks, fearing reputation damage. Kenyan banks were used as the target
population. The research used descriptive research approaches augmented by
quantitative techniques to measure the variables. The framework was first validated by
cybersecurity subject-matter experts and then through a pilot study. A sample of forty
out of the possible forty-four banks in Kenya was selected using simple random
sampling. Each bank provided one respondent accountable for cybersecurity to
participate in an online, self-administered questionnaire, delivered to the
respondents through SurveyMonkey. Survey questions were closed-ended Likert-scale
types. Data was processed and analysed further using SPSS and Excel. The expected
outcomes were, first, a comprehensive cyber-resilience framework instrument and, second,
a cyber-resilience status report of all banks. The expected outcome from the study was
threefold: first, a comprehensive cyber-resilience instrument with localized variables
for banks; second, a framework for measuring cyber-resilience; and lastly, a survey
report showing the cyber-resilience status of Kenyan banks. The cyber-resilience report
seeks to confirm or disprove the main null hypothesis that most Kenyan banks are
not cyber-resilient. Finally, the tool was deployed in a survey, and the outcome of the
survey showed strong performances in all the eight constructs of cyber-resilience,
contrary to adverse media reports. Besides providing a tool for assessing
cyber-resilience, the research helped to foster cyber-resilience principles among banks. It also
provides new dimensions for banks, offering insights into areas that remain unexploited
such as cyber-crime risk transfer. In addition, the research identified some areas for
improvement, such as the use of advanced technologies, the development of cyber law
frameworks and the need for training law enforcers on digital forensics.
Publisher
Africa Nazarene University