dc.description.abstract | Rampant cyber incidences in Kenya targeting banks call for mediations beyond existing
cybersecurity principles. This quantitative study sought to collate multi-domain
variables from previous works to develop a framework for measuring cyber-resilience
in Kenyan banks known as the Cyber-resilience Framework for Banks (CRF4Banks).
The framework consists of eight key cyber-resilience constructs and their constituent
variables, identified from empirical research and literature. Cyber-resilience has not
received the attention it requires in Kenyan banks. Often conflated and confused with
cybersecurity, cyber-resilience has not received as much attention as cybersecurity
principles. Many reports on financial institutions in Kenya focus mainly on
organisational and financial stability, done as part of annual financial audit, and ignore
the role played by cyber-resilience. Compounding this, are the fragmented and
competing cybersecurity assessments from a multitude of cybersecurity providers that
lack coherence. The financial sector in Kenya needs its own unified framework and
common measurement indicators, built from best practices, and curated for cyberresilience. The research, through CRF4Banks, roots for an integrated approach towards
measuring cyber-resilience. Three factors motivate this: first, because banks share a
cyberspace with everyone else who are facing unlimited and borderless vulnerabilities,
second, because these vulnerabilities have interlinked causative factors such as
financial performance, organisation structure, ICT infrastructure, human; and lastly,
because there is a public perception driven by media that banks in Kenya have been
hiding cyber-attacks, fearing reputation damage. Kenyan banks were used as the target
population. The research used descriptive research approaches augmented by
quantitative techniques to measure the variables. The framework was first validated by
cybersecurity subject-matter experts and then through a pilot study. A sample of forty
out of the possible forty-four banks in Kenya was selected using simple random
sampling. One cyber-security accountable respondent was provided by each bank to
participate in an online and self-administered questionnaire, delivered to the
respondents through Survey Monkey. Survey questions were close-ended Likert-scale
types. Data was processed and analysed further using SPSS and Excel. The expected
outcomes were, first, a comprehensive cyber-resilience framework instrument, second,
a cyber-resilience status report of all banks. The expected outcome from the study was
threefold: first, a comprehensive cyber-resilience instrument with localized variables
for banks, second, a framework for measuring cyber-resilience, and lastly, a survey
report showing cyber-resilience status of Kenyan banks. The cyber-resilience report
seeks to confirm or disapprove the main null hypothesis that most Kenyan banks are
not cyber-resilient. Finally, the tool was deployed in a survey and the outcome of the
survey showed strong performances in all the eight constructs of cyber-resilience,
contrary to adverse media reports. Besides providing a tool for assessing cyberresilience, the research helped to foster cyber-resilience principles among banks. It also
provides new dimensions for banks, offering insights into areas that remain unexploited
such as cyber-crime risk transfer. Besides, the research also identified some areas of
improvement such as the use of advance technologies, development of cyber law
frameworks and the need for training law enforces on digital forensics. | en_US |