Perceived effects of cybersecurity culture on financial performance of Kenyan commercial banks: moderated by audit committee characteristics

Abstract

Commercial banks in Kenya, like many institutions globally, face a growing number of cyber threats that could severely impact their financial stability, customer trust, and operational effectiveness. Over the years, the financial performance of Tier II and Tier III commercial banks in Kenya has been on the decline. This study sought to establish the effect of cybersecurity culture on the performance of commercial banks in Kenya, moderated by audit committee characteristics. The objectives of the study were to determine the effect of top management support on performance of commercial banks in Kenya, to examine the effect of information security policy on performance of commercial banks in Kenya, to investigate the effect of cyber security training on performance of commercial banks in Kenya and to assess the moderating effect of audit committee characteristics on the relationship between cybersecurity culture and performance of commercial banks in Kenya. The study was anchored on the institutional theory, the resource-based view and the agency theory. The study adopts a positivist philosophy. A descriptive research design was used, involving a cross-sectional survey. The research targeted 38 commercial banks in Kenya. A random sampling technique was employed, to select a sample size of 114 employees. A structured questionnaire was used to gather data on a 5-point Likert scale. Financial performance data was obtained from reports from the Central Bank of Kenya. Descriptive statistics (mean, standard deviation) was used, followed by multiple regression analysis to assess the influence of cybersecurity culture factors on the banks’ performance. The study revealed that top management support, information security policies within the commercial banks and cybersecurity training have a significant positive effect on the financial performance of commercial banks in Kenya. The audit committee characteristics significantly moderates the relationship between cybersecurity initiatives and financial performance. The Central Bank of Kenya should develop and enforce cybersecurity governance guidelines that mandate minimum standards for management involvement and audit oversight in cybersecurity. There is need to implement policies that require the continuous review and updating of information security policies at least annually. Commercial banks management should aim to improve the relevance and applicability of cybersecurity training.

Key words: financial performance, cybersecurity, culture, management, training, audit, policy