Evaluating the implementation of CBK cybersecurity guidelines and their effect on online banking security: institutional resources as a mediating factor

Abstract

This study investigates the effectiveness and extent of implementation of the Central Bank of Kenya’s Guideline on Cybersecurity for Payment Service Providers (GCPSP), issued in July 2019, with a specific focus on its role in enhancing the security of online banking transactions in Kenya. The purpose of the study is to assess how well these guidelines have been implemented by commercial banks, evaluate their impact on cybersecurity outcomes, and examine the mediating role of institutional resources in influencing their effectiveness. The research was guided by five key objectives: to determine the extent of access control measures implementation; to establish the degree to which incident response mechanisms have been put in place; to examine the integration of data protection protocols; to assess the application of network security standards; and to investigate the moderating effect of institutional resources on the relationship between GCPSP implementation and the security of online banking in commercial banks. The study focused on 38 commercial banks and 1 mortgage finance company, which has transitioned from being a mortgage financier to a provider of integrated financial solutions with interests in Personal Banking, SME and Commercial Banking (HF Group Overview, 2025). The headquarters of all these financial institutions are situated within the Nairobi metropolitan area. The study was anchored in Diffusion of Innovation Theory and Agency Theory. A descriptive survey design was employed, targeting 429 individuals involved in online transaction monitoring, with a final sample of 220 respondents. Data was collected using structured questionnaires and analyzed using SPSS. The findings revealed that access controls, incident response mechanisms, data protection protocols and network security standards significantly contribute to secure online banking. Additionally, institutional resources (financial, technological, and human) were found to moderate the effectiveness of GCPSP implementation. The study was constrained by strict timelines, which limited respondent engagement and required a streamlined data collection process within the academic schedule. The research offers actionable insights for policymakers and financial institutions seeking to strengthen cybersecurity compliance and resilience in Kenya’s digital banking sector.