Abstract
The ongoing advancement of the Internet has facilitated the development of new
applications and enterprises, which have become essential across various sectors,
including finance, commerce, governance, communication, education, research, and
innovation. In Nigeria, the Information Communication Technology (ICT) sector is
significantly reshaping financial institutions, particularly within the banking sector.
However, as banks advance and refine their services, there is a concurrent rise in
global cybercrime, leading to substantial financial repercussions across Africa. This
situation has positioned information security as a critical concern, necessitating
sophisticated strategies that encompass technical and behavioural dimensions,
including the roles of individuals (people), processes, and technology.
This thesis focuses on advancing information security behaviour within Nigeria's
banking sector by leveraging the concept of Information Security Culture (ISC). The
main objectives are to assess the current state of Information Security Culture, identify
key elements that foster a robust security culture, develop a conceptual framework,
and offer practical recommendations to improve security behaviours among banking
employees.
The thesis employed a mixed-methods approach, integrating qualitative and
quantitative analyses. A thorough review of existing literature was
conducted to identify research gaps; it revealed the insufficient attention given to
multicultural contexts in Africa, the neglect of the ‘human factor’, and an excessive
dependence on technological solutions. It evaluated the present landscape of
information security in Nigeria and underscored the necessity for a mixed-methods
approach. The research utilized existing literature, internal documents from banks in
Nigeria, and ISO/IEC 27001:2013 standards to formulate research hypotheses,
interview questions, and survey instruments. For the quantitative approach, participants
were chosen through probability sampling and completed a questionnaire utilizing a
7-point Likert scale. Data preparation included addressing missing values and
performing normality assessments. The reliability of the data was evaluated using
Cronbach's alpha and composite reliability measures. Confirmatory factor analysis (CFA)
was employed for the analysis of the measurement model, focusing on aspects such as
convergent validity, discriminant validity, and goodness-of-fit assessments. The
evaluation of construct fitness was conducted through various goodness-of-fit indices,
while hypothesis testing was carried out by examining path coefficients and P-values.
To gather qualitative data, semi-structured interviews were performed utilizing quota
sampling, and the data were subsequently analysed using thematic analysis.
Triangulation techniques were applied to synthesize and present the research
outcomes. The thesis findings offer a comprehensive analysis of the information
security landscape within Nigeria's banking sector, underscoring several critical
aspects that influence the effectiveness of security practices. A key observation is the
fundamental role that a security-oriented organizational culture plays in enhancing
information security. When security values are deeply embedded within the
organizational culture, employees are more likely to adhere to security policies and
exhibit proactive security behaviours. This integration of security into the cultural fabric
of the organization fosters a shared responsibility for security across all levels, from
leadership to operational staff.
Leadership commitment emerged as a pivotal factor in shaping and maintaining a
robust information security culture (ISC). The active involvement and visible support
from top management are essential in promoting a security-conscious environment.
Leaders who prioritize information security and visibly back security initiatives create
a culture of compliance and vigilance among employees, thus reinforcing the overall
security posture of the organization.
Ethical practices also play a significant role in information security, as the research
highlights the strong connection between ethics and security compliance. Employees
who uphold high ethical standards are more likely to follow security protocols and
report potential breaches. This underscores the importance of incorporating ethical
training into broader security education efforts, emphasizing that ethical behaviour is
integral to effective information security.
Continuous employee training emerged as another critical component in sustaining
and improving security behaviours. Regular, targeted training programs are vital for
keeping employees informed about the latest security threats and best practices. This
ongoing education helps reduce the likelihood of human error, a major contributor to
security incidents, by ensuring that employees remain vigilant and knowledgeable.
The thesis further emphasized the importance of addressing human factors in security,
recognizing that security is not solely a technical issue but also a behavioural one.
Personal beliefs, attitudes, and motivations significantly impact security outcomes.
Therefore, tailored behavioural interventions that address these human factors are
crucial for enhancing the overall security posture of banks.
Effective risk management practices are highlighted as essential for identifying and
mitigating potential security threats. This thesis revealed that banks that integrate risk
management into their daily operations, including regular security assessments and
audits, are better equipped to respond to emerging threats. This proactive approach
is key to preventing security breaches and minimizing their impact, demonstrating the
importance of a structured risk management framework within the banking sector.
Compliance with international standards, particularly ISO/IEC 27001, was identified as
a critical component of successful information security strategies. Banks that align
their practices with these standards demonstrate a higher level of security maturity
and resilience against cyber threats. Adherence to such standards not only enhances
security but also provides a benchmark for continuous improvement in security
practices.
Cultural diversity within the workforce was also found to be a significant factor
influencing security behaviours. In a multicultural context like Nigeria, understanding
and addressing the diverse cultural perspectives within the organization is vital for
implementing effective security measures. This finding highlighted the need for
culturally sensitive security policies and training programs that consider the varied
cultural backgrounds of employees, ensuring that security practices are inclusive and
effective across the board.
Contributions of this research include the development of a conceptual framework that
integrates key elements of ISC, employee behaviour analysis, and compliance
metrics. This framework offers a comprehensive approach to improving information
security behaviour in the banking sector of Nigeria, providing both academic and
practical insights. Additionally, the research bridges a significant gap in the literature
by focusing on behavioural information security in a multicultural African context, which
has been largely underexplored.
Recommendations for the banking sector emphasize the need for continuous
employee training programs that address the human element of security,
strengthening organizational culture to prioritize security, and implementing regular
assessments of security practices aligned with international standards. The thesis also
advocates for the adoption of a proactive approach to risk management, ensuring that
security strategies evolve in response to emerging threats.
Future research paths are identified based on the thesis' limitations. These include the
need for further exploration of ISC in other sectors beyond banking, the impact of
cultural diversity on security behaviours in African countries, and the development of
tailored security strategies that address specific regional challenges. Additionally,
longitudinal studies could provide deeper insights into how ISC evolves over time and
its long-term impact on security outcomes.
Key differences between this thesis and other research in the field include its focus on
a multicultural African context, which has been relatively neglected in existing studies.
While previous research has often emphasized technical solutions, this thesis
highlights the importance of integrating behavioural and cultural dimensions into
information security strategies. The thesis’ use of a mixed-methods approach also
provides a more comprehensive understanding of ISC, combining quantitative rigor
with qualitative depth to offer actionable insights for both practitioners and scholars.
In summary, this thesis advances the understanding of behavioural information
security within a multicultural framework, offering a conceptual framework and
practical recommendations to improve security practices in Nigeria's banking sector.
The findings have significant implications for policymakers, industry leaders, and
academics addressing cybersecurity challenges in developing economies, particularly
in Africa.