BANKING CYBERSECURITY CULTURE INFLUENCES ON PHISHING SUSCEPTIBILITY

Abstract

The banking industry faces an unprecedented number of phishing attacks as cybercriminals circumvent security and technical countermeasures to deceive banking employees. There is a lack of scholarly research on the causes of phishing susceptibility in the U.S. banking sector. The literature review analysis highlighted the following gaps: (a) studies on information security and organizational culture failed to link theoretical underpinnings to information security results, (b) the lack of scholarly studies on the banking sector impedes academic perspective on the business problem, and (c) there is a need to investigate banking cybersecurity culture influence on phishing susceptibility. This study consists of two qualitative inquiries; the initial study was an interpretive inquiry that resulted in a conceptual framework and highlighted a need for theory on banking cybersecurity culture influence on phishing susceptibility. The qualitative interpretive study only included interviews from security and technology executives. This study yielded the following three major themes: (a) continuous security awareness, (b) executive-driven security climate, and (c) human-centered security operations. From the inductive analysis, a reducing phishing susceptibility through executive influence and culture conceptual framework emerged. From this study, the basis of a grounded theory study was necessary to develop theory to address phishing in the banking sector. The second inquiry was a grounded theory inquiry that expanded the initial study by interviewing (a) security and technology executives, (b) cybersecurity professionals, and (c) non-technical employees and executing a rigorous data analysis process. This study resulted in the following five major themes: (a) lack of executive coordination and support, (b) security awareness, (c) stronger security resiliency, (d) positive security behavior and environmentalignment, and (e) phishing strategy confusion. Theses findings derived from the data analysis resulted in the development of the Dynamic Phishing Susceptibility Reduction Theory, an organizational approach for solidifying phishing countermeasures through banking cybersecurity culture. The Dynamic Phishing Susceptibility Reduction Theory reinforces phishing countermeasures with a robust approach due to the hyperactive threat environment and constant changing of tactics. Keywords: Banking, cybersecurity culture, phishing susceptibility, organizational culture