Enhancing Data Breach Risk Management: A Case Study of Kenyan Commercial Banks

International Journal of Engineering Trends and Technology (IJETT)
© 2019 by IJETT Journal
Volume 67, Issue 10
Year of Publication: 2019
Authors: Silas Nzuva


MLA Style: Silas Nzuva. "Enhancing Data Breach Risk Management: A Case Study of Kenyan Commercial Banks." International Journal of Engineering Trends and Technology 67.10 (2019): 158-177.

APA Style: Silas Nzuva (2019). Enhancing Data Breach Risk Management: A Case Study of Kenyan Commercial Banks. International Journal of Engineering Trends and Technology, 67(10), 158-177.

With recent technological advancements, business organisations need risk management strategies aimed at combatting the incessant data breaches, whose negative implications are many. The main aim of this study is to investigate the information security risk management strategies currently employed by Kenyan banks and to suggest measures the banks can adopt to bolster those strategies and ameliorate the adverse effects on financial performance that are associated with a data breach. The research was carried out using a quantitative descriptive design. Data were collected from 20 Kenyan banks, selected randomly from the 44 banks operating in the Kenyan financial sector. The design of the questionnaire was informed by the general deterrence theory as well as the information systems security theory. The results were then analysed using Microsoft Excel and the Statistical Package for the Social Sciences (SPSS). The results indicated that Kenyan commercial banks have average risk avoidance measures, are reluctant to transfer their risks to third parties through outsourcing, and lack robust risk mitigation measures, specifically business continuity plans and disaster recovery plans.



Keywords: data breach, cyber attacks, data protection, data confidentiality, data protection strategies, risk management strategies.