International Journal of Computer Networks & Communications (IJCNC)

AIRCC PUBLISHING CORPORATION

IJNSA 01

EVALUATING THE EFFECTIVENESS OF
CYBERSECURITY FRAMEWORKS IN MITIGATING
PHISHING THREATS IN DIGITAL MICROFINANCE
INSTITUTIONS

Richard Mathenge, Catherine Mukunga and Ephantus Mwangi

School of Pure and Applied Sciences, Kirinyaga University, Kerugoya, Kenya

ABSTRACT

Phishing remains a dominant cybersecurity threat worldwide, particularly affecting Digital Microfinance Institutions (MFIs) in resource-limited settings. Although the most popular frameworks, including ISO/IEC 27001, NIST CSF, COBIT, and CIS Controls, are widely recognized, their effectiveness in preventing phishing attacks in MFIs remains unexplored. This research follows a qualitative-dominant mixed-methods design, with a primary focus on semi-structured interviews with cybersecurity managers (n=24), a staff survey (n=150), and analysis of phishing incident reports from six MFIs in Nairobi, Kenya. Among the sampled institutions, those that implemented their chosen framework holistically reported reductions in phishing incidents of 22–35%, especially where detection and response systems were actively maintained. In contrast, 83% of MFIs used the frameworks as compliance checklists, with limited training and no real-time monitoring. The semi-structured interviews also indicated that infrastructural limitations, poor governance, and the lack of behavioral awareness further limited the frameworks’ effectiveness. To tackle these challenges, the study presents an Adaptive Cybersecurity Framework combining a modular governance system with a lightweight GRU-based phishing mitigation method, tailored for low-resource environments. The study advances understanding of framework adaptation in developing economies and provides actionable insights for developing robust, human-centered cybersecurity frameworks within digital financial inclusion ecosystems.

KEYWORDS

Phishing attacks, Cybersecurity Frameworks, Digital Microfinance Institutions, Adaptive Cybersecurity, GRU Neural Networks

1. INTRODUCTION

The rapid digitalization of microfinance services has transformed financial inclusion in emerging markets; however, significant gaps remain in technological development and cybersecurity readiness. In Sub-Saharan Africa, platforms such as Kenya’s M-Pesa enable Microfinance Institutions (MFIs) to integrate API-based systems, including fraud-detection services. This dependence on mobile-money integration creates a specific vulnerability profile: Kenyan MFIs face the risk of API exploitation and Subscriber Identity Module (SIM) swapping.

Phishing persists as the most flexible and widespread cybersecurity threat, exploiting technical vulnerabilities and human behavior through SMS spoofing, fake applications, and region-specific social-engineering tactics. Lack of infrastructure, small IT departments, and inconsistent training programs limit MFIs’ cybersecurity maturity relative to that of commercial banks. Unequal preparedness and insufficient regulatory enforcement were identified in a study by Wang et al. [1], which found that 73% of MFIs lacked incident-response measures.

Although comprehensive cybersecurity frameworks such as ISO/IEC 27001, the NIST Cybersecurity Framework, COBIT, PCI-DSS, and the CIS Controls are readily available, their adoption within microfinance institutions (MFIs) remains primarily symbolic. Frameworks are often used as compliance checklists, which miss local attack vectors, bandwidth limits, and the behavioral factors that shape user vulnerability. This disconnect underscores the need for context-aware, resilience-oriented cybersecurity strategies that integrate technological and human defense components.

Digital Microfinance Institutions (MFIs) play a significant role in promoting financial inclusion for underserved populations; however, the rapid digitalization of their operations has also increased their exposure to advanced phishing attacks that exploit both system and cognitive vulnerabilities [2], [3]. Such attacks, including SMS and email spoofing schemes and fake agent portals, are especially hazardous in low-resource environments because cybersecurity resources and awareness are limited [4]. According to recent surveys, over 60% of MFIs lack real-time monitoring capabilities and rely on limited or outdated staff training [1], [5]. As a result, phishing attacks are on the rise, undermining institutional credibility and threatening the stability of digital financial ecosystems.

The main problem is that existing cybersecurity frameworks remain mostly focused on compliance and are technologically demanding, with limited adaptation to the sociotechnical ecosystems of MFIs. To address this gap, it is essential to assess their practical effectiveness and develop adaptable, scalable solutions, such as AI-driven phishing detection and a resilience-oriented security culture, to enhance protection in low-resource settings. This study fills the gap by empirically evaluating the effectiveness of widely used cybersecurity frameworks in digital microfinance institutions operating in resource-limited environments.

Drawing on a mixed-methods multiple-case study of MFIs in Nairobi, the research examines how governance structures, human behavioral factors, and contextual infrastructure constraints influence phishing resilience. Based on these insights, the study proposes an adaptive cybersecurity framework that integrates lightweight AI-assisted threat detection, modular governance mechanisms, and behaviorally embedded security practices tailored to the operational realities of digital microfinance ecosystems.

1.1. Research Objectives

1. Identify and categorize the predominant forms, frequencies, and delivery mechanisms of phishing attacks targeting MFIs, emphasizing how they exploit infrastructural and human vulnerabilities.

2. Evaluate the degree of adoption and practical effectiveness of existing cybersecurity frameworks in reducing phishing incidents and improving detection-response outcomes.

3. Examine how organizational structures and human factors jointly influence institutional resilience.

4. Design adaptive enhancements to existing frameworks, including lightweight AI-based phishing detection mechanisms such as Gated Recurrent Unit (GRU) models, optimized for low-bandwidth environments.

1.2. Research Questions

1. What are the dominant forms, delivery channels, and contextual features of phishing attacks targeting digital MFIs?

2. To what extent do existing cybersecurity frameworks reduce phishing incidents and enhance detection and response in MFIs?

3. How do governance structures and human behavioral factors collectively affect institutional resilience against phishing?

4. What adaptive, AI-supported mechanisms can be embedded in existing frameworks to strengthen phishing detection and response in constrained environments?

2. LITERATURE REVIEW

2.1. Cybersecurity Frameworks in Financial Institutions

Cybersecurity frameworks provide well-organized systems for handling digital threats and enhancing resilience. The most well-known are ISO/IEC 27001, the NIST Cybersecurity Framework (CSF), COBIT, PCI-DSS, and the CIS Controls, which have strengthened governance in the commercial banking sector [6], [7]. However, their applicability to digital microfinance institutions (MFIs) is limited by differences in infrastructure, culture, and resources.

ISO/IEC 27001 is a well-established, risk-based information security management standard, but it demands documentation, audits, and leadership engagement that are often impractical for small MFIs. The five core functions of the NIST CSF (Identify, Protect, Detect, Respond, and Recover; the 2024 revision, CSF 2.0, adds a sixth, Govern) presuppose centralized logging and real-time monitoring [8], capabilities unavailable to many MFIs. COBIT focuses on aligning IT governance with enterprise objectives [9], whereas the CIS Controls offer practical configuration baselines [10] that often rely on costly automation tooling. Two further standards are particularly relevant to financial institutions. The Payment Card Industry Data Security Standard (PCI-DSS) prescribes a comprehensive set of security controls for protecting payment systems and cardholder data. The National Institute of Standards and Technology Special Publication 800-53 (NIST SP 800-53) provides an extensive catalog of technical security controls covering system monitoring, identity management, incident response, and data protection. Whereas governance-oriented frameworks such as ISO/IEC 27001 and the NIST Cybersecurity Framework focus on organizational risk management and strategic oversight, PCI-DSS and NIST SP 800-53 emphasize the operational and technical safeguards that support implementation [9], [11].

Despite their robustness, these frameworks often assume advanced technological infrastructure, continuous monitoring, and specialized cybersecurity expertise. Such requirements may be difficult to satisfy in digital microfinance institutions operating in low-resource environments. Consequently, the adoption of these frameworks within MFIs is often partial or symbolic, emphasizing documentation and regulatory compliance over fully operational security practices. Across the frameworks, a recurring weakness is inadequate accommodation of human and contextual vulnerabilities, especially in phishing [12].

These frameworks are conceptually sound but operationally incomplete when applied in MFI contexts, thereby prompting investigation of their adaptive performance in low-resource environments.

2.2. Application of Cybersecurity Frameworks in Microfinance Contexts

The adoption of frameworks within MFIs is partial and nominal. Severe budgetary, expertise, and infrastructural constraints limit implementation beyond policy documents [5], [11]. Most MFIs use cloud-based systems such as NAMBUIT, for which local expertise is often limited [13]. Framework requirements such as automated patching and continuous monitoring are difficult to meet in rural or resource-limited environments [14].

Weak governance further undermines institutional resilience; most MFIs lack dedicated cybersecurity positions, robust audit controls, or regulatory oversight [15]. The behavioral dimension worsens these issues: phishing exploits psychological manipulation, linguistic trust, and social hierarchy [13], [16]. Field employees often fail to recognize phishing messages, a consequence of insufficient awareness training.

However, there are some localized adaptations. Some MFIs have used modular, low-cost practices, such as manual threat reporting, role-based access control, and peer simulation, which have shown quantifiable positive impacts [11]. These achievements show that modular, context-sensitive implementation can promote resilience despite resource limitations.

2.3. Phishing Threats in Digital Finance

The most widespread cyber threat in digital microfinance is phishing [17], [18]. It exploits system weaknesses as well as the cognitive and cultural patterns of trust in low-income communities. Manifestations include smishing, vishing, QR-code spoofing, and fake mobile applications. M-Pesa and Airtel Money services in East Africa are a particular focus for fraudsters, who use fraudulent alerts and impersonation messages [14], [19].

Behavioral vulnerabilities increase exposure, as users tend to trust community validation over technical verification [20]. Institutional reactions remain disjointed, as most organizations treat phishing purely as fraud and lack simulation drills or clear response guidelines [21]. The ensuing loss of trust poses a threat to financial inclusion [5] and underscores the need to align framework adoption with the effectiveness of phishing prevention measures.

2.4. Evaluating the Effectiveness of Frameworks

Empirical studies support the hypothesis that the frameworks strengthen governance systems; however, their effect on reducing phishing cases is not uniform. For example, Taherdoost [22] found ongoing phishing activity in ISO/IEC 27001-compliant Brazilian banks, whereas Dupont [10] found a lack of detection-focused interventions in Namibian institutions. The absence of key performance indicators for phishing, e.g., susceptibility rates or incident-reporting speed, prevents an accurate evaluation of organizational resilience [23]. By contrast, simulation-based interventions have shown a 27% decrease in susceptibility, regardless of the framework [9].
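The indicators named above are straightforward to compute once phishing-simulation or incident events are logged per user, which is what makes them practical KPIs even for an MFI without a SIEM. The following is an added example, not part of the paper or of any framework it cites; it assumes a simple event log (one `timestamp,campaign,user,event` record per line, with event names `sent`, `opened`, `clicked`, `submitted`, `reported`), and the records it processes are constructed for illustration. It computes, per campaign, the susceptibility (click) rate, credential-submission rate, report rate, median time-to-report, and whether the first report arrived before the first click, then the relative change between two campaigns.

```python
"""Phishing-resilience KPIs from a per-user simulation event log.

Added example, not from the paper. The log format (timestamp,campaign,user,event)
and the event names are assumptions; the sample records are constructed.
"""
import csv
import io
from datetime import datetime
from statistics import median

# Constructed sample log for two campaigns (not real incident data).
SAMPLE_LOG = """\
timestamp,campaign,user,event
2025-03-03T09:00:00,C1,u01,sent
2025-03-03T09:00:00,C1,u02,sent
2025-03-03T09:00:00,C1,u03,sent
2025-03-03T09:00:00,C1,u04,sent
2025-03-03T09:04:10,C1,u01,clicked
2025-03-03T09:05:30,C1,u01,submitted
2025-03-03T09:06:00,C1,u02,reported
2025-03-03T09:20:00,C1,u03,clicked
2025-03-03T09:21:00,C1,u03,reported
2025-03-03T11:00:00,C1,u04,reported
2025-03-10T09:00:00,C2,u01,sent
2025-03-10T09:00:00,C2,u02,sent
2025-03-10T09:00:00,C2,u03,sent
2025-03-10T09:00:00,C2,u04,sent
2025-03-10T09:02:00,C2,u02,reported
2025-03-10T09:03:00,C2,u04,reported
2025-03-10T09:30:00,C2,u01,clicked
"""


def parse_events(text):
    """Parse CSV text into dicts, adding a parsed datetime under 'ts'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def _minutes(later, earlier):
    return (later - earlier).total_seconds() / 60.0


def campaign_kpis(events):
    """Per-campaign KPIs; rates are fractions of users who received the lure."""
    by_campaign = {}
    for e in events:
        by_campaign.setdefault(e["campaign"], []).append(e)

    out = {}
    for camp, evs in by_campaign.items():
        sent = {e["user"]: e["ts"] for e in evs if e["event"] == "sent"}
        if not sent:
            continue
        # Earliest timestamp per (user, event); a user may click twice, count once.
        first = {}
        for e in evs:
            if e["event"] == "sent":
                continue
            key = (e["user"], e["event"])
            if key not in first or e["ts"] < first[key]:
                first[key] = e["ts"]

        def users(ev):
            return {u for (u, x) in first if x == ev and u in sent}

        clickers, submitters, reporters = users("clicked"), users("submitted"), users("reported")
        report_delays = [_minutes(first[(u, "reported")], sent[u]) for u in reporters]
        click_delays = [_minutes(first[(u, "clicked")], sent[u]) for u in clickers]
        n = len(sent)
        out[camp] = {
            "sent": n,
            "click_rate": len(clickers) / n,          # susceptibility
            "submit_rate": len(submitters) / n,       # credential exposure
            "report_rate": len(reporters) / n,        # detection by staff
            "median_report_minutes": median(report_delays) if report_delays else None,
            # Did the SOC hear about the lure before anyone had clicked it?
            "first_report_before_first_click": bool(report_delays)
            and (not click_delays or min(report_delays) < min(click_delays)),
        }
    return out


def relative_change(before, after):
    """Fractional change, e.g. -0.5 means the rate halved between campaigns."""
    return (after - before) / before if before else None


if __name__ == "__main__":
    kpis = campaign_kpis(parse_events(SAMPLE_LOG))
    for camp, k in sorted(kpis.items()):
        print(camp, k)
    print("click-rate change C1->C2:", relative_change(kpis["C1"]["click_rate"], kpis["C2"]["click_rate"]))
```

The `first_report_before_first_click` flag is the one to watch operationally: a campaign can show a falling click rate while reports still arrive too late to pull the lure before credentials are entered, and a falling susceptibility figure alone would hide that.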

Recent research incorporates artificial intelligence into frameworks; GRU-based anomaly-detection networks improve phishing detection rates and response times [24]. Deploying such models in microfinance institutions, however, is hampered by technical and infrastructural limitations. Traditional frameworks have therefore remained compliance-centered, which underscores the need for hybrid socio-technical approaches.

2.5. Gaps in Existing Research

Although numerous studies have examined cybersecurity frameworks, most focus on commercial banks in developed economies [25], [26]. Very few studies analyze how these frameworks adapt to the realities of MFIs, characterized by low digital literacy, fragmented infrastructure, and limited budgets [27].

Theoretical foundations for human behavior are lacking: while phishing in MFIs exploits cognitive biases and social status, research continues to view human error as a minor factor [28]. Besides, AI-enhanced defense systems are rarely tested in low-resource environments [24]. Cross-sectional designs and audit-based scoring are methodological limitations that hinder understanding of framework performance over time [21].

To address these gaps, combined and comparative research evaluating contextual, behavioral, and technological aspects is required. This study responds directly by empirically assessing the efficacy of frameworks and by suggesting adaptive, AI-aided models for resource-constrained digital finance.

2.6. AI-Enhanced Phishing Detection in Low-Resource Settings

Recent developments in gated recurrent unit (GRU)-based neural networks offer promising, low-cost options for phishing detection in mobile finance environments. On-device inference with TensorFlow Lite enables anomaly detection without high-bandwidth requirements. Prior studies report detection accuracies exceeding 90% and reductions in false-positive rates of more than 30% in African and South Asian deployments [28], [29]. Integrating such adaptive models with traditional frameworks such as the NIST Cybersecurity Framework bridges the gap between policy compliance and operational resilience, supporting scalable, context-aware defenses.
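To make the "lightweight" claim concrete for the GRU detector referred to in the objectives and in this section, the following added example (not the paper's model, and not trained) writes out the GRU recurrence in plain Python and computes the parameter and byte budget of a character-level model small enough for on-device inference. The weights are seeded random placeholders, so the scores it prints carry no meaning; the character vocabulary, embedding width (16), hidden width (32) and 160-character input length are assumptions chosen to fit one GSM SMS segment. A deployable version would train these weights on labelled messages and export them to TensorFlow Lite; the recurrence and the size arithmetic are the same.

```python
"""Character-level GRU smishing scorer in pure Python (no numpy, no TensorFlow).

Added example, not the paper's model. Weights are seeded random placeholders
(UNTRAINED), so scores are meaningless; the point is the GRU recurrence and
the parameter/byte budget that makes on-device inference feasible.
"""
import math
import random

PAD, UNK = 0, 1                                  # reserved token ids
CHARS = "abcdefghijklmnopqrstuvwxyz0123456789 .,:/?!-_@#&=%"  # assumed vocabulary
VOCAB = {c: i + 2 for i, c in enumerate(CHARS)}
VOCAB_SIZE = len(CHARS) + 2                      # 52 with PAD and UNK
MAX_LEN = 160                                    # one GSM-7 SMS segment; static tensor shape for TFLite
EMB, HID = 16, 32                                # assumed embedding / hidden widths


def encode(text, max_len=MAX_LEN):
    """Lower-case, map chars to ids (unknown -> UNK), truncate/pad to a fixed length."""
    ids = [VOCAB.get(c, UNK) for c in text.lower()[:max_len]]
    return ids + [PAD] * (max_len - len(ids))


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def matvec(W, v):
    return [sum(w * x for w, x in zip(row, v)) for row in W]


def add(*vs):
    return [sum(t) for t in zip(*vs)]


class TinyGRU:
    """Cho-style GRU: z (update), r (reset), h~ (candidate); final state -> sigmoid unit."""

    def __init__(self, emb=EMB, hid=HID, seed=7):
        rng = random.Random(seed)                # placeholder weights, not trained

        def u(n, m):
            return [[rng.uniform(-0.1, 0.1) for _ in range(m)] for _ in range(n)]

        self.hid = hid
        self.emb = u(VOCAB_SIZE, emb)
        self.emb[PAD] = [0.0] * emb              # padding contributes nothing
        self.W = {g: u(hid, emb) for g in "zrh"}  # input weights per gate
        self.U = {g: u(hid, hid) for g in "zrh"}  # recurrent weights per gate
        self.b = {g: [0.0] * hid for g in "zrh"}
        self.w_out = u(1, hid)[0]
        self.b_out = 0.0

    def step(self, x, h):
        """One GRU time step: gates decide how much old state to keep vs. overwrite."""
        z = [sigmoid(a) for a in add(matvec(self.W["z"], x), matvec(self.U["z"], h), self.b["z"])]
        r = [sigmoid(a) for a in add(matvec(self.W["r"], x), matvec(self.U["r"], h), self.b["r"])]
        rh = [ri * hi for ri, hi in zip(r, h)]
        h_tilde = [math.tanh(a) for a in add(matvec(self.W["h"], x), matvec(self.U["h"], rh), self.b["h"])]
        return [(1 - zi) * hi + zi * ti for zi, hi, ti in zip(z, h, h_tilde)]

    def final_state(self, ids):
        h = [0.0] * self.hid
        for t in ids:
            if t == PAD:                         # stop at padding: short SMS costs fewer steps
                break
            h = self.step(self.emb[t], h)
        return h

    def score(self, text):
        """Phishing probability in (0, 1); meaningless until the weights are trained."""
        h = self.final_state(encode(text))
        return sigmoid(sum(w * x for w, x in zip(self.w_out, h)) + self.b_out)


def param_count(emb=EMB, hid=HID, vocab=VOCAB_SIZE):
    """Embedding + 3 gates x (W + U + b) + output unit. Keras' default
    reset_after=True adds a second bias per gate (3*hid more)."""
    return vocab * emb + 3 * (emb * hid + hid * hid + hid) + (hid + 1)


def model_bytes(bytes_per_param, emb=EMB, hid=HID):
    """Weight footprint: 1 byte/param for int8 quantisation, 4 for float32."""
    return param_count(emb, hid) * bytes_per_param


SAMPLES = [  # constructed messages, not real traffic; example.com is a reserved domain
    "M-PESA: Your account is suspended. Confirm your PIN at http://example.com/verify now!",
    "Hi, I will be home by 7. Do you need anything from the shop?",
]

if __name__ == "__main__":
    model = TinyGRU()
    for s in SAMPLES:
        print(f"{model.score(s):.3f}  {s}")
    print(param_count(), "parameters ->", model_bytes(1), "bytes int8,", model_bytes(4), "bytes float32")
```

With these dimensions the whole model is 5,569 parameters, about 5.4 KB at int8 or 22 KB at float32, and each character costs three small matrix-vector products; that is the scale at which inference on an agent's handset or a branch PC is realistic without any link to a central server. Whether such a model actually reaches the accuracy figures cited above depends entirely on the training data, which this example does not have.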

2.7. Theoretical Framework

This study adopts a socio-technical theoretical perspective integrating Protection Motivation Theory (PMT), the Design–Reality Gap model, and Resilience Engineering to explain how cybersecurity frameworks operate within digital microfinance institutions (MFIs).

Protection Motivation Theory provides an established behavioral framework for understanding how individuals respond to cybersecurity threats. PMT posits that protective behavior emerges through two cognitive processes: threat appraisal and coping appraisal. Threat appraisal evaluates the perceived severity and vulnerability of a threat, while coping appraisal assesses the efficacy of responses and self-efficacy. In organizational cybersecurity contexts, PMT has been widely applied to explain employee compliance with security policies and their ability to recognize phishing attacks. Employees who perceive phishing as a serious threat and believe they possess the skills to respond appropriately are more likely to report suspicious communications and follow security procedures. Conversely, insufficient training or punitive reporting environments reduce perceived self-efficacy and discourage proactive security behavior [1].

While PMT explains employee behavior at the individual level, institutional cybersecurity performance is also influenced by structural and technological factors. The Design–Reality Gap model provides a useful lens for understanding why externally developed cybersecurity frameworks may fail when implemented in resource-constrained environments. The model argues that information systems often fail when the design assumptions embedded within them do not align with the local institutional context in which they are implemented. In the case of MFIs, many widely adopted cybersecurity frameworks assume the availability of dedicated security teams, centralized monitoring infrastructure, and continuous compliance auditing. These assumptions may not hold in smaller institutions with limited budgets, fragmented technological infrastructure, and evolving governance structures [3].

Resilience Engineering complements these perspectives by focusing on the adaptive capacity of socio-technical systems. Resilience-focused cybersecurity methods emphasize an organization’s capacity to anticipate, identify, react to, and learn from disruptions, rather than strictly following predefined controls. In cybersecurity environments characterized by rapidly evolving threats, such as phishing, organizational resilience depends on the continuous interplay among technological defenses, governance mechanisms, and human behavior [3].

Integrating these three perspectives provides a comprehensive framework for evaluating the effectiveness of cybersecurity in digital MFIs. Protection Motivation Theory explains employee-level phishing detection behavior, the Design–Reality Gap model explains institutional challenges in implementing international cybersecurity frameworks, and Resilience Engineering highlights the importance of adaptive organizational practices. Together, these theories inform the conceptual foundation of the Adaptive Cybersecurity Framework proposed in this study, which integrates behavioral awareness, governance adaptation, and lightweight technological detection mechanisms to enhance institutional resilience against phishing attacks. Table 1 outlines how the theoretical foundations support the proposed Adaptive Cybersecurity Framework, showing how each perspective influences particular functional parts.

This entry was posted on June 29, 2026.