Cybersecurity for the unbanked: usable security heuristics for mobile financial services.

Abstract

Financial service providers leverage the growing adoption of mobile phones to develop and deploy new business models to provide financial services to new and existing customer bases. This has enabled the deployment of innovative financial products via mobile devices to capture new market segments while reducing operational costs. However, the downside of this development is the increased risk of cybersecurity threats to customers. These threats have affected existing users of mobile financial services and have the potential to impact 1.4 billion of the global adult population who are unbanked. Existing technical countermeasures, such as strong encryption algorithms, multi-factor authentication, and higher passcode complexity, have not fully addressed the cybersecurity problem in Mobile Financial Services (MFS). Literature has identified usable security as a problem area that leads to cybersecurity issues that affect users and developers of MFS solutions. While various aspects of this problem have been studied, the nature of usable security in the MFS sociotechnical system and how to address it, from the perspective of stakeholders in the ecosystem, has not been thoroughly examined. This PhD thesis provides both theoretical and practical contributions by providing an understanding of socio-technical factors in mobile financial services and their impact on usable security from the perspective of stakeholders in the ecosystem. Also, it provides empirical evidence of the impact of user behaviours and DevOps practices on usable security for mobile financial services through a survey of 698 end-users and semi-structured interviews with 37 DevOps participants. Finally, the thesis presents a set of 12 usable security heuristics that were applied in a real-world scenario in the development and usable security evaluation of MFS.