Cybersecurity for the Unbanked: Usable Security Heuristics for Mobile Financial Services
Financial services providers such as banks and insurance firms use mobile platforms as an alternative delivery channel for financial services. This has enabled the deployment of innovative financial products via mobile devices to capture new market segments while reducing operational costs. However, the downside of using mobile devices to bridge the banking gap is that mobile devices are now an added vector for cybersecurity threats. These threats have eroded trust in mobile financial systems, impacting the over 25% of the global adult population who are unbanked. Existing countermeasures, such as strong encryption algorithms, multi-factor authentication and higher passcode complexity, have not fully addressed the cybersecurity problem in Mobile Financial Services (MFS). The literature has identified usable security as key to improving cybersecurity, but has focused mainly on web-based and desktop-based solutions. While usable security has been examined in several domains, that work has concentrated on improving the balance between usability and security. The nature of usable security in MFS, and how to address it in the context of the MFS ecosystem, has not been thoroughly examined.
This PhD project leveraged Action Research and adopted a human-centred approach to develop a more detailed understanding of the cybersecurity problem in the MFS socio-technical system, its implications for end-users, and the ecosystem in which it operates. Twelve usable security heuristics were developed iteratively through four studies: a survey of 698 MFS users, semi-structured interviews with 37 supply-side actors (including DevOps staff and bank CIOs), and validation through expert review by 14 experts across five countries. These heuristics address, amongst others, inclusivity in usable security, the reliability of feedback mechanisms, and the transparency of security controls. The heuristics were then validated in two use cases: the development of Fintech solutions through a hackathon, and black-box testing of existing MFS. The research revealed observable and latent variables that impact usable security for MFS users. It also revealed the usable security practices of solution providers and their impact on cybersecurity for MFS. Furthermore, applying the heuristics exposed usable security flaws in MFS applications. The results demonstrated that adopting the heuristics developed in this PhD will improve usable security in MFS and that they can serve as a tool to evaluate the usable security of MFS.