International Journal of Advanced Engineering Application

ISSN: 3048-6807

Cybersecurity Awareness, Phishing Susceptibility, and Information Security Behaviour Among Indian Banking Employees

Author(s): Ganesh Chandra Sahoo

Affiliation: Department of Information Systems, Utkal University, Bhubaneswar, Odisha, India

Page No: 82-86

Volume issue & Publishing Year: Volume 2, Issue 3, 2026/03/15

Journal: International Journal of Advanced Engineering Application (IJAEA)

DOI: https://doi.org/10.5281/zenodo.19352338

Abstract:
India’s banking sector is undergoing the most rapid digital transformation in its history: Unified Payments Interface (UPI) processed over 18 billion transactions in a single month in 2024, the Reserve Bank of India’s Central Bank Digital Currency (CBDC) pilot is expanding, and over 540 million Indians accessed banking services digitally in fiscal year 2024. This transformation has simultaneously and dramatically expanded the sector’s cyber attack surface. CERT-In’s 2023 Annual Report recorded a 92% year-on-year increase in cybersecurity incidents targeting Indian financial institutions, with phishing representing the entry vector in over 65% of successfully executed attacks. Generative AI is now weaponised to produce hyper-personalised spear phishing emails, voice phishing (vishing) calls indistinguishable from legitimate bank communications, and QR code-based phishing schemes. This has rendered traditional signature-based phishing detection training obsolete and positioned the human firewall, that is, the information security behaviour of individual banking employees, as the most consequential and most vulnerable element in the institutional security architecture.
The theoretical framework guiding this investigation is Protection Motivation Theory (PMT; Rogers, 1975; Maddux & Rogers, 1983), which models protective behaviour as a function of two orthogonal appraisal processes: threat appraisal (the product of threat severity and personal vulnerability assessments) and coping appraisal (the product of response efficacy and self-efficacy assessments). Applied to information security behaviour, PMT predicts that employees who simultaneously perceive phishing as a severe and personally relevant threat and who believe that protective responses (following security protocols, reporting suspicious emails, using multi-factor authentication) are effective and within their capability will exhibit the highest levels of compliant security behaviour. Security training, in this framework, functions as a mediating mechanism that enhances both coping appraisal dimensions by improving employees’ knowledge of protective responses and their confidence in executing them.
This study applies the PMT framework to survey data from 1,384 banking employees across public sector banks (State Bank of India, Canara Bank, Indian Bank branches in Tamil Nadu and Andhra Pradesh), private sector banks (HDFC Bank, ICICI Bank, Axis Bank), and Regional Rural Banks (Pallavan Grama Bank, Andhra Pragathi Grameena Bank). It examines whether bank category moderates the protection motivation-to-security behaviour pathway in ways that might explain the dramatically different phishing susceptibility rates observed across institution types in CERT-In and RBI Cyber Security incident databases.

Keywords: cybersecurity, phishing, information security, banking, PMT, Protection Motivation Theory, India, CERT-In, employee behaviour, spear phishing, vishing, digital banking, UPI, RBI, social engineering, security training

References:

  • [1] Anderson, C. L., & Agarwal, R. (2010). Practicing safe computing: A multimedia empirical examination of home computer user security behavioral intentions. MIS Quarterly, 34(3), 613-643.
  • [2] CERT-In. (2023). Annual Report on Cybersecurity in India 2023. Indian Computer Emergency Response Team, MeitY.
  • [3] Crossler, R. E., Johnston, A. C., Lowry, P. B., et al. (2013). Future directions for behavioral information security research. Computers & Security, 32, 90-101.
  • [4] Dhingra, A., & Dutta, S. (2024). Phishing attacks on Indian banks: Trends and CERT-In response data 2020-24. Journal of Cyber Policy, 9(1), 44-61.
  • [5] Floyd, D. L., Prentice-Dunn, S., & Rogers, R. W. (2000). A meta-analysis of research on protection motivation theory. Journal of Applied Social Psychology, 30(2), 407-429.
  • [6] Goel, S., Williams, K., & Dincelli, E. (2017). Got phished? Internet security and human vulnerability. Journal of the Association for Information Systems, 18(1), 22-44.
  • [7] Herath, T., & Rao, H. R. (2009). Protection motivation and deterrence: A framework for security policy compliance in organisations. European Journal of Information Systems, 18(2), 106-125.
  • [8] Hu, Q., West, R., & Smarandescu, L. (2015). The role of self-control in information security violations: Insights from a cognitive neuroscience perspective. Journal of Management Information Systems, 31(4), 6-48.
  • [9] IDRBT. (2024). Cybersecurity Framework for Indian Banking Sector 2024. Institute for Development and Research in Banking Technology, RBI.
  • [10] Johnston, A. C., & Warkentin, M. (2010). Fear appeals and information security behaviors: An empirical study. MIS Quarterly, 34(3), 549-566.
  • [11] Kwak, N., Bharat, V., & Soo, H. J. (2023). Generative AI and social engineering: A new threat landscape. IEEE Security & Privacy, 21(4), 34-43.
  • [12] Maddux, J. E., & Rogers, R. W. (1983). Protection motivation and self-efficacy: A revised theory of fear appeals and attitude change. Journal of Experimental Social Psychology, 19(5), 469-479.
  • [13] Purkait, S., De, S. K., & Bhattacharyya, S. (2014). An empirical investigation into the adoption of online banking in India. Information Technology & People, 27(2), 186-217.
  • [14] RBI. (2023). Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices. Reserve Bank of India, Mumbai.
  • [15] Rogers, R. W. (1975). A protection motivation theory of fear appeals and attitude change. Journal of Psychology, 91(1), 93-114.
  • [16] Sasse, M. A., Brostoff, S., & Weirich, D. (2001). Transforming the weakest link: A human/computer interaction approach to usable and effective security. BT Technology Journal, 19(3), 122-131.
  • [17] Singh, P., Verma, A., & Gupta, R. (2024). Cybercrime in India’s banking sector: Trends, vulnerabilities and regulatory responses 2022-24. Vikalpa: The Journal for Decision Makers, 49(1), 34-48.
  • [18] Srite, M., & Karahanna, E. (2006). The role of espoused national cultural values in technology acceptance. MIS Quarterly, 30(3), 679-704.
  • [19] Vishwanath, A., Harrison, B., & Ng, Y. J. (2018). Suspicion, cognition, and automaticity model of phishing susceptibility. Communication Research, 45(8), 1146-1166.
  • [20] Workman, M. (2008). Wisecrackers: A theory-grounded investigation of phishing and pretext social engineering threats to information security. Journal of the American Society for Information Science, 59(4), 662-674.
  • [21] Yazdanmehr, A., & Wang, J. (2016). Employees’ information security policy compliance: A norm activation perspective. Decision Support Systems, 92, 36-46.
  • [22] Zaharia, M., Aranda, B., & Patel, K. (2024). AI-generated phishing: Detection evasion and human susceptibility. ACM Conference on Computer and Communications Security Proceedings, 2024, 1847-1862.