An Assessment of Cyber Risk Management Effectiveness in Zimbabwe's Financial Sector: A Case of National Building Society (NBS)

Abstract

The growing prevalence of cyber threats in the global financial sector has made cybersecurity a central component of institutional resilience and risk governance. This study assessed the effectiveness of cyber risk management strategies employed by the National Building Society (NBS) in Zimbabwe, with a focus on identifying key vulnerabilities, evaluating existing control mechanisms and proposing enhancements to strengthen cyber resilience. The research was guided by four objectives: to establish and categorize the major cyber threats and system vulnerabilities affecting NBS’s operations in the last 10 years, to evaluate the effectiveness of existing cyber risk management controls and policies at NBS in reducing cyber incidents in the past 10 years 3, to assess the likelihood and impact of identified cyber risks on NBS’s operational, financial and reputational performance in the last 10 years and to recommend improved strategies for managing these risks. The study adopted a mixed-methods case study design combining quantitative and qualitative approaches to obtain a comprehensive understanding of the phenomenon. A total of 186 employees were targeted, with 132 valid responses obtained through structured questionnaires and follow-up interviews. Quantitative data was analysed using descriptive statistics, correlation and regression analyses through the latest SPSS version, while qualitative data was subjected to thematic analysis. The findings revealed that although NBS has implemented several cybersecurity measures including incident response planning, employee awareness training and business continuity systems, significant gaps persist in policy communication, phishing prevention and external collaboration with cybersecurity partners. The descriptive results showed that the mean perception of cyber risk management effectiveness was moderate (M = 3.49), indicating room for improvement. Correlation analysis established a significant negative relationship between the effectiveness of cyber risk strategies and exposure to cyber risks (r = -0.474, p < 0.01), suggesting that stronger cybersecurity practices directly reduce perceived vulnerability. Regression results indicated that 22.5% of the variance in exposure to cyber risks could be explained by the effectiveness of NBS’s cyber risk management strategies. Qualitative insights highlighted human factors, outdated legacy systems and limited technological investment as persistent challenges to achieving cyber resilience. The study concludes that while NBS demonstrates commendable progress toward developing a cybersecurity framework, its effectiveness remains constrained by inadequate employee engagement, limited automation and inconsistent risk assessment processes. It recommended adopting a zero-trust security model, strengthening staff training, increasing collaboration with regulatory and law enforcement bodies and integrating cybersecurity governance into enterprise risk management. The study contributed to the understanding of cyber risk management within developing economies and offered practical insights for policymakers and financial institutions seeking to enhance cybersecurity effectiveness in Zimbabwe’s financial sector.