Building a Human-Centric Security Culture in Ghana’s Financial Sector


If you manage technology for a bank, fintech, or savings and loans company in Ghana today, you feel the tension. On one hand, we are driving an incredible digital transformation: mobile money interoperability, instant payments, online banking, and more. On the other, we face a parallel surge in sophisticated social engineering scams that directly target the human link in our security chain. Our employees are on the frontline.

For years, our primary defence has been compliance-driven training: mandatory annual modules, surprise phishing tests, and sometimes “name-and-shame” lists for those who click. But let’s be honest: this approach is failing. It breeds anxiety, not vigilance. It teaches people to hide mistakes, not report them. In a sector built on trust, we have built a security culture of fear.

It is time for a fundamental shift. We must move beyond tick-box compliance and build a human-centric security culture, one that engages, empowers, and measures real behavioural change. This is not a soft option; it is our most robust defence.

The Limits of the “Checkbox” Culture

The traditional model is simple: train, test, and penalise. If phishing click rates fall, we declare success. But what have we truly achieved? We’ve created employees who are scared of IT emails, not scammers. They see security as a hurdle imposed by the head office, not a shared responsibility.

This is particularly counterproductive in our work environment. In Ghana, our culture is deeply communal and relational. A top-down, punitive approach breaks down the “ubuntu” spirit, the sense that “I am because we are.” Public shaming for clicking a link erodes the very trust we need to foster. When an employee makes a mistake, our goal should be to turn that moment into a learning opportunity for the entire team, not a solitary mark of failure.

Pillars of a Human-Centric Strategy

So, how do we build this new culture? It will rest on these four pillars: psychology, people, meaningful metrics, and data-driven learning.

Leverage Behavioural Psychology, Not Just Information

Security must be the easy, obvious choice. This means understanding how people work. For instance, instead of enforcing complex, forgettable passwords, promote passphrases. Leading frameworks like the UK’s NCSC advocate for passphrases over passwords, a principle we can adapt locally by using a line from a local proverb or song lyric and throwing in some numbers and symbols (e.g., “SlowSlowF0wlDrinksWater!”). It’s culturally resonant, easier to remember, and more secure. Frame security as “protecting our community”, that is, our colleagues, our customers, and our reputation. This aligns with our communal values and transforms security from an IT ‘rule’ into a point of collective pride.

Cultivate Security Champions

The most powerful voice is not mine from the IT department. It’s the voice of a respected peer. We must identify and empower volunteer Security Champions from business units: the sharp front-desk officer, the meticulous settlements associate, or the assertive trader. These individuals receive extra training and tools to become go-to resources for their teams. They lead short, relevant discussions in team huddles and share alerts in plain language. They provide the “social proof” that security is everyone’s business. Their recognition should be public and celebrated.

Measure What Matters

We must change our key performance indicators. A low phishing click rate can simply mean people are better at hiding errors. Aligning with the NIST Cybersecurity Framework’s focus on detection and response, we should track Mean Time to Report (MTTR), that is, how fast a suspicious email is reported to IT. This is a more meaningful metric than click rates. A short MTTR signals a vigilant, trusting culture. Even more critical is tracking the incident response and resolution time. When employees quickly report a potential breach, our Security Operations Center (SOC) can contain it faster, minimising financial loss and regulatory impact. This is a business outcome that directly speaks to the Board.

Train with Helpdesk Data

Our IT helpdesk is a goldmine of insight. We must integrate ticket data, for example queries like “I can’t open this attachment” or “Is this WhatsApp message from the CEO real?”, with our training strategy. Are we seeing repeated confusion around mobile money fraud patterns? Are there spikes in queries about vendor payment scams? This data lets us create hyper-targeted, five-minute micro-learning content (posts, videos, animations, etc.) that addresses real, immediate gaps; it also means users must make a habit of reporting issues through the appropriate channels. It’s the ‘just-in-time’ learning that sticks. This shift from blame to learning is supported by the ‘Just Culture’ model and directly helps us fulfil the Bank of Ghana’s directive for a proactive security culture.

A Practical Path Forward

This shift need not be overwhelming. Start with a deliberate, phased approach.

Phase 1: Listen & Set Baseline (Quarter 1)

  • Run an anonymous survey to measure psychological safety: “Would you report a phishing click without fear?”
  • Analyse three months of IT tickets to identify the top three repeat security confusions.
  • Establish your baseline MTTR.
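The two Phase 1 measurements above, the baseline MTTR from the “Measure What Matters” section and the top repeat confusions from the helpdesk tickets, can be computed from exported records with a short script. The following is an added example, not code from the author or from any institution; it uses constructed sample records (five suspicious-email events and nine ticket subjects), a keyword map of my own for bucketing tickets, and MTTR in the sense this article defines it (Mean Time to Report, not the more common Mean Time to Respond or Repair). It also handles the edge cases a baseline must get right: emails that were never reported count against the report rate but are never averaged into the time, and the median is reported beside the mean because a single overnight report can pull the mean far above what most staff actually do.

```python
from collections import Counter
from datetime import datetime
from statistics import mean, median
from typing import Optional

# Constructed sample data (illustrative only, not from any real institution).
# One row per suspicious email (simulation or real): when it landed in the
# mailbox and when a user reported it to IT, or None if nobody ever did.
PHISHING_EVENTS = [
    {"dept": "Retail Banking", "delivered": "2025-01-06T09:00", "reported": "2025-01-06T09:12"},
    {"dept": "Retail Banking", "delivered": "2025-01-07T10:30", "reported": None},
    {"dept": "Finance",        "delivered": "2025-01-08T08:15", "reported": "2025-01-08T08:20"},
    {"dept": "Finance",        "delivered": "2025-01-09T14:00", "reported": "2025-01-10T09:00"},
    {"dept": "Treasury",       "delivered": "2025-01-10T11:00", "reported": "2025-01-10T11:05"},
]

# Constructed helpdesk ticket subjects for the same period.
HELPDESK_TICKETS = [
    "I can't open this attachment from a supplier",
    "Is this WhatsApp message from the CEO real?",
    "Customer says a MoMo agent asked for their PIN, what should I tell them?",
    "Vendor emailed new bank details for invoice payment, is this OK?",
    "Received mobile money refund SMS with a link",
    "Printer on 3rd floor not working",
    "Another email saying invoice overdue, asks me to open this file",
    "WhatsApp from 'MD' asking for gift cards",
    "Mobile money transfer reversal request looks odd",
]

# Hypothetical keyword map used to bucket tickets; the first matching
# category wins, so put the most specific phrases first.
CATEGORY_KEYWORDS = {
    "suspicious attachment": ("attachment", "open this file"),
    "impersonation message": ("whatsapp", "from the ceo", "is this real"),
    "mobile money fraud": ("momo", "mobile money"),
    "vendor payment scam": ("vendor", "invoice", "bank details"),
}


def minutes_to_report(event: dict) -> Optional[float]:
    """Minutes between delivery and report, or None if the email was never reported."""
    if event["reported"] is None:
        return None
    delta = datetime.fromisoformat(event["reported"]) - datetime.fromisoformat(event["delivered"])
    return delta.total_seconds() / 60


def report_metrics(events: list) -> dict:
    """Report rate over all events, plus mean and median time-to-report over the reported subset.

    Unreported emails lower the rate but are never averaged in as zero or as some
    arbitrary large number; that would hide exactly the behaviour we want to see.
    """
    times = [t for t in (minutes_to_report(e) for e in events) if t is not None]
    result = {"total": len(events), "reported": len(times), "report_rate": 0.0,
              "mttr_minutes": None, "median_minutes": None}
    if times:
        result.update(report_rate=len(times) / len(events),
                      mttr_minutes=mean(times), median_minutes=median(times))
    return result


def metrics_by_department(events: list) -> dict:
    """Same metrics, one entry per department, so a pilot branch can be compared to the rest."""
    depts = sorted({e["dept"] for e in events})
    return {d: report_metrics([e for e in events if e["dept"] == d]) for d in depts}


def categorise(ticket: str) -> str:
    """Bucket a ticket subject by keyword; anything that matches nothing is 'other'."""
    text = ticket.lower()
    for category, keywords in CATEGORY_KEYWORDS.items():
        if any(k in text for k in keywords):
            return category
    return "other"


def top_confusions(tickets: list, n: int = 3) -> list:
    """The n most frequent security-related confusions; non-security tickets are dropped."""
    counts = Counter(categorise(t) for t in tickets)
    counts.pop("other", None)
    return counts.most_common(n)


if __name__ == "__main__":
    overall = report_metrics(PHISHING_EVENTS)
    print(f"Report rate: {overall['report_rate']:.0%} ({overall['reported']}/{overall['total']})")
    print(f"MTTR (mean): {overall['mttr_minutes']:.1f} min, median: {overall['median_minutes']:.1f} min")
    for dept, m in metrics_by_department(PHISHING_EVENTS).items():
        print(f"  {dept}: rate {m['report_rate']:.0%}, mean {m['mttr_minutes']} min")
    print("Top confusions:", top_confusions(HELPDESK_TICKETS))
```

On the constructed data the mean time to report is 290.5 minutes while the median is 8.5 minutes: one Finance report that waited until the next morning dominates the mean, so a baseline that quotes only the mean would make the team look far slower than they are. Reporting the rate, the mean and the median together, per department, is what makes the Quarter 3 comparison against the pilot meaningful.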

Phase 2: Pilot with Champions (Quarter 2)

  • Select one pilot branch or department (e.g., Retail Banking).
  • Recruit 2-3 enthusiastic Security Champions. Co-create a positive campaign with them, such as “Spot It, Report It!”
  • Replace one generic training module with a champion-led session on a local scam trend.

Phase 3: Measure, Adapt & Celebrate (Quarter 3)

  • Compare the pilot’s MTTR and ticket trends to your baseline.
  • Publicise wins in company-wide channels: “Thanks to the vigilance of our team on the Finance desk, who reported 15 suspicious attempts last month, we prevented a potential phishing incident.”
  • Use pilot data to refine your approach.

Phase 4: Scale & Integrate (Quarter 4 & Beyond)

  • Expand the Champion network across key departments and offices.
  • Integrate micro-learning from ticket analysis into the onboarding program for all new hires.
  • Present a business case to the Executive Committee, showing reduced operational risk and faster incident containment as a return on investment.

In the end, the financial industry’s currency is trust. Customer trust is the foundation of our deposits, our transactions, our very existence. A human-centric security culture is the ultimate enabler of that trust. It demonstrates to our customers, our regulators, and our staff that we are proactive, vigilant, and resilient.

This is more than an IT initiative; it is a strategic business advantage in Ghana’s competitive financial landscape. Let us move beyond phishing tests and build a culture where every employee feels equipped, empowered, and responsible for safeguarding our community. That is a culture that will not only withstand threats but will also drive our growth with integrity.

Author: Constant Worlanyo Agbeko | IT Support Officer | Member, IIPGH

For any comments, email proagbeko@duck.com or call 0276871387