Cybersecurity Awareness, Phishing Susceptibility, and Information Security Behaviour Among Indian Banking Employees

India’s banking sector is undergoing the most rapid digital transformation in its history: Unified Payments Interface (UPI) processed over 18 billion transactions in a single month in 2024, the Reserve Bank of India’s Central Bank Digital Currency (CBDC) pilot is expanding, and over 540 million Indians accessed banking services digitally in fiscal year 2024. This transformation has simultaneously and dramatically expanded the sector’s cyber attack surface. CERT-In’s 2023 Annual Report recorded a 92% year-on-year increase in cybersecurity incidents targeting Indian financial institutions, with phishing representing the entry vector in over 65% of successfully executed attacks. The weaponisation of generative AI to produce hyper-personalised spear phishing emails, voice phishing (vishing) calls indistinguishable from legitimate bank communications, and QR code-based phishing schemes has rendered traditional signature-based phishing detection training obsolete and positioned the human firewall — the information security behaviour of individual banking employees — as the most consequential and most vulnerable element in the institutional security architecture.The theoretical framework guiding this investigation is Protection Motivation Theory (PMT; Rogers, 1975; Maddux & Rogers, 1983), which models protective behaviour as a function of two orthogonal appraisal processes: threat appraisal (the product of threat severity and personal vulnerability assessments) and coping appraisal (the product of response efficacy and self-efficacy assessments). Applied to information security behaviour, PMT predicts that employees who simultaneously perceive phishing as a severe and personally relevant threat and who believe that protective responses (following security protocols, reporting suspicious emails, using multi-factor authentication) are effective and within their capability will exhibit the highest levels of compliant security behaviour. Security training, in this framework, functions as a mediating mechanism that enhances both coping appraisal dimensions by improving employees’ knowledge of protective responses and their confidence in executing them.This study applies the PMT framework to survey data from 1,384 banking employees across public sector banks (State Bank of India, Canara Bank, Indian Bank branches in Tamil Nadu and Andhra Pradesh), private sector banks (HDFC Bank, ICICI Bank, Axis Bank), and Regional Rural Banks (Pallavan Grama Bank, Andhra Pragathi Grameena Bank), examining whether the bank category moderates the protection motivation-to-security behaviour pathway in ways that might explain the dramatically different phishing susceptibility rates observed across institution types in CERT-In and RBI Cyber Security incident databases.