Data protection laws alone can’t end cybercrime

Kenya has data protection laws. It has cybercrime legislation, regulators and compliance frameworks on paper. Yet cyber fraud, phishing, SIM swaps and digital impersonation continue to expand faster than legal reform. This contradiction forces an uncomfortable question: if the legal architecture exists, why are citizens still being exploited online?

The answer is not technological. It is human.

Modern cybersecurity policy assumes that the primary threat is unauthorised access to systems. The dominant image is the hacker breaching networks and stealing data. But in Kenya and much of the Global South, most cyber harm does not arise from sophisticated technical intrusion. It arises from social engineering — the deliberate manipulation of human psychology to extract money, information or access. The law protects systems. Cybercriminals exploit people.

Kenya’s Data Protection Act establishes a rights-based framework mirroring global standards: lawful processing, consent, and obligations on institutions. The cybercrime regime criminalises identity theft and digital fraud. Legally, the structure exists. The gap appears in everyday reality. Most victims are not hacked in the technical sense; they are deceived. They voluntarily disclose information because they believe they are interacting with legitimate actors. They respond to urgency, authority or fear. In these moments, the legal assumption that individuals exercise rational, informed consent collapses. Consent manufactured through deception is not meaningful consent, yet current frameworks struggle to conceptualise harm caused by manipulation rather than intrusion. Victims appear to have participated in their own exploitation, and legal remedies become blurred.

Predictable behavioural tendencies

This is not a failure of intelligence. It is a feature of human cognition. Cybercrime succeeds because it targets predictable behavioural tendencies: trust in authority, fear of loss, urgency under pressure and the desire for reward.

Psychological research shows that decision-making under stress is emotional before it is analytical. Social engineering attacks are designed to trigger reflex before reflection. A phishing message does not rely on technical brilliance; it relies on human reaction.

Cybercriminals are not primarily technologists. They are behavioural strategists. Yet most legal frameworks still treat cyber harm as a technological breach rather than a psychological one, leaving enforcement permanently outpaced.

The Global South faces structural conditions that intensify vulnerability. Digital adoption has expanded faster than digital literacy.

Mobile-first economies rely on trust-based transactions, informal financial ecosystems and limited reporting mechanisms.

Millions enter online environments without safety education or meaningful institutional recourse. In such contexts, cybersecurity cannot be separated from socioeconomic reality.

Cybercrime is embedded in inequality, access and governance. Victims are often blamed for negligence instead of recognised as targets of behavioural exploitation.

Cybercrime also persists because it is economically rational. Social engineering is profitable and low-risk. It requires minimal technical skill and operates across jurisdictions with weak enforcement coordination.

Sharon Kihiu, an Advocate of the High Court of Kenya, is a Cybercrime Specialist and Analyst.