Assessing the gap between policy requirements and information security capacity in the Vietnam People's Credit Funds system

Abstract

This study measures the gap between the minimum required threshold at the 2025 milestone and the actual information security (cybersecurity) capability of Vietnam People’s Credit Funds (PCFs) system, thereby drawing implications for the 2026- 2030 digital transformation period. Based on a valid sample of 1,068 PCFs and an analytical framework integrating institutional theory with the resource-based view (RBV), the findings show that the system-wide average information security score is 1.89 out of 5.0, with 87.73% of units falling below the minimum threshold (E = 2.5). A decomposition using the NIST Cybersecurity Framework indicates that deficiencies are concentrated in deeper operational capabilities, particularly Detect and Recover, while the establishment/compliance layer performs relatively better. The results also suggest a mismatch between the establishment/compliance layer and the operational execution layer, especially among smaller entities. On that basis, the study recommends shifting the regulatory focus from compliance control to capability building through shared services and a proportionality principle tailored to organizational size.