DATA SECURITY PREPAREDNESS LEVELS AND ONLINE BANKING SERVICES: A CASE STUDY OF THE INFORMATION TECHNOLOGY DEPARTMENT OF ACCESS BANK, KIGALI, RWANDA

DIEUDONNÉ MUHIRE MIS/0052/13

Research Project Submitted in Partial Fulfillment of the Requirements for the Award of Master of Science in Information Science (Information Communication Technology option) of Mount Kenya University

JUNE 2015

DECLARATION

This thesis is my original work and has not been presented for a degree in any other University or for any other award.

Student's Name: Dieudonné MUHIRE Reg. No.: MIS/0052/13 Sign: ……………………………….. Date: ………………………………..

We confirm that the work reported in this thesis was carried out by the candidate under our supervision.

Supervisor 1: Name: Prof. Raymond WAFULA ONGUS Sign ……………………………….. Date ………………………………..

Supervisor 2: Name: Benson MUGAMBI Sign ……………………………….. Date ………………………………..


DEDICATION

I dedicate this work to my deceased father, to my family and friends, who inspired, encouraged and supported me through the undertaking of this research.


ACKNOWLEDGEMENT

Thanks to the almighty God for sustaining and helping me throughout this thesis. I would like to express my gratitude to the following people for their role in the completion of this research:

I would like to express my deep appreciation to Professor Raymond WAFULA ONGUS and Mr. Benson MUGAMBI for their support, guidance and encouragement over the past few months. I would also like to thank the company, individuals and friends who contributed to this research for their help and cooperation. Without them, I would not have been able to complete my research.

Last but not least, I am forever grateful to my parents for their endless patience and assistance. May God bless you all.

Dieudonné MUHIRE


ABSTRACT

Data security has been the main approach to dealing with loss of data. This study was motivated by the continuing concern that ineffective data/information security in companies leads to considerable monetary losses. Its aim was to examine the main causes of data insecurity, to assess the effectiveness of data security measures, to determine the additional measures to be put in place to improve data security, and to establish how data security preparedness levels at Access Bank, Kigali, Rwanda affect online banking services. Questionnaires and interviews were used for data collection. All fifty-nine (59) IT employees and their managers at Access Bank constituted the population; because the population was small, a census was taken and the sample size was therefore 59. Quantitative data were summarised and interpreted using graphs, frequency tables, weighted means, standard deviations and percentages to describe the relationships established, with Statistical Package for the Social Sciences Version 17.0 (SPSS V.17.0) as the analysis tool. Findings revealed that internal attacks are the first major cause of data insecurity in the company, as indicated by 50.90% of respondents, and that a lack of awareness and training programmes was cited by 70.90% of respondents as the main obstacle to better security compliance. Findings also revealed that 38.20% of respondents were neutral on the effectiveness of involving users in data security implementation, while 69.10% strongly agreed on the effectiveness of the documented policy introduced in the Bank. Furthermore, 52.70% of respondents acknowledged that passwords combined with biometric authentication could be an additional security measure.

Multiple regression gave a coefficient of multiple correlation r of 0.793, indicating a strong positive multiple correlation between data security preparedness levels and online banking services at Access Bank, Kigali, Rwanda. The coefficient of determination r² = 0.628 indicated that 62.8% of the total variation in online banking services was explained by the stochastic model developed, whereas the remaining 37.2% was attributed to factors beyond the control of the study. The relationship was also found to be significant. The study recommends regular assistance to customers to avoid identity theft, training for every employee of the Bank, and the introduction of the additional security measures identified in this study to deal with internal incidents.


TABLE OF CONTENTS
DECLARATION
DEDICATION
ACKNOWLEDGEMENT
ABSTRACT
TABLE OF CONTENTS
LIST OF TABLES
LIST OF FIGURES
ACRONYMS AND ABBREVIATIONS
OPERATIONAL DEFINITION OF KEY TERMS
CHAPTER ONE: INTRODUCTION
1.0 Introduction
1.1 Background of the Study
1.2 Statement of the Problem
1.3 Objectives of the Study
1.4 Research Questions
1.5 Significance of the Study
1.6 Limitations of the Study
1.7 Scope of the Study
1.7.1 Content Scope
1.7.2 Geographical Scope
1.7.3 Time Scope
1.8 Organization of the Study
CHAPTER TWO: REVIEW OF RELATED LITERATURE
2.0 Introduction
2.1 Theoretical Literature
2.1.1 History of Data Security
2.1.2 Data Security in Organizations
2.1.3 Data Security in Financial Organization
2.1.4 Data Security in Rwanda
2.1.5 Data Protection Laws in Rwanda
2.1.6 Data Security Models
2.1.7 Root Causes of Data Theft and Security Breach
2.1.8 Data Protection Measures
2.1.9 Online Banking Services
2.2 Theoretical Framework
2.2.1 Concepts/Theories of Information Security
2.3 Empirical Review of Literature
2.9 Critical Review and Research Gap Identification
2.10 Conceptual Framework
2.10.1 Independent Variable
2.10.2 Dependent Variable
2.11 Summary
CHAPTER THREE: RESEARCH METHODOLOGY
3.0 Introduction
3.1 Research Design
3.2 Target Population
3.3 Sample Design
3.3.1 Sample Size
3.3.2 Sampling Technique
3.4 Data Collection
3.5.1 Data Collection Procedure
3.5.2 Reliability and Validity
3.6 Data Analysis Procedure
3.7 Ethical Considerations
CHAPTER FOUR: RESEARCH FINDINGS AND DISCUSSION
4.0 Introduction
4.1 Demographic Characteristics of Respondents
4.1.1 Distribution of Respondents per Age
4.1.2 Gender Distribution
4.1.3 Education Level
4.2 Presentation of Findings
4.2.1 Root Causes of Data Insecurity at Access Bank
4.2.2 Response and Remediation Plans the Bank Possesses
4.2.3 Effectiveness of Data Security Measures Currently Used
4.2.4 Additional Security Measures to be Put in Place to Improve Data Security
4.2.5 How Data Security Levels Affect Online Banking Services Delivery
4.2.6 Multiple Regression Analysis
CHAPTER FIVE: SUMMARY, CONCLUSIONS AND RECOMMENDATIONS
5.0 Introduction
5.1 Summary of Findings
5.1.1 The Root Causes of Data Insecurity
5.1.2 The Effectiveness of Data Security Measures that are Currently Used
5.1.3 Additional Security Measures Needed to Improve Data Security
5.1.4 How Data Security Preparedness Levels Affect Online Banking Services
5.2 Conclusions
5.2.1 Answers to the Research Questions
5.3 Recommendations
5.4 Suggestions for Further Study
REFERENCES
APPENDIX A: AUTHORIZATION LETTER
APPENDIX B: AUTHORIZATION LETTER
APPENDIX C: QUESTIONNAIRE FOR THE IT DEPARTMENT EMPLOYEES
APPENDIX D: INTERVIEW GUIDE
APPENDIX E: NYARUGENGE DISTRICT MAP
APPENDIX F: ORGANIZATIONAL STRUCTURE OF ACCESS BANK


LIST OF TABLES
Table 3.1: Validity Statistics for six respondents for pilot test
Table 4.1: Age of respondents
Table 4.2: Gender distribution of respondents
Table 4.3: Education Level of Respondents
Table 4.4: Major Causes of Security Incidents in the company
Table 4.5: Obstacles and concerns in carrying out better security compliance
Table 4.6: Number of occasions the following security strategies should be carried out every five months
Table 4.7: Data Security Measures
Table 4.8: Additional security measures necessary to improve data security
Table 4.9: Data Security Mechanisms that affect financial services delivery
Table 4.10: Financial services affected by data security mechanisms
Table 4.11: Multiple Regression Analysis Model
Table 4.12: Model Summaries


LIST OF FIGURES
Figure 2.1: Access to the Network using security key
Figure 2.2: Motives behind external attacks
Figure 2.3: Distribution of the benchmark sample by root cause of the data breach
Figure 2.4: Data security concepts
Figure 2.5: Conceptual Framework


ACRONYMS AND ABBREVIATIONS

ATMs: Automatic Teller Machines
AGM: Annual General Meeting
BANCOR S.A.: Banque Commerciale du Rwanda Société Anonyme
BOD: Board of Directors
BNR: Banque Nationale du Rwanda / National Bank of Rwanda
DLP: Data Loss Prevention
EFS: Encrypting File System
FMCG: Fast Moving Consumer Goods
eGov: Electronic Government
IT: Information Technology
IDS: Intrusion Detection System
IPS: Intrusion Prevention System
IPsec: Internet Protocol Security
ISO/IEC 27002: International Organization for Standardization / International Electrotechnical Commission standard 27002
PC: Personal Computer
PIN: Personal Identification Number
RAM: Random Access Memory
RWF: Rwandan Francs
Sd: Standard Deviation
SSL: Secure Sockets Layer
SQL: Structured Query Language
VPN: Virtual Private Network
TCP/IP: Transmission Control Protocol / Internet Protocol


OPERATIONAL DEFINITION OF KEY TERMS

Data: individual facts collected together for analysis.

Data Security/Information Security: protecting a database against unauthorized access, unauthorized modification and other unwanted actions by users or intruders.

Data Security Preparedness: the state of having data security measures completed or in place to protect data against theft.

Data theft: the unauthorized or illegal copying or removal of information from a business or an individual.

Financial Services: economic services provided by financial institutions, including keeping money safe, personal loans, credit card transactions, internet banking, credit facilities for customers, and financial transactions at branches or at Automatic Teller Machines (ATMs).

Information: data and facts acquired through study, experience or from someone else.

Online Banking Services: an electronic system that enables customers of financial firms to conduct financial transactions online and to control their accounts from anywhere.


CHAPTER ONE: INTRODUCTION

1.0 Introduction

This study covers data security preparedness at Access Bank in Kigali, since the bank carries out online services and transactions. These services, which have a high impact on the economy and on the quality of clients' daily lives, include paying wages into employee accounts, paying bills, e-Banking, and credit card and debit card transactions (Access Bank, 2014). This chapter provides the Background of the Study, the Statement of the Problem, the Objectives of the Study, the Research Questions, the Significance of the Study, the Limitations of the Study, the Scope of the Study and the Organization of the Study.

1.1 Background of the Study

As financial institutions' transactions rely increasingly on information technology, new threats such as technology-enabled data theft constantly threaten the data stored in their databases. Many organizations have been affected, and many companies have experienced or witnessed the damage done when an information technology disaster or catastrophe struck (Enshasy, 2009). Companies such as Access Bank try to build a strong perimeter out of security mechanisms (firewalls, anti-virus and anti-spyware software, scanning USB sticks and turning off autorun, procedures for setting, changing and protecting passwords, securing the wireless network, securing servers), but internal employees still need to reach information outside the local network, so the perimeter has to let some communications through. Intruders outside the network generally take advantage of these openings to gain access. In order to help prevent data loss and insecurity in financial institutions, this study covered data security preparedness at Access Bank in Kigali.

Access Bank is a private commercial bank which was started in 1989 in Nigeria and has acquired three commercial banks; the group operates in Cote d'Ivoire, Rwanda, Gambia and the Democratic Republic of Congo, among other countries (Access Bank, 2014). The bank was first established in Rwanda in 1995 as BANCOR S.A. BANCOR S.A., with an authorized capital of 100,000,000 RWF, was approved in Rwanda on May 20, 1995 by BNR, following letter no. 10/95-088/KA/Kja of 20 May 1995 from Niyitegeka Gerard, then Governor of the National Bank of Rwanda (Access Bank, 2014).

In August 2008, Access Bank Group, the Nigerian financial services provider, took a 75 per cent share in Rwanda's BANCOR S.A. for 13.5 million; the remaining 25 per cent is owned by Rwandan individuals. In January 2009 the bank reopened as Access Bank Rwanda with a capital of 5,000,000,000 RWF. Access Bank Rwanda plc intended to be a strong and aggressive force on the Rwandan financial services market, an objective consistent with the group's expansion model of becoming the catalyst for growth across the African continent. The bank had 150 employees in 2011. It offers its customers loans, Western Union money transfer, savings, cash advances, internet banking, investments, Visa credit cards, debit cards and automatic teller machines (ATMs) (Access Bank, 2014).

Data security preparedness measures such as computer antivirus, digital signature software, alarms, firewalls, physical guards, a disaster plan and company policy therefore involve the Head of Remedial Assets and Recovery, the Head of Compliance, the Head of Retail Banking, the Head of the Institutional Banking Division and four units of the Country Operations Officer's department, including the information technology department, the central processing unit and the global trade office (refer to Appendix F).

1.2 Statement of the Problem

Public and private companies all over the world face a variety of information threats, and securing their information has become a crucial function of their information systems. In developed countries, academic researchers have identified the technical and non-technical issues of information security as well as their solutions (Salahuddin, 2011). In Africa, four of the top ten countries in the world with the highest levels of data insecurity and cybercrime incidence come from sub-Saharan Africa (Nigeria, Cameroon, Ghana and South Africa). As solutions to data security issues in Africa, mechanisms such as cyber security awareness, capacity and skills improvement, legislative and policy measures, national computer security incident response teams and more research on cyber security have been suggested (Kritzinger, 2012). When it comes to Rwanda, however, there is a scarcity of studies on data security systems and their security issues.

Previous studies, such as Camp (2006), indicate that security mechanisms for protecting economic services are widely available; unfortunately, despite the protective effect of these mechanisms, data theft, data insecurity and data loss are still rising (Torsteinbø, 2012). Without an effective programme of assistance in data security, security incidents will continue to result in monetary loss. The research problem was therefore to assess the effect of data security preparedness levels on online banking services, taking the IT department of Access Bank in Kigali, Rwanda as a case study.

1.3 Objectives of the Study

The main objective of this study was to establish how data security preparedness levels at Access Bank, Kigali, Rwanda affect online banking services.

The specific objectives of this study were:
i. To assess the root causes of data insecurity at Access Bank, Kigali, Rwanda.
ii. To assess the effectiveness of data security measures currently used to implement data security at Access Bank, Kigali, Rwanda.
iii. To determine the additional measures to be put in place to improve data security at Access Bank, Kigali, Rwanda.
iv. To determine how data security preparedness levels at Access Bank, Kigali, Rwanda affect online banking services.

1.4 Research Questions

The research questions were as follows:
i. What are the root causes of data insecurity at Access Bank, Kigali, Rwanda?
ii. How effective are the data security measures currently used to implement data security at Access Bank, Kigali, Rwanda?
iii. What additional measures can be put in place to improve data security at Access Bank, Kigali, Rwanda?
iv. How do data security preparedness levels at Access Bank, Kigali, Rwanda affect online banking services?

1.5 Significance of the Study

This study would help the researcher and other researchers, individual account holders and corporate account holders to gain new knowledge in the field of information security. The outcomes would be important to the Government of Rwanda, the Rwanda Government Board and the Rwanda Revenue Authority for securing online services and their data; they would also help ICT policy makers in implementing policies and security regulations; and stakeholders, development partners, shareholders of banking companies and investors would gain new knowledge in securing their businesses. The study would help suppliers to secure their services, employees in their job security, and organizations such as Access Bank in improving information security awareness; finally, it would be important to the National Bank of Rwanda as well as other service providers and their customers for developing and deploying sound information security and effectively protecting their data.

1.6 Limitations of the Study

This study covered only the ICT-related issues of data security preparedness, and it concentrated on the IT staff of Access Bank because they are responsible for data security preparedness as far as online banking services are concerned.

1.7 Scope of the Study

The scope of the study covered Content Scope, Geographical Scope and Time Scope.

1.7.1 Content Scope

The present study examined data security preparedness and the online banking services offered at four branches of Access Bank within Kigali City.


1.7.2 Geographical Scope

The study was conducted in Kigali City, Rwanda. It did not cover branches outside Kigali because they were considered to hold fewer information assets and to handle a smaller volume of online transactions. It was assumed that all components of the security system used at Access Bank are available at all its branches countrywide.

1.7.3 Time Scope

The study focused only on data security preparedness from the year 2012 onward, as that was the period in which the Rwandan Parliament introduced a new law dealing with technology-enabled data insecurity, in articles 306, 307 and 308, Section five of Chapter one under the Second Title of Part one of the Rwanda Penal Code (Prime Minister's Office, 2012). The study was carried out within the approved timeframe specified by Mount Kenya University, School of Postgraduate Studies.

1.8 Organization of the Study

This chapter introduced the research topic, the background of the study and the problem statement; the objectives were defined, and the significance and scope of the study were explained. Chapter two contains the review of related literature, chapter three the research methodology, chapter four the research findings and discussion, and chapter five the summary, conclusions and recommendations.


CHAPTER TWO: REVIEW OF RELATED LITERATURE

2.0 Introduction

This chapter examines the literature published on data security and data theft prevention. For the purpose of this study, particular attention was paid to work published by agencies and other bodies dealing with data security for the prevention of data theft. The chapter is structured in three parts: the first covers data security and its models, the second the root causes of data theft and security breaches and the various threats companies may face, and the third data protection measures. Finally, the chapter presents the theoretical review, the empirical review and the critical review of the study.

2.1 Theoretical Literature

This section includes: History of Data Security, Data Security in Organizations, Data Security in Financial Organization, Data Security in Rwanda, Data Protection Laws in Rwanda and Data Security Models.

2.1.1 History of Data Security

Around 50 BC, Julius Caesar is credited with inventing the Caesar cipher to keep his private messages from being understood should they fall into the wrong hands. During the Second World War much progress was made in data security, and the period marked the beginning of information security as a professional domain: it introduced the physical protection of information, with fences and armed guards controlling access to information centres, and identity checks were carried out before clearance to confidential information was granted. As the first decade of the 21st century saw malicious internet activity turn into major criminal action aimed at monetary gain, security software was introduced (Bhavya, 2007).

Data security has continued to develop along the same route. The software side of data security has become very broad: it includes firewalls, antivirus, virtual private networks (VPN), intrusion detection, biometric systems and much more. When new viruses emerge, the antivirus is updated to guard against them, and the same process applies to firewalls and intrusion detection systems. Despite this software development, hardware developments are not advancing as rapidly; biometric systems and smart cards are the only new hardware technologies that are widely affecting security (Bhavya, 2007).

2.1.2 Data Security in Organizations

Data security in companies involves the protection of data and its essential elements, including the systems and hardware that use, store and transmit that information. The necessary tools for effective data security include policy, awareness, training, education and technology. The goals of data or information security are confidentiality, integrity and availability (Ajibuwa, 2010).

Data security is afforded to a computer system in order to preserve the integrity, availability and confidentiality of its resources, including hardware, software, firmware, information/data and telecommunications (Stallings, 2011).

When promoting information security awareness in companies and building commitment to computer security, one considers security awareness campaigns, publicity, videos, posters and booklets. All of these contribute to awareness, but long-term commitment requires much more than printing booklets or putting up posters: it requires a process that fits the culture of the organization (Spurling, 1995).

Data security involves the protection of the computer system and all associated equipment, including both physical and logical stores of data. It is concerned with protecting systems from various threats and with identifying the vulnerabilities of the system. Among the objectives of data security, Confidentiality ensures that data stored on a computer system is protected and accessible only to authorized users (Figure 2.1), Integrity focuses on preventing unauthorized modification of data, and Availability means having data and other computing resources readily accessible on demand (Graham & Mills, 1999).

Figure 2.1: Access to the Network using security key. Source: author's own interpretation.

The first step in preparing effective data security in a general context is to identify the potential threats. Threats to a system can be categorized as interception, interruption, modification and fabrication of data; these four categories cover all kinds of threats a system may encounter. Identifying the threats and having security mechanisms in place does not by itself ensure security against all threats; for a solid security implementation, human factors must also be assessed and addressed where necessary (Nikolakopoulos, 2009).
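To make the four threat classes concrete, here is an added example in Python (not from the thesis or any cited source). A sender and receiver share a secret key and protect every message with an HMAC-SHA256 tag and a sequence number; the receiver's verdict then shows which class it detected: a bad tag for modification or fabrication, a sequence gap for interruption, and a repeated sequence number for replay. The key, the account identifiers and the message format are constructed for the illustration. Note that a MAC does nothing against interception (an attacker reading the data), which requires encryption and is not shown here.

```python
"""Integrity checks against the threat classes named in the text.

Added example (not from the thesis). Sender and receiver share a key;
each message carries an HMAC-SHA256 tag over a canonical JSON body that
includes a sequence number. Receiver verdicts map onto the threat classes:
  - modification / fabrication -> tag does not verify ("bad_tag")
  - interruption (a dropped message) -> gap in the sequence ("gap")
  - replay of an old message -> sequence number already seen ("replay")
Interception (reading the message) is NOT addressed by a MAC; that needs
encryption, which is out of scope here.
"""
import hashlib
import hmac
import json

# Constructed key for the example; in practice use a random 32-byte key
# from a secure source and never embed it in code.
SHARED_KEY = b"demo-shared-key-for-illustration"


def protect(key, seq, payload):
    """Build a message: canonical JSON body plus HMAC-SHA256 tag over it."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


class Receiver:
    """Verifies tag and sequence; accept() returns (verdict, payload_or_None)."""

    def __init__(self, key):
        self.key = key
        self.expected_seq = 1  # next sequence number we expect to see

    def accept(self, msg):
        body = msg["body"].encode()
        expected_tag = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking the tag byte by byte.
        if not hmac.compare_digest(expected_tag, msg["tag"]):
            return "bad_tag", None  # modified in transit or fabricated without the key
        data = json.loads(body)
        seq = data["seq"]
        if seq < self.expected_seq:
            return "replay", None  # an old genuine message presented again
        verdict = "ok" if seq == self.expected_seq else "gap"  # gap = interruption
        self.expected_seq = seq + 1
        return verdict, data["payload"]


def run_demo():
    """Walk one channel through the threat classes; returns the verdicts in order."""
    rx = Receiver(SHARED_KEY)
    transfer = {"from": "ACC-1001", "to": "ACC-2002", "amount": 150}  # constructed
    verdicts = []

    m1 = protect(SHARED_KEY, 1, transfer)
    verdicts.append(rx.accept(m1)[0])  # genuine message -> "ok"

    # Modification: an attacker in the path changes the amount in transit.
    m2 = protect(SHARED_KEY, 2, transfer)
    tampered = dict(m2)
    tampered["body"] = m2["body"].replace('"amount": 150', '"amount": 150000')
    verdicts.append(rx.accept(tampered)[0])  # -> "bad_tag"

    # Fabrication: an attacker forges a message without the shared key.
    forged = protect(b"attacker-guessed-key", 2,
                     {"from": "ACC-2002", "to": "ACC-9999", "amount": 5000})
    verdicts.append(rx.accept(forged)[0])  # -> "bad_tag"

    # Interruption: the genuine seq 2 never arrived, so seq 3 reveals a gap.
    m3 = protect(SHARED_KEY, 3, transfer)
    verdicts.append(rx.accept(m3)[0])  # -> "gap"

    # Replay: the attacker resends the earlier genuine message.
    verdicts.append(rx.accept(m1)[0])  # -> "replay"
    return verdicts


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The receiver treats a gap as a flag rather than a rejection because a dropped message may be a network fault rather than an attack; what matters for availability monitoring is that the loss is visible and logged.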

Effective data security preparedness involves Data Loss Prevention (DLP), which is based on central policies and on identifying, monitoring and protecting data at rest, in motion and in use through deep content analysis. Most DLP products keep logs of who accessed what and when, which can be used when pursuing legal action. Having DLP in place may deter intruders or insiders from committing data theft: if they know such a system is in place, they also recognize the risk of being detected when carrying out data theft. Preventing insider attacks is not necessarily something that can be done with DLP technology alone; unhappy employees and employees who plan to leave the company are among the most likely candidates to perform this type of attack (Torsteinbø, 2012). In environments where highly sensitive data is in use, it is important to focus on this human layer. The following points help in addressing these social issues: clear security policies, good training of employees, background checks on employees, physical security (to make sure that IT infrastructure and storage containing sensitive information is properly locked away) and building trust by treating employees fairly. DLP works alongside other security technologies such as access control, intrusion detection systems (IDS), data encryption and other security mechanisms (Torsteinbø, 2012).
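As an added example, not taken from the thesis or from any DLP product, the following Python sketch shows the content-analysis and logging side of DLP described above: outbound events are inspected for primary account numbers (validated with the Luhn check so that arbitrary 16-digit strings are not flagged) and a classification keyword, a per-channel policy decides whether to block or merely log, and every hit is recorded with who, what, where and when. The channel names, the policy table, the event format and the sample events are all constructed assumptions; the card numbers are constructed test values that pass the Luhn check and belong to nobody.

```python
"""Minimal DLP-style content inspection with an audit trail.

Added example (not from the thesis or any DLP product). Scans constructed
outbound events for PANs (Luhn-validated to cut false positives) and a
classification keyword, applies a per-channel policy, and records who sent
what, over which channel and when. Channel names, policy actions and the
event format are assumptions made for the example.
"""
import re

# Policy: channels that leave the bank's control are blocked, internal
# channels are only logged. Any channel not listed defaults to "log".
POLICY = {"webmail": "block", "usb": "block", "internal-mail": "log"}

# 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
KEYWORD_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b")


def luhn_ok(digits):
    """Luhn checksum: true for well-formed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep the BIN and last four so the log is useful without re-leaking the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def classify(text):
    """Return a list of (kind, detail) findings for one piece of content."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("PAN", mask_pan(digits)))
    for m in KEYWORD_RE.finditer(text):
        findings.append(("KEYWORD", m.group(1)))
    return findings


def scan(events, policy=POLICY):
    """Inspect events; return audit entries for those carrying sensitive data."""
    audit = []
    for ev in events:
        findings = classify(ev["content"])
        if not findings:
            continue
        audit.append({
            "ts": ev["ts"], "user": ev["user"], "channel": ev["channel"],
            "findings": findings,
            "action": policy.get(ev["channel"], "log"),
        })
    return audit


# Constructed sample events (users and card numbers are test data only).
EVENTS = [
    {"ts": "2015-03-02T09:14:00Z", "user": "j.mukiza", "channel": "internal-mail",
     "content": "Monthly report attached, no card data."},
    {"ts": "2015-03-02T09:20:31Z", "user": "a.uwase", "channel": "webmail",
     "content": "Card 4111 1111 1111 1111 exp 09/17 for the customer"},
    {"ts": "2015-03-02T10:02:11Z", "user": "a.uwase", "channel": "usb",
     "content": "CONFIDENTIAL customer list export"},
    {"ts": "2015-03-02T10:05:45Z", "user": "t.habimana", "channel": "internal-mail",
     "content": "ref 4111111111111112 is a ticket id, not a card"},
    {"ts": "2015-03-02T10:40:09Z", "user": "j.mukiza", "channel": "internal-mail",
     "content": "Please verify 5500 0000 0000 0004 with the customer"},
]


if __name__ == "__main__":
    for entry in scan(EVENTS):
        print(entry["ts"], entry["user"], entry["channel"],
              entry["action"], entry["findings"])
```

The fourth event is the point of the Luhn check: it looks like a card number but fails the checksum, so it produces no finding and no alert. A real deployment would add more classifiers (account number formats, document fingerprints) and a tamper-evident log store, but the who/what/when record is what later investigation and legal action depend on.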

Data security protects data from unauthorized access, use, disclosure, destruction, modification or disruption. The terms data security, information security and computer security are frequently used interchangeably. These fields are interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are subtle differences between them, lying primarily in the approach to the subject, the methodologies used and the areas of concentration. Data security deals with the protection of data regardless of the form the data may take: electronic, print or other forms. It can be divided into a number of aspects: prevention, detection, deterrence, backup and recovery procedures, correction procedures and threat avoidance (Ajibuwa, 2010).

2.1.3 Data Security in Financial Organization

IT security maintains strong defences against intrusions, adapting quickly to protect networks and online transactions in companies. Protecting client information is a top priority: a single case of data loss or theft can compromise trust built over decades, and a major incident can bring down a financial organization. Today an aggressive organized criminal market uses focused attacks on individual companies, often aided by dishonest or pressured employees, to steal customer information (Symantec Corporation, 2008).

Current and future customers demand flawless delivery of innovative services with assurance that their money is safe and their confidential information secured. Regulators and the public require organized markets and transactions, and rapid, transparent response to public concerns. Management and shareholders expect smooth operations, prudent management of IT and business risks, and fast, confident response to growth, change, or crisis (Symantec Corporation, 2008).

In 2007, the Ponemon Institute reported that lost and stolen laptops and mobile devices caused almost half of the data breaches in its 2007 sample; financial services firms experienced the highest losses per compromised record compared with other organizations; and insider error, or malfeasance by disgruntled or compromised employees, can cause large-scale, embarrassing losses of sensitive information (Symantec Corporation, 2008).

Portable media and unprotected endpoints make information easy to steal. Today's porous networks and mobile devices, from laptops and USB drives to mobile phones, open additional attack vectors against financial companies (Symantec Corporation, 2008).

Financial services firms manage performance risk for competitive advantage, not just for defence. Fractional performance improvements help build a firm's top line, and operational efficiencies go straight to the bottom line. Today, major initiatives focus on: consolidation of servers, storage and data centres to raise utilization, manageability and effectiveness; virtualization of servers, storage and endpoints to improve agility, flexibility and utilization while controlling complexity and sprawl; cost-reduction initiatives to cut operational and capital expenses and their environmental impact; and uninterrupted service to customers and regulators, even through panics and crises when demands are greatest (Symantec Corporation, 2008).

Many firms today fail to identify all aspects of the data security risk they face, for three main reasons. First, some do not appreciate the gravity of the risk; second, some lack the expertise to make a reasonable assessment of the key risk factors and devise ways of mitigating them; and third, many fail to devote or coordinate adequate resources to address the risk. Large and medium-sized firms generally devote adequate resources to data security risk management, but there is a lack of coordination among the relevant business areas such as information technology, information security, human resources, financial crime and physical security. There is too much focus on IT controls and too little on office procedures, monitoring and due diligence. This scattered approach, further weakened when firms do not allocate ultimate responsibility for data security to a single senior manager, results in significant weaknesses in otherwise well-controlled firms (Gruppetta, 2014).

In financial organizations the internet is critical to long-term plans, and high-profile incidents involve stolen or lost laptops. Staff education, data encryption, hard-disk lock passwords and remote kill are strategies introduced to mitigate the impact of such incidents. Furthermore, 75% of measured security losses are internal; internal threats include staff carelessness, internal fraud and theft. As a result, staff education, internal policies, physical security measures, authentication and authorization have been introduced to mitigate the impact of these internal security losses (Performance Solution International, 2008).

2.1.4 Data Security in Rwanda

Rwandan companies such as banks use chip card technology to carry out transactions at the point of sale in a more secure way. The chip-and-PIN card is believed to offer a high level of protection against the use of stolen card data, because the chip cannot be cloned as easily as a magnetic stripe and the PIN must be entered for each transaction. Data Protection Policy in Rwanda aims at: 1. Protecting the fundamental rights and freedoms of persons, and in particular their right to privacy with respect to the processing of data; 2. Protecting personal data in commercial activities; 3. Protecting electronic government (eGov) activities and companies' data; 4. Exceptions to the security policy statement, including those relating to national sovereignty, national security and public policy, which should be made known to the public (Ziaka, 2013).


2.1.5 Data Protection Laws in Rwanda

Laws protecting the rights of individuals or organisations whose data have been stolen have only been in existence for a few years in Rwanda. These laws are articles 306, 307 and 308 under Section Five of Chapter One in the Second Title of Part One of the Rwanda Penal Code. Article 306 states that: “Any person who accesses another person’s computer system or other similar devices without authorisation, in order to know recorded or transmitted data, by all means and regardless of the location, shall be liable to a term of imprisonment of six (6) months to two (2) years and a fine of five hundred thousand (500,000) to two million (2,000,000) Rwandan francs or one of these penalties.” Article 307 states that: “Any person who withdraws data stored or sent electronically or through any similar way, which is not meant for him/her, shall be liable to a term of imprisonment of two (2) years to five (5) years and a fine of five hundred thousand (500,000) to three million (3,000,000) Rwandan francs.” (Prime Minister’s Office, 2012, p. 300)

Finally article 308 of Rwanda Penal Code states that: “Any person who, without authorisation, modifies or erases intentionally any recorded or transmitted data through computerised devices or any other similar systems, or makes it useless, shall be liable to a term of imprisonment of three (3) years to five (5) years and a fine of one million (1,000,000) to five million (5,000,000) Rwandan francs.

If acts mentioned in Paragraph One of this Article result in considerable damage to the victim, the judge may increase the term of imprisonment which shall be five (5) years to seven (7) years.

Penalties under paragraph 2 of this Article apply to any person, who introduces intentionally a virus into another person’s computer or similar devices if such virus causes damage.”(Prime Minister’s Office, 2012, p. 301).

2.1.6 Data Security Models

Data security models include: State Machine Models, the Bell-LaPadula Model, the Biba Model, the Clark-Wilson Model, the Graham-Denning Model and the Brewer Nash Model.


i. State Machine Models

In a state machine model the security of a system is determined from its state, which means that all current permissions and all current instances of subjects accessing objects must be captured. If subjects can only access objects according to the security policy, the system is secure. A state of a system is its condition or situation at a given time; activities that modify this state are called state transitions. The developers of an operating system that implements the state machine model need to look at all possible state transitions and evaluate whether the system starts up in a secure state and whether any of these transitions can put the system into an insecure state. If all of the actions that are permitted to happen in the system do not compromise it and do not put it into an insecure state, then the system executes a secure state machine model. A system that uses a state machine model would be in a secure state at every point in its existence: it would boot up into a secure state, execute commands and transactions securely, allow subjects to access resources only in secure states, and shut down and fail in a secure state (McLean, 1995).

ii. Bell-LaPadula Model

The Bell-LaPadula model was developed to address the security of systems and the leakage of classified information. It was the first mathematical model of a multilevel security policy; it defines the concept of a secure state machine, the modes of access and the rules of access. It was developed to provide a framework for computer systems that would store and process confidential data, and its main goal is to prevent secret data from being accessed in an unauthorised way. A system that employs the Bell-LaPadula model is called a multilevel security system because users with different clearances use the same system, and the level at which data is classified determines the actions that are allowed. A user with a high clearance can access both confidential and non-sensitive data: confidential is the upper bound and non-sensitive the lower bound of the model. The two rules of the model are the simple security property, "no read up" (a subject may read an object only if its clearance is at least the object's classification), and the *-property (star property), "no write down" (a subject may write to an object only if the object's classification is at least the subject's clearance), which stops a highly cleared user or process from copying secret data into a low-classified file. The Bell-LaPadula model is a state machine model that deals with the confidentiality aspect of access control. It involves users, data, access operations (read, write, and read/write) and the security levels assigned to users (McLean, 1995).


iii. Biba Model

The key limitation of the Bell-LaPadula model was that it only dealt with the confidentiality of information: a subject could read data at its own and at lower classification levels, but nothing stopped low-integrity data from flowing upward into trusted data. Therefore, shortly after the development of Bell-LaPadula, Ken Biba proposed a model that dealt with data integrity. Concentrating on the commercial sector, where at the time the integrity of data had more significance than its confidentiality, the Biba model deals with preventing data from low-integrity environments from corrupting high-integrity data. Biba has three properties: the Simple Integrity Property (a subject at a given integrity level must not read an object at a lower integrity level, "no read down"), the Star Integrity Property (a subject must not write to an object at a higher integrity level, "no write up"; writing to lower integrity levels is permitted) and the Invocation Property (a subject cannot request or invoke a service from a higher integrity level). Biba is therefore summarised as "read up, write down": users can read data at or above their integrity level but cannot modify data above it. It is the dual of Bell-LaPadula, the same two rules applied to integrity levels in the opposite direction. The commercial industry is more concerned about the integrity of its data. An accounting firm is more worried about keeping its numbers straight and making sure decimal points are not dropped or extra zeros are not added by an application than about someone stealing these numbers, so it would use the Biba model (McLean, 1995).

iv. Clark-Wilson Model

The Clark-Wilson model takes a different approach from Biba to protecting the integrity of information, focusing on the following goals: preventing authorised users from making unauthorised modifications of data or committing fraud and errors within commercial applications; preventing unauthorised users from making any modification; and maintaining internal and external consistency. In this model, users cannot access and manipulate data directly but must access the data through a program (a well-formed transaction). This provides another layer of protection between the users and the data and restricts the type of actions that can take place on that data, thus protecting its integrity. The model also requires separation of duties: it divides an operation into different parts and requires different users or roles to perform each part, which ensures that a critical task cannot be carried out by one entity alone. Auditing is also required in this model to track the information coming in from outside the system (McLean, 1995).

v. Brewer Nash Model

The Brewer Nash model, also known as the Chinese Wall model, provides access controls that change dynamically depending on the previous actions of a user. Datasets are grouped into conflict-of-interest classes; once a user has accessed the data of one company in a class, their access to the data of every other company in the same class is immediately cancelled. It was designed to provide controls that mitigate conflicts of interest in commercial organisations: it provides the capability to keep one company's data separate from a competitor's in an integrated database.

The Brewer Nash model is also an information flow model: information that flows between two entities could result in a conflict of interest, so subjects can only access objects that do not conflict with the standards of fair competition. In financial institutions analysts deal with a number of clients and have to avoid conflicts of interest. The main goal of the model is to protect against users accessing data that could be seen as a conflict of interest (McLean, 1995).

vi. Graham-Denning Model

Graham-Denning is an information security model that shows how subjects and objects should be securely created and deleted. It also introduces several primitive protection rights. It has eight basic protection rules: Create Object, Create Subject, Delete Object, Delete Subject, Read Access Right, Grant Access Right, Delete Access Right and Transfer Access Right. This model is used in access control mechanisms for distributed systems. Access control systems are a security mechanism that ensures all accesses and actions on system objects by principals are within the security policy. An example of the question an access control system needs to answer is: can Job read the file /ICT/Matabaro/readme.txt? If yes, we say the principal is "authorised" or has "permission"; if not, the principal is "unauthorised" and access is denied. Only events within the security policy should be authorised. Bell-LaPadula and Biba do not define how the security and integrity ratings are defined and modified, nor do they provide a way to delegate or transfer access rights. The Graham-Denning model addresses these issues and defines a set of basic rights in terms of commands that a specific subject can execute on an object (McLean, 1995).
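The rule sets above are easiest to see as code. The following Python sketch is an added illustration written for this chapter, not code from the thesis or from McLean (1995): it encodes Bell-LaPadula and Biba as checks over one constructed, totally ordered set of levels (a real system would use a lattice of levels and compartments), and the Brewer Nash Chinese Wall as a history-dependent check over constructed conflict-of-interest classes. The level names, company names and subjects are assumptions made for the example.

```python
# Added example for this chapter: a toy reference monitor for the
# Bell-LaPadula, Biba and Brewer Nash (Chinese Wall) rules. Not code from
# the thesis or from McLean (1995); level and company names are constructed.
from __future__ import annotations

from dataclasses import dataclass

# Constructed, totally ordered set of levels, lowest first (assumption).
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass(frozen=True)
class Label:
    secrecy: str    # Bell-LaPadula clearance (subject) or classification (object)
    integrity: str  # Biba integrity level


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality).
    read:  simple security property, "no read up"   -> clearance >= classification
    write: *-property,               "no write down" -> clearance <= classification
    """
    s, o = LEVELS[subject.secrecy], LEVELS[obj.secrecy]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity), the dual of Bell-LaPadula.
    read:  simple integrity property, "no read down" -> subject level <= object level
    write: *-integrity property,      "no write up"  -> subject level >= object level
    """
    s, o = LEVELS[subject.integrity], LEVELS[obj.integrity]
    if op == "read":
        return s <= o
    if op == "write":
        return s >= o
    raise ValueError(f"unknown operation {op!r}")


def lattice_allows(subject: Label, obj: Label, op: str) -> bool:
    """A system enforcing confidentiality and integrity together permits an
    access only when both policies agree."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


class ChineseWall:
    """Brewer Nash: companies are grouped into conflict-of-interest classes.
    Once a subject has read one company's data, it may never read a
    competitor's data from the same class. The decision depends on history,
    which is why it cannot be reduced to a static label comparison."""

    def __init__(self, conflict_classes: dict[str, set[str]]):
        # company -> the conflict-of-interest class it belongs to
        self.class_of = {company: name
                         for name, members in conflict_classes.items()
                         for company in members}
        self.history: dict[str, set[str]] = {}  # subject -> companies already read

    def can_read(self, subject: str, company: str) -> bool:
        cls = self.class_of[company]
        for seen in self.history.get(subject, set()):
            if seen != company and self.class_of[seen] == cls:
                return False  # a competitor in the same class was already read
        return True

    def read(self, subject: str, company: str) -> bool:
        """Record the access if permitted; returns whether it was allowed."""
        if not self.can_read(subject, company):
            return False
        self.history.setdefault(subject, set()).add(company)
        return True


if __name__ == "__main__":
    analyst = Label(secrecy="confidential", integrity="internal")
    draft = Label(secrecy="internal", integrity="public")
    print("BLP read:", blp_allows(analyst, draft, "read"))        # True
    print("Biba read:", biba_allows(analyst, draft, "read"))      # False
    print("both:", lattice_allows(analyst, draft, "read"))        # False
    wall = ChineseWall({"banks": {"BankA", "BankB"}, "energy": {"OilCo"}})
    print([wall.read("alice", c) for c in ("BankA", "OilCo", "BankB")])  # [True, True, False]
```

Running the module shows the two lattice policies disagreeing on the same request: Bell-LaPadula permits the analyst to read the lower-classified draft, but Biba refuses it because the draft has lower integrity, and a system enforcing both must deny. The Chinese Wall check is the one that cannot be expressed as a label comparison at all: the same request is allowed or denied depending on what the subject has already read.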

2.1.7 Root Causes of Data Theft and Security Breach

A useful way of classifying security attacks is to categorise them as passive attacks and active attacks. A passive attack attempts to learn or make use of information from the system but does not affect system resources; an active attack attempts to alter system resources or affect their operation. An attack is not always caused by external sources: internally caused attacks are a major concern, and in companies most security violations are internal, caused by users (Williams, 2007).

Passive attacks take the form of intercepting, eavesdropping on or monitoring communications. The aim of the intruder is to acquire the data being transmitted. Two types of passive attack are the release of message contents and traffic analysis. A telephone conversation, an electronic mail message, or stored or transferred data may contain sensitive or confidential information, and we would like to prevent an intruder from learning the contents of these communications; traffic analysis, in turn, infers the pattern, frequency and parties of a communication even when its contents are encrypted. Passive attacks are very hard to detect, because they do not involve any modification of the data, so the emphasis is on prevention (typically encryption) rather than detection (Stallings, 2011).

Active attacks involve some modification of the data stream, the creation of a false stream, or the interruption of communication between two parties. They can be divided into four groups: masquerade, replay, modification of messages and denial of service (Stallings, 2011).

Denial of service prevents or inhibits the normal use of a communications facility, either by putting an entire network out of action or by overloading it with messages so as to degrade performance. A masquerade takes place when an intruder pretends to be a different entity or a legitimate user. Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorised effect. Modification of messages means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorised effect (Stallings, 2011). Unlike passive attacks, active attacks are hard to prevent absolutely but can be detected: a message authentication code reveals modification and masquerade by parties without the key, and a nonce or sequence number reveals replay.
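As an added example (not part of the thesis or of Stallings' text), the following Python receiver shows how the modification and replay attacks just described are detected in practice: the sender attaches a timestamp, a random nonce and an HMAC over the whole message under a shared key, and the receiver rejects anything whose MAC does not verify, whose timestamp is outside a freshness window, or whose nonce has been seen before. The shared key, the freshness window and the sample transfer message are constructed for the example. Masquerade by a party that does not hold the key is caught by the same MAC check; denial of service is not addressed by this mechanism at all.

```python
# Added example: detecting the modification and replay attacks described
# above with a keyed MAC, a nonce and a freshness window. The key, the window
# and the sample messages are constructed; not code from the thesis.
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

KEY = b"constructed-shared-secret-for-the-example"  # assumption: pre-shared out of band
FRESHNESS_WINDOW = 300  # seconds; a message older than this is rejected as stale


def _canonical(body: dict) -> bytes:
    # Both sides must MAC identical bytes, so the encoding is fixed:
    # sorted keys, no whitespace.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_message(key: bytes, payload: dict, now: Optional[float] = None) -> dict:
    """Sender: attach a timestamp and a random nonce, then an HMAC over all fields."""
    body = {
        "payload": payload,
        "ts": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(16),  # 128 random bits; never reused in practice
    }
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces: set[str] = set()  # bounded by the window in a real system

    def accept(self, msg: dict, now: Optional[float] = None) -> tuple[bool, str]:
        now = now if now is not None else time.time()
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        # Modification of any field, or a sender without the key (masquerade),
        # produces a different MAC. compare_digest avoids a timing side channel.
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "modified or forged"
        # Replay defence 1: the message must be fresh.
        if abs(now - body["ts"]) > FRESHNESS_WINDOW:
            return False, "stale"
        # Replay defence 2: a nonce is accepted once only within the window.
        if body["nonce"] in self.seen_nonces:
            return False, "replayed"
        self.seen_nonces.add(body["nonce"])
        return True, "ok"


if __name__ == "__main__":
    transfer = make_message(KEY, {"from": "ACC-1", "to": "ACC-2", "amount": 100})
    bank = Receiver(KEY)
    print(bank.accept(transfer))  # (True, 'ok')
    print(bank.accept(transfer))  # (False, 'replayed')
    tampered = dict(transfer, payload={"from": "ACC-1", "to": "ACC-9", "amount": 100})
    print(bank.accept(tampered))  # (False, 'modified or forged')
```

A real deployment bounds the set of seen nonces by evicting entries older than the freshness window, since the timestamp check already rejects anything older than that; the canonical JSON encoding (sorted keys, no whitespace) matters because both sides must compute the MAC over identical bytes.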


Although IT professionals try to bring security to the attention of organisation personnel, the situation in most organisations is that security standards are inadequate to protect data against intruders. Possible causes include the following: data or information security is not the responsibility of one person in the company, since the task is most often shared between different services within the company, and surveys have shown that IT professionals do not spend as much time on security as they should (Corsini, 2009). It was evident from the troubles experienced with the administration of security, and from the comments received, that the security approaches were not tackling the challenges of the new environment; the company acknowledged various abuses and actions which tried to bypass its security controls (Spurling, 1995).

i. Insider Attack

During the past several years modern companies have relied on computers for a large number of tasks, including electronic messaging, transaction processing, information retrieval and storage, and electronic commerce. As organisations make efforts to remain competitive in a global marketplace, systems are left open to employee manipulation, and without a better internal control policy the possibility of significant loss is always present. The Association of Certified Fraud Examiners carried out an investigation which found that losses from fraud reached over 9 dollars per day per employee. Another striking result of the investigation was that men committed more than 75 percent of all data theft, and the losses caused by executives were 16 times those of their employees. Recent research shows that 75 per cent of the cost of security failures results from insider attack (Silic and Back, 2013).

An insider attack is any malicious attack on the company's system or network where the perpetrator is someone who is authorised to access data in the database and on the network, and who may also have knowledge of the network architecture. Political motivation can be one of the causes of insider attack; the documents revealed on WikiLeaks.org are examples of insider attacks (Torsteinbø, 2012). Other reasons for insider attacks are usually economic gain, or hostility or anger against the employer. The Cyber Security Watch Survey is an annual report which provides statistics associated with insider attacks. In the 2011 survey, 43% of 607 respondents from many companies reported that an insider incident had occurred. Of these, 57% resulted in accidental exposure of private data or information. If we remove the accidental data losses from the number of insider incidents, 18.5% remain as malicious insider attacks, and of these 82% involved theft of intellectual property. From an economic view the report indicates that the costs resulting from insider attacks are comparable to those caused remotely by outsiders (Torsteinbø, 2012).

An evaluation of the factors which caused security breaches has revealed that sixty-five percent of the financial loss in data security breaches is caused by human failure, and only three percent by malicious outsiders. As users have access to and knowledge of the system, they are themselves a potential point of intrusion, and the security of the information technology is deeply affected by their conduct. Security breaches are often caused by careless and unaware users: most people want to get their jobs done more than they are interested in protecting themselves, a behavioural tendency that creates a surface for attacks. Employees can be the greatest cause of data security breaches because they are closest to the organisational data. Employee mistakes can easily lead to disclosure of classified data, storage of data in unprotected areas, failure to protect information, or accidental or intentional deletion or modification of data (Nikolakopoulos, 2009).

ii. External attack

In the Verizon Data Breach Investigations Report for 2012, 98% of 855 data security breaches came from external agents; the remaining 2% correspond to incidents involving both internal and external parties. External attacks are what most people consider usual hacker attacks: basically, someone accesses the system via a remote connection, such as the internet, and uses this access to steal data or cause disruption. As Figure 2.2 shows, the motives behind these attacks are mainly financial (Torsteinbø, 2012).


Figure 2.2: Motives behind external attacks (share of infringements, %; an incident may have more than one motive). Source: (Torsteinbø, 2012)

Financial or personal gain: 96%
Disagreement or protest: 25%
Fun, curiosity or pride: 23%
Grudge or personal offense: 2%

Historical research studies carried out in the public and private sectors over the past thirty years indicate that inherent flaws and weaknesses in the design of networks and systems, bugs in security software, human errors and malicious acts of individuals are major contributory causes of data theft (Goh, 2003). Generally, the causes of data theft differ between countries. Some companies in Europe were most likely to experience a malicious or criminal attack, whereas companies in South America were most likely to experience breaches caused by human error. Companies in Asia were the most likely to experience a data breach caused by a system problem or business process failure. Malicious or criminal attacks are most often the cause of data theft globally, according to the Ponemon Institute (2013). Figure 2.3 provides a summary of the main causes of data breach on a consolidated basis for all country samples.


Figure 2.3: Distribution of the benchmark sample by root cause of the data breach. Source: (Ponemon Institute, 2013)

Malicious or criminal attack: 36%
Human factor: 35%
System glitch: 29%

Complementing the Ponemon Institute's statistics, Bourne (2004) points to a reason why malicious attacks persist: intruders and other hackers are encouraged by the fact that catching those who commit identity theft is difficult, since it takes many hours of law enforcement effort to interview victims and others affected by the crime in order to build a case and prosecute the hackers.

2.1.8 Data Protection Measures

One of the measures involved in data protection is the company policy. According to Vinod and Sonar (2012), the first step in setting up policies and procedures to ensure the security of confidential data is to know what data the company holds, where it is kept, and what the consequences would be if that data were lost or stolen. Companies can then establish whether the security measures in place are suitable for the data being kept.

Another measure for protecting data is access control to all data centres and server rooms where personal data is stored. Access to data centres should be limited to staff members who are authorised to work there, using swipe card and/or PIN technology to enter the room. Such a system should confirm and record when, where and by whom the server room was accessed. When data is accessed remotely, this must be done over a secure encrypted link such as IPsec (Internet Protocol Security), SSL/TLS (Secure Socket Layer and its successor, Transport Layer Security; the SSL versions themselves are deprecated and TLS should be used) or a VPN (Virtual Private Network) tunnel, with relevant access controls in place, and fax machines should not be used to transfer confidential or personal data.

In addition, personnel who retire or resign, or who are under suspicion, should be removed from access control lists, and new staff should be trained before being allowed to access confidential information or data centres. It is now necessary to educate users about information security. Their behaviour has to be adapted to security to such a degree that they carry out their day-to-day work in a safe manner, and this behaviour should become automatic: for example, logging out whenever they leave their office, ensuring that their password is not accessible to other employees, ensuring that information on the screen is not visible to anyone else, and making regular backups of important data (Thomson & Von, 1998).

Data protection measures also involve passwords. A password is used to protect a PC, documents and/or databases. All PCs should be protected by a password to avoid unauthorised use of the data stored on the device. Passwords used on these computers should be strong enough to resist password cracking and guessing attacks: a password should include numbers, symbols, uppercase and lowercase letters, and its length should preferably be around 12 to 14 characters, and at the very minimum 8 characters (Stallings, 2011). Against offline cracking, length counts for more than character variety, since each additional character multiplies the number of candidates an attacker must try.

Secure wireless transmission should be established to protect data in transit over the network. IT employees should be aware that any wireless technology or network used to access the company's systems must be encrypted with the strongest standard available (Stallings, 2011); at the time of writing that is WPA2 with AES-CCMP, while WEP and WPA with TKIP are broken and must not be relied on. Figure 2.1 presents a summary of access to a Local Area Network using the security key.

Last but not least, protecting data involves techniques such as backup and recovery. According to Brocade Communications Systems, Inc. (2007), data backup and recovery involves various strategies and procedures which protect a database against data loss and ensure the restoration of the database after any kind of loss. A point in time can be restored so that business operations can resume. Organisations can choose among numerous backup and recovery methods available today, such as full backup, differential backup and incremental backup. In a full backup, all data on a system is backed up. Full backups are done regularly to make sure that all data is kept on a single piece or a single set of media, so that when restoring information only the full backup media is required. A full backup is the root for all other types of backup. A differential backup stores all files that have changed since the last full backup; this method requires less time than a full backup, and when restoring from differential backups only the full backup media and the latest differential media are required. Finally, an incremental backup stores all files that have changed since the last backup of any kind; it is the fastest to take, but when restoring from incremental backups the last full backup plus every incremental backup taken since it are required, in order (Brocade Communications Systems, 2007). Whichever method is chosen, backups must be tested by actually restoring them, and backup media holding personal data need the same access control and encryption as the live systems.
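To make the three strategies concrete, the following Python model (an added example, not code from Brocade or the thesis) simulates a file system with constructed modification times, selects which files a full, differential or incremental backup captures, and works out which media a restore needs. The file names and times are assumptions for the example; deleted files are not modelled.

```python
# Added example: which files a full, differential or incremental backup
# captures, and which media a restore needs. The file system and its
# modification times are constructed; not code from Brocade or the thesis.
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Backup:
    kind: str               # "full", "differential" or "incremental"
    time: int               # when the backup ran (constructed integer "days")
    files: dict[str, int]   # file name -> modification time captured


def snapshot(filesystem: dict[str, int], history: list[Backup], kind: str, now: int) -> Backup:
    """Select files according to the backup type and append the backup to history.
    filesystem maps each file to its last modification time."""
    if kind == "full":
        chosen = dict(filesystem)
    else:
        if kind == "differential":
            # everything changed since the last FULL backup
            ref = max((b.time for b in history if b.kind == "full"), default=None)
        elif kind == "incremental":
            # everything changed since the last backup of ANY kind
            ref = max((b.time for b in history), default=None)
        else:
            raise ValueError(f"unknown backup kind {kind!r}")
        if ref is None:
            raise RuntimeError(f"a full backup must exist before a {kind} backup")
        chosen = {name: mtime for name, mtime in filesystem.items() if mtime > ref}
    backup = Backup(kind, now, chosen)
    history.append(backup)
    return backup


def restore_chain(history: list[Backup]) -> list[Backup]:
    """The media needed to rebuild the latest state, in the order to apply them."""
    last_full = max(i for i, b in enumerate(history) if b.kind == "full")
    since_full = history[last_full + 1:]
    if not since_full:
        return [history[last_full]]
    if since_full[-1].kind == "differential":
        # a differential already contains every change since the full backup
        return [history[last_full], since_full[-1]]
    # latest is incremental: the full backup plus every backup taken since it
    return [history[last_full]] + since_full


def restore(history: list[Backup]) -> dict[str, int]:
    """Replay the chain oldest-first; later copies of a file win."""
    state: dict[str, int] = {}
    for backup in restore_chain(history):
        state.update(backup.files)
    return state


if __name__ == "__main__":
    fs = {"ledger.db": 1, "config.ini": 1, "report.xlsx": 1}   # constructed
    history: list[Backup] = []
    snapshot(fs, history, "full", now=1)
    fs["ledger.db"] = 2
    snapshot(fs, history, "incremental", now=2)
    fs["report.xlsx"] = 3
    snapshot(fs, history, "incremental", now=3)
    print([b.kind for b in restore_chain(history)])   # ['full', 'incremental', 'incremental']
    fs["ledger.db"] = 4
    snapshot(fs, history, "differential", now=4)
    print([b.kind for b in restore_chain(history)])   # ['full', 'differential']
    print(restore(history) == fs)                      # True
```

The restore chain is what differs in practice: after a run of incrementals every piece of media since the last full backup must be present and applied in order, so losing one incremental breaks the restore, whereas a differential restore needs only two pieces of media at the cost of re-copying everything changed since the full backup each time.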

2.1.9 Online Banking Services

The internet is increasingly used by banks as a channel for receiving instructions and delivering their products and services to their customers. This form of banking is generally referred to as Internet Banking, although the range of products and services offered by different banks varies widely in both content and sophistication. Internet Banking is a financial-services product offering online services such as balance enquiry, requests for cheque books, recording stop-payment instructions, balance transfer instructions, account opening and a variety of other banking services. Mostly these are traditional services offered through the internet as a new delivery channel. Banks also offer payment services on behalf of their customers who shop in electronic shops and electronic malls. Internet Banking is offered in two forms: web-based, and through the provision of proprietary software (Reserve Bank of , 2010).

2.2 Theoretical framework

The theoretical framework involves the theories and concepts of data security.


2.2.1 Concepts/Theories of Information Security

All the concepts, principles and mechanisms are based on the three fundamental properties of confidentiality, integrity and availability of information, also known as the C-I-A triad or information security triad (refer to Figure 2.4). Security is traditionally concerned with the information properties of confidentiality, integrity and availability; these properties are supported by services such as user identification, authentication, authorisation, accountability and reliability (Stallings, 2011).

i. Concept of Confidentiality

Confidentiality guarantees that data is disclosed only to those authorised to see it; in a company this is usually a limited number of users, and the data should not be known to the majority of workers. Confidentiality, according to Figure 2.4, ensures that data is accessed only by authorised people. The term access includes knowing of the existence of the data in the database, and viewing or printing it (Stallings, 2011). Unauthorised access to confidential information may have negative impacts not only on commercial and industrial security operations but also on national security. The main mechanisms for ensuring confidentiality of information or data are encryption, access control lists (ACLs) and firewalls. Examples of threats to confidentiality are malware, intruders, social engineering, insecure networks and inadequately administered security systems (Williams, 2007).

ii. Concept of Integrity

Integrity, as shown in Figure 2.4, ensures that data or information can be modified only by authorised users. Modification includes writing transmitted data on the network, changing data, and deleting and creating records and other data in the database. Integrity mechanisms may be grouped into two types: preventive mechanisms, such as access controls, which prevent unauthorised modification of information; and detective mechanisms, such as checksums, message authentication codes and digital signatures, which detect unauthorised modification when preventive mechanisms have failed. If a violation of integrity is detected, the mechanism may report it, and some software or human involvement is required to recover from it. Alternatively, there are mechanisms to restore the data to a given point or to recover from the loss and the violation of integrity; the use of backup and recovery mechanisms is typically the more prominent alternative (Stallings, 2011).

The term integrity covers two related concepts. Data integrity: assures that information and programs are modified only in a specified and authorised manner.

System integrity: assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorised manipulation of the system (Stallings, 2011).

iii. Concept of Availability

Availability, as depicted in Figure 2.4, means that data are accessible to authorised users at the time they are needed. Availability is the protection against denial of service, where access to the database is denied at a given time; interruption of the flow of data on the network is an attack on availability (Stallings, 2011). Natural and human-made disasters may also affect the availability of data, though their occurrence and severity differ greatly: natural disasters are occasional but severe, whereas human errors are recurrent but usually not as severe. In both cases, backups of data, business continuity plans and disaster recovery plans (which consist of at least regular backups) are put in place to mitigate losses.

Availability of information, even though it is usually cited last, is not the least important concept of data security. Who needs confidentiality and integrity if the certified users of data are not able to use it? Who needs encryption, access controls, firewalls, IPS and IDS if the data being protected is not usable and accessible to authorized users whenever they need it?

The three concepts represent the fundamental security objectives for both data and for information and computing services (Stallings, 2011). These three concepts create what is often referred to as the CIA triad (Figure 2.4).


Figure 2.4: Data security concepts Source: (Stallings, 2011)

Although the use of the CIA triad to define security objectives is well established, some professionals in the information security field feel that additional concepts are needed to present a complete picture. These concepts include the following.

iv. Concept of Identification

Identification is the first step in the identify-authenticate-authorise process that is carried out every day by humans and computers when accessing information on a device. An identity, the property established by identification, names a person or thing before it accesses secured information. Identification requires a unique name, a unique identification number or a unique address (Stallings, 2011).

v. Concept of Authentication

Authentication, which happens just after identification and before authorisation, verifies the authenticity and validity of the identity declared at the identification step. In other words, it is at the authentication stage that you prove that you are indeed the person you claim to be. It concerns the property of being genuine and being able to be verified and trusted: verifying that users are who they say they are and that each input arriving at the system came from a trusted source (Stallings, 2011).


vi. Concept of Authorisation

After presenting an identity to the secure system at the identification step and confirming it at the authentication step, users are given a set of authorisations (also known as rights, privileges or permissions) that define what they can do on the system.

vii. Concept of Accountability

Accountability is another important concept of information security; it refers to the ability to trace actions and events performed by users, systems or processes back in time. A system cannot be considered secure if it does not offer accountability, because it would be impossible to discover who is responsible for a security breach and what did or did not happen on the system. Accountability in the context of information systems is mainly provided by logs and the audit trail (Stallings, 2011).

Accountability is the security goal that generates historical data about an action performed by an entity, which can be used to trace that action uniquely to that entity. This supports non-repudiation, deterrence, intrusion prevention and intrusion detection. Because truly secure systems are not yet an achievable goal, one must be able to trace a security violation to the responsible party. Systems must keep records of their activities to permit later analysis, either to trace security violations or to help resolve transaction problems (Stallings, 2011).
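The four concepts above form one pipeline, and the following Python class (an added example, not code from the thesis or from Stallings) shows them together: a unique user name identifies the principal, a salted PBKDF2 password hash with a constant-time comparison authenticates it, a permission table authorises the requested action, and every decision is appended to an audit trail for accountability. The users, permissions and iteration count are assumptions for the example.

```python
# Added example: the identify -> authenticate -> authorise -> account chain
# as one small service. Users, permissions and the PBKDF2 iteration count are
# constructed assumptions; not code from the thesis or from Stallings.
from __future__ import annotations

import hashlib
import hmac
import os
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000  # assumption; raise it as hardware allows


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Derive a salted, iterated hash. Only (salt, hash) is ever stored,
    never the clear-text password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class AccessService:
    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}  # identification: unique name -> (salt, hash)
        self.perms: dict[str, set[str]] = {}             # authorisation: name -> permitted actions
        self.audit: list[dict] = []                      # accountability: append-only trail

    def add_user(self, name: str, password: str, permissions: set[str]) -> None:
        self.users[name] = hash_password(password)
        self.perms[name] = set(permissions)

    def _log(self, user: str, action: str, outcome: str, now: float) -> None:
        # Every decision, allowed or denied, is recorded with who, what, when.
        self.audit.append({"ts": now, "user": user, "action": action, "outcome": outcome})

    def authenticate(self, name: str, password: str, now: Optional[float] = None) -> bool:
        """Step 2: verify the claimed identity against the stored hash."""
        now = now if now is not None else time.time()
        record = self.users.get(name)
        if record is None:
            # Do the same work for an unknown user so response time does not
            # reveal which user names exist.
            hash_password(password, b"\x00" * 16)
            self._log(name, "login", "denied: unknown user", now)
            return False
        salt, stored = record
        _, candidate = hash_password(password, salt)
        ok = hmac.compare_digest(stored, candidate)  # constant-time comparison
        self._log(name, "login", "ok" if ok else "denied: bad password", now)
        return ok

    def perform(self, name: str, password: str, action: str, now: Optional[float] = None) -> bool:
        """Steps 1-4: identify (name), authenticate, authorise the action, account for it."""
        now = now if now is not None else time.time()
        if not self.authenticate(name, password, now):
            return False
        allowed = action in self.perms.get(name, set())
        self._log(name, action, "ok" if allowed else "denied: not authorized", now)
        return allowed


if __name__ == "__main__":
    svc = AccessService()
    svc.add_user("teller1", "correct horse battery staple", {"view_balance"})
    print(svc.perform("teller1", "correct horse battery staple", "view_balance"))  # True
    print(svc.perform("teller1", "correct horse battery staple", "approve_loan"))  # False
    for entry in svc.audit:
        print(entry["user"], entry["action"], entry["outcome"])
```

Storing only a salted, iterated hash means the user table can be inspected, backed up or leaked without exposing anyone's password, and the audit records carry the outcome of each step, so a later investigation can distinguish a failed login from a successful login followed by a denied action.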

2.3 Empirical review of Literature

Organisations today are more susceptible to computer crime and employee fraud than ever before. In their paper, Haugen and Selin (1999) present statistics about the growth of fraud, the factors which cause fraud in the workplace, how businesses can protect their assets, and common computer-based frauds, techniques and controls. Managers of all types of organisations need to be knowledgeable about their internal control system and make sure it has sufficient checks and balances to guard against employees committing fraudulent acts. They found that no organisation was immune from either external or internal threats to the safety and security of its data and information. Therefore it is imperative that managers understand the problems that fraud can cause and how they can protect the organisation.


In his study, Stewart (2005) evaluated the value that security technologies bring to businesses and provided recommendations on how businesses can best view the role of security technologies within an information security program. The findings were derived from his observations as an information security consultant working for businesses in numerous vertical markets over several years. The principal finding was that the market for information security technologies was becoming a product market. This means that data security can be perceived as part of the market development tactic in e-commerce and online banking: customers have expressed common worries about secure operations, privacy, integrity and the safety of their data, so financial companies with strong data security can leverage their investment to increase the pool of willing buyers and enhance their market share. Therefore we no longer have to see data security only as data loss prevention or avoidance; in today's marketplace good security becomes a competitive advantage that contributes directly to profits and revenue. This change would shift how businesses view security technologies, as they would begin to focus on achieving security capabilities at the lowest possible cost (Stewart, 2005).

Hewett and Whitaker's (2002) study examined the different information security regulations and standards that are emerging, such as ISO/IEC 27002, to support data security implementation by demonstrating how to limit access to confidential information. The paper documented some of the legislative developments in privacy and data protection and examined what these developments mean for IT professionals. They found that these laws define limits to the use of information collected and stored by both public and private organizations. In other words, the problem of information privacy has been mitigated by the combination of laws and data security. Therefore the problem of information privacy and confidentiality has been mitigated on the basis of standards.

Recent use of email analysis and data mining of email contents has proven to be useful as a way of improving information security by detecting threats and identifying fraud, including that originating from terrorists. Moreover, it has proved to be helpful for decision making, future team co-ordination, fraud detection and tracing the behavior of an employee. Tarushi (2014) in his paper showed how the popular k-means algorithm can be modified to make use of this information (tracing the behavior of employees).

However, Younus, Qureshi and Arlsan (2009) outlined some of the information security issues. The purpose of their paper was to study how information technology has had a tough time making passwords secure. They found that, when it comes to the area of computer and data security in financial firms, there is a deep involvement of passwords. For them the main problems of passwords are: 1) Individual memory is limited and therefore users cannot remember extended, long and secure passwords; as a result they are likely to choose passwords that are too short or easy to remember. 2) Passwords should look random and should be too tough to guess; they should be altered frequently, and should be different on the diverse accounts of the same user. They should not be written down or stored in plain, clear text. But unfortunately users are less likely to follow these practices.

In order to try to address these problems, they observed that the following new authentication techniques were introduced: token-based authentication techniques and biometric systems.

1) Token-based authentication techniques: Token-based authentication mechanisms use a mark or a symbol for identification which is only known to the authenticating machine. Examples are keycards and smart cards. Many token-based authentication systems also use knowledge-based techniques to enhance security. For example, ATM cards are generally used together with a PIN (Younus, Qureshi and Arlsan, 2009).

2) Biometric systems: Biometric authentication refers to the technology that measures and analyzes human physical and behavioral characteristics for authentication purposes. Examples of physical characteristics include fingerprints, eye retinas and irises, facial patterns and hand measurements, while examples of mostly behavioral characteristics include signature and the way a person moves and types. Voice is considered a mix of both physical and behavioral characteristics (Younus, Qureshi and Arlsan, 2009).

The purpose of Silic and Back's (2013) study was to analyze current trends in information security and suggest future directions for research. They found that data security in financial organizations currently cannot guarantee the confidentiality and integrity of data a hundred percent, and so cannot fully prevent insecurity of the network. If a user neglects one single area the whole system could be compromised. With the recent explosion of connectivity and technology the number of intrusions, thefts, acts of sabotage and other attacks has also increased and security has weakened. Despite that rising weakness, companies unfortunately sometimes focus more on external attacks than on internal ones.

In Africa, Kritzinger (2012) found that many users of technology unfortunately have little idea of how to protect themselves and their personal information against the intrusions directed at their devices, as doing so requires some basic skills. Furthermore, a number of cyber factors have led Africa to become a cybercrime hub. These factors include: increasing bandwidth, increasing use of wireless technologies and infrastructure, lack of cyber security awareness, ineffective legislation and policies, and lack of technical cyber security measures. In his study four different types of cyber problems in Africa are also mentioned:

1) Lack of focused research in information security;
2) Lack of a proper integrated framework on legal and policy aspects: researchers believe that we need proper and relevant laws, policies and practices if we are to fight cybercrime successfully on this continent. Most African countries have no legal regulations in place to stop or prosecute online crime, thus providing a safe haven for cyber criminals;
3) Lack of information security awareness and regulation.

In this regard, Kritzinger (2012) clearly noted that almost 80 percent of the population in Africa lacks even fundamental knowledge about computer security. Internet cafés, though common, are unable to pay for antivirus software, making them easy targets for hackers. This is a very dangerous situation and indicates that there is a clear, but certainly not deliberate, lack of information security awareness and education to make computer users aware of all possible threats and risks. According to him, few users are aware of the confidentiality and integrity mechanisms necessary to protect data.

The purpose of the study of Omar, Nermin and Hefny (2014) was to determine how virtualization can address information security issues. They found that in a traditional, non-virtualized computer security system the whole software stack is highly vulnerable to security breaches. This is mainly caused by the coexistence of security systems in the same space as the potentially compromised operating system and applications, which often run with administrative privileges. In such a structure, compromising, bypassing, disabling, or even weakening the deployed security systems requires little effort. They also found that machine virtualization provides a powerful abstraction for addressing information security issues. Its isolation, encapsulation, and partitioning properties can be leveraged to reduce security breaches. Machine virtualization, when employed and combined with cryptography, would preserve information confidentiality even on a suspect machine. This leads to a novel information security approach called Virtualized Anti-Information Leakage. Its objective is to prevent malicious software and insiders' information leakage attacks on sensitive files after decryption in potentially compromised computer systems.

2.9 Critical Review and Research Gap Identification

In his study, Stewart (2005) first followed the Brewer-Nash Model by describing data security as part of the market improvement tactic in e-commerce or in online banking, since customers have expressed common worries about secure operations. Secondly, he emphasized customers' privacy, integrity and the safety of data, and consequently followed the Bell-LaPadula and Clark-Wilson models too; as he describes it, financial companies with strong security can leverage their investment to enlarge the pool of willing buyers and increase their market share. Furthermore, he encouraged people to care about data security, as some data needs to be protected against unauthorized disclosure for legal and competitive reasons. According to him, we no longer have to identify data security only with data loss prevention or data loss avoidance: in today's marketplace good security needs to develop into a competitive advantage that can contribute directly to profits and revenue.

Hewett and Whitaker (2002) were guided by the Bell-LaPadula Model, indicating that security standards such as ISO/IEC 27002 support data security implementation to mitigate the problem of information privacy and to attempt to limit access to confidential information. In other words, the problem of information privacy and confidentiality has been mitigated on the basis of the ISO/IEC 27002 standard.

From their point of view, Haugen and Selin (1999) first followed the Bell-LaPadula Model by focusing on some statistics about the growth in fraud, the factors which cause fraud in the workplace, how businesses can protect their assets, and common computer-based frauds, techniques, and controls.

From Silic and Back's (2013) point of view, they adhered to the Clark-Wilson Integrity and Bell-LaPadula Models. According to them, one can never prevent insecurity in the network a hundred percent by ensuring confidentiality and integrity of data. With the recent explosion of connectivity and technology the number of intrusions, thefts, acts of sabotage and other attacks has also increased and security has weakened.

In addition, according to Tarushi (2014), the recent use of email analysis and data mining of email contents has proven useful in some sensitive places, such as national security agencies, to detect threats, to identify fraud originating from terrorists and to improve information security. Moreover, it has proved helpful for decision making, future team co-ordination, fraud detection and tracing the behavior of an employee. As a result this technique may reveal an intrusion as well as its cause before it happens. By introducing this technique he followed the Clark-Wilson Integrity Model, which involves both the integrity of the system and the integrity of the data.

According to Younus (2009), when it comes to the area of computer security in financial firms there is a deep involvement of passwords. He followed the Bell-LaPadula Model by dealing with confidentiality using passwords. He stated that the password mechanism presents some weaknesses: human memory is limited and therefore users cannot remember long and secure passwords, yet passwords should be hard to guess, should be changed frequently, and should be different on the different accounts of the same user. He argued that, in order to address these problems, the following new authentication techniques were introduced: token-based authentication techniques and biometric systems.

In his study, Kritzinger (2012) approached the case of Africa by indicating the problems of information security on the continent. From his point of view he followed the Clark-Wilson Integrity and Bell-LaPadula Models. Some of the problems observed are a lack of information security awareness and regulation, a lack of focused research in information security, and a lack of a proper integrated framework on legal and policy aspects.

Meanwhile, Omar (2014) chose the Bell-LaPadula Model by focusing on the improvement of computer security through virtualization. According to him, machine virtualization, when employed and combined with cryptography, would protect information confidentiality even on a suspect machine.

Through his study, Stewart (2005) described data security as part of the market improvement tactic in e-commerce and online banking; however, he did not study the protection measures to be taken against identity theft of customers, or the procedures to follow in order to find a solution to the problem.

Younus (2009) studied the effectiveness and the weaknesses of passwords, but unfortunately he did not cover what procedures to follow in a case where staff in a financial company are careless about protecting files with passwords, or what measures to take in a case of policy violation where organization employees download an unnecessarily large amount of data.

Furthermore, Younus (2009) discovered how to deal with the confidentiality of data by using passwords, biometric systems and token-based authentication, but he did not deal with issues of availability, or with how the flow of information would continue once the only authorized users are unavailable. He emphasized confidentiality and integrity mechanisms but not availability mechanisms such as a backup and recovery process in case of disaster. In other words, he did not cover the procedure to follow in a case where security mechanisms have failed. Furthermore, he put much of his effort into dealing with internal incidents but omitted to deal with external incidents.

Tarushi (2014), as well as other researchers, focused on providing powerful security mechanisms such as email analysis and data mining for fraud detection and tracing the behavior of an employee, without first considering and investigating the main causes of insecurity in general. Haugen and Selin (1999) present some statistics about the growth in fraud, the factors which cause fraud in the workplace, and common computer-based frauds, techniques, and controls in general, without specifying whether the common computer-based frauds identified are specific to Africa, Europe or America.

None of these researchers covered additional measures such as IP tracking mechanisms, website injection testing, and temperature and humidity control mechanisms necessary to deal with fire and humidity, even though these additional measures should be put in place to improve existing data security. Moreover, researchers did not include measures such as security audits and monitoring of computer resources (data, assets, network, and facilities) in their studies for improving data security.

Other previous studies emphasized data security mechanisms such as biometric systems and failed to focus on how data security mechanisms affect online banking services.

Previous studies covered data security and its mechanisms, but they left out how data security preparedness levels affect online banking services and the main causes of insecurity, for example malicious software, and software and hardware failures. This was the knowledge gap that the study intended to fill, particularly in the case of Rwanda, where published materials in this area of interest are few. Therefore the gaps mentioned above are the area that was covered through this study.

2.10 Conceptual Framework

[Figure 2.5 residue: the diagram links the independent variable (Data Security Preparedness Levels) to the dependent variable (Online Banking Services) through the intervening variables.]

Independent variable: Data Security Preparedness Levels, measured by the use of:
1. Computer anti-virus
2. Firewalls
3. Digital signatures
4. Back up and recover
5. Encryption
6. Motion sensors
7. Alarm
8. Physical guards
9. Disaster plan

Intervening variables:
1. Hardware technology
2. Company policy
3. Cost of security services and security mechanism
4. Employee training
5. Rwanda Government laws

Dependent variable: Online Banking Services

Figure 2.5: Conceptual Framework
Source: (Preliminary interpretation)

2.10.1 Independent Variable

i. Computer anti-virus
This is computer software with the goals of preventing, detecting, and removing malicious software such as computer viruses. A virus may be introduced into a system physically when it arrives on an optical disk and is subsequently loaded onto a computer. Viruses may also arrive over the internet. In either case, once the virus is resident on a computer system, internal computer security tools are needed to detect and recover from the virus (Stallings, 2011). Therefore the successful secure financial services of Access Bank depend on computer antivirus.

ii. Firewalls
A firewall is any device that prevents or allows a specific type of information from moving between the untrusted network outside and the trusted network inside. A firewall is a combination of software and hardware that establishes a barrier between a trusted network and another network, and it should sit at the boundary between the two networks. In addition, it examines every incoming packet header and selectively filters packets based on address, packet type, port request, and other factors. Firewalls prevent unauthorized internet users from accessing a private network; this limits the exposure of a computer or a private bank network to crackers. Therefore the successful secure transactions of Access Bank would depend on firewalls (Corsini, 2009).

iii. Encryption
Encryption is the transformation of data into a form that is as close to impossible as possible to read without the appropriate knowledge. Its purpose is to ensure privacy and confidentiality by keeping information hidden from anyone for whom it is not intended, so that only authorized parties can read it. Its role is to ensure authentication, privacy/confidentiality and integrity of data (Stallings, 2011).

iv. Back up and recover
This is the process of copying and archiving computer data so that it may be used to restore the data after a data loss event (Brocade Communications Systems, Inc., 2007).

v. Digital Signatures
This is a way of ensuring that an electronic document such as an e-mail or text file is authentic and reliable. Authentic means that you know who the sender of the document is. Digital signatures rely on a certain type of encryption to ensure authentication (Corsini, 2009).

vi. Physical guards
Physical security describes the people responsible for preventing or deterring attackers from accessing a facility, equipment, resources, or information stored on physical media, and guidance on how to design structures to resist various hostile acts.

vii. Motion sensors
These are devices which detect moving objects, particularly people.

viii. Alarm
This is a system designed to detect an intrusion or unauthorized entry into a building or area.

ix. Disaster plan
This refers to a plan that would help financial companies to prepare for and survive a disaster or other incidents.

2.10.2 Dependent variable

Secured online banking services refer to the confidentiality and integrity of online transactions, availability of services, quality of services, consistency, and recoverability. Therefore the secure online transactions of Access Bank could depend on network encryption, firewalls, digital signatures, and antivirus.

2.11 Summary

The review of literature covered the introduction to the literature review and the review of past studies, where the emphasis was on data security in general and particularly in financial institutions and in Rwanda. The chapter also covered data protection laws in Rwanda, the root causes of data theft and data protection measures. The aim of this review was to look at the field of information security. It included the theoretical framework, the empirical review and the critical review. The next chapter describes the methodology used to explore the actual role of data security in protecting the company's data.

CHAPTER THREE: RESEARCH METHODOLOGY

3.0 Introduction

This chapter provides details of the research methodology used. The design of the study, target population, sample design and data collection are covered in this chapter. Lastly, validity and reliability issues as well as the data analysis strategy are discussed.

3.1 Research Design

This study was based on a descriptive case study research design. This design was chosen because it was felt to be the most suitable to clarify a set of security measures, why they were taken, how they were implemented and with what result in the context of the chosen organization. A case study allows a lot of detail to be collected that would not normally be easily obtained by other research designs. In this study, the case study explored how data security is prepared in financial institutions and what existing causes of insecurity they face (Salahuddin, 2010).

3.2 Target Population

The target population is the group or individuals to whom the survey applies or from which samples are obtained (Kitchenham, 2003). The target population for this study was fifty nine (59) staff of Access Bank, Kigali. This number covered four (4) managers and fifty five (55) IT department staff of Access Bank, Kigali, Rwanda, and it was the number of employees responsible for data security preparedness in the company.

3.3 Sample Design

Sample design involves sampling procedures. A sample is a set of individuals selected from the population and usually aims to represent the population in a research study; in other words, a sample is a representative subset of the target population (Kitchenham, 2003). As the number of employees responsible for data security preparedness in Access Bank was small, the census method was used as the sampling method and everyone in the target population was considered a participant in the study. In this case the total population became the sample size.

3.3.1 Sample Size

A sample size is the number of individuals or objects in the sample. The sample size in this study equals the target population, since the number of IT department staff and their managers (the target population) is small. Therefore the sample size was fifty nine (59) staff of Access Bank, Kigali.

3.3.2 Sampling Technique

A sampling technique is a technique for selecting a subset of individuals from a target population. The target population of IT staff in Access Bank was equal to the sample size. Therefore the sampling technique was a census study.

3.4 Data Collection

The first instrument applied in this study was a questionnaire, which was distributed to the respondents (employees working in the IT department). The second instrument applied in this study was an interview, which was conducted with managers. A questionnaire is a set of related questions to which respondents answer by giving written information. An interview is a conversation in which one or more persons consult and elicit facts and information from respondents.

In this study, the questionnaire was composed of open and closed questions in order to find out the opinions and views of respondents. The questions were prepared according to the objectives of the research. Questionnaires were chosen because they gather data from many respondents within the shortest space of time compared to other data collection methods. The instrument helped to obtain the main data, which essentially gave reliable data in relation to data security preparedness in protecting the company's data against intruders.

3.5.1 Data Collection Procedure

Firstly, the fifty five well-structured questionnaires were distributed to the IT department employees who are responsible for data security preparedness, and secondly, interview schedules were conducted targeting the four managers. They were selected because they carry out the daily operations and are more familiar with the situation of information security. Thus, their responses were constructive and reliable for this study.

3.5.2 Reliability and Validity

Reliability is the degree to which a questionnaire or any measurement method produces the same results on repeated experiments in different studies. Reliability of the study ensures that errors in the study are minimized. Validity is the precision of the results that can be acquired from data gathered using the research instruments (Miller, 2000). Reliability requires the research process to be consistent, allowing any later researcher to follow exactly the same procedures and get the same result (Salhuddin, 2011).

Firstly, to ensure that the content of the questionnaires was valid and reliable, professionals who have knowledge in the area of study were consulted, and their evaluations were incorporated in order to have reliable instruments. Secondly, a pilot study was conducted in order to test the questionnaire before collecting the real data. In order to test the internal validity of the different constructs, a Cronbach's alpha test was performed on the questionnaire.

i. Pilot Study
A pilot study is a pre-test or an initial check of some or all aspects of the instrument to ensure that there are no unexpected complications. A pilot study is done for the following reasons: to determine the suitable elements of analysis, and to improve the data collection instruments.

The objective of conducting the pilot study was to check the correctness and clarity of the questions in the instruments, the language used to construct the questions and the importance of the information required. A pilot test was conducted with the help of six data security personnel of Agaseke Microfinance Bank. Due to the relatively small population being studied at Access Bank, Agaseke Microfinance Bank, which also offers online services on a smaller scale, was found suitable at the time of pilot testing the research instruments. The results of the pilot study were used to improve the research instruments and make them clearer to the targeted respondents.

The goal of this pre-test was to see whether variations in the manner of formulating the questionnaire brought out similar responses (construct validity). This procedure also ensured that the whole questionnaire was understood and measured validly.

Table 3.1: Validity Statistics for six respondents for pilot test

Section                                                                Cronbach's Alpha   N of Items
Effectiveness of data security measures                                0.714              5
Root causes of data insecurity                                         0.648              10
Additional measures to be put in place                                 0.632              4
How data security preparedness levels affect online banking services   0.709              17

Source: Preliminary data

From Table 3.1, for Section one of the questionnaire (root causes of data insecurity) the respondents' answers gave a Cronbach's alpha of 0.648; for Section two (effectiveness of data security measures) a Cronbach's alpha of 0.714; for Section three (how data security preparedness levels affect online banking services) a Cronbach's alpha of 0.709; and for Section four (additional measures to be put in place) a Cronbach's alpha of 0.632. As a result the Cronbach's alpha of all sections is acceptable. It can be deduced that all sections are valid and reliable because the Cronbach's alpha is greater than 0.5. However, section one is more valid and reliable than sections two and three.
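As an added example (not the thesis's own code or pilot data), the following Python computes the per-section Cronbach's alpha that Table 3.1 reports and applies the acceptance rule used above (alpha greater than 0.5); the respondents and their scores are constructed for illustration.

```python
"""Cronbach's alpha reliability check for questionnaire sections.

Added example (not the thesis's own code or data): computes the per-section
Cronbach's alpha that Table 3.1 reports and applies the acceptance rule used
in the text (alpha greater than 0.5). All respondent scores below are
constructed for illustration.
"""
from typing import Dict, Sequence


def _variance(values: Sequence[float]) -> float:
    """Population variance. The item/total variance ratio inside alpha is the
    same whether population or sample variance is used, so either works."""
    n = len(values)
    mean = sum(values) / n
    return sum((v - mean) ** 2 for v in values) / n


def cronbach_alpha(responses: Sequence[Sequence[float]]) -> float:
    """Cronbach's alpha for one questionnaire section.

    responses[r][i] is respondent r's score on item i of the section.
    alpha = k / (k - 1) * (1 - sum(item variances) / variance(total scores)).
    Raises ValueError when alpha is undefined: no data, fewer than two items,
    ragged rows, or every respondent having the same total score.
    """
    if not responses:
        raise ValueError("no responses")
    k = len(responses[0])
    if k < 2:
        raise ValueError("alpha needs at least two items")
    if any(len(row) != k for row in responses):
        raise ValueError("every respondent must answer every item")
    item_vars = [_variance([row[i] for row in responses]) for i in range(k)]
    total_var = _variance([sum(row) for row in responses])
    if total_var == 0:
        raise ValueError("total-score variance is zero; alpha is undefined")
    return k / (k - 1) * (1 - sum(item_vars) / total_var)


def section_reliability(sections: Dict[str, Sequence[Sequence[float]]],
                        threshold: float = 0.5) -> Dict[str, dict]:
    """Alpha, item count and acceptance verdict for each section, mirroring
    the layout of Table 3.1 (section, Cronbach's alpha, N of items)."""
    report = {}
    for name, responses in sections.items():
        alpha = cronbach_alpha(responses)
        report[name] = {
            "alpha": round(alpha, 3),
            "items": len(responses[0]),
            "acceptable": alpha > threshold,
        }
    return report


# Constructed pilot responses: four respondents, scores on a 1-4 scale.
# These are illustrative and are not the thesis's pilot data.
PILOT_SECTIONS = {
    # items that rise together for every respondent: alpha = 1.0
    "Effectiveness of data security measures": [
        [1, 1, 1], [2, 2, 2], [3, 3, 3], [4, 4, 4]],
    # two items that mostly agree: alpha = 0.75
    "Root causes of data insecurity": [
        [1, 2], [2, 1], [3, 4], [4, 3]],
    # two items that barely track each other: alpha = 0.444, below 0.5
    "Additional measures to be put in place": [
        [1, 2], [2, 2], [3, 1], [4, 3]],
}

if __name__ == "__main__":
    for name, row in section_reliability(PILOT_SECTIONS).items():
        verdict = "acceptable" if row["acceptable"] else "revise section"
        print(f"{name}: alpha={row['alpha']:.3f} items={row['items']} -> {verdict}")
```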

Based on the comments received from the pre-test, modifications were made to the questionnaire to improve its simplicity and clarity before it was used in the actual survey. The data collected, comments and suggestions were analysed and gaps between the preliminary questionnaire and the required data were identified.

3.6 Data Analysis Procedure

Data analysis is the process of examining, categorizing, transforming and modelling data with the purpose of determining useful information, suggesting conclusions, and supporting decision making based on the processed data. After collecting the data, all the processing operations were carried out, including editing, coding, classification and tabulation. Data were summarized using descriptive statistics such as graphs, tables, frequency tables, weighted averages and percentages to describe the relationships established. This was achieved by the use of the Statistical Package for the Social Sciences version 17.0 (SPSS V. 17.0). The interview guide was analysed using content analysis.

Furthermore, to analyze the relationship between one dependent variable and several independent variables, multiple regression analysis was applied, since it is a suitable way to check the relationship between the independent variables and the dependent variable in this study. The stochastic model developed was as follows (according to the conceptual framework):

$$Y = b_0 + b_1 X_1 + b_2 X_2 + \cdots + b_k X_k + \varepsilon$$

where $X_k$ represents the independent variables, $b_k$ the coefficients, $\varepsilon$ the unknown factor (error term), and $Y$ the dependent variable.

3.7 Ethical Considerations

The data collected was given on a voluntary basis and the respondents were included based on their willingness. The researcher included a written assurance to the respondents that the information given would be treated with high confidentiality and that the results would be used for academic purposes only.

CHAPTER FOUR: RESEARCH FINDINGS AND DISCUSSION

4.0 Introduction

This chapter presents the analysis and interpretation of the data collected for this study. It gives the key findings after analysis of the data. Furthermore, it serves as a tool to measure the objectives against the results obtained in the field. This chapter is divided into five sections: demographic characteristics of sampled respondents; the root causes which could contribute to data insecurity at Access Bank; the current situation of data security preparedness at Access Bank; the effectiveness of data security measures currently used at Access Bank; additional measures that need to be put in place to improve data security; and how data security preparedness levels at Access Bank, Kigali, Rwanda affect online banking services.

4.1 Demographic characteristics of respondents

General information studied in the survey included the age, education level, gender and language spoken of respondents. These demographic characteristics are significant because they helped to study the characteristics of the individual population independently.

4.1.1 Distribution of respondents per age

This distribution was of great importance because with it, knowledge of which age category was more involved in security implementation compared to the other categories was possible. Table 4.1 shows the age distribution of respondents.

Table 4.1: Age of respondents

Age (years)   Frequency   Percent
18-25         12          21.80
25-35         39          70.90
35-45         4           7.30
Total         55          100.00

Source: Field data (questionnaire)

Table 4.1 provides the age of respondents based on the questionnaire and interview.

From the questionnaire it shows that 21.80%, representing 12 respondents, are between 18 and 25 years; 70.90%, representing 39 respondents, are aged between 25 and 35 years; and 7.30%, representing 4 respondents, are aged between 35 and 45 years. Furthermore, it can be observed that the majority of the respondents to the questionnaire were between 25 and 35 years (70.90%). Therefore this category of respondents was the most involved in data security preparedness at Access Bank.

4.1.2 Gender distribution

Table 4.2 indicates the distribution of respondents considered based on their gender.

Table 4.2: Gender distribution of respondents

Gender   Frequency   Percent
Male     50          90.90
Female   5           9.10
Total    55          100.00

Source: Field data (questionnaire)

Table 4.2 shows the gender distribution of respondents based on the questionnaire and interview.

Table 4.2 shows that, from the questionnaire, males (50 respondents) made up 90.90%, while females, represented by 5 respondents out of a total of 55, made up 9.10%. It can be observed that a large number of males were involved in data security preparedness compared to females.

4.1.3 Education Level

Normally, effective data security depends on a high educational level among the employees responsible for data security preparedness. Table 4.3 shows the distribution of Access Bank employees according to their educational level.

Table 4.3: Education Level of Respondents

Educational Level   Frequency   Percent
Graduate            55          100.00

Source: Field data (questionnaire)

Table 4.3 provides the education level of respondents from the questionnaire.

Table 4.3 shows that all respondents (100%) in our census are graduates, and 0 percent of respondents were undergraduates or had high school level. This shows that the employees responsible for planning and preparing data security have all graduated. It also gives us a certain guarantee that the answers provided are reliable.

4.2 Presentation of Findings

Questionnaires were distributed to IT department employees. During the questionnaire examination process, data were obtained on organizational activities that support the preparation of information security. Data were also obtained on the main causes of insecurity. Furthermore, the interview was conducted with managers. It was used to understand further the current information security measures used to implement data security and the main causes of data insecurity in Access Bank, Kigali.

4.2.1 Root Causes of Data Insecurity at Access Bank

To investigate the root causes which could contribute to data insecurity at Access Bank, the number of intrusions the company has experienced was first considered. Through this study, the fifty five respondents from all four branches of Access Bank revealed that the company experienced between one and five intrusions in the last two years.

The causes of insecurity (computer viruses and malicious software, system or software failure, cyber or internal-based attacks, users' errors or non-compliance, system administrators' errors or non-compliance, and hardware failure) were analysed to find out which were the main threats to the company's information security. Table 4.4 presents the ranking of these threats. The obstacles and concerns in carrying out better security compliance (lack of an awareness and training programme, lack of adequate technology, lack of clear direction in security procedures and roles, and lack of motivation programmes) were analysed in Table 4.5; these concerns normally lead to data insecurity.

Table 4.4: Major Causes of Security Incidents in the Company (ranking and frequency, N = 55)

Major cause of insecurity                          1st cause     2nd cause     3rd cause     4th cause     5th cause     6th cause
Virus and malicious software                       7 (12.70%)    32 (58.20%)   11 (20.00%)   5 (9.10%)     0 (0%)        0 (0%)
System or software failure                         0 (0%)        2 (3.60%)     7 (12.70%)    3 (5.50%)     26 (47.30%)   17 (30.90%)
Internal-based attacks                             28 (50.90%)   12 (21.80%)   2 (3.60%)     2 (3.60%)     3 (5.50%)     8 (14.50%)
User's errors or non-compliance                    0 (0%)        6 (10.90%)    6 (10.90%)    42 (76.40%)   1 (1.80%)     0 (0%)
System administrator's errors or non-compliance    17 (30.90%)   6 (10.90%)    29 (52.70%)   3 (5.50%)     0 (0%)        0 (0%)
Hardware failure                                   0 (0%)        0 (0%)        0 (0%)        0 (0%)        26 (47.30%)   29 (52.70%)

Source: Field data

Table 4.4 provides a summary of the major causes of insecurity at Access Bank.

Table 4.4 shows that the first main cause of insecurity was internal-based attacks: 28 respondents (50.90%) ranked internal-based attacks as the 1st major cause of data insecurity in the company. Viruses and malicious software came second, with 32 respondents out of 55 (58.20%) ranking them as the 2nd cause of data insecurity at the company.

Table 4.4 also shows that 29 respondents (52.70%) out of 55 ranked system administrators' errors or non-compliance as the 3rd main cause of data insecurity, and 42 respondents (76.40%) ranked users' errors as the 4th.

Furthermore, 26 respondents (47.30%) placed system or software failure 5th, while hardware failure was ranked last (6th) by 29 respondents (52.70%).

Table 4.5: Obstacles and Concerns in Carrying Out Better Security Compliance (ranking and frequency, N = 55)

Obstacle to security compliance                          1st place     2nd place     3rd place     4th place
Lack of awareness and training programme                 39 (70.90%)   11 (20.00%)   5 (9.10%)     0 (0%)
Lack of adequate technology                              7 (12.70%)    10 (18.20%)   29 (52.70%)   9 (16.40%)
Lack of clear direction in security procedures and roles 6 (10.90%)    5 (9.10%)     0 (0%)        44 (80.00%)
Lack of motivation programmes                            9 (16.40%)    28 (50.90%)   16 (29.10%)   2 (3.60%)

Source: Field data

Table 4.5 provides a summary of the obstacles and concerns in carrying out better security compliance at Access Bank, Kigali. These concerns were analysed because they may lead to data insecurity in financial organizations.

Table 4.5 shows that 39 respondents out of 55 (70.90%) ranked the lack of an awareness and training programme as the 1st major obstacle to implementing better data security at the company, whereas 28 respondents (50.90%) ranked the lack of motivation programmes as the 2nd obstacle. Furthermore, 29 respondents (52.70%) placed the lack of adequate technology 3rd, while 44 (80.00%) placed the lack of clear direction in security procedures and roles 4th.

In interviews, managers indicated that Access Bank offers regular training to its employees, but that human resources and other departments do not take part in the regular information security training. Only some employees attend a special training once a year in Nigeria; not every employee is trained. This explains why questionnaire respondents identified the lack of an awareness and training programme as the 1st major obstacle to implementing better data security.

In support of motivation programmes being the 2nd obstacle, managers highlighted that when it comes to motivation the Bank only encourages employees by providing assistance, making them work together, and making and enforcing policy and the related rules and procedures.

Table 4.6: Number of Occasions the Following Security Strategies Have Been Carried Out Every Five Months

Data security strategy                            Very often (5)   Often (4)      Sometimes (3)   Rarely (2)     Never (1)   N    Weighted mean   Std.
Provide clarifications to customers on security   0 (0%)           9 (16.40%)     21 (38.20%)     25 (45.50%)    0 (0%)      55   2.71            0.737
Conduct security violation test                   17 (30.90%)      27 (49.10%)    11 (20.00%)     0 (0%)         0 (0%)      55   4.11            0.712
Conduct data security audit                       11 (20.00%)      28 (50.90%)    16 (29.10%)     0 (0%)         0 (0%)      55   3.91            0.701
Update security software                          8 (14.50%)       42 (76.40%)    5 (9.10%)       0 (0%)         0 (0%)      55   4.05            0.488

(SD < 0.5, close to zero: respondents' responses crowded around the weighted mean; SD > 0.5, high: respondents' responses dispersed.)

Source: Field data

Table 4.6 provides a summary of the number of occasions data security strategies have been carried out at Access Bank every five months. It involves the calculation of weighted means on a 5-point Likert scale, where the weights are: 5 = very often; 4 = often; 3 = sometimes; 2 = rarely; 1 = never.

$$\text{Weighted mean} = \frac{\sum (\text{weights} \times \text{observed frequencies})}{\sum \text{observed frequencies}}$$

i. Provide clarifications to customers on security

The view of respondents regarding the number of times the company has provided customers with clarifications on data security fell between sometimes and rarely, with a weighted mean of 2.71. The standard deviation of 0.737 indicated that respondents were dispersed in their responses. Table 4.6 shows that, out of 55, 25 respondents noted that the company rarely provides customers with clarifications on data security, whereas 21 noted that it sometimes does so.

The majority's view was supported by the managers, who indicated that the Bank does not provide clarifications on data security because they felt regular assistance or clarifications are not necessary for customers and may be costly.

ii. Conduct security violation test

The opinion of the majority of respondents regarding the number of times the company has conducted security violation tests fell between very often and often, with a weighted mean of 4.11. The standard deviation of 0.712 indicated that respondents were dispersed in their responses. Table 4.6 shows that 27 respondents out of 55 reported that the company often conducts a security violation test to find weaknesses in the system's security, whereas 17 reported that it does so very often.

iii. Conduct data security audit

The view of the majority of respondents lies between often and sometimes, with a weighted mean of 3.91. The standard deviation of 0.701 indicated that respondents were dispersed in their responses. Most respondents (28) reported that the company often conducts a data security audit to assess and examine the system's security compliance, whereas 16 reported that it sometimes does so (Table 4.6).

iv. Update security software

The view of most respondents fell between very often and often, with a weighted mean of 4.05. The standard deviation of 0.488 indicated that respondents' responses were crowded around the weighted mean. Table 4.6 shows that 42 respondents out of 55 indicated that the company often updates its security software to limit incidents caused by viruses, while 8 indicated that it does so very often.
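As an added example (not part of the thesis), the following Python reproduces the weighted mean and the standard deviation reported in Table 4.6 and labels each mean with the Likert band used in the text. The frequency rows are copied from Table 4.6 and the weights are the ones defined above; the standard deviation is the sample (n - 1) form, which is what matches the SPSS figures on the page, and the 0.5 dispersion threshold follows the table footnote. The same functions apply to Tables 4.7, 4.9 and 4.10.

```python
from math import floor, sqrt

# Likert weights as defined for Table 4.6: 5 = very often ... 1 = never
WEIGHTS = (5, 4, 3, 2, 1)
LABELS = {5: "very often", 4: "often", 3: "sometimes", 2: "rarely", 1: "never"}

# Frequency rows copied from Table 4.6 (very often, often, sometimes, rarely, never)
TABLE_4_6 = {
    "provide clarifications to customers on security": (0, 9, 21, 25, 0),
    "conduct security violation test": (17, 27, 11, 0, 0),
    "conduct data security audit": (11, 28, 16, 0, 0),
    "update security software": (8, 42, 5, 0, 0),
}


def weighted_mean(freqs):
    """sum(weight * frequency) / sum(frequency), as in the formula above."""
    n = sum(freqs)
    if n == 0:
        raise ValueError("empty frequency row")
    return sum(w * f for w, f in zip(WEIGHTS, freqs)) / n


def sample_sd(freqs):
    """Sample standard deviation (n - 1 denominator) of the scored responses."""
    n = sum(freqs)
    if n < 2:
        raise ValueError("need at least two responses")
    m = weighted_mean(freqs)
    ss = sum(f * (w - m) ** 2 for w, f in zip(WEIGHTS, freqs))
    return sqrt(ss / (n - 1))


def likert_band(mean):
    """'between X and Y' wording used in the text, e.g. 2.71 -> 'between sometimes and rarely'."""
    lo = max(1, min(4, floor(mean)))
    return f"between {LABELS[lo + 1]} and {LABELS[lo]}"


def dispersion(sd):
    """Footnote rule of Table 4.6: SD below 0.5 is 'crowded', otherwise 'dispersed'."""
    return "crowded" if sd < 0.5 else "dispersed"


def summarise(table):
    """Return {strategy: (N, weighted mean to 2 dp, SD to 3 dp, band, dispersion)}."""
    out = {}
    for name, freqs in table.items():
        m, sd = weighted_mean(freqs), sample_sd(freqs)
        out[name] = (sum(freqs), round(m, 2), round(sd, 3), likert_band(m), dispersion(sd))
    return out


if __name__ == "__main__":
    for name, row in summarise(TABLE_4_6).items():
        print(f"{name:50s} N={row[0]} mean={row[1]:.2f} sd={row[2]:.3f} {row[3]} ({row[4]})")
```

Running the block prints one line per strategy; the means and standard deviations agree with Table 4.6 to the printed precision, which is a quick way to check a Likert table for transcription errors before interpreting it.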

4.2.2 Response and Remediation Plans the Bank Possesses

Findings from the interviews clarified that when small issues arise, IT employees normally explain the security threats and issues to managers and let them know what their responsibilities are. When there is a major incident, the backup recovery mechanism is used. When no rule has been put in place to deal with a situation of insecurity, the issue is handled by managers and heads of department when making decisions (see Appendix F).

Through the questionnaires, all respondents reported that the company possesses a business continuity plan and a disaster recovery plan, in addition to a backup recovery process, as its incident response and remediation procedures for handling detected intrusions. These plans do not assess or identify potential threats; they are concerned only with recovering the data lost and with keeping the business running through a disaster, tragedy or security software failure.

Meanwhile, every respondent also reported that the company does not possess a crisis management plan or an emergency response plan. Generally, crisis and emergency management plans do not eliminate threats but focus on reducing the impact of a disaster. An emergency plan prevents and mitigates disasters; it responds to, tolerates and terminates a major risk that may occur. Without crisis management and emergency methods that can identify and deal efficiently with a serious situation such as a security threat, it may be difficult for the company to reduce vulnerability and to deal with disasters before, during and after they occur.

4.2.3 Effectiveness of Data Security Measures Currently Used

To ensure effectiveness, managers indicated that an information security standard is used. Standards define roles and responsibilities to protect and control access to data and help to identify security policies. Their basic principle is that all stored data should have an owner, so that it is clear whose task it is to protect and control access to that data. Table 4.7 provides a summary of how effective the data security measures are when implementing data security.

Table 4.7: Data Security Measures

Data security measure                                               Strongly agree (5)   Agree (4)      Neutral (3)    Disagree (2)   Strongly disagree (1)   N    Weighted mean   Std.
End users or employee involvement in data security implementation   15 (27.30%)          19 (34.50%)    21 (38.20%)    0 (0%)         0 (0%)                  55   3.89            0.809
Implementation of a documented policy                               38 (69.10%)          17 (30.90%)    0 (0%)         0 (0%)         0 (0%)                  55   4.69            0.466
Implementation of a data loss prevention policy                     17 (30.90%)          24 (43.60%)    14 (25.50%)    0 (0%)         0 (0%)                  55   4.05            0.756
Procedures to discipline employees                                  27 (49.10%)          20 (36.40%)    8 (14.50%)     0 (0%)         0 (0%)                  55   4.35            0.726
Train employees regularly                                           33 (60.00%)          21 (38.20%)    1 (1.80%)      0 (0%)         0 (0%)                  55   4.58            0.534

(SD < 0.5, close to zero: respondents' responses crowded around the weighted mean; SD > 0.5, high: respondents' responses dispersed.)

Source: Field data

i. End users or employee involvement in data security implementation

In general, Table 4.7 shows that the opinion of the majority of respondents fell between agree and neutral, with a weighted mean of 3.89. The standard deviation of 0.809 indicated that respondents were dispersed in their responses. Out of 55 respondents, 21 were neutral on the effectiveness of involving users in data security implementation, while 19 agreed that involving users or employees is effective and 15 strongly agreed.

The majority's view was backed by managers, who argued that they are not sure whether involving users increases data security, since only IT employees and managers are involved in its implementation.

ii. A documented policy

From Table 4.7, 38 respondents out of 55 strongly agreed that a documented policy is effective for improving the data security system, whereas 17 agreed that it is effective in protecting data. This was reflected in a weighted mean of 4.69, with the opinions of most respondents falling between strongly agree and agree. The standard deviation of 0.466 indicated that respondents' responses were crowded around the weighted mean.

In addition, managers said that a documented policy has been put in place to secure data efficiently by avoiding unintentional or intentional disclosure of sensitive business information by employees.

iii. Implementation of a data loss prevention (DLP) policy

One form of DLP policy is a messaging control that ensures employees do not send sensitive data outside the network; it can be used to filter email messages and attachments. Table 4.7 shows that 24 respondents out of 55 agreed that the company has been protected by the implementation of a data loss prevention policy, while 17 strongly agreed and 14 were neutral. The DLP policy has therefore been effective: respondents' views on its effectiveness fell between strongly agree and agree, with a weighted mean of 4.05. The standard deviation of 0.756 indicated that respondents were dispersed in their responses.

iv. Procedures to discipline employees

Table 4.7 shows that 27 respondents out of 55 strongly agreed on the effectiveness of the procedures put in place to discipline employees who violate the company's security policy and regulations, whereas 20 agreed. Since respondents' opinions fell between strongly agree and agree, with a weighted mean of 4.35, these procedures have been effective, although the standard deviation of 0.726 indicated that respondents were dispersed in their responses. This opinion was backed by managers, who indicated that these procedures were normally effective. The Bank implemented them by pointing out unwanted behaviour to employees and explaining the consequences. Furthermore, the Bank blocked, during the day, some undesirable websites that host movies. However, there are no procedures to discipline employees who download unnecessarily large amounts of data.

v. Train employees regularly

Table 4.7 shows that 33 respondents out of 55 strongly agreed on the effectiveness of regular employee training for protecting the company's data, while 21 only agreed. The view of the majority regarding the effectiveness of regular employee training lay between strongly agree and agree, with a weighted mean of 4.58. The standard deviation of 0.534 indicated that respondents were somewhat dispersed in their responses.
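The DLP messaging control described under item iii (filtering outbound mail and attachments so that employees cannot send sensitive data outside the network) can be illustrated with a small outbound-mail check. This is an added example written for this page, not code from the thesis or from Access Bank; the internal mail domain, the rule set and the sample messages are assumptions, and the check looks only for payment card numbers, which it confirms with the Luhn check digit so that 16-digit order references do not trigger false positives.

```python
import re

# Assumed internal mail domain (hypothetical; not from the thesis)
INTERNAL_DOMAINS = {"accessbank.example"}

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits):
    """Luhn check digit test; filters out most non-card numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the card numbers (digits only) found in text that pass the Luhn check."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def external_recipients(addresses):
    """Recipients whose domain is not one of the bank's own."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def inspect_message(msg):
    """Return ('allow' | 'block', reasons) for a message dict with 'to', 'body', 'attachments'."""
    if not external_recipients(msg["to"]):
        return "allow", []  # internal-only mail is out of scope for this rule
    reasons = []
    if find_pans(msg["body"]):
        reasons.append("card number in body")
    for name, content in msg.get("attachments", []):
        if find_pans(content):
            reasons.append(f"card number in attachment {name}")
    return ("block" if reasons else "allow"), reasons


# Constructed sample messages (not real traffic). 4111 1111 1111 1111 is a well-known
# Luhn-valid test number; 1234 5678 9012 3456 has 16 digits but fails the Luhn check.
SAMPLE_MESSAGES = {
    "statement to customer": {
        "to": ["client@example.org"],
        "body": "Your card 4111 1111 1111 1111 was charged today.",
        "attachments": [],
    },
    "internal report": {
        "to": ["ops@accessbank.example"],
        "body": "Card 4111 1111 1111 1111 flagged for review.",
        "attachments": [],
    },
    "order confirmation": {
        "to": ["vendor@example.org"],
        "body": "Order reference 1234 5678 9012 3456 confirmed.",
        "attachments": [],
    },
    "export with attachment": {
        "to": ["partner@example.org"],
        "body": "Please find the export attached.",
        "attachments": [("cards.csv", "owner,pan\nalice,4111111111111111\n")],
    },
}


def run_samples():
    """Decision for each constructed message."""
    return {name: inspect_message(m)[0] for name, m in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, m in SAMPLE_MESSAGES.items():
        print(name, inspect_message(m))
```

The rule blocks the two external messages that carry a valid card number (one in the body, one in a CSV attachment) and allows the internal report and the order confirmation. A production DLP product would add more detectors (account numbers, document fingerprints) and would scan compressed and binary attachments, but the decision structure is the same.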

4.2.4 Additional Security Measures to Be Put in Place to Improve Data Security

To find out whether measures could be added to the existing security mechanisms, respondents were asked whether the following measures might be necessary for the company if added to the existing security system. These measures involved extra security mechanisms such as password with biometric authentication and network monitoring software (e.g. Microsoft Network Monitor, BandwidthD, IP scanners), which could be helpful for network monitoring. They also involved adding IP tracking techniques, encryption skills for database security, and SQL injection tests for the company's website.

Table 4.8: Additional Security Measures Necessary to Improve Data Security

Additional security measure                Yes (2)        No (1)         N
SQL injection tests                        44 (80.00%)    11 (20.00%)    55
Anti-malware                               4 (7.30%)      51 (92.70%)    55
IP tracking techniques                     35 (63.60%)    20 (36.40%)    55
Password with biometric authentication     29 (52.70%)    26 (47.30%)    55
Network monitoring software                36 (65.50%)    19 (34.50%)    55

Source: Field data


i. SQL injection tests

Table 4.8 shows that 44 respondents out of 55 (80.00%) argued that SQL injection tests could certainly be useful if incorporated into the company's security system. Respondents noted that "it is better to test the quality of the company website by injecting some malicious code to find its weakness". SQL injection tests should therefore be added to the existing security system. However, 11 respondents (20.00%) did not acknowledge the importance of this mechanism, as "it may be time consuming and may require higher skills".

ii. Anti-malware

Table 4.8 shows that 51 respondents out of 55 (92.70%) argued that anti-malware software could not improve the existing security of the company. Respondents noted that "antiviruses deployed at every endpoint are sufficient and they can do the same job as anti-malwares". As only 4 respondents (7.30%) acknowledged the importance of this mechanism, this software should not be added to the existing security system.

iii. IP tracking techniques

Table 4.8 shows that 35 respondents out of 55 (63.60%) argued that IP tracking techniques could be very useful for improving data security. These respondents argued that "IP tracking software should be introduced as a new security mechanism in order to help administrators to analyse the history and records of a particular IP address". However, 20 respondents (36.40%) did not acknowledge the importance of this mechanism.

iv. Biometric authentication

Table 4.8 shows that 29 respondents out of 55 (52.70%) acknowledged that password with biometric (iris and fingerprint recognition) authentication could be very useful to the company if added to the current security system. Generally, respondents noted that "using password only to access confidential information is not enough. It is good to introduce a new security system such as biometric (iris and fingerprint recognition) authentication to protect the data center". However, 26 respondents (47.30%) did not acknowledge the importance of this mechanism, arguing that "it may be expensive to introduce and install this mechanism".

v. Network monitoring software

Table 4.8 shows that 36 respondents out of 55 (65.50%) agreed that network monitoring software could be put in place to improve the existing security system, as it can be useful to the company. Respondents noted that "these security softwares should be added to the existing information security in order to control the network and employees and analyse intrusions". However, 19 respondents (34.50%) did not acknowledge its importance.
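The SQL injection test that respondents recommended under item i amounts to sending crafted input to a query and checking whether it changes what the query returns. The following Python, added for this page and not taken from the thesis or from the Bank's website, shows the same account lookup written two ways and runs three inputs through each against an in-memory SQLite table; the schema, accounts and payloads are constructed for illustration.

```python
import sqlite3

# Constructed schema and rows (not the Bank's data)
ACCOUNTS = [("1001", "alice", 500), ("1002", "bob", 1200), ("1003", "carol", 90)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct_no TEXT, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return conn


def lookup_vulnerable(conn, acct_no):
    """Builds the query by string concatenation: user input becomes part of the SQL."""
    sql = "SELECT owner, balance FROM accounts WHERE acct_no = '" + acct_no + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, acct_no):
    """Same query with a bound parameter: user input is only ever a value."""
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE acct_no = ?", (acct_no,)
    ).fetchall()


# Test inputs: one legitimate account number and two classic injection payloads
PAYLOADS = {
    "legitimate": "1001",
    "tautology": "' OR '1'='1",
    "union": "1001' UNION SELECT owner, balance FROM accounts --",
}


def injection_test(lookup):
    """Run each payload through a lookup function and return {payload name: rows returned}.

    More than one row for a crafted payload means the injection succeeded; an 'error'
    result usually means the input broke the query syntax rather than being neutralised.
    """
    conn = make_db()
    results = {}
    for name, value in PAYLOADS.items():
        try:
            results[name] = len(lookup(conn, value))
        except sqlite3.Error:
            results[name] = "error"
    conn.close()
    return results


if __name__ == "__main__":
    print("vulnerable:", injection_test(lookup_vulnerable))
    print("safe:      ", injection_test(lookup_safe))
```

With the concatenated query the tautology payload returns every account and the UNION payload returns every account's owner and balance; with the parameterised query both payloads return nothing, because the quote characters are data rather than SQL. The test is the kind of check that can be run against each input field of a website before release.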

4.2.5 How Data Security Levels Affect Online Banking Services Delivery

Table 4.9: Data Security Mechanisms that Affect Online Banking Services

Data security mechanism   Strongly agree (5)   Agree (4)      Neutral (3)    Disagree (2)   Strongly disagree (1)   N    Weighted mean   Std.
Computer antivirus        48 (87.30%)          7 (12.70%)     0 (0%)         0 (0%)         0 (0%)                  55   4.87            0.336
Digital signature         6 (10.90%)           20 (36.40%)    29 (52.70%)    0 (0%)         0 (0%)                  55   3.58            0.686
Encryption                3 (5.50%)            27 (49.10%)    25 (45.50%)    0 (0%)         0 (0%)                  55   3.60            0.596
Backup and recovery       40 (72.70%)          12 (21.80%)    3 (5.50%)      0 (0%)         0 (0%)                  55   4.67            0.579
Motion sensors            0 (0%)               10 (18.20%)    45 (81.80%)    0 (0%)         0 (0%)                  55   3.18            0.389
Alarm                     0 (0%)               0 (0%)         3 (5.50%)      16 (29.10%)    36 (65.50%)             55   1.40            0.596
Firewalls                 42 (76.40%)          13 (23.60%)    0 (0%)         0 (0%)         0 (0%)                  55   4.76            0.429
Physical guards           20 (36.40%)          34 (61.80%)    1 (1.80%)      0 (0%)         0 (0%)                  55   4.35            0.517
Disaster plan             18 (32.70%)          28 (50.90%)    9 (16.40%)     0 (0%)         0 (0%)                  55   4.16            0.688

(SD < 0.5, close to zero: respondents' responses crowded around the weighted mean; SD > 0.5, high: respondents' responses dispersed.)

Source: Field data

Table 4.9 provides a summary of the data security mechanisms that affect online banking services.

i. Computer antivirus

Table 4.9 shows that 48 of the 55 respondents (87.30%) strongly agreed that the computer antivirus deployed on every computer in the company affects financial services delivery, while 7 (12.70%) agreed. Respondents' views fell between strongly agree and agree, with a weighted mean of 4.87, and the standard deviation of 0.336 indicated that responses were crowded around the weighted mean.

ii. Digital signature

From Table 4.9, 29 respondents out of 55 (52.70%) were neutral on whether digital signature software has affected online banking services, while 20 (36.40%) agreed and 6 (10.90%) strongly agreed. Respondents' views fell between agree and neutral, with a weighted mean of 3.58; the standard deviation of 0.686 indicated that respondents were dispersed in their responses.

56

iii. Encryption

Table 4.9 shows that 27 respondents out of 55 (49.10%) agreed that encryption affects secure online banking services, whereas 25 (45.50%) were neutral. Respondents' opinions fell between agree and neutral, with a weighted mean of 3.60; the standard deviation of 0.596 indicated that respondents were dispersed in their responses.

iv. Backup and recovery

Table 4.9 shows that 40 respondents out of 55 (72.70%) strongly agreed that the backup and recovery mechanism affects online banking services, whereas 12 (21.80%) agreed. Respondents' opinions fell between strongly agree and agree, with a weighted mean of 4.67; the standard deviation of 0.579 indicated that respondents were fairly dispersed in their responses.

v. Motion sensors

In general, 45 respondents (81.80%) out of the total population of 55 were neutral on whether motion sensors have affected online banking services, while 10 (18.20%) agreed that the motion sensors deployed in the company affect online banking (Table 4.9). Respondents' opinions regarding motion sensors fell between agree and neutral, with a weighted mean of 3.18; the standard deviation of 0.389 indicated that responses were crowded around the weighted mean.

vi. Alarm

From Table 4.9, 36 respondents (65.50%) out of 55 strongly disagreed that the alarm mechanism affects online banking services, while 16 (29.10%) disagreed. Respondents' views fell between strongly disagree and disagree, with a weighted mean of 1.40; the standard deviation of 0.596 indicated that respondents were fairly dispersed in their responses.

vii. Firewalls

Table 4.9 shows that 42 respondents out of 55 (76.40%) strongly agreed that firewalls affect online banking services delivery, while 13 (23.60%) agreed. According to respondents, therefore, firewalls have affected secure online banking services. Respondents' opinions fell between strongly agree and agree, with a weighted mean of 4.76; the standard deviation of 0.429 indicated that responses were fairly crowded around the weighted mean.

viii. Physical guards

From Table 4.9, 34 respondents (61.80%) out of 55 agreed that physical guards affect secure online banking services, while 20 (36.40%) strongly agreed. Respondents' opinions fell between strongly agree and agree, with a weighted mean of 4.35; the standard deviation of 0.517 indicated that respondents were fairly dispersed in their responses.

ix. Disaster plan

Table 4.9 shows that 28 respondents (50.90%) out of 55 agreed that the establishment of a disaster plan in the company affects online banking services, while 18 (32.70%) strongly agreed that it has a direct impact on online banking services. Respondents' opinions fell between strongly agree and agree, with a weighted mean of 4.16; the standard deviation of 0.688 indicated that respondents were fairly dispersed in their responses.


Table 4.10: Financial Services Affected by Data Security Mechanisms

Financial service                                            N    Strongly agree (5)   Agree (4)     Neutral (3)   Disagree (2)   Strongly disagree (1)   Mean   Std.
Keeping money safe                                           55   26 (47.3%)           26 (47.3%)    3 (5.5%)      0 (0%)         0 (0%)                  4.42   0.599
Processing of credit card transactions                       55   27 (49.1%)           28 (50.9%)    0 (0%)        0 (0%)         0 (0%)                  4.49   0.505
Use of debit cards                                           55   20 (36.4%)           35 (63.6%)    0 (0%)        0 (0%)         0 (0%)                  4.36   0.485
Financial transactions using Automatic Teller Machines       55   15 (27.3%)           34 (61.8%)    6 (10.9%)     0 (0%)         0 (0%)                  4.16   0.601
Electronic fund transfers                                    55   38 (69.1%)           17 (30.9%)    0 (0%)        0 (0%)         0 (0%)                  4.69   0.466
Automatic payments for bills                                 55   29 (52.7%)           26 (47.3%)    0 (0%)        0 (0%)         0 (0%)                  4.53   0.504
Online (Internet) banking services                           55   37 (67.3%)           17 (30.9%)    1 (1.8%)      0 (0%)         0 (0%)                  4.65   0.527
Deposits from customers and provision of credit facilities   55   20 (36.4%)           8 (14.5%)     27 (49.1%)    0 (0%)         0 (0%)                  3.87   0.924

(SD < 0.5, close to zero: respondents' responses crowded around the weighted mean; SD > 0.5, high: respondents' responses dispersed.)

Source: Field data

Table 4.10 provides a summary of how financial services delivery is affected by data security mechanisms.


Economic services provided by financial organizations need to be secured. Table 4.10 shows the services affected by data security mechanisms. Respondents' opinions on how security measures affect financial services delivery were as follows.

Respondents' views on how data security mechanisms affect the way of keeping money safe lay between strongly agree and agree, with a weighted average of 4.42; the standard deviation of 0.599 indicated that respondents were dispersed in their responses.

Respondents' opinions on how data security mechanisms affect the processing of credit card transactions lay between strongly agree and agree, with a weighted average of 4.49; the standard deviation of 0.505 indicated that respondents were fairly dispersed in their responses.

Respondents' opinions on whether data security mechanisms affect the use of debit cards fell between strongly agree and agree, with a weighted average of 4.36; the standard deviation of 0.485 indicated that responses were fairly crowded around the weighted mean.

Respondents' opinions on whether data security mechanisms affect financial transactions using Automatic Teller Machines fell between strongly agree and agree, with a weighted average of 4.16; the standard deviation of 0.601 indicated that respondents were dispersed in their responses.

Respondents' opinions on whether data security mechanisms affect electronic fund transfers fell between strongly agree and agree, with a weighted average of 4.69; the standard deviation of 0.466 indicated that responses were fairly crowded around the weighted mean.

Respondents' opinions on whether data security mechanisms affect automatic payments for bills fell between strongly agree and agree, with a weighted average of 4.53; the standard deviation of 0.504 indicated that respondents were fairly dispersed in their responses.

Respondents' opinions on whether data security mechanisms affect online banking services fell between strongly agree and agree, with a weighted average of 4.65; the standard deviation of 0.527 indicated that respondents were fairly dispersed in their responses.

Respondents' opinions on whether data security mechanisms affect deposits from customers and the provision of credit facilities fell between agree and neutral, with a weighted average of 3.87; the standard deviation of 0.924 indicated that respondents were highly dispersed in their responses.

4.2.6 Multiple Regression Analysis

Multiple regression was used to predict the value of one variable (the dependent variable) from the values of two or more other variables (the independent variables). Multiple linear regression models the relationship between several explanatory variables and a response variable by fitting a linear equation to the observed data:

$$Y = b_0 + b_1 X_1 + b_2 X_2 + \dots + b_k X_k + \varepsilon$$

where $X_k$ are the independent variables, $b_k$ the coefficients, $\varepsilon$ the residual (unknown factor) and $Y$ the dependent variable.

In this study:

Y: online banking services

X1: computer anti-virus, X2: digital signatures, X3: encryption, X4: backup and recovery, X5: motion sensors, X6: alarm, X7: firewalls, X8: physical guards, X9: disaster plan.

The nine predictors are numbered in the order in which they appear in Table 4.11. Physical policy, listed among the candidate mechanisms, was not included in the fitted model.

Table 4.11: Multiple Regression Analysis Model

Model 1                  B        Std. Error   Beta     t        Sig.
(Constant)               -2.542   2.450                 -1.038   .305
Computer anti-virus      .125     .286         .047     .437     .664
Digital signatures       1.101    .136         .778     8.077    .000
Encryption               .073     .142         .048     .514     .610
Backup and recovery      .108     .162         .070     .670     .506
Motion sensors           -.617    .233         -.266    -2.646   .011
Alarm                    .015     .143         .010     .103     .919
Firewalls                .302     .216         .143     1.399    .169
Physical guards          .103     .174         .059     .593     .556
Disaster plan            .202     .133         .154     1.526    .134
a. Dependent variable: Online banking services

Source: Field research data

The fitted model is

$$Y = b_0 + b_1 X_1 + b_2 X_2 + b_3 X_3 + b_4 X_4 + b_5 X_5 + b_6 X_6 + b_7 X_7 + b_8 X_8 + b_9 X_9 + \varepsilon$$

$$Y = -2.542 + 0.125\,X_1 + 1.101\,X_2 + 0.073\,X_3 + 0.108\,X_4 - 0.617\,X_5 + 0.015\,X_6 + 0.302\,X_7 + 0.103\,X_8 + 0.202\,X_9 + \varepsilon$$

where $\varepsilon$ is the residual. The standard error of the estimate is 0.602 (Table 4.12); it describes the typical size of the residual and is not a constant term to be added to the prediction.

The general form of the equation to predict online banking services from computer anti-virus, digital signatures, encryption, backup and recovery, motion sensors, alarm, firewalls, physical guards and disaster plan is:

Online banking services = -2.542 + 0.125 Computer anti-virus + 1.101 Digital signatures + 0.073 Encryption + 0.108 Backup and recovery - 0.617 Motion sensors + 0.015 Alarm + 0.302 Firewalls + 0.103 Physical guards + 0.202 Disaster plan

From the Sig. column of Table 4.11, only two coefficients are statistically significant at the 5% level: digital signatures (t = 8.077, p < .001) and motion sensors (t = -2.646, p = .011, with a negative sign). The remaining seven coefficients cannot be distinguished from zero with this sample of 55, so their contribution to the prediction should be interpreted with caution.

Table 4.12: Model Summary

Model   R       R Square   Adjusted R Square   Std. Error of the Estimate
1       .793a   .628       .554                .602
a. Predictors: (Constant), Disaster plan, Motion sensors, Firewalls, Encryption, Alarm, Digital signatures, Physical guards, Backup and recovery, Computer anti-virus

Source: Field research data

R, the multiple correlation coefficient, measures the strength of the linear relationship between the set of independent variables and the dependent variable; it lies between 0 and 1, and a value close to 1 indicates a strong relationship. R-squared (R²) is the square of R and measures the proportion of the variation in the dependent variable that can be attributed to the independent variables. The study gave R = 0.793, a strong positive multiple correlation between the independent variables (disaster plan, motion sensors, firewalls, encryption, alarm, digital signatures, physical guards, backup and recovery, computer anti-virus) and the dependent variable (online banking services). R² = 0.628 means that 62.80% of the total variation in online banking services was explained by the linear relationship with the nine predictors and the remaining 37.20% was unexplained. Because R² rises whenever a predictor is added, the adjusted R-squared of 0.554 is the fairer summary for a model with nine predictors and 55 respondents: about 55% of the variation is explained after allowing for the number of predictors.
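To make the reading of Tables 4.11 and 4.12 reproducible, the following Python, added for this page and not part of the thesis, recomputes the t-ratios from B and its standard error, flags the predictors that are significant at the 5% level, derives the adjusted R-squared from R-squared, the sample size and the number of predictors, and evaluates the fitted equation for a given set of Likert scores. The coefficients are the page's; the critical t value is assumed from a standard t table and is not given on the page.

```python
# Coefficients copied from Table 4.11, in the order X1 .. X9: (name, B, standard error)
PREDICTORS = [
    ("Computer anti-virus", 0.125, 0.286),
    ("Digital signatures", 1.101, 0.136),
    ("Encryption", 0.073, 0.142),
    ("Backup and recovery", 0.108, 0.162),
    ("Motion sensors", -0.617, 0.233),
    ("Alarm", 0.015, 0.143),
    ("Firewalls", 0.302, 0.216),
    ("Physical guards", 0.103, 0.174),
    ("Disaster plan", 0.202, 0.133),
]
CONSTANT = -2.542       # b0 from Table 4.11
R_SQUARED = 0.628       # Table 4.12
N = 55                  # respondents
K = len(PREDICTORS)     # 9 predictors
# Two-sided 5% critical value of Student's t with N - K - 1 = 45 degrees of freedom.
# Assumed from a standard t table; not given on the page.
T_CRIT = 2.014


def t_ratios():
    """t = B / standard error for every predictor (the 't' column of Table 4.11)."""
    return {name: round(b / se, 3) for name, b, se in PREDICTORS}


def significant_at_5pct():
    """Predictors whose |t| exceeds the critical value, i.e. Sig. < .05 in Table 4.11."""
    return [name for name, b, se in PREDICTORS if abs(b / se) > T_CRIT]


def adjusted_r2(r2=R_SQUARED, n=N, k=K):
    """1 - (1 - R^2)(n - 1)/(n - k - 1): penalises R^2 for the number of predictors."""
    return 1 - (1 - r2) * (n - 1) / (n - k - 1)


def predict(scores):
    """Fitted online banking services score for nine Likert scores ordered as X1 .. X9."""
    if len(scores) != K:
        raise ValueError(f"expected {K} scores, got {len(scores)}")
    return CONSTANT + sum(b * x for (_, b, _), x in zip(PREDICTORS, scores))


if __name__ == "__main__":
    print("t ratios:", t_ratios())
    print("significant at 5%:", significant_at_5pct())
    print("adjusted R^2:", round(adjusted_r2(), 3))
    print("all mechanisms rated 5:", round(predict([5] * K), 3))
```

The recomputed t-ratios agree with Table 4.11 to rounding (the table's 8.077 for digital signatures becomes 8.096 from the three-decimal B and standard error), the adjusted R-squared comes out at 0.554 as in Table 4.12, and only digital signatures and motion sensors pass the 5% test.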

4.4. Summary of Research Findings

This chapter presented the analysed and interpreted data collected for this study. It provided the demographic characteristics of the sampled respondents, the root causes of data insecurity at Access Bank, the effectiveness of the data security measures currently used at Access Bank, and the additional measures that need to be put in place to improve data security; the relationship between data security mechanisms and online banking services was analysed using multiple regression.


CHAPTER FIVE: SUMMARY, CONCLUSIONS AND RECOMMENDATIONS

5.0 Introduction

This chapter provides the conclusions and recommendations, which are based on the findings in line with the research objectives. The conclusion summarises the most critical subjects covered in the study: the current situation of data security preparedness, the root causes of data insecurity, and the additional security measures necessary to improve data security at Access Bank, Kigali, Rwanda.

5.1 Summary of Findings

Technological solutions have, to a large extent, already been developed. However, concerns about data theft, data loss and data insecurity are still rising. As a result, the goals of this thesis were to find out the root causes that could contribute to data insecurity at Access Bank, Kigali, to assess the effectiveness of the data security measures currently used at Access Bank, Kigali, and to determine the additional security measures necessary to improve data security at Access Bank.

5.1.1 The Root Causes of Data Insecurity

The first objective was to find out the root causes that could contribute to data insecurity at Access Bank, Kigali. Many information security threats were examined to find out whether they could be the main causes of insecurity, and the findings showed that a few of them could be, as presented in Chapter Four.

The root causes of data insecurity at Access Bank are firstly internal based attacks (system users). 50.90% of respondents considered internal based attacks the first major cause of data insecurity in the company, as indicated in Table 4.4, while 58.20% of respondents considered viruses and malicious software the second major cause of data insecurity at the Bank.

Meanwhile, "a lack of a crisis management plan and emergency response plan", as indicated by all respondents, may influence the internal or outside based attacks problem. Therefore it could be another major cause of insecurity in the company.

Furthermore, Table 4.5 showed that a lack of an awareness and training program was cited by 70.90% of respondents as the first main obstacle to carrying out better security compliance. As a result, this obstacle may lead to insecurity. Finally, a lack of urgency in providing customers with regular assistance and clarifications about the security of their data may lead to loss of customers' data or money (in the case of identity theft), as shown by 25 respondents (45.40%) out of 55 in Table 4.5. Respondents noted that the company rarely provides customers with clarifications on security.

5.1.2 The Effectiveness of Data Security Measures that are Currently Used

The second objective was to assess the effectiveness of the data security measures currently used to implement data security at Access Bank, Kigali. Different measures were assessed, and the findings showed that most of them have been effective in implementing data security.

Assessing the effectiveness of the current security measures involved examining the mechanisms put in place for good preparation of data security. In general, respondents acknowledged their efficiency in implementing the data security system. In Table 4.7, 38.20% of respondents were neutral on the effectiveness of involving users in data security implementation. However, 69.10% of respondents strongly agreed about the effectiveness of a documented policy, while 49.10% of respondents strongly agreed on the effectiveness of the procedures put in place to discipline employees who violate the Bank's policy. According to their managers, however, there are no procedures to discipline employees who download unnecessarily large amounts of data.

5.1.3 Additional Security Measures Needed to Improve Data Security

The third objective was to determine the additional measures necessary to improve data security at Access Bank, Kigali. Different new mechanisms were considered to determine whether they could be added to the existing security system, and the findings showed that most of them could be useful in improving data security if put in place.


The additional security measures found to improve data security at Access Bank are password with biometric authentication, network monitoring software (i.e. Microsoft Network Monitor, BandwithD, IP Scanner) and SQL injection tests. In Table 4.12, 80.0% of respondents argued that SQL injection tests could certainly be useful if integrated into the security system of the company. Furthermore, 52.70% of respondents acknowledged that password with biometric (iris and fingerprint recognition) authentication could be very useful to the company if added to the active security system, 65.50% of respondents noted that network monitoring software could be put in place to improve network security, while 63.60% of respondents indicated that IP tracking techniques could be very useful to the company if put in place to improve data security.

5.1.4 How Data Security Preparedness Levels Affect Online Banking Services

The last objective was to find out whether data security preparedness levels at Access Bank, Kigali affect online banking services. Multiple regression analysis was performed to determine the relationship between the independent variables and the dependent variable. In Table 4.11 the "R" column represents the value of R, the multiple correlation coefficient. R can be considered one measure of the quality of the prediction of the dependent variable, in this case online banking services. A value of 0.793 indicates a good level of prediction.

In addition, the coefficient of determination was found to be r² = 0.628, meaning that 62.80% of the total variation in online banking services could be explained by the linear relationship between data security preparedness levels and online banking services, and the remaining 37.20% of the total variation was unexplained (due to factors beyond the research's control).

5.2 Conclusions

5.2.1 Answers to the Research Questions

The research study was carried out to address the following research questions:

1. What are the root causes of data insecurity at Access Bank, Kigali, Rwanda?

The main causes of data insecurity at Access Bank are firstly internal based attacks (system users), as indicated by 50.90% of respondents in Table 4.4; 58.20% of respondents considered viruses and malicious software the second major cause of data insecurity at the Bank.

2. How effective are data security measures that are currently used at Access Bank, Kigali, Rwanda?

In Table 4.7, the majority of respondents strongly agreed about the effectiveness of a documented policy. However, 38.20% of respondents were neutral on the effectiveness of involving users in data security implementation, while 49.10% of respondents strongly agreed on the effectiveness of the procedures put in place to discipline employees who violate the Bank's policy.

3. How can additional security measures be put in place to improve data security at Access Bank, Kigali, Rwanda?

In Table 4.12, the majority of respondents argued that SQL injection tests, password with biometric (iris and fingerprint recognition) authentication, network monitoring software and IP tracking techniques could be very useful to the company if put in place to improve data security.

4. How do data security preparedness levels at Access Bank, Kigali, Rwanda affect online banking services?

In this study, Table 4.11 shows a value of r equal to 0.793, which indicates a good level of prediction, and a coefficient of determination (r²) equal to 0.628. Therefore there was a strong positive correlation between data security preparedness levels and online banking services.

5.3 Recommendations

In the short term it is recommended that Access Bank:

1. Provide training on information security to every employee of the Bank, not only to IT employees, as employees work with data and can easily be manipulated if they are not trained.

2. Provide regular assistance to customers in order to avoid identity theft and the disclosure of important information over the telephone or by email. Meanwhile, customers are also advised to learn about identity theft.

In the medium term it is recommended that Access Bank:

1. Implement a crisis management plan and an emergency response plan, which is a strategy to mitigate incidents. In addition, the company is advised to apply database, disk, file and folder encryption, and to back up by copying data off site and encrypting the data after copying it.

2. Improve the procedures to discipline employees who download unnecessarily large amounts of data; this could be done by blocking torrent websites.

3. Secure paper-based records, as they may contain sensitive information too.

In the long term it is recommended to:

i. IT and other employees of Access Bank, such as managers responsible for data security, to introduce the additional security measures stated in this study to deal with internal incidents, as it has been discovered that internal based attacks are the main cause of data insecurity. The mechanisms recommended are Microsoft Network Monitor, BandwithD, IP Scanner and Nmap, which may be helpful for network monitoring.

ii. System administrators of the Bank to learn more about IP tracking techniques, as they can be useful in locating the addresses of hackers and unauthorized users.

iii. Training employees on email policies is also encouraged. This includes never opening an email attachment without knowing its sender, and never responding to spam.

5.4 Suggestions for Further Study

Based on the problems met through this study, more work should be carried out in the future in the area of data security in order to improve its efficiency.

1. Since the study dealt with data security, future studies should concentrate on the process of database encryption using SQL, especially in the context of software used in the banking industry.
2. Since this was a case study, a more general study should be carried out among other banks.
3. A long-term (longitudinal) study should be carried out on the mentioned topic, about the effect of changing data security technology on financial services.
4. A study should be carried out on the effect of malicious actions against information systems.
5. A study should be carried out on the traceability of persons and goods on the network.
6. A study on the implementation of biometric systems in information security should be carried out.

REFERENCES

Access Bank (2014). Our Products. Retrieved April 25, 2014 from: https://www.accessbankplc.com/ourproducts

Access Bank (2014). Organizational Structure of Access Bank. Kigali: Author.

Ajibuwa, F. O. (2010). Data and Information Security in Modern Day Businesses. Unpublished master's thesis, Atlantic International University, Abuja, Nigeria.

Allison, S. F. H. (2003). A Case Study of Identity Theft. Unpublished master's thesis, University of South Florida, Florida, USA.

Bhavya, D. (2007). Network Security: History, Importance, and Future. Unpublished master's thesis, University of Florida, Florida, USA.

Bourne, M. (2004). The Dynamics of Identity Theft: A Comparison of Symptomatic and Systemic Solutions. Unpublished master's thesis, James Madison University, Virginia, USA.

Brocade Communications Systems, Inc. (2007). Data Protection: Understanding the Benefits of Various Data Backup and Recovery Techniques. Retrieved May 20, 2014 from: http://www.brocade.com/downloads/documents/white_papers/Data_protection_WP_00.pdf

Camp, L. J. (2006). The State of Economics of Information Security. A Journal of Law and Policy, 2(2), 190-200.

Corsini, J. (2009). Analysis and Evaluation of Network Intrusion Detection Methods to Uncover Data Theft. Unpublished master's thesis, Napier University, Edinburgh, Scotland.

Creswell, J. W. (2003). Research Design: Qualitative, Quantitative and Mixed Methods Approaches. London, UK: Sage Publications.

Data Protection Commissioner (2013). Twenty-Fifth Annual Report of the Data Protection Commissioner 2013. Retrieved May 20, 2014 from: http://www.dataprotection.ie/docimages/documents/Annual%20Report%202013.pdf

Enshasy, M. (2009). Evaluating Business Continuity and Disaster Recovery Planning in Information Technology Departments in Palestinian Listed Companies. Unpublished master's thesis, The Islamic University, Gaza, Palestine.

Goh, R. (2003). Information Security: The Importance of the Human Element. Unpublished doctoral dissertation, Preston University, Singapore Campus, Singapore.

Google (2015). Nyarugenge District Map. Retrieved April 25, 2015 from: https://www.google.rw/maps/place/Nyarugenge/@1.9707553,30.032463,12z/data=!4m2!3m1!1s0x19dca5a587d7a5dd:0x732077ad7d5b38b6

Graham, W. S. & Mills, S. E. (1999). Monitoring Information Systems to Enforce Computer Security Policies. Unpublished master's thesis, Naval Postgraduate School, California, USA.

Gruppetta, R. (2014). Data Security in Financial Services. Retrieved April 2015 from: http://www.nyu.edu/intercep/lapietra/FSA_DataSecurtiyinFinancialServcies.pdf

Haugen, S. & Selin, J. R. (1999). Identifying and controlling computer crime and employee fraud. Industrial Management & Data Systems, 99(8), 340-344.

Hewet, W. G. & Whitaker, J. (2002). Data protection and privacy: the Australian legislation and its implications for IT professionals. Logistics Information Management, 15(5), 369-376.

Kessel, P. V. (2012). Fighting to Close the Gap: Ernst & Young's 2012 Global Information Security Survey. London, UK: EYGM Limited.

Kitchenham, B. & Pfleeger, S. L. (2003). Principles of Survey Research Part 6: Data Analysis. Class lecture for Software Engineering course, Keele University, UK.

Kritzinger, E. (2012). A Framework for Cyber Security in Africa. Journal of Information Assurance & Cyber Security, 12(2), 32-51.

McLean, J. (1995). The Specification and Modeling of Computer Security. Washington, D.C.: Naval Research Laboratory.

Nikolakopoulos, T. (2009). Evaluating the Human Factor in Information Security. Unpublished master's thesis, Oslo University College, Norway.

Olasunkanmi, S. (2014). An Overview of Contemporary Cyberspace Activities and the Challenging Cyberspace Crimes/Threats. International Journal of Computer Science and Information Security, 12(3), 75-98.

Omar, H., Nermin, H. & Hefny, H. (2014). A Novel Approach to Address Information Leakage Attacks Based on Machine. Journal of Computer Science and Information Security International, 12(9), 31-42.

Performance Solutions International and Financial Insights (2008). Information Security within the Financial Services. Retrieved April 10, 2015 from: http://www.idc.com/downloads/3.5.08_Information_Security_Webcast.pdf

Petri, P. (2006). A Design Theory for Information Security Awareness. Unpublished master's thesis, University of Oulu, Oulu, Finland.

Ponemon Institute LLC (2013). 2013 Cost of Data Breach Study: Global Analysis. Retrieved February 20, 2014 from: http://www.symantec.com/content/en/us/about/media/pdfs/b-cost-of-a-data-breach-global-report-2013.en-us.pdf

Prime Minister's Office (2012). Rwanda Penal Code. Kigali: Author.

Reserve Bank of India (2010). Report on Internet Banking. Retrieved March 20, 2015 from: http://rbidocs.rbi.org.in/rdocs/PublicationReport/pdfs/21595.pdf

Salahuddin, M. A. (2011). Information Security Management: A Case Study of an Information Security Culture. Unpublished doctoral dissertation, Queensland University of Technology, Brisbane, Australia.

Silic, M. & Back, A. (2013). Information security: critical review and future directions for research. Information Management & Computer Security, 22(3), 279-308.

Spurling, P. (1995). Promoting security awareness and commitment. Information Management & Computer Security, 3(2), 20-26.

Stallings, W. (2011). Network Security Essentials: Applications and Standards (4th ed.). New Jersey: Pearson Education.

Stewart, A. (2005). Information security technologies as a commodity input. Information Management & Computer Security, 13(1), 5-15.

Symantec Corporation (2008). Financial Services Information Security and IT Risk Management. Retrieved May 2015 from: http://eval.symantec.com/mktginfo/enterprise/brochures/b-brochure_financial_services_10_2008_14163207.en-us.pdf

Tarushi, S. (2014). Email security using clustering algorithms. International Journal of Computer Science and Information Security, 12(1), 49-54.

Thomson, M. & Von R. (1998). Information security awareness: educating your users effectively. Information Management & Computer Security, 6(4), 167-173.

Torsteinbø, T. (2012). Data Loss Prevention Systems and Their Weaknesses. Unpublished master's thesis, University of Agder, Kristiansand, Norway.

Vinod, P. & Sonar, R. (2012). Identifying linkages between statements in information security policy, procedures and controls. Information Management & Computer Security, 20(4), 264-280.

Williams, R. (2007). Introduction to Basic Security Concepts. A Guide for Administrators and Home Users on the Design and Implementation of Security for Your Network, 9(14), 50-65.

Younus, A., Qureshi, M. & Arlsan, A. K. (2009). Philosophical Survey of Passwords. International Journal of Computer Science and Information Security, 12(1), 8-12.

Ziaka, D. (2013). Support for Harmonization of the ICT Policies in Sub-Sahara Africa. Workshop with Data Protection Stakeholders. Retrieved April 15, 2014 from: http://www.itu.int/en/ITU-D/Projects/ITU-EC-ACP/HIPSSA/Document/In-country%2520support%2520documents/Rwanda_DATA%%2520PROTECTION%%2520POLICY%%2520FINAL.pdf

APPENDIX A: AUTHORIZATION LETTER


APPENDIX B: AUTHORIZATION LETTER


APPENDIX C: QUESTIONNAIRE FOR THE IT DEPARTMENT EMPLOYEES

Dear responder,

My name is Dieudonné MUHIRE; I am a postgraduate student pursuing a Master's Degree in Information Sciences at Mount Kenya University, Kigali campus. For my research project I am researching Data Security Preparedness in order to prevent data theft. This research will take a maximum of 5 minutes of your time and responses will remain strictly confidential. Findings shall be used only for academic purposes. I sincerely thank you for taking the time to fill in this questionnaire.

DEMOGRAPHIC DATA (Please tick for answering)

AGE (Tick one option only): a) 18 – 25 [ ]  b) 25 – 35 [ ]  c) 35 – 45 [ ]  d) 45 and above [ ]

EDUCATION LEVEL (Tick one option only): a) High School [ ]  b) Undergraduate [ ]  c) Graduate [ ]  d) Other [ ]

GENDER (Tick one option only): a) Male [ ]  b) Female [ ]

LANGUAGE SPOKEN (You may tick more than one option): a) Kinyarwanda [ ]  b) French [ ]  c) English [ ]  d) Others [ ]

THE ROOT CAUSES OF DATA INSECURITY

i. How many intrusions has the company experienced in the last 2 years? (Tick one option only)
More than 5 [ ]  1-5 intrusions [ ]  No intrusion [ ]

ii. What do you consider to be the major causes of security incidents in the company? Please rank with numbers from 1 to 6 (starting from the major cause to the minor cause)
- Virus and malicious software
- System or software failure
- Cyber or internal based attacks
- User's errors or non-compliance
- System administrator's errors or non-compliance
- Hardware failure

iii. What kind of response and remediation procedures does the company have in place to handle any incidents identified through this analysis? (You may tick more than one option)
Emergency response plan [ ]  Crisis management plan [ ]  Disaster recovery plan [ ]  Business continuity plan [ ]  Backup recovery process [ ]  No established plan [ ]

iv. In your own view, what are the two obstacles and concerns in carrying out better security compliance at the Company? Please rank with numbers from 1 to 4 (starting from the major cause to the minor cause)
- Lack of awareness and training program
- Lack of adequate technology
- Clear direction in security procedures and roles
- Lack of motivation programs

How many times every five months has the company carried out the following security strategies? (Tick one option only for each row)

Scale: 5 = Very often, 4 = Often, 3 = Sometimes, 2 = Rarely, 1 = Never

Security strategies:
- Provide regular clarifications to customers, helping them to prevent being victimized by robbery or by identity theft
- Conduct a security violation test in order to find the weaknesses of the system's security
- Conduct the data security audit and assessment
- Update security software such as anti-virus, firewalls and others

EFFECTIVENESS OF DATA SECURITY MEASURES CURRENTLY USED (Tick one option only for each row)

Scale: 5 = Strongly agree, 4 = Agree, 3 = Neutral, 2 = Disagree, 1 = Strongly disagree

Questions:
- Is the involvement of end users or employees in executing information security effective for the company?
- Has a documented policy put in place been effective for the company?
- Has the implementation of data loss prevention policies been effective for the company?
- Is the clear procedure to discipline employees who violate the company security policy and regulations effective?
- Has regular training of the company employees improved information security?

THE INFLUENCE OF DATA SECURITY PREPAREDNESS LEVELS ON FINANCIAL SERVICES DELIVERY

In your own opinion, does the use of the following data security mechanisms affect financial service delivery? (Tick one option only for each row)

Scale: 5 = Strongly agree, 4 = Agree, 3 = Neutral, 2 = Disagree, 1 = Strongly disagree

Security mechanisms:
- Computer anti-virus
- Digital signatures
- Backup and recovery
- Encryption
- Motion sensors
- Alarm
- Firewalls
- Physical guards
- Establishment of disaster plan

Is the security of the following financial services affected by security mechanisms?

Scale: 5 = Strongly agree, 4 = Agree, 3 = Neutral, 2 = Disagree, 1 = Strongly disagree

Financial services:
- Keeping money safe
- Processing of credit card transactions
- Use of debit cards
- Financial transactions using Automatic Teller Machines
- Electronic fund transfers
- Automatic payments for bills
- Internet banking system
- Accepting deposits from customers and providing credit facilities

ADDITIONAL SECURITY MEASURES TO IMPROVE DATA SECURITY (Tick one option only for each row)

Can SQL injection tests be useful if added to the existing security system?

If yes how? ...... If no, why? ......


Can the Anti-malware solution deployed on every endpoint be useful if added to the existing security system?

If yes how? ...... If no, why? ......

Can the IP tracking techniques be useful if added to the existing security system?

If yes how? ...... If no, why? ......

Can the Password with Biometric authentication security mechanism be useful if added to the existing security system?

If yes how? ...... If no, why? ......

Can the Network monitoring software be useful if added to the existing security system?

If yes how? ...... If no, why? ......

Do you think the company should establish a formal process to investigate and remediate any detected incidents? (Tick one option only)

5=Strongly Agree  4=Agree  3=Neutral  2=Disagree  1=Strongly Disagree 


APPENDIX D: INTERVIEW GUIDE

Dear responder,

My name is Dieudonné MUHIRE; I am a postgraduate student pursuing a Master's Degree in Information Sciences at Mount Kenya University, Kigali campus. For my research project I am researching Data Security Preparedness in order to prevent data theft. This research will take a maximum of 5 minutes of your time and responses will remain strictly confidential. Findings shall be used only for academic purposes. I sincerely thank you for taking the time to answer this interview.

DEMOGRAPHIC DATA

AGE (Tick one option only): e) 18 – 25 [ ]  f) 25 – 35 [ ]  g) 35 – 45 [ ]  h) 45 and above [ ]

EDUCATION LEVEL (Tick one option only): e) High School [ ]  f) Undergraduate [ ]  g) Graduate [ ]  h) Other [ ]

GENDER (Tick one option only): a) Male [ ]  b) Female [ ]

LANGUAGE SPOKEN (You may tick more than one option): a) Kinyarwanda [ ]  b) French [ ]  c) English [ ]  d) Others [ ]

QUESTIONS ABOUT CURRENT INFORMATION SECURITY MEASURES

I. What are the main security measures put in place to prepare data security in the company?

II. Have the managers put a documented policy in place to protect the company? If so, why?

III. Can you describe the procedures to be taken when insecurity issues arise?

IV. When there is no rule in place to deal with a situation of insecurity, how would it be handled by your company?

V. Do you think information security standards are useful in implementing effective information security?

If yes how? If no, why?

VI. Does the company involve end users or employees in implementing information security?

If yes, how? If no, why?

Data Security Compliance

VII. What are the procedures of motivation put in place by your company which encourage employees to comply with information security?

VIII. Has the company put in place clear procedures to discipline employees who violate the company security policy and rules, for example by downloading unnecessarily large amounts of data?

If yes how? If no, why?

Data Security Awareness

IX. Does the company provide regular clarifications to customers, helping them to prevent being victimized by robbery or identity theft? If yes how? If no, why?

X. Does the company offer regular training to its employees on information security? If yes, how? If no, why?

APPENDIX E: NYARUGENGE DISTRICT MAP

Source: (Google, 2015)


APPENDIX F: ORGANIZATIONAL STRUCTURE OF ACCESS BANK

Source: (Access Bank, 2014)
