ASSESSMENT OF EFFECT OF INFORMATION SYSTEM SECURITY THREATS ON INFORMATION RESOURCES IN PUBLIC INSTITUTIONS: A CASE OF SCHOOL OF GOVERNMENT

Emma Jepkemboi Kemei

A Thesis Submitted to the School of Post Graduate Studies in Partial Fulfillment of the Requirements for the Award of a Master’s Degree in Information Systems of the Faculty of Information Sciences and Technology, Department of Computing Sciences, Kisii University

September, 2017

Declaration

I declare that this is my original work, and it has not been submitted in this or any other college, university or institution.

NAME: EMMA JEPKEMBOI KEMEI ADM NO: MIN11/20353/2014 Signed------Date------

APPROVAL OF RESEARCH THESIS

This research thesis has been submitted for examination with our approval as university supervisors.

------ Dr. James Ogalo Date ------
Lecturer, Faculty of Information Science and Technology, Kisii University

------ Professor Kibiwott Kurgat Date ------
Dean, Faculty of Information Science and Technology, Kisii University

Plagiarism Declaration

Number of Words Declaration

Copyright

All rights reserved. No part of this thesis or information herein may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the author or Kisii University on that behalf. © 2017, Kemei Emma Jepkemboi

Dedication

To my family for their love, support and encouragement throughout the course of my academic journey.

Acknowledgement

I first give my thanks to the Almighty God for the enlightenment to undertake this study up to this level. I would also wish to acknowledge the support accorded to me by several people while undertaking this study: my supervisors Prof. Kibiwott Kurgat and Dr. James Ogalo for the positive suggestions and encouragement which helped me to come up with a research thesis and complete this work; my entire family for the support and prayers they have given me while undertaking my studies; my course mates for giving me moral support and contributions during the study; and Kisii University for giving me a chance to undertake my studies in their campus.

Abstract

Information system security is important to consider in an institution whose routine operations expose its information systems to threats. The management of various activities in organizations is the key issue as perceptions of information system threats increase; however, the basic need to understand the effect of these threats on an organization’s information resources is often ignored. Therefore, the aim of the study was to assess the effect of information system security threats in public institutions. The objectives of the study were: to identify the effect of cybercrime on the utilization of information system resources at Kenya School of Government; to establish the effect of strategies employed by Kenya School of Government on information resources; to determine the effect of information technology policies on information resources in Kenya School of Government; and to find out the challenges information system threats pose to organizational performance. The study employed the descriptive survey research design. The study was carried out in the Kenya School of Government Headquarters in Kabete and its constituent campuses, namely Embu, Baringo, Matuga and Mombasa. The target population was 100 staff working in the ICT Department, secretaries and records officers who handle information across the five campuses. All of these had valuable information on the day-to-day activities of information management in the campuses, which was relevant to the methodology since they interact with the campuses’ information systems daily. The study used a questionnaire for data collection. The study employed census sampling, where the entire population was included in the study. Data analysis proceeded through four major steps: data cleaning, coding, tabulation and interpretation of results. Data processing was carried out using Microsoft Excel and the findings were presented using tables and graphs.

From the results, it was evident that there are widespread ISS threats at KSG, with illegal access to computer systems being the highest at 70% and computer-related acts causing personal harm being the lowest at 40%. Research findings also indicate that the organizations have not embraced ICT policies and strategies to help secure their systems; this is evidenced by 65% of respondents agreeing that they have an ICT policy in place. Organizational commitment to curb cybercrime was rated highest at 79%, which may be attributed to e-government requirements like e-procurement and IFMIS, which must be carried out online. Cost was rated as the highest challenge in adopting and implementing ISS at 71%. This study gathered several recommendations from the respondents, among them training users on ICT usage and its security and strengthening ICT policies.

Table of Contents

Declaration...... ii

Plagiarism Declaration...... iii

Number of Words Declaration...... iv

Copyright...... v

Dedication...... vi

Acknowledgement...... vii

Abstract...... viii

Table of Contents...... ix

List of Tables...... xii

List of Figures...... xiv

LIST OF ABBREVIATIONS...... xv

CHAPTER ONE: INTRODUCTION...... 1

1.1 Background of the Study...... 1

1.2 Problem Statement...... 2

1.4 Objectives of Study...... 2

1.4.1 Specific Objectives...... 2

1.5 Research Questions...... 3

1.6 Justification of Study...... 3

1.7 Conceptual Framework...... 3

1.8 Operational Definition of Terms...... 4

CHAPTER TWO: LITERATURE REVIEW...... 6

2.1 Introduction...... 6

2.2 Theoretical Review of Literature...... 6

2.3 The Standards and Technology Model on Information Security...... 9

2.3.1 Service Definitions in the model...... 11

2.4 Information System Security Threats...... 13

2.4.1 Strategies employed on Information Resources...... 16

2.5 Challenges Information System Security threats pose in organizational performance...... 22

CHAPTER THREE: RESEARCH METHODOLOGY...... 25

3.1 Introduction...... 25

3.2 Research Design...... 25

3.3 Site of the Study...... 26

3.4 Target Population...... 26

3.5 Sampling Techniques...... 26

3.6 Sample Size...... 27

3.7 Research Instrument...... 27

3.8 Validity and Reliability...... 27

3.9 Ethical Considerations...... 27

3.10 Data Collection Procedure...... 27

3.11 Data Processing and Analysis...... 28

CHAPTER FOUR: RESULTS AND DISCUSSION...... 29

4.1 Introduction...... 29

4.2 Common Threats...... 29

4.3 Security Policies and Strategies...... 37

4.3.1 Security Policies...... 38

4.3.2 Information System Security strategies...... 45

CHAPTER FIVE: SUMMARY, CONCLUSION AND RECOMMENDATION...... 52

5.1 Introduction...... 52

5.2 Summary of the Findings...... 52

5.2.1 Common ISS Threats...... 52

5.2.2 IT Policies and Strategies...... 52

5.2.2.1 IT Policies...... 52

5.2.2.2 ISS strategies...... 53

5.2.3 Challenges facing ICT Adoption...... 54

5.3 Conclusions...... 54

5.4 Recommendations...... 55

REFERENCES...... 56

APPENDIX III: QUESTIONNAIRE...... 60

List of Tables

Table 1: Level of illegal access to computer system...... 29

Table 2: Level of prohibited Interception, interruption or access of computer data...... 30

Table 3: Illegal data interference or system interference...... 30

Table 4: Level of breach of measures of data protection...... 31

Table 5: Level of computer fraud or forgery...... 32

Table 6: Level of computer related identity offences...... 32

Table 7: Level of offences related to computer copyright and trademark...... 33

Table 8: Level of sending or controlling spam...... 34

Table 9: Level of personal harm that relate to computer...... 34

Table 10: Level of computer related acts involving racism or xenophobia...... 35

Table 11: Level of computer related to creation and dissemination of child pornography...... 35

Table 12: Level of computer acts associated with acts in support of terrorism offences...... 36

Table 13: Security policies...... 38

Table 14: Rate of commitment of the organization in managing cybercrime reports...... 38

Table 15: Rate of technology...... 39

Table 16: Rate of effect posed by people on the implementation of ICT security...... 40

Table 17: Rate of effect posed by processes on the implementation of ICT security...... 40

Table 18: Rate posed by technology...... 41

Table 19: Rate of validity on the increased usage of the system...... 43

Table 20: Rate of validity on improved usage of the system...... 43

Table 21: Rate of validity on decreased system hiccups...... 43

Table 22: Rate of validity on decreased customer compliments...... 44

Table 23: Effect of IS Threats on Organizational Performance...... 45

Table 24: IT Security control measures...... 47

Table 25: Cost effect in planning and adoption of ICT...... 47

Table 26: Value of ICT...... 48

Table 27: Difficulty in ICT usage...... 48

Table 28: Company's needs...... 49

Table 29: ICT and business operations improvement...... 49

Table 30: Satisfaction on ICT usage...... 50

Table 31: Barriers and Challenges in ICT Adoption...... 51

List of Figures

Figure 1: Conceptual Framework...... 4

Figure 2: Information Security Services Model...... 10

Figure 3: Graph showing ISS threats...... 37

Figure 4: Elements affecting ISS implementation...... 42

Figure 5: Graph showing IT security control measures...... 46

Figure 6: Barriers and challenges in ICT Adoption...... 50

LIST OF ABBREVIATIONS

BSI: British Standards Institute

COBIT: Common Objectives for Information and Technology

CSL: Computer Systems Laboratory

DSS: Data Security Standard

EAL: Evaluation Assurance Level

ERP: Enterprise Resource Planning

ICT: Information Communication Technology

IEC: International Electrotechnical Commission

IRS: Information Resources Security

IS: Information System

ISACA: Information Systems Audit and Control Association

ISM: Information System Management

ISMS: Information Security Management System

ISO: International Standards Organization

ISS: Information System Security

IT: Information Technology

ITGI: Information Technology Governance Institute

ITIL: Information Technology Infrastructure Library

ITU: International Telecommunication Union

KSG: Kenya School of Government

MIS: Management Information System

NIST: National Institute of Standards and Technology

SME: Small and Medium Enterprise

CHAPTER ONE: INTRODUCTION

1.1 Background of the Study

Information technology is globally acknowledged as the engine that drives the economies of countries in the world. It enables governments to provide better services to their citizens and enables a country to improve economic productivity (NIST, 2011). Quite a number of organizations also depend exclusively on information systems to successfully undertake their mandate. As a result of the remarkable progress made in the development, adoption and utilization of information technology, it has become necessary to adopt measures that will cushion all concerned institutions against any kind of threat. This is because the new technology is not immune to roving cyber-threats, which requires institutions to come up with innovative measures to curb cyberspace crime.

Safety measures against information system threats are important particularly in the public sector, which serves as a large database for the government (Gurpreet, 1995). An information security management system can be defined as part of the overall management system, based on a business risk approach, that establishes, implements, operates, monitors, reviews, maintains and improves information security; whereas an Information System (IS) can be defined as the processes needed to deliver the client’s business and its client’s requirements in relation to the business plan. Hence, the IS objectives of any organization are to rationalize data pools and information repositories to make that organization work efficiently. By exploring the information security management strategies and processes deployed for the sustainable development of e-government all over the world, this research explores the applicability of information system security management systems in e-government.

Therefore, all governments should become responsible and accountable in managing threats to information systems. Information systems security addresses not just data but the dynamic transformation contexts in which the data is applied (Gurpreet & James, 2000). Owing to the sensitivity of government data, interest in information security has become an everyday issue, as reflected in the current standards and certifications on internet security (Bobert & Kenneth, 2009; Whiteman & Mattrod, 2003). According to Bobert and Kenneth (2009), the security of information systems for government institutions is important because such institutions are the targets of cyber-crime. In terms of financial security, it is important to protect institutions from system threats that could negatively impact organizations’ finances.

According to Narayanan (2014), it is not only the information itself that has to be protected but the way it is presented. The obvious practical implication for effective implementation is the need for a process of continual adaptation and alignment of information security in e-government to reflect changing demands while meeting the priorities of government operations at the respective public institutions. Information is the central asset of government institutions, without which there can be no activity (Basie, 2014). Information security is thus critical. Information security has been successfully incorporated by all Internet Service Providers (ISPs) as one of their top information security management priorities (Grimson, 2005). Information security is enforced through the implementation of strong password encryption in critical areas, access lists to control areas of access, and firewalls where necessary. This means that ISPs’ databases consist of a variety of flat file systems as well as high-end relational databases. The ISPs operate a Cisco routing and switching network as well.

Consequently, any education institution may choose to implement information security in its e-government at any of the defined processes at any stage of maturity. E-government involves the application of different technologies. In African countries, e-government implementation is unique because of technological shortcomings. Again, implementation of e-government is challenging given the lack of resources, electrical supply particularly in the rural areas, and even national ICT infrastructure. However, there has been instead a more strategic approach to implementing e-government to accommodate individual differences and actively engage all users (Basie, 2014). Although all e-government systems are expected to provide mechanisms of access control that limit access to content, unauthorized users can also gain access through the underlying layers, such as the operating system or the database system on which the e-government system is installed. It is therefore necessary to ensure that access control is enforced on all layers, including physical access to the servers. Trust in e-government is a necessity. In these cases the security requirements of all stakeholders mean they must be able to rely on the accuracy of the content and on protection of the content of the deployed e-government platform against unauthorized modification. To avoid all these security glitches, implementation of security mechanisms and a policy that clearly states what will be stored, and for how long, can reduce this risk for users. However, members of the public tend to trust all sources of information and accept whatever is offered by the government. It is thus very important that the integrity of content, including the author’s identity, is managed, and not just controlled. However, the speed at which technology is evolving makes it difficult to provide reliable protection. A study by Grimson (2005) on the IS systems currently in use in government departments in Britain reported that advancements in technology and the need for reliable data networks have fostered a desire to efficiently make use of computing resources for the safety of all users (UNESCO, 2002).

Compared to other countries, the Kenyan government relies on common IT platforms and new technologies to increase the efficiency and effectiveness of government services. According to Obure (2002), IT has facilitated communication in all government institutions. However, these technologies present threats that pose major security risks. Thus, there was a need to find out how the government is securing its cyberspace from information system threats. E-government and the use of ICT are playing a key role in shaping service provision in Kenya (Basie, 2014). Its implementation is providing innovative and creative ways for the transfer of services across Kenya. Since the Internet came to Kenya in 1994, the country has experienced phenomenal growth in its use. There are now numerous internet hosts, close to 100 licensed Internet Service Providers and over a quarter of a million internet users in the country (Narayanan, 2014). The latest trend of internet usage shows that usage of the internet almost tripled over the last two years due to the number of Internet access centers, particularly in urban areas. The process of implementing e-government in Kenya is managed by e-government. E-government was established to sustain communication and networking in government institutions in Kenya, facilitate wide use of ICTs in e-government implementation and share other information resources with the general populace at affordable cost (Otieno, 2016). The key objectives of e-government were to develop a comprehensive national portal with an appropriate e-government process that trains sufficient ICT support staff, to establish a high-speed national IP-based network interconnecting all government institutions, and to provide sustainable and permanent Internet access to all institutions. After laborious research the government has successfully put in place a high-speed national IP-based network interconnecting all government institutions (Kurgat, 2015).

As a result there has been a tremendous improvement in the ICT infrastructure. However, effective implementation of e-government infrastructure in the Kenyan School of Government has not been achieved due to a lack of explicit ICT policy targets, strategic indicators of e-government implementation and information system security threats (Otieno, 2016).

1.2 Problem Statement

Most public institutions usually collect and store large volumes of vital information and transmit data across distributed networks of computers (Katundu, 2014). However, there is an increasing volume of complicated cyber-attacks on such data. For instance, in 2013, 103 government websites were defaced, while in 2014 websites and a government Twitter account were hacked. Since users pose a major threat to information system security, there is a need to understand the risk they pose to data held in information resources. Although information management influences the perceptions of threats, there is a need to understand the effect of threats to information security on an organization’s information resources (Gurpreet, 1995). Many companies are implementing ISS to curb cybercrime. Since ISS largely depends on IT, its successful implementation can be measured by its effectiveness in supporting an organization’s information plans (O’Brien, 2004). As organisations adopt IT systems, they must pay special attention to the implementation of measures to curb threats. Previous studies have addressed computer security generally, but few studies have addressed the issue of information system security threats in public organizations in Kenya. This study sought to assess the effects of information system security threats on information resources in public institutions in Kenya.

1.4 Objectives of Study

The general objective of this study was to assess the effect of information system security threats on information resources in public institutions.

1.4.1 Specific Objectives

i. To identify the effect of cybercrime on the utilization of information resources in Kenya School of Government.

ii. To find out the challenges of information system threats on organizational performance in Kenya School of Government.

iii. To establish the effect of strategies and policies employed by Kenya School of Government on information resources.

iv. To determine the possible strategic solutions which can be put in place by Kenya School of Government to ensure information resources are protected.

1.5 Research Questions

i. What are the common information system security threats in Kenya School of Government?

ii. What challenges do information system threats pose on organizational performance in Kenya School of Government?

iii. What are the information resource strategies and policies employed at Kenya School of Government?

iv. What are the possible strategies which can be put in place by Kenya School of Government to ensure that information resources are protected?

1.6 Justification of Study

The Kenyan government is promoting the use of ICT in public institutions to enhance the accessibility of information to the public. However, ICT adoption exposes a country to emerging information system threats through hackers, cyber spies and fraudsters who routinely target information systems controlled by governments. Recent studies have not examined the issue of information system security threats, particularly in the School of Government in Kenya. This study was important as it examined the issue of information system security threats in Kenya, focusing on the School of Government. This is motivated by the growing dependence on ICT in spite of the possibility of cyber-attack. Therefore, this study explored the effects of information system threats on information resources in public institutions, with Kenya’s School of Government as the case.

1.7 Conceptual Framework

The independent variables were the threats to information resources and the security strategies used by organizations to curb information threats. Both variables have a direct effect on the safety of the information resources. The dependent variable is the information resources security. The framework has intervening variables which include policies and organizational dynamics.

Figure 1: Conceptual Framework (2017)

Independent Variables: Information System Security Threats (Common Threats; Security Strategies)

Intervening Variables: Organizational Policies; Organizational Dynamics

Dependent Variable: Information System Resources Security (Business Continuity; Value addition; Cost Reduction; Service delivery)

1.8 Operational Definition of Terms

Availability: This refers to the presence and use of information on a government-sponsored IT platform without interruption

Closed network: This is a network that provides connectivity only to a specified user

Computer security policy: This refers to guidelines on the management of risks to computer information systems

Computer Security: The protection of an information system by focusing on the integrity, availability and confidentiality of information system resources

Cybercrime: Any crime that involves computer systems and networks

Cyberspace: This is a complex computing environment involving interaction of users and software and services as connected by some technological devices

Distributed information system: A system where physical computer components are installed and coordinated to provide linkages between them

E-government: This is the digital interaction between citizens and government agencies for business and other interactions

Information security strategy implementation: putting in place safety measures to protect and safeguard information and information systems against any threats

Information security: is the practice of safeguarding information against misuse and mismanagement by unauthorized users

Information System Security Threat: Any possible danger that might breach or interrupt computer system security

Information system security: Safety of the confidentiality and integrity of an information system

Information system: Interaction between users and computer systems through which information processing is facilitated

Policy: Plan or course of action that influences and determines decisions

Public Organization: An institution managed by the government

Security breach: This refers to an undesired act that violates information systems security

System integrity: Ability of information system to function in an unimpaired manner and free from unauthorized manipulation

Threat: An event that renders an information system vulnerable to attack

CHAPTER TWO: LITERATURE REVIEW

2.1 Introduction

This chapter presents a general review of previous studies, observations and opinions related to the planned study. It therefore leads to an appreciation and understanding of the research that has already been done in the area of interest of the study. Theoretical and empirical reviews and research gaps are also included in this section.

2.2 Theoretical Review of Literature

The digital world offers great benefits but also comes with significant and unprecedented risks. From a positive point of view, internet technology allows users quick and inexpensive access to a large amount of information provided on websites, digital libraries or other computerized sources. However, the same IT that is replete with numerous benefits, if not properly controlled, can leave information systems vulnerable to threats like fraud, sabotage and malicious acts. Over the years, a number of security approaches have been developed to help manage IS threats and limit the possibilities for IS breaches. In an organization, IS provides access to essential services anywhere at any time over closed and open networks. Bowen, Joan and Mark (2006) pointed out that constructive efforts can result in security and privacy in the management of the IS. Abdulla (2010) found that information management in public institutions in Canada was highly appreciated because of the reciprocal support for external clients of e-government systems. According to Wall (2011), information system security helps in understanding how the networks of security within cyberspace operate and the relationships needed to forge new relationships with the other nodes within the network. The public police in many countries are undergoing a transition period and are exploring how to forge partnerships with other organizations or agencies. This argument is especially noteworthy, not only because of the distributed nature of cybercrime, but also because in reality there are many interest groups who play a role in policing cybercrime other than the public police, either private organizations or governmental non-police organizations.

According to Abdulla (2010), determining the exact requirements for information system security for a given organization is essential for proper security measures. A distributed system requires new security management measures and policies to alleviate the threats and challenges arising from new technologies, software applications and network devices. Information security attacks on an organization’s information have an expensive impact, loss of customer confidence and a negative business reputation (Kumar, Park & Subramanian, 2008). Consequently, e-government implemented in Kenya involves the application of different technologies such as interactive video conferencing and virtual classrooms, among others. Some of these learning technologies will involve discussion between teachers and students who are far from each other. There has been instead a more strategic approach to implementing e-government to accommodate individual differences and actively engage learners in developing their ability to acquire knowledge. Whatever the design, IS is a critical issue in e-government. It is the responsibility of everyone who has the opportunity to control or report the institution’s data to support its IS program throughout the institution. Each role has different responsibilities for IS, and each individual should be accountable for his or her actions. Accountability requires clear lines of reporting, clear communication of expectations, and the delegation and judicious use of appropriate authority to bring about compliance with the institution’s policies, standards, and procedures. Thus, every e-government model should be sensitive to the security of the information systems, to the level of availability of infrastructure, technical support, and clear policy on implementation, evaluation and curriculum re-orientation. Kenya has successfully implemented e-government institutions.

However, the lack of explicit ICT policy targets and strategic indicators in higher education has resulted in a weak implementation, monitoring and evaluation framework, which translates into a lack of an IS management framework. Successful implementation of an ICT in education strategy requires concrete indicators and a sound institutional framework for implementation, with the requisite capacity for monitoring and evaluation. Based on these findings, it is imperative to note that governmental institutions in e-government implementation to their users (Otieno, 2016).

Operationally, information security is the protection of information to ensure confidentiality, integrity and availability. This can be achieved by applying a suitable set of controls, namely policies, processes, procedures, organizational structures, and software and hardware functions. The primary reason why IS is so important within the e-government environment is that e-government is mainly dependent on information as well as ICT. It is the use of ICT, however, that can lead to many possible IS risks that can compromise information. For instance, an e-government environment allows students to access a system from remote access points. This is the environment that exists where teachers or students either load course material onto course web sites for students to retrieve, or students retrieve course material and lectures from a course web site, or even submit assignments to a course web site from where lecturers retrieve and mark such assignments. But the IS risks that can arise from the above-mentioned examples without proper ISM include alteration of course materials, copying of assignments from course websites by unauthorized users, or deletion of submitted assignments by unauthorized users. These IS risks should be addressed by ensuring that e-government IS countermeasures are implemented throughout the e-government environment.

ISS plays a vital role in e-government, e-business and e-commerce operations, enterprise collaboration and management, and the strategic success of the organization (Hevner, 2004). According to Ein-Dor and Segev (2016), an IS is applied to improve management by the directors of the organisation. With the growth of a competitive global environment, there is considerable pressure on most organizations to make their operational, tactical, and strategic processes more efficient and effective. An information system is a group of components which can increase competitiveness and provide better information for decision making. Therefore, various organizations have chosen to apply this group of components to their associations (Spalding, 1998). Consequently, organizations decide to implement IS in order to improve their effectiveness and efficiency. Information systems have become a major functional area of business administration. Such a system can increase the performance of management, in which case the IS is referred to as an MIS. An MIS is a collection of manpower, tools, procedures and software to perform various business tasks at various levels in the organisation. This system has three basic levels, operational, middle management and top management, where information is passed from bottom to top (Tripathi, 2011). Moreover, MIS is one of the important functions of management, which plays an important role in providing the information required for crucial decision making that directly affects the performance of the organisation (Murthy, 2006). Due to a fundamentally changing external environment, several organizations have decided to change their IS strategies by adopting application software packages rather than in-house development (Hong & Kim, 2002). There are several types of MIS, but the most commonly adopted one for e-government functions is Enterprise Resource Planning (ERP).

According to Davenport (1998) the most significant development in the corporate use of IS is the establishment of enterprise resource planning (ERP) systems. ERP systems are information technology (IT) infrastructures that facilitate the flow of information between all supply chain processes in an organisation (Al-Mashari & Zairi, 2000). ERP systems, moreover, provide the means for management to respond to increased business needs in more effective and efficient ways (Spathis & Constantinides, 2003). Nonetheless, one concern about ERP systems is their flexibility and ability to meet specific organisation and industry requirements. A study by Robert (2011) reveals that the cyber risk scenario is evolving rapidly in many areas. Governments are facing an unprecedented level of cyber-attacks and threats with the potential to undermine national security and critical infrastructure, while businesses that store confidential customer and client information online are fighting to maintain their reputations in the wake of massive data breaches. Businesses across a wide range of industry sectors are exposed to potentially enormous physical losses as well as liabilities and costs as a result of cyber-attacks and data breaches. Some organizations still integrate their systems using conventional unilateral systems (Davenport, 2000). In addition, some organizations have developed their own customized suites of ISs, known as a best of breed (BoB) IT strategy, which offers greater flexibility and closer alignment of software with the business processes of the organisation (Light, Holland & Wills, 2001). Therefore, adoption and utilization of ERP and BoB systems should be considered a significant factor, and the choice should be appropriate for the organization and its current business processes.

The intention of implementing security measures, controls and policies in an organization is to guard its information system security against threats. The main concerns in information system security are the objectives of confidentiality, integrity and availability, which aid in improving system security (Chen, Shaw & Yang 2006). New threats to information systems arise from unexpected sources as an organization becomes more dependent on them (Nyanchama, 2005). All organizations having information systems on a distributed platform involving websites, intranet and internet are susceptible to a number of security threats, the internet being the major one because hackers can access valuable information easily. Security of information systems is being strongly challenged by several threats due to the recent introduction of internet-based applications such as online business. Given the information-intensive characteristics of the modern global economy dominated by the Internet and the World Wide Web, it should be no surprise to learn that information security is a growing spending priority among most companies and government agencies. The growth in spending is occurring in a variety of areas, including software to detect viruses, firewalls, sophisticated encryption techniques, intrusion detection systems, automated data backup, and hardware devices (Abdulla, 2010).

Initially, most networks were designed as closed networks. A closed network typically consists of a network designed and implemented in a corporate environment that provides connectivity only to known parties and sites, without connecting to public networks. Networks designed this way in the past were thought to be reasonably secure because they had no outside connectivity. With the advent of personal computers, LANs, and the wide-open world of the Internet, the networks of today are more open. As e-government, e-business and Internet applications continue to grow, the key to network security lies in defining the balance between a closed and an open network and differentiating secure from insecure network interconnections. Organizations were soon realizing tremendous cost savings by connecting their services and enterprise resource planning systems to their stakeholders and business partners, by connecting automation systems to mobile employees, and by providing electronic commerce connections to business customers and consumers. The firewall began to include intrusion detection, authentication, authorization, and vulnerability-assessment systems (Chen, Shaw & Yang, 2006). With the increased number of LANs and personal computers, the Internet began to create untold numbers of security risks. Firewall devices, which are software or hardware that enforce an access control policy between two or more networks, were introduced. This technology gave organizations a balance between security and simple outbound access to the Internet, which was mostly used for communication, e-mail and web surfing. This balance was short-lived as the use of extranets, which connect the processes of internal and external organizations, began to grow.

2.3 The Standards and Technology Model on Information Security

According to Gary (2002) an underlying model of information security services is made up of principal services and supporting elements used in implementing information technology security capability. The model categorizes the services according to their primary purposes, including support, prevention and recovery functions. The model also encompasses the basic information security factors, which include authenticity, authorization, privacy and non-repudiation. All these factors hold the key for successfully managing information security in many organizations (Gurpreet & James, 2000). However, users ought to direct their focus on the implementation of these principles in their own information system. Availability services are those that directly impact the ability of the system to maintain operational effectiveness. One aspect of maintaining effectiveness is protection from unauthorized changes by defining authorized access. Mission effectiveness is also maintained by detecting intrusions, detecting a loss of wholeness, and providing the means of returning to a secure state.

Figure 2: Information Security Services Model Source: NIST Handbook (2001)

2.3.1 Service Definitions in the model

As shown in figure 2, supporting services are, by their very nature, widespread and linked to many other services in an organization, such as identification and naming. In order to implement quite a number of essential services in an organization, it is essential that both subjects and objects be clearly identifiable. This provides the capability to uniquely identify users, processes, and information resources. The cryptographic keys in the figure must be securely managed when their functions are implemented in various other services. Security administration is also necessary, so that the security features can be administered to meet the needs of a specific installation and to account for changes in the operational environment. Underlying the different security functional capabilities is a base of confidence in the technical implementation. This safeguards the quality of the implementation from both the perspective of the design processes adopted and the manner in which the implementation is to be achieved.

According to Robert and Kenneth (2013) system protection involves residual information protection, modularity, layering and data minimization. These services can prevent a security breach from ever happening. Protected communications matter in a distributed system, where the ability to accomplish security objectives is highly dependent on reliable communications (Robert & Kenneth, 2013). The protected communication services ensure the integrity and confidentiality of data in transit. In most situations all three elements are essential requirements, with confidentiality particularly required for data authentication. The authentication service provides the means to verify the identity of a subject, while the authorization service enables specification and subsequent management of the allowed actions for a given system. According to Ana-Maria, Mihai and Florin (2010), once the subject requesting access has been validated for access to particular processes, enforcing the defined security policy is still necessary. The access control enforcement service provides this enforcement, and frequently the enforcement mechanisms are distributed throughout the system.

This implies that it is not only the correctness of the access control decision, but also the strength of the access control enforcement, that determines the level of security obtained. Checking identity and checking the requested access against control lists is a common access control enforcement mechanism. As seen in the model, non-repudiation underpins system accountability: it depends upon the ability to ensure that senders cannot repudiate sending information and recipients cannot deny receiving it, and non-repudiation is a service that spans prevention and detection. As a result, this service is typically performed at the point of transmission or reception. Transaction privacy maintains the privacy of individuals using these systems and protects against loss of privacy with respect to the transactions being performed by an individual.

Because no set of preventive measures is perfect, it is necessary to detect security breaches and to take actions to reduce their impact. The auditing of security-relevant events is a key element for after-the-fact detection of, and recovery from, security breaches. Intrusion detection and containment help to detect insecure situations in order to respond in a timely manner; detecting a security breach is of little use if no effective response can be initiated, and the intrusion detection and containment service provides both capabilities. The proof of wholeness service determines whether integrity has been compromised, that is, whether information or system state is potentially corrupted. Finally, the restore secure state service ensures that when a security breach occurs, the system is able to return to a secure state.
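The layering the model describes, from identification through authentication, authorization and access control enforcement to audit, proof of wholeness and restoration of a secure state, is easier to see in working code. The following Python program is an added illustration written for this edit; it is not code from the thesis or from the NIST handbook, and the user records, access control list, passwords and course-material content in it are constructed sample data. It applies the services to the e-learning scenario described at the start of this chapter: a lecturer may write course materials, a student may only read them, every request passes through a single enforcement point that records an audit entry, and a tampered file is detected by comparing its hash against a known-good fingerprint and then restored.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Set, Tuple

# Constructed sample data (not from the thesis): two subjects and two objects
# taken from the e-learning scenario in this chapter.
USERS: Dict[str, Tuple[bytes, bytes]] = {}          # user id -> (salt, password hash)
ACL: Dict[str, Dict[str, Set[str]]] = {             # object -> user id -> allowed actions
    "course_materials": {"lecturer1": {"read", "write"}, "student1": {"read"}},
    "assignments": {"lecturer1": {"read", "write", "delete"}, "student1": {"write"}},
}
AUDIT_LOG: List[dict] = []                          # record for after-the-fact detection


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Supporting service: identification and naming. A subject is known to the
# system only once it has a unique id and a credential on record.
def register_user(user_id: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[user_id] = (salt, _hash_password(password, salt))


# Prevention service: authentication verifies the claimed identity.
def authenticate(user_id: str, password: str) -> bool:
    record = USERS.get(user_id)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(_hash_password(password, salt), expected)


# Prevention service: authorization answers "may this subject perform this
# action on this object?" by consulting the access control list.
def authorize(user_id: str, obj: str, action: str) -> bool:
    return action in ACL.get(obj, {}).get(user_id, set())


# Access control enforcement: one choke point every request passes through,
# so the decision above is actually applied and every outcome is audited.
def enforce(user_id: str, password: str, obj: str, action: str) -> bool:
    authenticated = authenticate(user_id, password)
    allowed = authenticated and authorize(user_id, obj, action)
    AUDIT_LOG.append({"user": user_id, "object": obj, "action": action,
                      "authenticated": authenticated, "allowed": allowed})
    return allowed


# Detection service: proof of wholeness. The current content of a resource is
# compared against a fingerprint taken when it was last in a known-good state.
def fingerprint(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


class Resource:
    def __init__(self, name: str, content: bytes):
        self.name = name
        self.content = content
        self.known_good = content                  # copy kept for recovery
        self.baseline = fingerprint(content)

    def is_whole(self) -> bool:
        return hmac.compare_digest(fingerprint(self.content), self.baseline)

    # Recovery service: restore secure state after a detected breach.
    def restore(self) -> None:
        self.content = self.known_good


def run_scenario() -> dict:
    """Walk the model's services over the constructed e-learning data."""
    register_user("lecturer1", "correct horse")
    register_user("student1", "battery staple")
    results = {
        "lecturer_writes": enforce("lecturer1", "correct horse", "course_materials", "write"),
        "student_reads": enforce("student1", "battery staple", "course_materials", "read"),
        "student_writes": enforce("student1", "battery staple", "course_materials", "write"),
        "student_deletes": enforce("student1", "battery staple", "assignments", "delete"),
        "bad_password": enforce("student1", "guess", "course_materials", "read"),
    }
    notes = Resource("course_materials", b"Lecture 1: introduction to IS security")
    notes.content = b"Lecture 1: altered by an unauthorised party"   # simulated tampering
    results["tamper_detected"] = not notes.is_whole()
    notes.restore()
    results["restored"] = notes.is_whole()
    results["denied_events"] = sum(1 for e in AUDIT_LOG if not e["allowed"])
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the thesis makes about enforcement strength is visible in the design: the ACL lookup in `authorize` is correct on its own, but it only protects anything because `enforce` is the sole path to a resource and writes an audit entry for denied as well as allowed requests. Likewise the hash comparison in `is_whole` detects a breach but does nothing to repair it; that is the separate `restore` step, which only works because a known-good copy was kept.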

Generally, the aim of information security governance is to ensure that institutions are proactively implementing appropriate information security controls to support their mission in a cost-effective manner, while controlling evolving information security risks. As such, information security governance has its own set of requirements, challenges, activities and types of possible structures. Information security governance also has a central role in identifying key information security responsibilities and it influences security policy development and oversight and ongoing monitoring activities. To ensure an appropriate level of support of agency missions and the proper implementation of current and future information security requirements, each agency should establish a formal information security governance structure (Groznik, Kovačič & Spremić, 2003).

2.4 Information System Security Threats

The advancement in information and communication technologies has facilitated the presence of enormous and vast amounts of information. This has also generated significant risks to computer systems and to the other critical operations and infrastructures they support. In spite of the significant advances in the information security area, many information systems are still vulnerable to inside or outside attacks (Ana-Maria, Mihai & Florin, 2010). Computer systems are vulnerable to many threats that can inflict various types of damage, resulting in enormous losses. This damage can range from human errors harming database integrity to unprecedented accidents destroying entire computer centers. Losses can stem from the actions of supposedly trusted employees defrauding a system, from hackers and crackers, or from careless data entry clerks. Precise estimation of computer security losses is not possible because many losses are never discovered, and others are ignored to avoid unfavorable publicity. The effects of various threats vary considerably: some affect the confidentiality or integrity of data while others affect the availability of a system (Barbara & Edward, 1995).

Threats to information systems and cyber-based critical infrastructures are evolving and growing. These threats come from a variety of sources, such as foreign nations engaged in espionage and information warfare, criminals, hackers, virus writers, and disgruntled employees and contractors working within an organization (Gregory, 2009). Personal, government and business applications continue to multiply on the internet, with immediate benefits to end users. However, these network-based applications and services can pose security threats to individuals and to the information resources of companies and governments. According to Vijay (2013) disastrous but prevalent information security control deficiencies continue to place public ISs at risk of inadvertent or deliberate misuse, unauthorized modification or destruction, inappropriate disclosure and disruption of critical operations. An underlying cause of all these weaknesses is that organizations need to effectively transform key elements of their vast information security programs. These consequences have been experienced in many institutions all over the world, including Kenya, where the negative impact has been felt. The influence of Asia is growing rapidly and will continue to do so in the subsequent decades. A comparative study by Aguiar, Boutenko, Rastogi, Subramanian and Zhou (2010) noted that it has the largest offline population in terms of supremacy, representing 45% of all the world's internet users. This number is anticipated to grow further, largely due to the increase of internet users in China and India (Aguiar, et al., 2010).

In a case study on technological transformation in organizations, Groznik, Kovačič and Spremić (2003) reported that the use of information systems is mandatory for organizations to efficiently perform their day to day functions. Many institutions use desktops, PCs, laptops and other network connectivity such as internet and email, which are generally available in workplace contexts. This means that networked information systems are the most valuable assets for many organizations. However, recent studies have pointed out that some employees misuse information systems (Groznik, Kovačič & Spremić, 2003). This poses major challenges to institutions; in severe cases it may lead to loss of productivity and revenue, legal liabilities and other workplace issues. Organizations need effective countermeasures to enforce their appropriate usage policies, minimize their losses and increase productivity (Vijay, 2013).

In a connected world where information is abundant, a new way of viewing the global business landscape is gradually emerging. In a study on the trends and prospects for information systems, Bowen, Joan and Mark (2006) reported that cyber security threats have evolved with such unparalleled speed, complexity and impact that organizations are no longer asking how to use information but how they can ensure that the information most important to the business is secure. Given the critical nature of data in all aspects of modern enterprises and the astonishing growth in the rate of cyber-criminal acts whose motive is to undermine organizations, governments are experiencing not simply escalating risk but the real possibility of suffering an information security breach. In fact, the harsh reality of today's security environment means that organizations are likely to experience one, and there may only be two kinds of organizations: those that have been breached and know it, and those that remain dangerously oblivious to it (Robert & Kenneth, 2013). This radical change in the business landscape is a powerful wake-up call that should be unequivocally handled by all the people concerned. This is because a lot is at stake, notably intellectual property, information about customers, operational and financial data and, most importantly, organizational reputation. Many governments are realizing the importance of an essential reconsideration of how information security is conceptualized and positioned within the institutions concerned. According to Ernst & Young (2008) IS expertise must remain an essential ingredient of preparedness if it is to help government leaders have confidence that pertinent information is sufficiently protected against potential threats. In a world of ever-evolving threats that can cause potentially catastrophic damage and may even lead to an organizational cyber fatality, better protection enhances business performance and the ability to operate proactively, as well as heightened resilience in the face of continually evolving threats.

According to Ernst & Young (2008) the nature of digital security is best understood in terms of internal and external threats. Internal threats to information security range from inadvertent simple user error and the loss of mobile devices to malicious attacks such as internal fraud and data theft. As companies support productivity through the rapid integration of personal devices, cloud computing and other aspects of total mobility, there is a corresponding increase in the risk to which the information located on or accessed via these channels is exposed. Not only does the inherent accessibility of these systems breed vulnerabilities, but they also demand more and more complex processes of integration. As IT teams are forced to hang new systems on insufficiently compatible existing frameworks, information security may be compromised, albeit unwittingly.

External threats such as hackers are well-funded, persistent and sophisticated. Moreover, in the event that interruption to access is experienced over long periods of time, information insecurity may result in the loss of critical and sensitive information, loss of revenue, violation of privacy, access to illegitimate online services and exposure to cyber-attacks and fraud (Tripathi, 2011). It is apparent that cyber criminals are motivated to evolve as quickly as possible. Thus, defenses must be equally responsive to keep pace with the fast-evolving, multidimensional threats across all sectors. The exact risk spectrum varies by industry, but what is needed is a strategic understanding of the value of data and of the ability of an organization to thrive. Rapid consolidation through mergers and acquisitions implies that a number of organizations will be operating across multiple industries. An organization's security framework may be sufficient for its intended sector, but expansion beyond it calls for corresponding security procedures (Ernst & Young, 2013).

According to Tripathi (2011) computer security is designed to protect an organization's information, hardware, and software. Through the selection and application of appropriate safeguards, security helps the organization's mission by protecting its physical and financial resources, reputation, legal position, employees and other tangible and intangible assets. Nevertheless, security is sometimes viewed as thwarting the mission of the organization by imposing poorly selected, bothersome rules and procedures on users, managers and systems. However, well-chosen security rules and procedures are usually put in place to protect important assets and thereby support the overall organizational mission (Robert & Kenneth, 2013).

2.4.1 Strategies employed on Information Resources

The structure of cyber attack response differs from one state to another, and some countries have cyber crisis management systems that put defense and damage restoration above cyber attack attribution. As a result, it becomes extremely difficult not only to attribute a particular cyber attack, but also to generate information about the varying nature of threats, the characteristics and methodologies of threats and emerging threat idiosyncrasies for the purpose of developing response strategies and reallocating resources, as necessary, to accomplish effective prevention (Carter & Schafer, 2005). A key aspect of IS management is the organization's context, in which the system is deployed and operates. Each organization has its unique setting and constraints, such as political, social and economic ones. Ultimately these constraints can raise different issues relevant to IS management.

Most researchers suggest that in an environment of government initiatives and a low level of ICT readiness, there would be less emphasis on privacy, security and confidentiality issues (Nour, 2007). Therefore, it is important to gain an understanding of the organizational and national dimensions in which the organization operates. Computer systems often critically support the mission of an organization. Protecting them can be as critical as protecting other organizational resources such as money, physical assets or employees. However, incorporating security considerations into the management of information and computers does not completely eliminate the possibility that these assets will be harmed. Ultimately, organization managers have to decide what level of risk they are willing to accept, taking into account the cost of security controls. As with other resources, the management of information and computers often transcends organizational boundaries. When an organization's information and computer systems are linked with external systems, management's responsibility also extends beyond the business. This requires that management understands the general level of security employed on the external systems, or seeks assurance that the external system will provide adequate security for the data of the organization (Molla & Ioannis, 2005).

According to Gregory (2011) an organization's IS deficiencies can relate to user identification, authentication, authorization, boundary protections, cryptography, audit and monitoring, physical security, configuration management, segregation of duties, and contingency planning. Most organizations face a wide range of IR management threats. Securing their information has become an important function within the IS management regime. With an increasing reliance on technologies connected over distributed data networks, an effective ISS management strategy has become a success factor for both public and private organizations (Salahuddin, 2011).

According to Solms (1999) adequate ISM standards provide the basis for safeguarding an organization's essential data. Effective guidelines for IS security also help guarantee the privacy, veracity and accessibility of organizations' information. These standards solely provide guidelines and frameworks, not solutions, for the management of IS. The guidelines rely largely on the organization's risk assessment to determine how they should be implemented, and therefore require a policy baseline (Hone & Eloff, 2002). Issues related to public sector management require more consideration of the organizational environment, culture and stakeholders. The use of security strategies and standards in government agencies not only improves the level of security but also makes it easier for organizations to agree on which security safeguards ought to be implemented.

Despite increasing investment in information security and its strategic role in an organization's success, effective implementation of information security strategy still remains one of the top challenges facing global organizations (Ernst & Young, 2008; Fratto, 2009). Businesses have been urged to make information security a strategic issue in order to compete and survive in this era of global economy and ever-changing enterprise risk (Wood, 1993; Ezingeard, 2005; Amaio, 2009). Success in such demanding business environments depends in large part on implementing an effective information security strategy to protect ISs and information assets. Recent information security researchers recommend that organizations employ an overall information security strategy that integrates people, processes, technology, and operational capabilities to ensure effective defenses across the organization (Allen, 2005). Additionally, today's global connectedness and rapidly advancing information technologies have made technology-driven security solutions inadequate to meet information security challenges (Caralli, 2004; Alberts et al., 2001; Alberts & Hayes, 2003).

In order to face these challenges and to take advantage of new opportunities brought by advances in information technology, Caralli (2004) suggests that organizations should shift the focus from a technology-based information security strategy to an organization-based approach that considers a core set of organizational capabilities. Therefore, identification and understanding of organizational capabilities is essential to logically recognize the relationship between the success of information security strategy implementation and organizational performance. Either way, IS becomes very important to the business and needs to be aligned with strategic objectives in order to justify massive investments. A number of studies show that investments in IS and the underlying IT result in added business value only if they are truly connected with strategic business objectives (Weill & Ross, 2004; Groznik, 2003; Spremic, 2002). In that sense, the proliferation of governance of enterprise IT helps companies manage, or rather govern, IS as a primary business function, with executive management involved in making decisions about IS and IT. The quality of IT governance rises with the number of decisions about IS made by executive management rather than IT departments: the more executive management is engaged in making decisions about IS and IT, the better the quality of IT governance (Spremic, 2012). Robert and Kenneth (2013) reported that the important business outcomes of governance of enterprise IT are improved management of IT-related risks, improved communication and relationships between business and IT, and improved business competitiveness. Indeed, since every project is exposed to some risk, overall ISM is an essential task in project management. In typical security models, the first step is to identify what might be worth protecting. The security concept of e-government can be evaluated even though the implementation of the system remains hidden. There is more security awareness and better security infrastructure, especially network security management, incorporated in the ICT or IS implemented in government institutions compared to the IS employed in private institutions. The primary e-government implementation is a donor-funded project with better ICT strategic and operational management. This means that at least the e-government implementers have taken basic technological measures and achieved security objectives. This may also reflect the government's increasing dependence on donors and partners in the field of information security technological advances in order to satisfy local demand (Tripathi, 2011). However, it is not enough to consider whether an asset is really valuable enough to protect, or simply to create a list of all assets; one must clearly identify what level of security needs to be achieved to ensure that the four basic security requirements, confidentiality, integrity, availability and non-repudiation, are met ().

According to Robert and Kenneth (2013) IS and IT have become an inevitable tool for everyday personal activities and a pervasive infrastructure for conducting business. Ein-Dor and Segev (2016) reported that 6 out of 10 employees aged 18-35 use a personal device for work, that security breaches and cybercrime costs are estimated at $1 trillion per year, that the average cost of downtime in 2011 was $5.000 per minute, or $380 billion in total for 2011, and that by 2020 there will be 24 billion connected devices. In that sense it is very important to develop a holistic business model for governing IS in order to enable executive management involvement in the decision-making process about IS and IT. It is obvious that IS issues, namely IS security issues, are not technical problems but business problems that cannot be managed at the IT department level, and must instead be governed at the executive level.

According to Tripathi (2011) security plays an important role in protecting the assets of an organisation. Given that no single formula can guarantee complete security, there is a need for a set of benchmarks or standards to help ensure that an adequate level of security is attained, resources are used efficiently, and the best security practices are adopted. Existing studies show that a number of governments and organisations have set up benchmarks, standards and, in some cases, legal regulations on information security to help ensure that an adequate level of security is maintained, resources are used in the right way, and the best security practices are adopted. Some industries, such as banking, are regulated, and the guidelines or best practices put together as part of those regulations often become a de facto standard among members of these industries. For programs to run normally, we must guarantee that the action performed and the value returned by each IS conform to the application's model of how the system works; ideally, the model would be the same as that of the standard IS. However, modeling all behaviors of every system would be tantamount to re-implementing nearly the entire IS. Moreover, there may be behavior that technically complies with the specification but still violates application assumptions (Ports, 2013).

2.4.2 Information Technology policies on Information Resources

Organizations need to develop acceptable use policies for computer safety within their environment that emphasize appropriate usage. This includes what kind of applications users can run, what kind of data they can store, what they can browse on the internet, what type of activity is strictly forbidden, and the consequences that may arise if the policy is violated (Vijay, 2006). Nevertheless, many organizations consider complying with the law to be one of the major justifications for creating and following a security policy (Ein-Dor & Segev, 2016). Consequently, organizations are required to make sure that employees understand not only the rules but also the basis behind the acceptable use policy. Recent studies show that organizations are motivated to review their policies on use due to the emergence of new avenues for misuse.

Any business is potentially liable should a hacker or a virus take down its IR. Similarly, if a business is running a publicly held e-business, an attack on its IR seriously impairs the business. Effective information security risk management regulation is an important component of a successful IT security program. The principal goal of an organization's information risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets (Tripathi, 2011). Therefore, the risk management process should not be treated only as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the whole organization. Consequently, an organization requires cost-effective information systems security (ISS) measures to respond to the specific threats and vulnerabilities associated with each information system. Government policies and procedures play an important role in the effective implementation of information security programs within the organization and in the success of the resulting security measures employed to protect information and information systems. Thus, organizations must develop and promulgate formal, documented policies and procedures governing the minimum security requirements set forth in this standard and must ensure their effective implementation (NIST, 2006). To better secure its information systems and strengthen its IS security, an organization should incorporate information security into its corporate governance efforts. Although information security is not solely a technical issue, it is often treated that way. If organizations, educational institutions, and non-profit organizations are to make significant progress in securing their information assets, executives must make information security an integral part of core business operations. There is no better way to accomplish this goal than to highlight it as part of the existing internal controls and policies that constitute corporate governance (Tripathi, 2011).

Although there is a variety of information security standards available, Tripathi (2011) concurs that such standards can only benefit an organization if they are implemented properly. In addition, systems security should be everybody’s concern at all levels, including those who are involved in information management systems. Information practitioners, IT professionals and users all have a role to play in ensuring the safety of institutional assets. Data security can be achieved only through the full involvement of all levels of the organization’s management. As security incidents become frequent, the need for organizations to take precautionary measures by securing and protecting their information from malicious acts is apparent (Jung, Han & Lee, 2001; Liebmann, 2001). Consequently, a well-defined strategic security policy document is necessary in all organizations.

The process of developing a strategic security policy has forced many institutions to identify risks to their data and to plan for any possibility of an attack on their systems, whether from internal or external sources. Failure to do this adequately can lead to a number of problems for organizations (Leinfuss, 1996; Robinson, 1997). In this regard, an information security policy is an essential component of data management governance, without which the organization has no substance and no rules to enforce. Bowen, Joan and Mark (2006) note that an appropriate information security policy is based on a combination of suitable legislation, valid standards and guidance, and internal agency requirements.

2.4.3 International Standards and Policies for Information Security

According to Vijay (2006), the use of security standards not only improves the level of data security but also ensures that organisations agree on which security safeguards are to be implemented. Thus, various standards have been developed to help organizations safeguard data security. The International Organisation for Standardisation (ISO), in collaboration with the International Electrotechnical Commission (IEC) and the International Telecommunication Union (ITU), has recommended a number of codes of practice for information security management in information and communications technology (ICT). These are intended to be used as a common basis and practical guideline for developing organizational security standards and effective management practices. Such guidelines are important since they specify the requirements for establishing, implementing, operating, monitoring, reviewing and improving a documented Information Security Management System (ISMS) in an organisation.

The code of practice also facilitates the selection of adequate and proportionate security controls to protect information. These standards are applicable to all types of organisations, including businesses and government agencies. One of the effective models is the Plan-Do-Check-Act cycle, which aims to monitor and improve the efficacy of the technology adopted by an organization. For instance, ISO/IEC 27001:2005, which is often implemented alongside ISO/IEC 27002:2005, does not make certification against the ISO/IEC 27002 controls mandatory; those controls can be used by any organization that is compliant with ISO/IEC 27001 in order to follow the management process involved in the ISMS standards.

According to Bowen, Joan and Mark (2006), the international standard ISO/IEC 15408 (the Common Criteria, CC) helps evaluate, validate and certify the security assurance of a technological product against the security functional requirements specified in the relevant code of standards. Reports in a new study demonstrate that hardware and software can be evaluated against CC requirements in accredited testing laboratories to certify the exact evaluation assurance level (EAL) the product or system can attain. The seven EALs are: functionally tested; structurally tested; methodically tested and checked; methodically designed, tested and reviewed; semi-formally designed and tested; semi-formally verified, designed and tested; and formally verified, designed and tested. The Information Technology Governance Institute (ITGI) framework, which is relevant to this study, allows managers to bridge the gap between control requirements, technical issues and business risks. According to Gregory (2009), the COBIT Security Baseline focuses on the specific risks around IT security in a way that is simple to follow and implement for small and large organisations. The Information Technology Infrastructure Library (ITIL) focuses on the service processes of IT and considers the central role of the user. Since 2005, ITIL has evolved into ISO/IEC 20000. The Payment Card Industry Data Security Standard (PCI DSS) consists of 12 core requirements, which include security management, policies, procedures, network architecture, software design and other critical measures.

2.5 Challenges Information System Security threats pose in organizational performance

Organizations involved in governance rely on a continuous assortment of data management systems and technologies that enable them to improve efficiency in service delivery (Ernst & Young, 2013). Many of the basic services offered by organizations, such as registration, advertisements and online transmission of tax returns, are now undertaken through e-government initiatives. This has necessitated reliance on distributed systems across the globe. However, managing the risks associated with government’s growing dependence on information technology is a continuing challenge. Since every technological advancement is as full of peril as it is of promise, the speed and severity of IS security threats also intensify. Most organizations are yet to implement controls that sufficiently prevent or detect unauthorized access to computer network systems. Managing information security risks is a balancing act between maintaining security and not inhibiting the business (Eric & Goetz, 2007).

Organisations today face a global revolution in governance that directly affects their information management practices. There is an increased need to focus on the overall value of information protected and delivered in terms of enabled services (Eindor & Segev, 2016). Due to the high-profile organizational failures of the past decade, legislatures, statutory authorities and regulators have created a complex array of new laws and regulations designed to force improvement in organizational governance, security, controls and transparency. Previous and new laws on information retention and privacy, coupled with significant threats of information systems disruptions from hackers, worms, viruses and terrorists, have resulted in a need for a governance approach to information management that protects the organization’s most critical assets: its information and its reputation. As computer technology advances, many organizations have become dependent on computerized information systems to carry out their operations and to process, maintain and report essential information. Virtually all their operations are supported by automated systems and electronic data, and agencies would find it difficult, if not impossible, to carry out their missions, deliver services to the public and account for their resources without these information assets. Information security is thus especially important for organizations to ensure the confidentiality, integrity and availability of their information and information systems. Conversely, ineffective information security controls can result in significant risk to a broad array of government operations and assets (Gregory, 2009).

According to Frost and Sullivan (2015), the infrastructural platform supporting digital business is growing more complex. Companies increasingly run their computing systems on virtual machines, cloud services have become standard business practice, and personal mobile devices increasingly creep into the workplace. Yet, despite the influx of technology, there is a significant lack of trained security expertise, which will result in a shortfall. An organization’s computer systems and the information they hold can be compromised in many ways: through malicious or accidental actions, or simply through the failure of software or electronic components (Gregory, 2009). According to Baker (2015), all organisations are vulnerable to attack and no security system is completely immune. The level of vulnerability of an organisation, though, depends on many factors, such as the industry and geographies in which that organisation operates, the nature of the business it conducts, the adequacy of its technology and security systems, processes and procedures, internal compliance with established processes, as well as its public profile and supply chain. State-owned institutions and financial institutions are particularly susceptible to attack. The risk of security breaches may be heightened depending on an organization’s structure, systems and supply chain, as well as how it does business. Unauthorized access to an organization’s systems and data can cause irreparable damage to its business, its reputation and its value. The scope and severity of the impact of a cyber-attack will depend on the nature of the attack and the organization’s ability to react and minimize its effect. Disclosure requirements and laws mean that in many cases the fact of the attack may have to be disclosed to regulators, data subjects, investors and the public.

The increasing reliance on IT systems and networks dominates nearly every aspect of society. In particular, the expansion of computer interconnectivity brought about by the advancement of the internet has revolutionized the way that organizations communicate and conduct business. However, a study by Frost and Sullivan (2015) noted that, in spite of the significant benefits of computer interconnectivity, exclusive dependency on this technology can also create vulnerabilities to cyber-based threats. In the USA, for instance, frequent cyber-attacks have had a devastating impact on government operations. These threats can potentially affect all segments of society, including individual businesses and private institutions. Few studies have been directed towards minimizing these potentially harmful effects. A study by Gregory (2012) recommended that information security be labeled a high-hazard resource and expanded to include guarding all computerized systems that support government critical infrastructure.

According to Robert (2014), the cyber risk landscape is evolving rapidly in many areas. This dynamism poses a great threat to public institutions. In Africa, for instance, governments are facing an unprecedented level of cyber-attacks. With the advent of terrorism, this is undermining national security and critical infrastructure. Many businesses that store confidential customer and client information online struggle to maintain their reputations in the wake of massive data breaches. Economically speaking, the repercussions emanating from cyber threats cannot be underestimated. Economists have warned of a digital disintegration, a scenario in which cyberspace could be completely undermined by strengthening attacks, resulting in the failure of the internet to facilitate commercial transactions. Consequently, businesses across a wide range of industries are continually exposed to potentially enormous economic losses as well as liabilities and costs as a result of cyber-attacks and data breaches (Frost & Sullivan, 2015).

CHAPTER THREE: RESEARCH METHODOLOGY

3.1 Introduction

The research methodology covers the research design, site of study, target population, sampling techniques and the sample size. The methodology also outlines the research instruments used for the study and their reliability and validity. Finally, the chapter also presents data collection procedures, data analysis techniques and ethical considerations.

3.2 Research Design

Research design is the general plan of how one undertakes to find out the answers to the research questions (Polosky & Waller, 2005). The study was based on a descriptive survey design. This involved collecting data in order to draw conclusions and make recommendations concerning the current status of the subjects of study. The Kenya School of Government has established an ICT Department in each campus to facilitate e-government services and ease training, alongside automation of functions in most sections. The study targeted departments that directly offered IT and related services in the campuses, which included the ICT department, secretaries and the registry department.

3.3 Site of the Study

The site of the study was the Kenya School of Government Headquarters and its constituent campuses, namely Kabete, Embu, Baringo, Matuga and Mombasa.

3.4 Target Population

The target population was 100 staff working in the ICT Department, secretaries and records officers who handle information across the six campuses. All of these handle information in the day-to-day activities of the campuses and therefore hold information relevant to the study.

3.5 Sampling Techniques

The sampling plan describes the procedures used in determining the sample size. According to Greer and Kolbe (2003), sample size has been described as the set of quantities which are drawn from an already known population with the sole aim of estimating the characteristics of the population. The study employed the census method, and the entire population was included in the study.

3.6 Sample Size

The sample size of the study included the entire target population in the six campuses, totaling 100.

3.7 Research Instrument

Data was obtained only from primary sources using questionnaires. The questionnaires were mainly closed-ended for ease of analysis. Questionnaires were used because they are suited to obtaining important information about a given population. Questionnaires are advantageous in that they save time, are confidential, give increased access to populations and eliminate interviewer bias (Kombo & Tromp, 2006). Further benefits are that respondents have adequate time to read through the questions and answer them, and that it is possible to manage large samples (Kothari, 2000). The questionnaires were self-administered: they were delivered to the respondents and later collected. The research employed a semi-structured questionnaire in data collection. This instrument was deemed fit for data collection on account of its ability to give respondents an opportunity to express themselves on key issues in their day-to-day encounters.

3.8 Validity and Reliability of the Research Instrument

According to Hocking, Stacks and McDermott (2003), any selected procedure for collecting data should always be examined critically to assess to what extent it is likely to be reliable and consistent. Reliability is concerned with the extent to which a particular measuring procedure gives similar results over a number of repeated trials. To ensure reliability of the instrument, the researcher first conducted a pilot test using 10 questionnaires.

Validity is the degree to which a data collection instrument measures accurately what it is supposed to measure. Based on the subjective opinion of the supervisors, each and every question was modified until the researcher was sure that it provided an accurate measure. The validation process usually addresses such aspects of the study as accuracy of data collection, processing and instrument validation.

3.9 Ethical Considerations

According to Gatara (2010), ethics in research refers to moral principles or codes of behaviour that call for respect of the rights of research participants by researchers. It is in this spirit that the researcher first sought informed consent from the authorities in the area and the overall management of the CBOs before starting the research study. This informed the community of the purpose of the study, ensured that there was full support for the study, and clarified any concerns that they may have had. The researcher explained to the participants, in an honest way, the benefits of the research both to their organizations and to the country’s economic development now and in the future. In addition, the participants were guaranteed confidentiality of the information that they gave during the research study and that it would be used only for academic purposes. The identities of the participants were kept private to prevent any victimization. A statement of strict confidentiality was expressly included in the questionnaire. The researcher also briefed the respondents on the purpose of the research, their relevance in the research process, and the need for them to provide full, accurate and truthful information.

3.10 Data Collection Procedure

Permission to collect data was sought from the relevant institutions. The researcher, together with a team of five assistants, visited the organization directors, managers and operational managers of the departments to carry out face-to-face interviews to collect primary data. Secondary data was also collected from books, magazines, journals, publications and newspapers.

3.11 Data Processing and Analysis

The analysis of the research data proceeded through four major steps: data cleaning or editing; coding; tabulation; and interpretation of results (Peter, 1994; Collis & Hussey, 2003; Obure, 2002). The returned questionnaires were scrutinized to determine the correctness and accuracy of the responses. The findings were coded based on the variables that were studied. Cross tabulations were also generated to explain the various attributes of the variables studied and to represent the quantitative data. In this study descriptive statistics were used in data analysis, with the aid of the latest version of the Statistical Package for Social Sciences (SPSS). Descriptive statistics included means, standard deviations, frequencies and percentages. Data was presented using tables and graphs.

CHAPTER FOUR: RESULTS AND DISCUSSION

4.1 Introduction

This chapter presents analyzed findings from the field, obtained through questionnaires administered to the employees of the Kenya School of Government. The findings of the study were analyzed in relation to various questions on information system security threats, the IT policies in the organization, ISS strategies, challenges of adopting ICT and the possible solutions to the ISS threats. The data obtained was entered, cleaned and analyzed using Microsoft Excel. A total of 100 participants were sampled for the study. However, 72 questionnaires were received from the respondents, giving a response rate of 72 percent. According to Hair (1998), a response rate above 50 percent is considered acceptable.

4.2 Common Threats

In this section the respondents were asked to rate the various ISS threats which affect their ISR utilization in their organization.

4.2.1 Various ISS Threats

The researcher sought to establish the level of illegal access to computer systems, and the results are presented in table 1.

Table 1: Level of illegal access to computer system

Rate of illegal access to computer system     %
Very high                                    14
High                                         32
Moderate                                     24
Low                                          17
Very Low                                      6
Negligible                                    8
Total                                       100

The majority (32%) of the respondents contended that illegal access to computer systems is high, whereas 14% agreed that the threat is very high and 24% rated it moderate. This brings to a total of 70% (very high, high and moderate) the responses indicating that illegal access to computer systems occurs in the organization; this should draw the attention of the organization’s ICT personnel to ensure that safeguards are formulated to curb the threat. Of the remaining respondents, 17% rated the threat low, 6% very low and 8% negligible. The researcher further asked the respondents to evaluate the level of prohibited interception, access or acquisition of computer data. The findings are presented in table 2.

Table 2: Prohibited interception, interruption or access of computer data

Rate of prohibited access, interception or acquisition of computer data     %
Very high                                                                  17
High                                                                       25
Moderate                                                                   21
Low                                                                        21
Very Low                                                                   13
Negligible                                                                  4
Total                                                                     100

When asked about the level of prohibited interception or access of information, 17% of the respondents agreed that the threat is very high, whereas 25% said that the threat is high and 21% rated it moderate; this brings to a total of 63% the responses rating the threat higher than normal. This rate is dangerous for the safety of the crucial data in the organization and calls for strict measures to ensure that all personnel keep data safe and confidential at all times. Further, 21% accepted that the threat is low and another 13% that the threat is very low. The remaining 4% rated it negligible. The results in table 3 show the level of illegal data interference or system interference.

Table 3: Illegal data interference or system interference

Rate of illegal data interference or system interference     %
Very high                                                   19
High                                                        21
Moderate                                                    19
Low                                                         24
Very Low                                                    11
Negligible                                                   6
Total                                                      100

The largest group (24%) of the respondents contended that the illegal interference threat is low, whereas 19% agreed that the threat is very high, 21% that the threat is relatively high and 19% that it is moderate; the remainder rated the threat very low (11%) or negligible (6%). Although the largest group rated the threat low, a worrying 59% of responses agree that illegal data interference occurs; this therefore calls for all the respective personnel to put in place measures that ensure data integrity is maintained in all aspects and that their IS is always secured from illegal interference. The level of breach of measures instituted to protect data was also sought, as shown in table 4.

Table 4: Level of breach of measures of data protection

Rate of breach of privacy or data protection measures     %
Very high                                                22
High                                                     22
Moderate                                                 23
Low                                                      11
Very Low                                                 15
Negligible                                                8
Total                                                   100

When asked about the threat of breach of privacy, an equal proportion (22%) of respondents contended that the threat is very high and high respectively, and 23% agreed that the threat is moderate. This is a 67% response that the threat is higher than normal; it poses a risk to the organization’s private data, access to which may be reserved for only a few individuals. Therefore, the organization should use these findings to enlighten its staff on emerging data safety and privacy technologies in the market. Whereas 11% agreed that the threat is low, the remaining 15% and 8% contended that the threat is very low and negligible respectively. The researcher also sought to ascertain the extent of the impact of computer-related fraud or forgery; the results are presented in table 5.

Table 5: Level of computer fraud or forgery

Rate of computer related fraud or forgery     %
Very high                                    13
High                                         17
Moderate                                     14
Low                                          27
Very Low                                     14
Negligible                                   15
Total                                       100

The majority (27%) of the respondents agreed that the level of computer fraud or forgery is low, while 13% contended that the threat is very high and 17% agreed that the threat is high. 14% of the respondents accepted that the threat is moderate, and the remaining 14% and 15% contended that the threat is very low and negligible respectively. A total of 54% of respondents agree that computer-related fraud and forgery also exists in their organization. This calls for the organization to introduce a method for vigilant verification of important documents generated for use by staff, customers and other stakeholders in the organization. These documents mainly include receipts, cheques, certificates and invitation letters. The results presented in table 6 show the findings on computer-related identity offences.

Table 6: Level of computer related identity offences

Rate of computer related identity offences     %
Very high                                     17
High                                          10
Moderate                                      21
Low                                           23
Very Low                                      17
Negligible                                    13
Total                                        100

When asked about the level of computer-related identity offences, 17% of the respondents contended that the threat is very high, whereas 10% agreed that the threat is high. Another 21% agreed that the threat is moderate, while 23% agreed that the threat is low and the remaining 17% and 13% agreed that the threat is very low and negligible respectively. A total of 48% of responses indicate that the threat of computer-related identity offences exists; this calls for the organization to ensure that all staff are trained on unique identification measures for accessing their ISs. Table 7 presents the results on offences related to computer copyright and trademark.

Table 7: Level of offences related to computer copyright and trademark

Level of offences related to computer copyright and trademark     %
Very high                                                        15
High                                                             18
Moderate                                                         27
Low                                                              21
Very Low                                                          4
Negligible                                                       14
Total                                                           100

The majority (27%) of the respondents contended that the threat of computer-related copyright and trademark offences is moderate, whereas 15% of the respondents agreed that the threat is very high and 18% agreed that the threat is high. This is a 60% response that copyright and trademark offences with regard to computer use exist, which serves as a benchmark for the organization to adopt modern measures to curb these offences. 21% of the respondents agreed that the threat is low, whereas 4% agreed that the threat is very low and the remaining 14% agreed that the threat is negligible. The findings in respect of sending or controlling spam are presented in table 8.

Table 8: Level of sending or controlling spam

Rate of sending or controlling SPAM     %
Very high                               7
High                                   24
Moderate                               27
Low                                    27
Very Low                                4
Negligible                             11
Total                                 100

When asked about the threat level of sending or controlling spam, 7% of the respondents contended that the threat is very high, while 24% agreed that the threat is high and another 27% agreed that the threat is moderate. Thus a total of 58% agreed that the threat of spam exists in their system; this brings to the attention of the ICT department the need to put up control measures to ensure that each mail and message received is filtered before it gets into the system. Another 27% agreed that the threat is low, whereas 4% responded very low and the remaining 11% agreed that the threat is negligible. The researcher also sought to establish the level of cybercrimes causing personal harm, and the results obtained are presented in table 9.

Table 9: Level of personal harm that relates to computers

Rate of computer based crimes causing personal harm     %
Very high                                               7
High                                                   19
Moderate                                               14
Low                                                    27
Very Low                                               13
Negligible                                             20
Total                                                 100

In regard to the level of threat posed by computer-based crimes causing personal harm, 7% of the respondents agreed that the threat is very high, while another 19% agreed that the threat is high and 14% agreed that the threat is moderate. This brings to a total of 40% the responses indicating that the threat exists. Further, 27% of the respondents contended that the threat was low, while the remaining 13% and 20% contended that the threat was very low and negligible respectively. This brings to the attention of the organization the need to put in place measures ensuring that the users of their ISs are protected against any personal harm, including harm of a sexual nature. Table 10 presents the findings in regard to computer-based activities involving racism or xenophobia.

Table 10: Level of computer related acts involving racism or xenophobia

Rate of computer related acts involving racism or xenophobia     %
Very high                                                        4
High                                                            19
Moderate                                                        19
Low                                                             19
Very Low                                                        13
Negligible                                                      27
Total                                                          100

As shown, regarding the level of threat posed by computer-related acts involving racism or racial intolerance, only 4% of the respondents agreed that the threat is very high, whereas 19% each rated the threat as high, moderate and low. A total of 42% of responses indicate that the threat exists; this calls for more emphasis by the government on promoting national values of non-discrimination among its citizens at all times, regardless of colour or country of origin. The remaining 13% and 27% agreed that the threat is very low and negligible respectively. The results on computer-related production and dissemination of child pornography are presented in table 11.

Table 11: Level of computer related creation and dissemination of child pornography

Rate           %
Very high     16
High          14
Moderate      16
Low           19
Very Low      17
Negligible    19
Total        100

When asked about the level of threat posed by computer-related creation and dissemination of child pornography, 16% of the respondents contended that the threat is very high, while 14% agreed that the threat is high and 16% agreed that the threat is moderate. This is a total of 46% of responses, which may be attributed to the fact that an increasing number of children have access to ICT and related gadgets. Control measures should be strictly put in place by all stakeholders to guarantee that children are shielded from harmful cyber threats and pornography. 19% of the respondents agreed that the threat is low, and 17% and 19% agreed that the threat is very low and negligible respectively. Table 12 shows the findings in regard to computer acts associated with support of terrorism offences.

Table 12: Level of computer acts associated with acts in support of terrorism offences

Rate of computer acts associated with acts supporting terrorism offences     %
Very high                                                                   14
High                                                                        16
Moderate                                                                    11
Low                                                                         10
Very Low                                                                    17
Negligible                                                                  31
Total                                                                      100

The majority (31%) of the respondents contended that the threat of computer-associated acts that appear to support terrorism is negligible in the organization. However, a total of 41% contended that the threat exists: 14% of the respondents agreed that the threat is very high, while 16% agreed that the threat is high and 11% agreed that the threat is moderate. Currently, terrorism is a major threat to both national and worldwide security, and this problem is perpetuated by widespread internet accessibility, which enables faster communication. The remaining 10% agreed that the threat is low and 17% that it is very low.

Figure 3: Summary of ISS threats

Illegal access is rated as the highest ISS threat with a 70% response; other threats which had a high response rate were breach of privacy or data protection measures, prohibited interception, interruption or access of computer data, and copyright and trademark offences, with 67%, 63% and 60% respectively. The ISS threat rated lowest was computer-related acts causing personal harm, at 40%. Other types of cybercrime experienced in the organization included scams, potentially unwanted programs, malvertising, social engineering, hacking and cracking, plagiarism, identity theft, cyber stalking, hardware failures and data IISs, denial of service, and child soliciting and abuse.

4.3 Security Policies and Strategies

This section presents the results regarding security policies and security strategies.

4.3.1 Security Policies

The researcher sought to ascertain whether the respondents were aware that there are ICT policies within their organization, and the results are presented in table 13.

Table 13: Security Policies

Response        %
YES            65
NO             32
No response     3
Total         100

The majority of the respondents (65%) are aware that there are ICT policies within their organization, while 32% responded that they do not have any in their organization; the remaining 3% did not respond to the question. The combined 35% could be attributed to a lack of understanding of the policies that govern ICT activities in their organization among a cross-section of the staff. This is also an indication of reluctance to adopt national ICT policies; therefore, appropriate remedies ought to be undertaken by the government to guarantee that the policies generated are adopted and implemented.

The respondents were further asked to elaborate on how cybercrime is handled in the organization in the absence of an ICT Policy. Analysis of the responses revealed that cybercrime was handled in the following ways: policies and procedures are handled at management level; few cases of cybercrime are reported; formulation of an ICT Policy is currently ongoing; cybercrime experts are outsourced as cases arise; and the exchange of information adheres to security protocols. The results on the rate of the organization's commitment are presented in table 14.

Table 14: Rate of commitment of the organization in managing cybercrime reports

Rate of commitment     %
Very effective        17
Satisfactorily        62
Ineffective           17
Don't know             4
Total                100

The respondents who agreed that they have an ICT Policy in their organization were further asked to rate their organization's commitment in responding to reports of, managing and intervening in cybercrimes. The majority (62%) of the respondents agreed that their organization's commitment is satisfactory, while 17% agreed that the commitment is very effective, 17% contended that the commitment is ineffective and 4% did not know the level of their organization's commitment. The combined 79% response on the rate of commitment could be attributed to the e-government services which run the organizations, ranging from financial, payroll and e-procurement systems among others; therefore vigilance and system protection are highly observed. The findings on the technology used by the organization to curb cybercrime are presented in table 15.

Table 15: Rate of Technology

Rate of technology     %
Very effective         8
Satisfactorily        56
Ineffective           16
Don't know            19
No response            1
Total                100

The findings showed that 56% of the respondents were satisfied with the level of technology used by their institutions in handling cybercrime, while 8% agreed that their technology is very effective, giving a total 64% response that the technology is effective. Further, 16% agreed that their technology is ineffective, 19% did not know anything about their technology and 1% did not respond. The 36% could be explained by the fact that procurement of ICT and related services and equipment is reserved for the ICT personnel in many organizations.

4.3.2 Factors that affect implementation of ICT security

The respondents were further asked to elaborate on some of the factors that determine the implementation of ICT security in organizations. The factors given by the respondents were rapid change in technology, lack of funds, computer viruses, limited knowledge of ICT and cybercrime, lack of policies, poor planning, illegal access to computer systems and limited human resources.

4.3.3 Elements affecting the implementation of ICT security

The respondents were also required to assess the effect of other features likely to affect the implementation of ICT security in their organization, namely people, processes and technology. The results on the rate of effect posed by people are presented in table 16.

Table 16: Rate of effect posed by people on the implementation of ICT security

Rate of effect     %
Very high         43
High              20
Average           30
Low                4
Very Low           2
Total            100

Research findings reveal that users are often the key players in the implementation of ICT security, with a 93% response when very high, high and average are combined; this could be attributed to the fact that people are the main decision makers and also the implementers of the policies. The remaining 4% and 2% responded low and very low respectively. Table 17 presents the results on the rate of effect posed by processes.

Table 17: Rate of effect posed by processes on the implementation of ICT security

Rate of effect     %
Very high         29
High              20
Average           26
Low               20
Very Low           6
Total            100

Research findings reveal that the processes which policies pass through in an organization before their implementation also affect implementation in the ICT sector. 29% of the respondents rated the effect of processes on the implementation of ICT security as very high, while 20% and 26% rated it as high and average respectively. This is a 75% response that implementation of ICT security is also affected by processes in the organization, which is attributed to the fact that there are set procedures which policies pass through in an organization before they are adopted. The remaining 20% and 6% responded low and very low respectively. In table 18 the results on the rate of effect brought about by technology are presented.

Table 18: Rate of effect posed by technology

Rate of effect     %
Very high         51
High              18
Average           18
Low                4
Very Low           8
Total            100

Research findings reveal that the ICT technology used in the organization largely determines the implementation of its security, with a 51% response as very high, 18% as high and 18% as average; this shows that technology alone attracted an 87% response that it affects the implementation of ICT security. This may be explained by the fact that technology is an evolving phenomenon which has to be embraced often, which is usually expensive. The remaining 4% and 8% responded low and very low respectively. The results on the elements affecting implementation of ISS are presented in figure 4.

Figure 4: Elements affecting ISS implementation

People are rated as the main element affecting implementation of IS security at 93%.

4.3.4 Validity of Change Management Policy in ICT adoption

The respondents were asked to rate some factors of the management policy with regard to changes in ICT adoption in their organization. The results on the rate of validity on the increased usage of the system are presented in table 19.

Table 19: Rate of validity on the increased usage of the system

Rate of validity     %
Very valid          18
Valid               47
Moderate            25
Invalid              6
Very invalid         0
No response          4
Total              100

The majority of the respondents (63%, very valid and valid combined) agreed that having a management policy with regard to ICT adoption increases usage of the ICT system, while 25% contended that change will lead to moderate usage of the system. The remaining 6% agreed that it is invalid and 4% did not respond. The results on the rate of validity on improved usage of the system are presented in table 20.

Table 20: Rate of validity on improved usage of the system

Rate of validity     %
Very valid          28
Valid                7
Moderate            33
Invalid              4
Very invalid         0
No response          4
Total              100

When asked whether a change in management policy in ICT will lead to improved usage of the system, 28% of the respondents agreed that it is very valid, 7% agreed that it is valid, while 33% contended it will be moderate. Further, 4% agreed that it is invalid, and 4% did not respond. Moreover, the researcher sought to ascertain the rate of validity on decreased system hiccups, and the findings are presented in table 21.

Table 21: Rate of validity on decreased system hiccups

Rate of validity     %
Very valid          14
Valid               28
Moderate            43
Invalid              8
Very invalid         4
No response          3
Total              100

When asked whether a management policy on change in ICT adoption would decrease system hiccups, 14% of the respondents agreed that it is very valid to have a management policy, while 28% agreed that it is valid and 43% agreed that system hiccups would decrease moderately. 8% of the respondents agreed that it is invalid, while 4% contended that it is very invalid and 3% did not respond. The Kenyan Government has already established a significant legislative and regulatory regime around IT security, and is considering additional action. However, it has taken a long time to pass this law because IS is often treated solely as a technology issue, when it should also be treated as a governance issue. Lack of progress on this issue is due in part to the absence of an ISM framework that instructs personnel at different levels on how to implement e-government solutions (Matunda, 2005). Two common standards that are generally used to focus on an organization's ISMS are ISO/IEC 27002 (ISO/IEC 17799) and ISO/IEC 27001. The first standard is used as guidance for planning and implementing ISM and is a great starting point for developing an ISMS (Matunda, 2005). The results on the rate of validity on decreased customer compliments are presented in table 22.

Table 22: Rate of validity on decreased customer compliments

Rate of validity     %
Very valid           7
Valid               26
Moderate            36
Invalid             24
Very invalid         6
No response          1
Total              100

When asked about the rate of validity on customer compliments, 7% of the respondents agreed that it is very valid that having a management policy on ICT adoption would decrease customer compliments, while 26% agreed that it is valid and 36% agreed that customer compliments would decrease moderately. The remaining 24%, 6% and 1% responded invalid, very invalid and no response respectively. The results in table 23 show the extent of the effect of IS threats on organizational performance.

Table 23: Effect of IS Threats on Organizational Performance

Response              %
Very Strongly agree   4
Strongly agree       31
Agree                44
Disagree             10
Strongly disagree     4
No response           7
Total               100

Research findings show that 79% of the respondents agree that IS threats hinder their organizational performance. This is elaborated further by the 4% of the respondents who very strongly agree, while 31% strongly agree and 44% agree. This is a clear indication that ISS threats highly affect organizational performance. This is attributed to the fact that most IRs of an organization rely on computerized systems for management, from data creation, processing, storage and transfer among others. The remaining 25% disagree, strongly disagree and gave no response at 10%, 4% and 7% respectively.

4.3.5 Information System Security strategies

Research findings indicated that most of the respondents' organizations have varied IT Security control measures, as shown in figure 5.

Figure 5: Graph showing IT security control measures

Research findings further show that the IT Security controls adopted by the organizations vary: 16% of the respondents agreed that they have updated antivirus in their systems, 10% contended that they have anti-spyware software, and 13% agreed that they have a firewall in their system. Other measures in some organizations include secured communication between servers and clients at 11%, and authentication software or hardware for internal users and for external users, at 9% each. Other measures in place were an intrusion detection system, regular backup of data and off-site data backup, at 8%, 14% and 7% respectively. ISO/IEC 27002 provides a programme for protecting information assets and the controls used to implement an ISMS, while ISO 27002 is the standard which provides the management system standard. However, a successful ISMS should be a process which ensures the continuous verification of all elements of the security system through continuous improvement of all elements of the information and security management system. This process must adopt a Plan-Do-Check-Procedure model as its ISMS. The only security management model which is based on process management and compatible with ISO 9001, ISO 27001, ITIL, COBIT and ISO 20000 is ISM3. It has five maturity levels and metrics for IS. This concurs with Matunda (2005), who reported that security objectives should be expressed in fairly general terms such as use of services, access to storage and users' restriction to authorized assets; making sure that expired or end-of-life-cycle repositories are permanently destroyed or sanitized; ensuring that personal information of learners and teachers is accessible for a valid purpose to authorized users on a need-to-know basis; that confidential information is accessible to authorized users only; appropriate licensing and accessibility to authorized users; and physical security of the information repositories and systems, among others (Otieno, 2016).
The study also sought to establish the IT Security control measures adopted, as shown in table 24.

Table 24: IT Security control measures

IT security control measures                              %
Virus protection software which is regularly updated     16
Anti-spyware software regularly updated                  10
Firewall                                                 13
Secured communication between clients and servers        11
Authentication software or hardware for internal users    9
Authentication software for external users                9
Intrusion detection system                                8
Regular back up of data critical to business operations  14
Offsite data backup                                       7
None of the above                                         3
Total                                                   100

4.4: Challenges facing Adoption of ICT

In regard to the challenges facing implementation of ICT, the respondents were first asked to rate some factors which are important in their planning for ICT security. These factors were subdivided into four categories: cost, value, difficulty and the company's needs. The results on the cost of planning and adopting ICT are presented in table 25.

Table 25: Cost effect in planning and adoption of ICT

Rate of importance     %
Highly important      23
Very important        26
Important             22
Less important        22
Not important          8
Total                100

When asked about the level of importance of the cost of planning and adopting ICT in their organization, the majority (71%) of the respondents concurred that cost was an important factor: 23% agreed that the cost factor was highly important when planning for ICT security, 26% contended that it was very important and 22% agreed that it was important. This calls for adequate budget allocation for ICT services to enable organizations to utilize ICT resources effectively. The remaining 22% and 8% agreed that cost was less important and not important respectively. These findings also confirm that ICT serves as a regulatory compliance mechanism for an organization's financial and technological accountability, which ensures that institutions achieve their strategies and goals (Otieno, 2016). ICT governance requires strategic planning and a governance methodology. ICT governance refers to formal high-level processes and structures for ICT strategic planning. Put simply, ICT governance revolves around how an organization realigns its IT objectives with its business strategy to ensure that the organization stays on track to achieve its mission and goals. An IT governance framework therefore ensures that the IT department functions in the way management needs. It identifies key ISM processes at various levels to allow an institution to tailor its security objectives to its business needs. ISM3 intentionally refuses to define its terms in relation to some intrinsic or private essence of an organization; instead, terms like security, vulnerability, weakness, risk, threat, opportunity, incident, attack, error and accident are defined operationally. The maturity spectrum relates cost, risk and threat reduction and enables incremental improvement, benchmarking and long-term targets. The lower the risk, the further the ISM process progresses towards maturity. ISM3 is the best model to evaluate the security implications of the e-government implemented by educational institutions for their staff and students in Kenya (Matunda, 2005). To understand the security objectives under consideration it was imperative to understand the value of ICT to the organization, as presented in table 26.

Table 26: Value of ICT

Rate of importance     %
Highly important       5
Very important        27
Important             14
Less important        27
Not important         27
Total                100

When asked to rate the value that ICT planning and adoption will add to their organization, 5% of the respondents agreed that it is highly important, 27% agreed that it is very important, while 14% agreed that it is important. This presents a 46% acceptance that planning and adoption of ICT is important to the organization. The remaining 55% responded less important and not important respectively. It is through well-defined processes that information security is improved and risk is reduced. According to Tripathi (2011), incorporating strategic, tactical and operational management ultimately ensures effective management of the ICT implementation process in a way that reduces the risk of loss of data and of data integrity, ensures the availability of e-government resources, and protects the confidentiality of users at the respective institutions. This means that it provides an architecture model applicable at any security level for an organization of any size. It can be applied with high sophistication to assure business objectives, which are specifically tailored to security design, implementation, operations, management and assurance processes. The results on whether ICT is difficult and expensive to use are presented in table 27.

Table 27: Difficulty in ICT usage

Rate of importance     %
Highly important      10
Very important        16
Important             29
Less important        27
Not important         19
Total                100

On the matter of learning how to adopt and use ICT, 10% of the respondents agreed that it is highly important that ICT is difficult and expensive to use, 16% agreed that it is very important, while 29% contended that it is important. This presents a 54% response that ICT is indeed difficult and expensive to use; this may be explained by the fact that ICT usage requires prior training, which has cost implications for the user. The remaining 27% and 19% responded less important and not important respectively. The results on whether ICT is not meeting the company's needs are presented in table 28.

Table 28: Company's needs

Rate of importance     %
Highly important       8
Very important        17
Important             27
Less important        21
Not important         27
Total                100

When asked about the importance of ICT in meeting their company's needs, the majority (52%) of the respondents agreed that ICT is important, with 8% of respondents agreeing that it is highly important, 17% that it is very important and 27% that it is important. The remaining 48% contended that it is less important and not important respectively. The researcher also sought to ascertain whether ICT improves business operations, as presented in table 29.

Table 29: ICT and business operations improvement

Response     %
YES         79
NO          21
Total      100

When asked if ICT improves the business operations of their organization, a large proportion (79%) of the respondents agreed that ICT adoption in their organization improves their business operations. This may be attributed to e-government initiatives on automation of most of the operations in organizations. The remaining 21% contended that ICT did not improve their operations. The researcher also sought to ascertain the rate of satisfaction with the organization's ICT usage levels, and the findings are presented in table 30.

Table 30: Satisfaction on ICT usage

Rate of satisfaction     %
Very satisfied          15
Satisfied               36
Neutral                 25
Dissatisfied            14
Very Dissatisfied        5
No response              5
Total                  100

When asked about their satisfaction with ICT usage in their organization, 15% agreed that they are very satisfied with their organization's ICT usage level and 36% agreed that they are satisfied. This gives a combined 51% of the respondents satisfied with ICT usage in their organization. 25% of the respondents were neutral, 14% were dissatisfied, 5% were very dissatisfied and 5% did not respond. These findings concur with previous studies that reported successful application of a model to a relatively new e-government implementation in Kenya. In these studies security objectives were expressed in fairly general terms such as use of services, access to storage and users' restriction to authorized assets, and making sure that expired or end-of-life-cycle repositories are permanently destroyed or sanitized. The findings also concur with Tripathi (2011), who noted that appropriate licensing and accessibility to authorized users and physical security of the information repositories and systems, among others, were the major challenges. These barriers are presented in figure 6.

Figure 6: Barriers and challenges in ICT Adoption

Technical issues were noted to be the greatest barrier, rated at 34%. This may be attributed to the fact that ICT users require technical skills for which they must be trained. Other barriers and challenges in ICT adoption included policy issues at 22%, as policies generated often took long to be adopted. Level of access attracted a 20% response; this may be attributed to the fact that ICT equipment and related services like the internet are relatively expensive, hence accessing them is difficult. The cost of adoption and use had a 24% response; this may border on issues of change management, where people would rather stick with their manual way of processing their work. These findings support the fact that Kenya has successfully put in place an ICT policy framework and implementation strategy, but with no measurable outcomes. Hence, to be able to implement e-government successfully, the ICT infrastructure needs to have a process metric system (Otieno, 2016). The latest additions to this infrastructure have been the installation of a fibre optic backbone network, dial-up links, internet access, computer hardware, available e-government devices and manpower able to handle the e-government infrastructure. These barriers are further illustrated in table 31.

Table 31: Barriers and Challenges in ICT Adoption

Barriers                    %
Technical issues           34
Policy Issues              22
Level of access            20
Cost of adoption and use   24
Total                     100

From the results in table 31, e-government systems in Kenya present a unique challenge to IS engineers because of their nature and inherently complex architecture. An information system is not just a technical issue but a corporate governance issue that must be addressed before implementation is enforced across all levels of the organization. In any project, it is people in the end that determine the success or otherwise of the project, and not technology and its associated issues (Otieno, 2016). ICT infrastructure would offer services that include activity authoring and management, tracking and reporting, and common services covering a wide range of functions such as administrative, collaboration, information management and some core middleware functions. Kenyan ICT implementation is unique because of technological shortcomings including technical issues, policy issues, level of access and cost of adoption and use.

CHAPTER FIVE: SUMMARY, CONCLUSION AND RECOMMENDATION

5.1 Introduction

This chapter presents the key findings of the study: common ISS threats in the organization, IT policies and strategies put in place to curb the threats, challenges facing adoption of ICT, and possible solutions which can be put in place to improve ISS at the Kenya School of Government. The key conclusions and recommendations to the Kenya School of Government are also given.

5.2 Summary of the Findings

5.2.1 Common ISS Threats

Research findings indicate that most ISS threats are above 40%, with half receiving above a 50% response, and the threat of prohibited access to computer systems being highest at 70%. Also, a substantial number of respondents agreed that breach of privacy, prohibited access and interception of data, and computer-related copyright and trademark offences are among the highest threats, at 67%, 63% and 60% respectively. These threats may be attributed to the fact that most ISS in the organization have a shared common password, which enables colleagues to access another person's computer over the LAN. Other ISS threats are illegal data interference at 59%, spam at 58%, computer-linked identity offences at 48%, child pornography at 46%, computer-related fraud or forgery at 44%, computer-associated acts involving racism or xenophobia at 42%, computer-linked acts described as bordering on terrorism at 41%, and computer-related acts causing personal harm at 40%. Most of these threats are internet related, contributed to by the fact that there is open access to the internet across all the organization's premises. The respondents gave other ISS threats which are common in their organization, such as scams, potentially unwanted programs, malvertising, social engineering, plagiarism, identity theft, cyber stalking, hardware failures and data loss, denial of service, and child soliciting and abuse.

5.2.2: IT Policies and Strategies

5.2.2.1: IT Policies

The majority of the respondents (65%) contended that there is an ICT policy; this is attributed to the fact that ICT policies are adopted from the Ministry of ICT in line with the constitutional requirement for Vision 2030, with the KSG being a flagship project for the education and training pillar. Though 32% said they do not have an ICT policy and 3% do not know, the combined 35% could be attributed to a lack of understanding of the existing policies in their organization. There was a 79% response that the organization is committed to managing cybercrime; this is attributed to the fact that most services are e-government oriented. Most services are both online and real-time processing, namely IPPD, IFMIS and e-procurement, to mention a few, hence the need to ensure effective management of their systems. The remaining 21% could be attributed to normal system failures like failure in the network, system delays and so on. The technology used by the organization to curb cybercrime elicited a 64% response as satisfactory; this shows that the technology is still low. This is attributed to the fact that upgrading ICT and related equipment is expensive, and the procurement procedures are lengthy, being mainly done annually. Other factors mentioned that affect implementation of ICT security are evolving ICT technology, inadequate funds, illiteracy, poor planning and limited human resources. The people using the ISS on a daily basis posed a 93% effect on the implementation of ICT security, while processes attracted a 75% response and technology 87%. This is attributed to the fact that people are the main drivers in making decisions and in developing and implementing policies. Change management policy in ICT adoption attracted a combined response of 63% validity for increased usage of the system, 35% validity for improved usage of the system, 42% validity for decreased system hiccups and 33% validity for decreased customer compliments; while this is attributed to the fact that most processes in government utilize ICT in most of their operations, the response rate is still low because most people are always opposed to change. The majority (79%) of the respondents agreed that ISS threats affect organizational performance. The reliance on ICT for running most organizational processes is directly linked to a properly functioning ISS. Failure of one part of the system means that the processes stall, hence the need to ensure that a proper ISS is functioning effectively.

5.2.2.2: ISS strategies

Most (97%) of the respondents agreed that they have various ISS measures in their systems, with virus checking software at 16%, anti-spyware software at 10%, firewalls at 13%, secured communication at 11%, authentication for both internal and external users combined at 18%, intrusion detection at 8% and backups at 21%. This shows that most organizations have knowledge of the importance of protecting their ISS. The remaining 3% who responded that they did not have a control measure may be end users of the system who are unaware of its technicalities.

5.2.3: Challenges facing ICT Adoption

Cost is the major challenge facing the adoption of ICT, at 71%; this is because procurement of ICT combines several elements ranging from hardware, software, peripherals and training of users among others, all of which are expensive, while funds are always limited. This problem may be solved by increasing the budgetary allocation to ICT annually. Other challenges included the value of ICT to the organization, ICT being difficult, and ICT not meeting the company's needs, at 46%, 54% and 52% respectively. These responses are attributed to the fact that ICT requires skilled personnel. The majority (79%) of the respondents agreed that ICT improves business operations, indicating improved automation of services in the organization, though 21% of respondents did not concur. This may be fertile ground for capacity building on change management in ICT usage, which can be done through government initiatives on free IFMIS, IPPD and e-procurement training through the National Treasury. Only 51% of respondents are satisfied with ICT usage within the organization; this is a great opportunity for the organization to ensure that staff have access to ICT for use in their operations, to increase efficiency and productivity. The technicality of ICT is noted as the greatest barrier to ICT adoption, at 34%; this is an opportunity for the organization to ensure that staff are computer literate in order to embrace ICT fully. Policies, level of access and cost were other factors, at 22%, 20% and 24% respectively. The creation and adoption processes for policies should be shortened to make adoption of ICT easier, while on level of access, the organization should improve the accessibility of ICT and related services for staff and also increase the budgetary allocation for ICT.

5.3 Conclusions

ICT systems offer an influential tool for increasing output and improving the quality of work through automated information processing. From the research findings, ISS threats are widespread and their management is still wanting, as the organization has challenges understanding and managing these threats. There is inadequate organizational commitment to ICT, as shown by the research findings on limited policies and strategies at KSG. Poor planning on ICT is also a contributing factor because it borders on issues of adequate budget allocation, staff recruitment and training. Another major challenge facing adoption of ICT is change management, where people are slow to upgrade their ISS to curb cyber threats, which evolve daily.

5.4 Recommendations

In order to improve ISS at the Kenya School of Government, the following recommendations are suggested on the basis of the findings of this research:

i. Training and development of users on ICT usage and security
ii. Secure more advanced systems in terms of technology
iii. Strengthen ICT Policies
iv. Proper authentication methods
v. Keeping ICT equipment in lockable rooms away from unauthorized access
vi. Employing competent ICT personnel
vii. Scripting of network processes
viii. Proper mail administration
ix. Setting password policies
x. Developing disaster recovery and business continuity plans
xi. Proper budgeting for ICT needs
xii. Proper backup of information
xiii. Installation of CCTV cameras
xiv. Acquire system protection software
xv. Installation of intrusion detection mechanisms
xvi. Motivate ICT staff
xvii. Training staff on integrity issues
xviii. Consider cloud computing for backing up data


APPENDIX III: QUESTIONNAIRE
I am a student at Kisii University carrying out a research study on EFFECT OF INFORMATION SYSTEM SECURITY THREATS ON INFORMATION RESOURCES IN PUBLIC INSTITUTIONS: A CASE OF KENYA SCHOOL OF GOVERNMENT. The information requested in this questionnaire is meant for academic purposes only and shall be treated in confidence. Kindly assist in filling in the questionnaire. Information given on this questionnaire will be held in strict confidence and will be used only for the purpose of the study.

SPECIFIC OBJECTIVES OF THE STUDY
Section A: Common ISS Threats
1 a) Please rate how the following types of cybercrime-related cases affect information system resource utilization in your organization.
   Rating scale: Very High | High | Moderate | Low | Very Low | Negligible
   Illegal access to computer system
   Illegal access, interception or acquisition of computer data
   Illegal data interference or system interference
   Breach of privacy or data protection measures
   Computer-related fraud or forgery
   Computer-related identity offences
   Computer-related copyright and trademark offences
   Sending or controlling spam
   Computer-related acts causing personal harm
   Computer-related acts involving racism or xenophobia
   Computer-related production, distribution or possession of child pornography
   Computer-related acts in support of terrorism offences

b) What other types of cybercrimes have you experienced in your organization other than the ones mentioned above?

Section B: i) IT Policies
1. a) Does your organization have a policy for dealing with cyber security? Yes [ ] No [ ]
   b) If No, how is cybercrime handled? ------
   c) If Yes, how would you rate the organization in responding to reports, managing and intervening in cyber threats?
      Very Effective | Satisfactory | Ineffective | Don't know

2. How effective is the technology your organization uses to respond to cyber security?
      Very Effective | Satisfactory | Ineffective | Don't know

   b. In your own opinion, which are the key factors that affect the implementation of ICT security in your organization? …………………………………………………………………
   c. In your opinion, which are the key factors that affect the implementation of ICT practices at the organization?
      Rating scale: Very High | High | Average | Low | Very Low
      People
      Processes
      Technology

3. Rate the validity of each of the following statements with regard to the ICT Management Policy in your organization.
   Rating scale: Very valid | Valid | Moderate | Invalid | Very invalid
   Increased usage of the system
   Improved usage of the system
   Decreased system hiccups
   Decreased customer complaints

4. Organizational information system threats have a negative effect on organizational performance.
   Very strongly agree [ ] Strongly agree [ ] Agree [ ] Disagree [ ] Strongly disagree [ ]

ii) Information System Security Strategies
5. Does your business have any of the following IT security control measures in place? Tick all which apply.
   Virus checking or protection software which is regularly updated
   Anti-spyware software which is regularly updated
   Firewall
   Secured communication between clients and servers (e.g. via SSL, SHTTP)
   Authentication software or hardware for internal users
   Authentication software or hardware for external users (e.g. customers)
   Intrusion detection system
   Regular backup of data critical to your business operations
   Off-site data backup
   None of the above

Section C: Challenges facing adoption of ICT
1. How important are the following reasons for your firm not being satisfied with the use of ICT?
   Rating scale: Highly important | Very important | Important | Less important | Not important
   It is costly
   It is not really adding any value
   It is difficult and expensive to use
   It is not meeting the company's needs

2. Do you think that using ICT in your business operations would eventually improve your organization's performance? Yes [ ] No [ ]

3. Rate your satisfaction with your organization's usage levels.
   Very satisfied | Satisfied | Neutral | Dissatisfied | Very dissatisfied

What barriers/challenges have you encountered in the adoption and use of ICT? (Please tick the appropriate ones)
   Technical issues
   Policy issues
   Level of access
   Cost of adoption and use
   Others (please specify)

Section D: Possible Solutions

8. Suggest possible information system strategies which your organization can employ to protect the information resources.
………………………………………………………………………………………………………
………………………………………………………………………………………………………
………………………………………………………………………………
