Information Security Culture in the Banking Sector in Ethiopia
Abiy Woretaw Abitew
ID: 000652632 Advisor: Lemma Lessa Ferede
A thesis submitted to University of Greenwich and International Leadership Institute in partial fulfillment for the Masters Degree in Business Administration in Information Technology Management (MBA-ITM)
Date: July, 2012
Acknowledgments
First of all, I'd like to thank Information Network Security Agency (INSA) for providing me with this opportunity by sponsoring my MBA study at ILI. Second, my utmost appreciation goes to Mr. Lemma Lessa for advising and guiding me in the entire process of this research. This thesis wouldn't be a reality had it not been for his unreserved involvement. Then I should acknowledge all the 11 banks (Commercial Bank of Ethiopia, Lion International Bank, Dashen Bank, Wegagen Bank, Bank of Abyssinia, Awash International Bank, Construction and Business Bank, Zemen Bank, National Bank of Ethiopia, Development Bank of Ethiopia and Oromia International Bank) and their employees for cooperating to participate in the research. Finally my deepest gratitude goes to Yonas Taddesse and Abdissa Tolla for their moral support. I also owe Ketema Gudeta and Michael Alemayehu for helping me in data collection and peer reviewing respectively. Seblewoyn Tsegaye, Selamyihun Adefris and Desalegn W/Giorgis too deserve credit for supporting me materially. Thank you!
Acronyms
AOR: Adjusted Odds Ratio
ATM: Automatic Teller Machine
CI: Confidence Interval
ENISA: European Network and Information Security Agency
FDIC: Federal Deposit Insurance Corporation
ILI: International Leadership Institute
IS: Information Systems
ISC: Information Security Culture
ISO: International Organization for Standardization
IT: Information Technology
ITM: Information Technology Management
MBA: Master of Business Administration
SPSS: Statistical Package for the Social Sciences (software)
US: United States
Table of Contents
Acknowledgments .... I
Acronyms .... II
Table of Contents .... III
List of tables .... V
List of figures .... VI
Abstract .... VII
CHAPTER I Introduction .... 1
1.1. Background of the study .... 1
1.2. Statement of the problem .... 2
1.3. Objectives of the study .... 3
1.4. Significance of the study .... 3
1.5. Scope and limitations of the study .... 4
1.6. Definition of Terms .... 4
1.7. Organization of the Paper .... 5
CHAPTER II Literature Review .... 6
2.1. Information Security .... 6
2.2. Information security risks and threats in the banking sector .... 7
2.3. Information security culture (ISC) .... 10
2.4. Approaches to organizational information security culture .... 12
2.5. Factors that influence information security culture and practices .... 13
2.6. Requirements for effective information security culture .... 13
2.7. Information security awareness programs .... 14
2.8. Information Security Culture Model .... 16
2.9. Summary of the Literature Review .... 17
CHAPTER III Research Design and Methodology .... 19
3.1. The Research Design .... 19
3.2. Instrument of Data Collection .... 19
3.2.1. Questionnaire .... 19
3.3. Subjects and Sampling .... 20
3.3.1. Subjects of the research .... 20
3.3.2. Sampling technique .... 21
3.4. Techniques of Data Analysis .... 22
3.5. Ethical Consideration .... 24
CHAPTER IV Data Analysis and Discussion .... 25
4.1. Key concepts in analyzing the data .... 25
4.2. Statistical analysis and main findings of the survey .... 27
4.2.1. Detail findings of information security culture sub-dimensions .... 29
4.2.2. Discussion of Results: Interrelationship between the ISC sub-dimensions .... 38
CHAPTER V Conclusion and Recommendations .... 41
5.1. Conclusions .... 41
5.2. Recommendations .... 44
References .... 46
Appendix I Research Questionnaire .... 51
Declaration .... 55
List of figures
Figure 1: Adopted information security culture model .... 17
Figure 2: Information security culture dimensions assessment .... 28
Figure 3: Information security culture sub-dimensions assessment .... 29
Abstract
Information security has become one of the most vital and demanding issues facing today's financial institutions such as banks. With widespread use of technology and ever increasing connectedness to the global environment, financial institutions are increasingly exposed to several and wide-ranging threats. Extant literature indicates that many losses are not caused by a lack of technology or by faulty technology, but rather by users of technology and faulty human behavior. Financial institutions in Ethiopia are not exceptions to such security risks. Although the technical aspect of information security needs due attention, a more serious yet under-rated aspect of information security is the human aspect. This research is aimed at assessing the practiced information security culture and identifying possible gaps that need management intervention, in order to recommend measures that can be implemented by practitioners. A survey research method is employed that mainly uses quantitative data based on primary data collected from the headquarters of 11 banks in Addis Ababa. The study revealed that the level of information security culture in the banking sector in Ethiopia is unsatisfactory. The main findings of this paper underline the need for enhancing the ethical conduct of employees and a positive trust environment for effective implementation of information security policies and procedures. Benchmarking against local and international standards should be practiced to assist positive change in information security culture. Risk-based information security awareness trainings should be provided at all levels to raise the level of awareness. Bank managers should oversee and recognize positive information security culture change. This research can serve as a springboard for related research in the financial as well as other sectors in Ethiopia.
Keywords: Information security, information security culture, assessment, security risks, security threats, information security awareness
CHAPTER I Introduction
1.1. Background of the study
This chapter introduces the general background of the banking sector in Ethiopia and the significance of studying related security issues. The objective, significance, scope and limitations of the research are also briefly discussed. Today's global society grants power to the most inventive and innovative knowledge workers, who are the main value creators of this modern civilization. The value created is represented, stored and communicated in the form of information. The information asset of an organization can be stored in the minds of its personnel, in paper documents and digitally in computer systems. Focusing on the banking business, Ula et al (2011) state that the information system has become the core element of modern banking and information has become the most valuable asset to protect from insiders, outsiders and competitors. Assuring the security of this information asset maintains competitive advantage in the globally internetworked banking business. The banking sector in Ethiopia is one of the rapidly growing sectors of the country's economy. Many private banks have been established in the past few years. The distribution and diversity of services is widening. This business competition has stirred the advancement of services enabled by information technology. More banks in Ethiopia are implementing core banking solutions to provide banking services from any of their member branch offices. Provision of such e-banking services is a competitive advantage. Though this technological advancement has facilitated business processes, much attention should be drawn to thwarting the illegal financial gain efforts of cyber criminals. The security of the banking information systems and critical financial data should be ensured. The banking sector is more sensitive to the issue of security as money is at stake and it is a lucrative target for malicious attackers. Evolving trends in information security support the incorporation of the human element in ensuring the information security of an organization. Promoting a sustainable information security culture is an effective way for organizations to address this aspect of information security. Assessing the existing information security culture level provides a clear picture for finding the gaps to intervene in with managerial measures to promote a sustainable information security culture. Such a strong information security culture within an organization also serves as a suitable platform to implement technical information security controls.
1.2. Statement of the problem
Information security incidents are more common in the banking sector in Ethiopia nowadays. Most information security risks and threats emanate from faulty information security behavior practiced by users of the information systems. Bank employees are among the main users that have access to the information asset of the banks. Insider threats, whether intentional or unintentional, arise from poor information security culture. In order to promote a strong information security culture, the existing information security beliefs, practices and problems should first be assessed so that critical gaps and areas of improvement are identified to pave the way for policy and management intervention.
1.3. Objectives of the study
The research has the following three specific objectives:
- Assess the perception, attitude and practice of employees towards information security in the banking sector in Ethiopia.
- Identify possible gaps to pave the way for policy and management intervention.
- Recommend measures that can be implemented by practitioners to enhance the information security culture in the banking sector in Ethiopia.
1.4. Significance of the study
As the banking sector in Ethiopia is undergoing fast progress in migrating business processes towards new IT-based services, the notion of establishing and maintaining a sustainable information security culture becomes more appropriate now than ever. Research on information security culture is still in its early stages of development. Issues are still being identified, and conceptualizations are being explored (Alnatheer & Nelson, 2009; Gebrasilase & Lessa, 2011). This active research area is even more in its infancy in the Ethiopian banking sector context. Promoting a strong information security culture in the banking sector in Ethiopia lays suitable ground for the implementation of technical information security controls and measures. Due to the sensitivity of financial institutions to security issues, priority is given to assessing the level of information security culture in the banking sector in Ethiopia.
1.5. Scope and limitations of the study
The scope of this paper is assessing the information security culture level in the banking sector in Ethiopia. The subjects of the study are mostly Information Systems department employees and managers from the headquarters of 11 banks in Ethiopia. A more inclusive survey of other departments would have made the research findings more comprehensive. The sample size of analyzed data is 100. Yet a sample size of more than 300 would have minimized the margin of error so that the research findings, conclusions and recommendations could be more valid and reliable.
1.6. Definition of Terms
Assessment: The evaluation of the level of existing awareness, perception and practice.
Culture: The behaviors and beliefs characteristic of a particular social group (STANDS4 LLC, 2012).
Likert scale: An ordered, one-dimensional scale from which respondents choose one option that best aligns with their view. This method of ascribing quantitative value to qualitative data makes it amenable to statistical analysis (The daily biz, 2010).
Model: A schematic description of a theory that accounts for its known or inferred properties and may be used for further study of its characteristics (Farlex, 2010).
Risk: The possibility of suffering harm or loss; danger (Farlex, 2010).
Risk analysis: Uses information to identify possible sources of risk. It uses information to identify threats or events that could have a harmful impact. It then estimates the risk by asking: what is the probability that this event will actually occur in the future? And what impact would it have if it actually occurred? (Praxiom Research Group Limited, 2012).
Threat: A potential event. When a threat turns into an actual event, it may cause an unwanted incident. It is unwanted because the incident may harm an organization or system (Praxiom Research Group Limited, 2012).
Vulnerability: A weakness in an asset or group of assets. An asset's weakness could allow it to be exploited and harmed by one or more threats (Praxiom Research Group Limited, 2012).
1.7. Organization of the Paper
This paper is organized into five chapters. The current chapter dealt with the general background, objective, significance, scope and limitations of the study. The literature review of this paper goes into the extant literature on information security in general and information security culture in particular to identify the enabling factors and evaluation dimensions of information security culture, and also tries to synthesize the outcomes of related studies. Then the research design and methodology chapter explores the research design, instrument of data collection, subjects of the research, sampling technique and ethical considerations taken into account. The data analysis and discussion chapter presents and discusses the findings of the study and their interpretation. Finally, the paper concludes by indicating critical areas of improvement and recommending measures to promote information security culture in the banking sector in Ethiopia. The paper also paves the way for further research in the area by pointing out the limitations of this research.
CHAPTER II Literature Review
This chapter reviews the extant literature on information security in general and information security culture in particular to identify the enabling factors and evaluation dimensions of information security culture.
2.1. Information Security
Information security is the process of protecting and preserving the information asset. It ensures the confidentiality, integrity, availability, authenticity and reliability characteristics of information. Information security encompasses technology, processes and people (Von Solms, 2000). In order to achieve comprehensive information security, the three aspects should be holistically considered. Technological access control methods and techniques ensure protection against vulnerabilities inherent in the technology (hardware or software). Nonetheless, the business processes of organizations can expose information to confidentiality and integrity breaches. Operational business processes are expected to identify security loopholes and devise mechanisms to prevent information security breaches. Although the technical aspect of information security needs due attention, a more serious yet under-rated aspect of information security is the human aspect. Mitnick et al (2002) explain that technical methods of protecting information may be effective in their respective ways; however, many losses are not caused by faulty technology but rather by users of technology and faulty human behavior. Hence, people not only can be part of the problem, but also they can and should be part of the solution. People must be an integral part of any organization's information security defense system (Mitnick et al, 2002). In support of this argument, Martins and Eloff (2006) underline that the behavior of employees and their interaction with computer systems have a significant impact on the security of information.
2.2. Information security risks and threats in the banking sector
Ula et al (2011) convey that espionage through the use of networks to gain competitive intelligence and to extort organizations is becoming more prevalent. Any mishandling of the confidential information asset can cause huge financial loss, and the reputation of the bank will be severely damaged. Ula et al (2011) stress that in this globally networked environment, security is a crucial part of banking and financial institutions. Nelson (2005) argues that banks must pursue new technologies and services to survive the business competition. Their customers demand the latest technologies of e-banking, bill pay, ATMs, smart cards, mobile banking, and other future systems. Banks adopt the latest technologies to provide their customers with competitive services. As they adopt new IT-empowered services they must also adopt new protective technologies or they will increase their risk of security breaches (Nelson, 2005). IT-based banking services and products increase the security risks, threats and security breach incidents in the global banking environment. Nelson (2005) explains that the current trend in financial institutions is to reduce risk by decreasing the range of systems and applications that are available to users. In an attempt to reduce IT-based risk, banks are removing access to such services. Here, it is evident that although technology is increasing its power, the controls are designed to manage and limit human involvement with the technologies. This demonstrates a basic truth: technology is not a threat; humans using technologies are the threat. Nelson (2005) further recommends the need to enforce policies, procedures, and guidelines to manage the human aspect of security.
Information security risks have grown with the advent of the marriage between business operations and IT. IT aggravates security risks as it facilitates the ease of processing, storing and communicating data and information. Ula et al (2011) explain that as modern banking increasingly relies on the internet and computer technologies to operate its businesses and market interactions, threats and security breaches have increased greatly in recent years. Ula et al (2011) cite a Symantec (2010) report to portray the severity of information security breaches to global businesses and in particular the banking sector:
"Security breaches and computer viruses cost global businesses $1.6 trillion a year and 39,363 human years of productivity. In 2009, Symantec detected 59,526 phishing hosts around the globe, an increase of 7% compared to phishing hosts detected in 2008. The percentage of threats to confidential information increased to 98% in 2009 compared to 83% in 2008; 89% of the threats have the ability to export user data and 86% of them have a keystroke-logging component" (p.1).
In a related recent study, the FDIC found that cyber thieves have cost US companies and their banks more than $15bn in the past five years (Menn, 2012). According to Menn (2012), American regulatory authorities and law enforcement agencies perceive financial institutions as part of the problem in the failure to thwart internet fraud. Menn (2012) further argues that although security is generally improving and the banks' own systems are rarely penetrated, hackers are increasingly exploiting the weakest link of the computer security chain: the user. William Nelson, chief executive of the Financial Services Information Sharing and Analysis Center, says: "No official statistics show which types of bank are better at protecting customers, but background interviews with executives and other data point to clear patterns. The number of attacks is rising as scammers go after smaller banks, where security is often weaker" (Menn, 2012). However, even big banks that generally do a better job of security are found to be victims of security breaches. The New York banking giant Citigroup reported that a total of 360,083 North America Citi-branded credit cards were affected in the security breach that occurred in June 2011 (Kapner, 2011a; Kapner, 2011b). A Citigroup spokesman said the company has about 23.5 million credit-card accounts in North America alone. In yet another security compromise reported in August 2011, thieves made off with the personal information of 92,408 Citigroup Inc. credit card customers in Japan and sold the data to third parties. It is the second data theft for Citi in three months and the latest sign of the vulnerability of banks and their clients. The scheme in Japan was perpetrated by a third-party vendor that had been given access to Citi's internal systems (Kapner, 2011c). Concerned about increasingly serious attacks from organized crime groups, the US Government wants its banks more secure (Menn et al, 2011). US banks will be forced to upgrade their systems for preventing online fraud in customer accounts under new guidelines issued by financial regulators. Instead of endorsing a specific technology or technique, the guidelines put the responsibility on the banks to assess their information security risks and adapt security measures accordingly (Menn et al, 2011). Such a risk-based security approach incorporates the human element of the banks' information security by promoting a sustainable and strong information security culture. Ethiopia can benefit from a late-comer's advantage by learning from the global information security trend. Hence, the banking sector in Ethiopia must embark upon both the technical and non-technical aspects of information security to manage the situation strategically.
2.3. Information security culture (ISC)
Martins and Eloff (2006) define information security culture as the assumption about acceptable information security behavior, and it can be regarded as a set of information security characteristics such as integrity and availability of information. In another work, Dhillon (1997) describes security culture as the behavior in an organization that contributes to the protection of data, information and knowledge. Peteris Treijs (2006) defines security culture as the assembly of characteristics and attitudes in organizations and individuals which establishes the security of information systems and networks as a high priority. Most recent research approaches information security culture from theories and models of organizational culture. Organizational culture defines how an employee perceives the organization (Ulich 2001). According to Schlienger and Teufel (2003), organizational culture is a collective phenomenon that grows and changes gradually and, to some extent, it can be influenced or even designed by the management. In line with this, Kuusisto and Ilvonen (2003) emphasize that information security culture is developed over time by changing the behavior in an organization in the desired direction. This takes place both by formalizing the framework of information security and by influencing the mental models, attitude, motivation and explicit and especially tacit knowledge of personnel. An organizational culture can have different subcultures depending on the sub-organizations or functions. Information security culture can be treated as a subculture with regard to the general organizational culture (Schlienger & Teufel, 2003). Research in the area has affirmed that the establishment of an organizational information security culture is essential for effective information security (Eloff & Von Solms, 2000; Von Solms, 2000).
The importance of establishing an information security culture in an organization has become a well established idea. The aim of such a culture is to address the various human factors that can affect an organization's overall information security practice (Van Niekerk & Von Solms, 2005). Users can be either security assets or exploitable weak links for an organization. Hence it is critical that all people who interact with the information system exercise an acceptable information security culture. It is therefore fundamental to understand and manage the psychology of users so that their belief, perception and attitude towards information security are acceptable. According to Schlienger and Teufel (2002), security culture covers social, cultural and ethical measures to improve the security-relevant behavior of the organizational members and is considered to be a subculture of organizational culture. Thus it tends to be stable and resistant to change regardless of the security level it guarantees. Information security culture deals with the psychology and behavior of employees in their interaction with the information system. Alnatheer & Nelson (2009) convey that a reliable security culture assists the enforcement of information security policies and practices in the organization. As a result, each organization's goal should be to achieve a strong and sustainable information security culture. In order to develop a successful information security culture within an organization, it is essential to understand the existing information security beliefs, practices and problems to identify possible gaps and pave the way for policy and management intervention. An organization has to measure and evaluate its information security culture level. Martins and Eloff (2006) substantiate this notion, underlining that a certain level of information security culture is already present in every organization where IT is integrated into business processes, but this culture could be a threat if it is not at an acceptable level. The aim in assessing the information security culture is to advance it positively. This could then aid in minimizing internal and external threats to the information asset in the organization.
2.4. Approaches to organizational information security culture
Studies have shown that technical solutions alone are not enough to manage internal security incidents. In order to have better security precautions in organizations, both the technical and non-technical aspects of information security need to be addressed (Zakaria et al, 2007). Zakaria et al (2007) further emphasize the importance of management activities in order to establish an appropriate information security culture within an organization. The IT strategy of an organization is developed to support and enable the core business of the organization in achieving its objectives. This strategy includes security as a main component, and a dedicated information security strategy is developed. The roles of senior management, allocation of budget, assignment of a dedicated function, participation of employees, the enforcement processes and the awareness program are information security tasks needed to establish or enhance ISC (Lim et al, 2009). In their ISC assessment article, Martins and Eloff (2006) describe that:
"ISC assessment approach consists of an audit process where the perceptions, attitudes, opinions and actions of employees regarding information security can be determined. By analyzing this information, an organization can assess how employees perceive information security activities and which aspects concerning information security culture need attention." (p.5)
Martins and Eloff (2006) approach the information security culture audit process through the phases of ISC questionnaire design, the actual survey process, data analysis and interpretation, and recommendation. This approach is adopted by the researcher to assess the information security culture in the banking sector in Ethiopia.
2.5. Factors that influence information security culture and practices
Alnatheer & Nelson (2009) classified the factors that influence security culture and practices into four themes:
- Corporate citizenship, which is achieved by information security awareness and training programs;
- Legal regulatory environment, which deals with information security management standardization, best practices and information security policy;
- Corporate governance, including top management support for information security management, information security compliance and information security risk analysis; and
- Cultural factors like national and organizational culture.
2.6. Requirements for effective information security culture
The first step in establishing an information security culture is to recognize the importance of information security to the core business of the organization. This should be championed by the top management, and consensus about the need for security should be reached among all employees in an organization. Top management support should be harnessed in planning, adopting and implementing information security programs. However, information security culture will develop and succeed only if there is participation from all levels of employees (Zakaria et al, 2007). Therefore, enforcement of security should be integrated with the empowerment of employees to be responsible for security. Internal support should be given priority and the overall direction should be communicated to employees so that they are intrinsically motivated to support the effort. Delegation of tasks and trust promote employees' ownership of the program. External consultants and control mechanisms should only have a supporting role in establishing and maintaining the information security culture of an organization.
The value of information security is elusive as it is abstract and hard to quantify. This is because people tend to give more emphasis on something that happened than something that is prevented to happen. As insightfully described by West (2008), employees are less motivated to exercise secure practices as the benefits of security are generally abstract. In addition to this, secure practices have significant cost on ease of use and resources that tempt employees to ignore secure practices. This calls for motivational factors like reward system and accountability consequences such as penalty for non-adherence. 2.7. Information security awareness programs Once the importance and actual value of information security is ingrained into the corporate culture, information security program can be developed and implemented effectively. This program can be initiated by creating information security awareness as a key method in establishing and maintaining a strong information security culture. Information security awareness programs should be designed to raise the awareness level of all managers and employees in an organization. Security awareness trainings enable employees to rationally analyze security risks and measures they should put in place. Information security awareness training should be designed in alignment with the core topics from the information security policy of the organization. The information security policy of an organization should comply with the international standards and guidelines. Nevertheless, this must not limit the customization of the policy to the existing information system context. Information security policies are developed based on risk assessment of the organization. This risk based approach ensures the coverage of critical vulnerabilities analyzed during risk assessment. 15 | P a g e
International information security standards include a provision for information security awareness programmes (ENISA, 2009). Information security training should not only comply with the international standard outlines but also be feasibly customized to the context of the organization. Education and awareness raising for financial organizations needs to be carried out internally as well as externally to foster a platform of trust and allow for compliance and governance mandates to be adhered to on a proactive basis (ENISA, 2009). The awareness program should be branded and appealing. Tessem, H.M. and Skaaraas, K.R. (2005) argue that "while it has been claimed that we live in the information society, a more accurate claim might be that we live in the entertainment society" (p.18). Since people respond to an entertaining approach to value delivery, the program should capture the attention of employees, and they should develop a sense of affiliation to the program. A security awareness program will deliver security-conscious employees who exercise best security practices that comply with information security policies and report incidents accordingly. These employees are intrinsically motivated to defend the information assets of their organizations, as they understand the trade-off between security and cost. Security awareness is relatively transferable knowledge across systems. It requires only system-specific details to be incorporated to accommodate secure usage of new technologies in the information system. The effectiveness of the security awareness program should be evaluated periodically. This provides feedback on the level of employees' adherence to information security policies and the effectiveness of the awareness training curriculum. The evaluation result can be used to update the information security policy and the topics and content of the awareness training. The participation of employees should be enhanced, and a revised version of the awareness training should be delivered annually.
2.8. Information Security Culture Model

Recognizing the need to measure information security culture, different assessment tools have been proposed by authors. The Framework for Fostering Information Security Culture in Small and Medium Enterprises developed by Sneza, D., and the Outcomes Based Framework for Culture Change model developed by Frederick, J., et al. are among the proposed tools. However, a more comprehensive model is the Information Security Culture model designed by A. Martins and J. Eloff (2002), which is derived from the organizational behavior model of Robbins (1989). This conceptual information security culture model is derived from the paradigm of approaching information security culture as a sub-culture of organizational culture. Martins and Eloff identified information security controls at the individual, group and organizational levels of organizational behavior that could influence information security culture (N. Martins & J. Eloff 2002; A. da Veiga et al 2007). This research assesses the level of information security culture in the banking sector in Ethiopia explicitly from the perspective of this model. The interrelationships between information security culture tasks (dependent and independent variables) at all levels are apparent from Figure 1.
Figure 1: Adopted information security culture model
Source: Information security culture model originally developed by Martins, A. & Eloff, J. 2002.
2.9. Summary of the Literature Review

This literature review revealed that information security culture is an emerging topic in information security that is yet to be studied in depth. This active research area is even more in its infancy in the context of the Ethiopian banking sector. Furthermore, the review identifies the enabling factors and evaluation dimensions of information security culture and synthesizes the outcomes of related studies. Ultimately, people interact directly with information systems and have access to information. Any effort merely in technological and process security measures will be futile if the user aspect of security is not effectively managed. Accordingly, this paper focuses on the human aspect of information systems. To address this socio-cultural aspect of information security, information security culture is recognized as a discipline of information security.

The literature review underlined the need for promoting information security culture, citing prominent literature in the area. Risks and threats of information security in the banking sector and different security breaches that occurred at global banks are discussed to demonstrate the need to approach information security in the banking sector comprehensively. The rationale for assessing existing information security culture and the approaches to assessing it are also reviewed from related literature to support the research method of this paper. Well-established factors that influence information security culture are also reviewed to serve as reliable perspectives for data analysis, interpretation, conclusion and recommendation. Information security awareness programs are discussed in detail, as the issue is central to the research agenda. The gap observed in the literature on information security culture stems from the unavailability of a comprehensive and working information security culture framework. Most models and frameworks are conceptual and not practically tested in the banking sector. A widely accepted and comprehensive information security culture model originally developed by Martins A. and J. Eloff (2002) is illustrated, as it serves as the basis for this research. This model has been validated in the context of financial institutions.
CHAPTER III Research Design and Methodology
This chapter explores the research design, the instrument of data collection, the subjects of the research, the sampling technique and the ethical considerations taken into account.

3.1. The Research Design

A survey research method is employed in order to assess the information security culture in the banking sector in Ethiopia. This research is based on a widely accepted information security culture model originally developed by Martins A. and J. Eloff (2002). As this study is aimed at assessing existing information security attitudes, perceptions and practices, it is imperative that a reliable research method is employed. Although qualitative research methods like interviewing are feasible for behavioral studies, this research relied on quantitative primary data collected through a validated standard questionnaire developed on the basis of a model for assessing information security culture.

3.2. Instrument of Data Collection

3.2.1. Questionnaire

Primary data was collected from the headquarters of 11 different banks in Addis Ababa. A questionnaire to assess information security culture developed by Martins (2002) is adopted. This assessment instrument was validated and improved by performing a factor and reliability analysis on the data from an information security culture assessment in a financial organization (Veiga et al, 2007). Factors in the establishment and maintenance of a proper information security culture are assessed. Then the information security culture in the banking sector in Ethiopia is evaluated through an audit process.

The questionnaire (Appendix I) has 41 statements that assess the perceptions, attitudes, opinions and actions of employees regarding information security. A five-point Likert scale, which is advisable for assessing behavioral patterns, is provided for responding to the information security culture statements. Minor changes were made to contextualize the questionnaire to the target research participants.

3.3. Subjects and Sampling

3.3.1. Subjects of the research
Initially, 15 different banks in Addis Ababa were approached to participate in this research. Four of them declined the offer. Fortunately, 11 banks cooperated to participate in the research. Only four of these banks are governmental (Commercial Bank of Ethiopia (CBE), National Bank of Ethiopia (NBE), Construction and Business Bank (CBB) and Development Bank of Ethiopia (DBE)). The seven private banks considered are: Lion International Bank (LIB), Dashen Bank, Wegagen Bank, Bank of Abyssinia, Awash International Bank (AIB), Zemen Bank and Oromia International Bank (OIB). The survey was conducted at the headquarters of these banks, located at different sites in Addis Ababa. An assumption is made that the information security culture in branch banks bears a resemblance to the information security culture practiced at headquarters.

Bank employees in the IT or Information Systems (IS) departments are the main respondents of the survey because these employees directly access the banks' valuable and confidential information systems. In addition, IT departments serve as a liaison between the managerial and operational staff. Furthermore, these employees are assumed to have the minimum information security awareness needed to complete the questionnaire. This helps the respondents to perceive the meaning of the statements uniformly. IT professionals, departmental managers and operational staff of the IS/IT department are the subjects of this research. The trend among these employees is assumed to heavily influence the information security culture of other departments. Thus, assessing the level of information security culture in IS/IT departments substantiates the findings of the research, because the subjects are at the heart of the banks' information systems. Hence, conclusions and recommendations made based on research findings from these subjects' data are believed to be valid and reliable.

3.3.2. Sampling technique

A non-probability convenience snowball sampling technique is used to collect data from all the banks. The general objective is communicated to contact persons in all 11 banks, and they steward the data collection. This sampling technique capitalizes on insider experience and so facilitates the data collection process. A larger sample size would have been preferred for the research. Due to the busy working environment in the banking sector, it was not easy to convince banks to complete more than a few questionnaires.

It took five weeks to distribute and collect all the completed questionnaires. The challenge arose from the geographic distribution of the banks and the bureaucratic procedures followed to accommodate academic research questionnaires. 120 questionnaires were distributed and 102 were returned (a return rate of 0.85). Two questionnaires were rejected due to significant incompleteness. Finally, 100 questionnaires were encoded into SPSS version 16.0 for data analysis.
3.4. Techniques of Data Analysis

Biographical data like bank name, bank type, job level and years of experience in the banking sector are directly encoded from the collected data. The job level variable is further transformed into senior manager, departmental manager, IT professional and operational staff categories, and a new variable (Job category) is defined. The years of experience variable is likewise transformed into intervals (0-2 years, 2-5 years, 5-10 years and above 10 years), and a new variable (Year of Experience) is defined. Missing values of biographical data could not be replaced; instead, the percentage of respondents with missing data is computed separately.

Each statement in the questionnaire is treated as a variable, and convenient names are assigned to the variables. The Likert scale responses are encoded numerically [Strongly Disagree=1, Disagree=2, Unsure=3, Agree=4 and Strongly Agree=5]. Missing values are interpreted as Unsure responses. Then, dichotomous values are computed by transforming the five Likert scale values into two values: [Strongly Disagree=1, Disagree=2, Unsure=3 into Unfavorable=0] and [Agree=4 and Strongly Agree=5 into Favorable=1].
According to the information security culture model originally developed by Martins A. and J. Eloff (2002), there are three levels [Individual, Group and Organizational] and nine sub-dimensions [Awareness, Ethical conduct, Trust, Management, Risk analysis, Policies and procedures, Benchmarking, Budgeting and Change] of information security culture tasks and issues. In line with this, the 41 information security assessment statements are grouped into these nine sub-dimensions. Favorable information security culture values are counted in each sub-dimension. To that end, respondents who scored in the 3rd quartile and above (>=75%) are categorized as having a favorable information security culture, while scores below the 3rd quartile (<75%) were considered unfavorable in relation to the variables of interest. The rationale is that higher counts are expected from respondents because of the simplicity of the statements and the security performance expected in the banking sector.
Then the statistical frequency of favorable percentile values is computed for each sub-dimension and dimension. The crosstab features of SPSS are used to discover associations between information security culture sub-dimensions. The observed and expected counts are compared to identify the interdependence of one information security culture task with another. Chi-square tests [p<=0.05] are used to establish how reliably a relationship between two sub-dimensions can be concluded. A confidence level of more than 95% is considered reliable. Then, binary logistic regression is computed to further discuss the findings.

Since the data collected is ordinal and based on existing information security perceptions, attitudes and practices, inferences can be made using statistical regression analysis. The level of interdependence between dependent and independent sub-dimensions can be observed. The probability of an increase in the dependent variable driven by an increase in the independent variable can be portrayed with the adjusted odds ratio and the lower and upper limits of its confidence interval. Binary logistic regression is computed between dependent and independent variables [Adjusted Odds Ratio (95% CI) = the odds ratio (lower limit of the confidence interval, upper limit of the confidence interval)]. The results are interpreted from the perspective of the information security culture conceptual model and the related literature review. Then conclusions and recommendations are framed based on the statistical findings and the interdependence between information security culture sub-dimensions.
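The scoring rules described in this section (Likert encoding, missing answers read as Unsure, dichotomisation, grouping into the nine sub-dimensions, the 3rd-quartile cut-off and a crosstab with a chi-square test) as an added worked example in Python; this is not the thesis's own SPSS procedure. It assumes the statement-to-sub-dimension mapping shown in Tables 1-9 of Chapter IV, treats the inversely analyzed statements 24 and 25 as the N.B. to Table 8 describes, and uses constructed sample answers rather than survey data.

```python
"""Added example (not the thesis's own SPSS procedure): the Section 3.4
scoring rules for the ISC questionnaire and a crosstab chi-square test."""
from collections import defaultdict

LIKERT = {"Strongly Disagree": 1, "Disagree": 2, "Unsure": 3,
          "Agree": 4, "Strongly Agree": 5}
# Statement numbers per sub-dimension, assumed from Tables 1-9 of Chapter IV.
SUB_DIMENSIONS = {
    "Awareness": [1, 2, 3, 4, 5, 6, 7, 8],
    "Management": [9, 10, 32, 34, 41],
    "Policies and procedures": [11, 13, 16, 17, 18, 19],
    "Benchmarking": [12, 14, 15],
    "Ethical conduct": [20, 21, 22, 23, 24, 25, 26],
    "Risk analysis": [27, 28],
    "Budget": [29, 30],
    "Change": [31, 33, 35, 36],
    "Trust": [37, 38, 39, 40],
}
ALL_STATEMENTS = sorted(n for nums in SUB_DIMENSIONS.values() for n in nums)
# Statements 24 and 25 are analysed inversely (N.B. to Table 8): agreeing
# that all bank information should be open to everyone is unfavorable.
INVERSE = {24, 25}
CHI2_CRITICAL_DF1_05 = 3.841  # chi-square critical value, df=1, alpha=0.05

def encode(response):
    """Map a Likert label to 1..5; a missing answer is read as Unsure (3)."""
    return 3 if response is None else LIKERT[response]

def is_favorable(statement, score):
    """Dichotomise: Agree/Strongly Agree -> 1, all else (Unsure included) -> 0.
    Inverse statements: Disagree/Strongly Disagree -> 1; Unsure stays 0
    (assumption, the thesis does not spell out the inverse rule for Unsure)."""
    return int(score <= 2) if statement in INVERSE else int(score >= 4)

def score_respondent(answers):
    """answers: {statement_no: label or None}; unlisted statements are missing.
    Returns per-sub-dimension favorable counts and the overall count of 41."""
    scores = {n: encode(answers.get(n)) for n in ALL_STATEMENTS}
    per_sub = {name: sum(is_favorable(n, scores[n]) for n in nums)
               for name, nums in SUB_DIMENSIONS.items()}
    return per_sub, sum(per_sub.values())

def classify(favorable, total, cut=0.75):
    """3rd-quartile rule: favorable share >= cut is 'favorable'. Section 4.2
    reports the overall cut-off as 32 of 41; pass cut=32/41 to reproduce it."""
    return "favorable" if favorable / total >= cut else "unfavorable"

def favorable_percentages(respondents):
    """Per-statement favorable percentage across respondents (Tables 1-9)."""
    hits = defaultdict(int)
    for answers in respondents:
        for s in ALL_STATEMENTS:
            hits[s] += is_favorable(s, encode(answers.get(s)))
    return {s: round(100 * hits[s] / len(respondents)) for s in ALL_STATEMENTS}

def crosstab_pairs(respondents, sub_a, sub_b):
    """Classify every respondent on two sub-dimensions for a 2x2 crosstab."""
    pairs = []
    for answers in respondents:
        per_sub, _ = score_respondent(answers)
        pairs.append((classify(per_sub[sub_a], len(SUB_DIMENSIONS[sub_a])),
                      classify(per_sub[sub_b], len(SUB_DIMENSIONS[sub_b]))))
    return pairs

def chi_square_2x2(pairs):
    """Observed vs expected counts (row total * column total / n); returns the
    chi-square statistic and whether it exceeds the 5% critical value (df=1),
    i.e. whether the two sub-dimensions can be concluded to be associated."""
    levels = ("favorable", "unfavorable")
    obs = {(a, b): 0 for a in levels for b in levels}
    for pair in pairs:
        obs[pair] += 1
    n = len(pairs)
    row = {a: sum(obs[(a, b)] for b in levels) for a in levels}
    col = {b: sum(obs[(a, b)] for a in levels) for b in levels}
    stat = 0.0
    for a in levels:
        for b in levels:
            expected = row[a] * col[b] / n
            if expected:  # an empty row or column contributes nothing
                stat += (obs[(a, b)] - expected) ** 2 / expected
    return round(stat, 3), stat > CHI2_CRITICAL_DF1_05

# Constructed sample answers (not survey data); unlisted statements are missing.
SAMPLE = [
    {27: "Strongly Agree", 28: "Agree", 29: "Agree", 30: "Strongly Agree",
     24: "Disagree", 25: "Strongly Disagree"},
    {27: "Agree", 28: "Unsure", 29: "Agree", 30: "Agree", 24: "Agree", 25: None},
    {27: "Agree", 28: "Agree", 29: "Strongly Agree", 30: "Agree"},
    {27: "Disagree", 28: "Unsure", 29: "Unsure", 30: "Disagree"},
]

if __name__ == "__main__":
    for answers in SAMPLE:
        print(score_respondent(answers)[1], classify(*score_respondent(answers)[::-1][:1], 41, cut=32 / 41))
    print(chi_square_2x2(crosstab_pairs(SAMPLE, "Risk analysis", "Budget")))
```

With only four constructed respondents the chi-square statistic (1.333) stays below the 3.841 critical value, so no association between the Risk analysis and Budget sub-dimensions can be concluded from this sample.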
3.5. Ethical Consideration

The researcher received a letter of endorsement from International Leadership Institute (ILI) that supported the request for the necessary data from the banks. A copy of the letter was provided to all the banks in the request for cooperation. Once the informed consent of the bank's top management was obtained, contact personnel among the research participants were approached to obtain their informed consent too. In addition, the cover page of the questionnaire (Appendix I) describes the researcher's brief profile, the topic of concern, the overall objective of the research and a guide to completing the questionnaire. These efforts provided the subjects of the research with full information.

Genuine responses are encouraged by ensuring the anonymity and confidentiality of the survey. No identifiable information whatsoever about a respondent will ever be passed on to any other body. Each research participant was provided with a signed peel-and-seal envelope to preserve the anonymity of the survey. Such efforts contributed to a decent return rate (0.85) and to the consistency of the collected data, and thus to data quality.
CHAPTER IV Data Analysis and Discussion
This chapter presents the findings of the study and discusses and interprets the results in detail. The collected data is analyzed, and the findings are interpreted based on well-established factors that influence information security culture and from the perspective of the adopted information security culture model.

4.1. Key concepts in analyzing the data

In order to effectively analyze the collected data based on the information security culture model, the 41 information security culture statements are categorized into four [individual level, group level, organizational level and change] dimensions. The Individual level dimension includes two sub-dimensions, Awareness and Ethical conduct. Awareness sub-dimension statements assess the knowledge, attitude and perception of employees towards information security. Ethical conduct sub-dimension statements assess the adherence of employees to the existing information security policy and procedures and their perception of access to data and intellectual property. Management's regard for the privacy of employees' information is also considered in this sub-dimension.

The Group level dimension includes two sub-dimensions, Management and Trust. Management sub-dimension statements assess the perception and commitment of top management to information security. The establishment of a dedicated information security function in the banks, communication of security information on a need-to-know basis and participation of employees in information security initiatives are also assessed in this sub-dimension. Trust sub-dimension statements assess the trust environment between employees and their managers at different levels.

The Organizational level dimension includes four sub-dimensions, Risk analysis, Policies and procedures, Benchmarking and Budget. Risk analysis sub-dimension statements assess the availability of a dedicated risk analysis function and the perception of employees about the importance of risk analysis in the bank. Policies and procedures sub-dimension statements assess whether the bank has implemented an information security plan, policy and procedures. The availability of formal information security incident reporting procedures and the access of employees to all these documents is also evaluated. Benchmarking sub-dimension statements assess the evaluation of the bank's information security status compared with other banks and its compliance with international standards. Budget sub-dimension statements assess the perception of employees about the importance of budgeting annually for information security as a strategic investment.

Change sub-dimension statements assess the readiness of employees to accept new information security practices and how the bank's management recognizes and organizes information security changes.
4.2. Statistical analysis and main findings of the survey
The information security culture data is collected from 4 (37%) governmental and 7 (63%) private banks. The job category distribution of the respondents indicates 12 (12%) department managers, 58 (58%) IT professionals and 18 (18%) operational staff; the remaining 12 (12%) respondents did not complete this variable. With regard to years of experience, all experience levels of employees in the banking sector in Ethiopia are represented: 19 (19%) of the respondents have more than 10 years of experience in the banking sector, 22 (22%) have 5 to 10 years, 28 (28%) have 2 to 5 years and 23 (23%) have less than 2 years; the remaining 8 (8%) did not respond to this variable. Generally, the information security culture level in the banking sector in Ethiopia is found to be inadequate. Only 25% of the respondents are found to have a favorable information security culture [>=32/41]. The remaining 75% have an unfavorable information security culture that can expose the information assets of the banks. This shows that holistic and strategic work is needed to promote information security culture in the banking sector in Ethiopia.

Figure 2 represents the percentage of respondents who are found favorable and unfavorable about the statements portrayed in the four dimensions of information security culture. The favorable percentages indicate the information security perception, attitude and behavior in the banks that are in line with a strong information security culture. The unfavorable percentages indicate the information security perception, attitude and behavior gaps that are possible improvement areas. A larger unfavorable percentage indicates a wider gap in the variable of interest that needs serious managerial intervention. From Figure 2, it is evident that the individual, group and change dimensions are critical developmental areas. The organizational level information security culture dimension scores a slightly better (38%) result.
Figure 2: Information security culture dimensions assessment
Source: Computed, 2012
Dimension  Favorable  Unfavorable
Individual  28%  72%
Group  30%  70%
Organizational  38%  62%
Change  30%  70%
4.2.1. Detail findings of information security culture sub-dimensions
Figure 3 represents the percentage of respondents who are found favorable and unfavorable about the statements portrayed in the nine sub-dimensions. The frequency distributions of the nine sub-dimensions indicate that ethical conduct, trust, benchmarking, policy and procedures, and change are developmental sub-dimensions that need serious managerial attention. On the other hand, the frequency distributions of the awareness, management, budget and risk analysis sub-dimensions show average results that also need significant improvement.
Figure 3: Information security culture sub-dimensions assessment
Source: Computed, 2012
Sub-dimension  Favorable  Unfavorable
Risk analysis  59%  41%
Policy and Procedures  25%  75%
Benchmarking  33%  67%
Budget  79%  21%
Management  48%  52%
Trust  36%  64%
Awareness  50%  50%
Ethical conduct  33%  67%
Change  30%  70%

The detailed findings of each sub-dimension are reported in Tables 1-9. The Strongly Disagree, Disagree and Unsure Likert-scale responses of research participants are considered unfavorable, while the Agree and Strongly Agree Likert-scale responses are considered favorable. An Unsure perception or attitude response is considered a negative response, as it lacks consistency. Only the favorable responses are positive results that contribute to promoting a sustainable information security culture. The frequency distributions of favorable responses are presented as favorable percentages. The favorable percentages of each statement in the same sub-dimension are listed in Tables 1-9.
4.2.1.1. Risk analysis sub-dimension of ISC
Table 1: Risk analysis sub-dimension assessment
No.  Statement  Favorable percentage
27  I think it is important to perform a risk analysis of information assets in the bank.  94%
28  There is a function/person/team responsible for risk analysis of information assets in the bank.  60%
Source: Computed, 2012 - Questionnaire to assess ISC originally developed by Martins (2002).

Respondents perceive performing a risk analysis as important (94%). However, only 60% of the respondents believe there is a function responsible for risk analysis of information assets in the banks. This implies that risk analysis is not conducted formally and that imminent information security threats might not be communicated to employees. Every bank should clearly dedicate a function that effectively conducts risk analysis of its information assets.
4.2.1.2. Policy and Procedures sub-dimension of ISC
Table 2: Policy and Procedures sub-dimension assessment
No.  Statement  Favorable percentage
11  The bank has an information security plan.  65%
13  There are formal procedures indicating how I should report information security incidents.  32%
16  The bank has a written information security policy.  56%
17  The information security policy reflects the bank's objectives.  58%
18  Procedures are implemented to support the information security policy.  48%
19  I can easily obtain a copy of the information security policy.  33%
Source: Computed, 2012 - Questionnaire to assess ISC originally developed by Martins (2002).

Here, it is evident that formal information security incident reporting procedures (32%) suffer a negative result in the banking sector in Ethiopia. This is partly because security incident reporting procedures are either not developed or not effectively disseminated to employees. Access to the information security policy and procedures also suffers a poor 33% favorable response. The implementation of information security procedures (48%) is not at a satisfactory level, as security should be approached holistically. Half security is equivalent to no security: a security compromise at one level can mean compromise at every level. Even the relatively better result for the information security plan (65%) is not satisfactory, taking the security sensitivity of the banking sector into consideration. Banks in Ethiopia should develop formal procedures indicating how employees report information security incidents. The dissemination and implementation of information security policies also need serious attention.
4.2.1.3. Benchmarking sub-dimension of ISC
Table 3: Benchmarking sub-dimension assessment
No.  Statement  Favorable percentage
12  Information security is measured on a continuous basis within the bank.  58%
14  The bank's information security measures compare favorably with other similar banks' information security measures.  23%
15  The bank's information security measures comply with international standards.  28%
Source: Computed, 2012 - Questionnaire to assess ISC originally developed by Martins (2002).

Respondents negatively perceive the compliance of the banks' information security measures with international standards (28%). Most respondents are not sure about the level of information security practice compared with other banks. Continuous information security evaluation (58%) also needs to improve. Vulnerability assessment and auditing should be conducted on a continuous basis. Banks in Ethiopia should cooperate to share information security incidents and best practices. Benchmarking against international standards can also help banks achieve objective results. International information security standards like ISO 27002 (code of practice for information security) and ISO 27001 (specification for an information security management system) should be implemented at the organizational level to assist the establishment of a reliable information security culture. Compliance with these international standards assists in promoting a positive information security culture.
4.2.1.4. Budget sub-dimension of ISC
Table 4: Budget sub-dimension assessment
No.  Statement  Favorable percentage
29  Investment in information security should be seen as a future investment.  80%
30  It is important to budget annually for information security spending/costs.  96%
Source: Computed, 2012 - Questionnaire to assess ISC originally developed by Martins (2002).

Respondents perceive budgeting annually for information security costs as a strategic investment. This attitude is considered positive for promoting information security change initiatives. This sub-dimension enjoys the highest overall result (79%). However, it is worth noting that if the budgeting practice in the banks does not match the perception about budgeting, the result can be misleading. If top management of the banking sector in Ethiopia does not practically back the positive budgeting endorsement by employees, this sub-dimension result will be unrealistic. Nevertheless, the fact that information security budgeting is perceived positively indicates that information security initiatives are positively endorsed by employees. This provides suitable ground for involving employees in information security tasks and delegating such tasks to them.
4.2.1.5. Management sub-dimension of ISC
Table 5: Management sub-dimension assessment
No.  Statement  Favorable percentage
9  I know the function/person/team responsible for the information security in the bank.  77%
10  Management assists in the implementation of information security in the bank.  60%
32  Management perceives information security as important.  62%
34  Management communicates information security information on a need-to-know basis to all job levels.  45%
41  My manager involves me in decisions that affect me.  62%
Source: Computed, 2012 - Questionnaire to assess ISC originally developed by Martins (2002).

The management sub-dimension is perceived as average by the respondents. Even though employees generally know the function responsible for information security in the bank (77%), the managers' involvement in communication, implementation and harnessing employee participation should be improved. Respondents perceive the understanding (60%) and support (62%) of top management for information security implementation as inadequate. The participation of employees in decision making is 62%. However, the communication of security information on a need-to-know basis to employees (45%) is perceived negatively. Thus, management should communicate information security procedures and guidelines to all job levels on a need-to-know basis.
4.2.1.6. Trust sub-dimension of ISC
Table 6: Trust sub-dimension assessment
No.  Statement  Favorable percentage
37  I trust my immediate manager.  78%
38  My immediate manager trusts me.  66%
39  I trust top management.  61%
40  I feel that top management trusts employees.  51%
Source: Computed, 2012 - Questionnaire to assess ISC originally developed by Martins (2002).

The trust relationship between employees and their immediate managers is found to be relatively more positive than that between employees and top management. So top management should sometimes directly approach and communicate with employees to build a positive trust environment at all levels.

4.2.1.7. Awareness sub-dimension of ISC
Table 7: Awareness sub-dimension assessment
No.  Statement  Favorable percentage
1  It is important to determine the bank's security needs.  98%
2  Information security should be regarded as a technical issue.  72%
3  Information security should be regarded as a functional (business) issue.  72%
4  I know what the term information security implies.  87%
5  I think it is important to implement information security in the bank.  96%
6  I am aware of information security relating to my job role.  86%
7  I am trained in the information security controls I am supposed to use.  52%
8  I have a responsibility towards information security in the bank.  83%
Source: Computed, 2012 - Questionnaire to assess ISC originally developed by Martins (2002).

The perception of respondents about the importance of information security is positive. However, the training of employees in the information security controls and measures they are supposed to use (52%) is the lowest score in the Awareness sub-dimension. This shows that if information security training is provided to employees, banks can raise the level of information security awareness perception, attitude and knowledge of their employees even further. The training program should be designed based on the output of the information security risk analysis and the information security policies and procedures.

4.2.1.8. Ethical conduct sub-dimension of ISC
Table 8: Ethical conduct sub-dimension assessment
No. Statement Favorable percentage
20 I adhere to the bank's information security policy. 66%
21 The bank ensures that I adhere to the information security policy. 50%
22 Management regards the privacy of information about employees as important. 63%
23 I think it is important to regard the work I do as part of the bank's intellectual property. 86%
24 All information about the bank should be available for employees to access, e.g. financial statements, strategies, etc. (44%)
25 All information about the bank should be available for non-employees to access, e.g. financial statements, strategies, etc. (69%)
26 I should be held accountable for my actions if I do not adhere to the information security policy. 83%
Source: Computed, 2012 - Questionnaire to assess ISC originally developed by Martins (2002).
N.B. Statements 24 and 25, unlike all other statements, are analyzed inversely.

The information access perception of employees (44%) needs attention, as it contributes to unintentional compromise of information assets by insiders. Information access within the bank has to be limited on a need-to-know basis. The adherence of employees to the bank's information security policy is only partially (50%) ensured by the banks. This auditing measure is also a critical improvement area.
4.2.1.9. Change sub-dimension of ISC
Table 9: Change sub-dimension assessment
No. Statement Favorable percentage
31 I am prepared to change my working practices in order to ensure security of information. 83%
33 Change processes relating to information security are accepted positively in the bank, e.g. a clear desk policy, use of encryption, making backups every day, etc. 73%
35 The bank organizes and manages the impact of information security change on the bank. 42%
36 The bank recognizes and manages the impact of information security change on the bank. 47%
Source: Computed, 2012 - Questionnaire to assess ISC originally developed by Martins (2002).

The readiness (83%) and acceptance (73%) of employees to change their information security practices are positive. However, the perception of how the banks organize (42%) and recognize (47%) the impact of information security changes is found to be unsatisfactory in the banking sector in Ethiopia. Hence, positive information security changes should be recognized and rewarded, while non-adherence should bear accountability measures. Bank managers should also oversee and recognize the impact of positive information security culture change.
4.2.2. Discussion of Results: Interrelationship between the ISC sub-dimensions
According to the results of the computed binary logistic regression, suitable ethical conduct raises the likelihood of effective implementation of information security policies and procedures [AOR (95% CI) = 6.065 (2.278, 16.150)] [1]. This signifies that attention should be drawn to enhancing the ethical conduct of employees, that is, their willingness to adhere to information security policy and guidelines. The role of management in promoting information security awareness is observed to be imperative [AOR (95% CI) = 2.667 (1.188, 5.985)]. This implies that improving the information security awareness of managers influences the overall information security awareness of the bank. Awareness and ethical conduct are information security culture tasks an organization has to enhance in order to advance individual level information security practices. The prevalence of an acceptable individual level information security culture in assisting positive change of information security culture in the banks is also observed from the data analysis [AOR (95% CI) = 2.581 (1.036, 6.428)].

[1] Adjusted Odds Ratio (95% CI) = the odds ratio (lower limit of the confidence interval, upper limit of the confidence interval). The same notation is used for all AOR values in this section.

Management attributes such as communication of security information on a need-to-know basis and participation of employees in information security initiatives most likely raise a positive trust environment in the banks [AOR (95% CI) = 4.964 (2.032, 12.127)]. A positive trust environment is observed to sustain effective implementation of information security policies and procedures [AOR (95% CI) = 3.066 (1.206, 7.795)]. The role of management in the effective implementation of information security policies and procedures is essential [AOR (95% CI) = 5.023 (1.795, 14.053)]. Management and trust are information security factors that constitute group level information security culture. Proper accommodation of group level information security culture tasks encourages the readiness and acceptance of employees to change their information security practices, which results in positive information security culture change [AOR (95% CI) = 4.571 (1.811, 11.540)].
Policy and procedures are found to coexist with risk analysis [AOR (95% CI) = 5.112 (1.601, 16.325)]. Benchmarking tasks such as information security evaluation and compliance with international standards can only be expected if the bank implements information security policies and procedures [AOR (95% CI) = 7.836 (2.866, 21.421)]. These organizational level information security culture tasks (risk analysis, policy and procedures, and benchmarking) impact the recognition and management of positive information security change in the banking sector in Ethiopia [AOR (95% CI) = 5.778 (2.281, 14.633)]. Unlike the other organizational level sub-dimensions, the Budget sub-dimension is found to have no association with any of the other eight sub-dimensions. This is probably because the result of the benchmarking sub-dimension (79%) doesn't align with the other findings. If the statements had assessed the allocated budget rather than the perception of employees about the importance of budgeting, the result would have been different and an association with other sub-dimensions could have been observed.
In line with the information security culture model employed, the information security culture tasks at different levels are statistically found to be interrelated. Organizational level information security culture tasks are built upon individual and group level information security tasks. The likelihood of individual information security culture endorsing organizational information security culture is [AOR (95% CI) = 4.173 (1.678, 10.377)]. The interdependence between group and organizational level information security culture tasks is also apparent from the computed binary logistic regression [AOR (95% CI) = 7.275 (2.805, 18.866)]. These findings further validate that the adopted model is feasible for assessing the information security culture in the context of the banking sector.
The culmination of all three levels of information security culture tasks results in cultivating a positive information security culture change. It is essential to identify, prioritize and deal with the developmental information security culture elements. Identifying the causal links between the information security culture sub-dimensions helps in finding a strategic way to prioritize and invest in information security initiatives. The statistical frequency findings point out the gaps underlying the existing information security culture in the banking sector in Ethiopia. Integrating the statistical frequency findings with the associations between interdependent sub-dimensions provides a clear understanding that directs effective engagement measures to promote information security culture in the banking sector in Ethiopia.
CHAPTER V Conclusion and Recommendations
This chapter concludes the paper by forwarding integrated conclusions and recommendations based on the statistical findings and observed interdependence between the variables. Critical areas of improvement are identified and measures to promote information security culture in the banking sector in Ethiopia are recommended.
5.1. Conclusions

This research assessed the level of information security culture in the banking sector in Ethiopia from the perspective of the information security culture model originally developed by Martins, A. and Eloff, J. (2002). A survey research method was employed in order to assess the information security culture in the banking sector in Ethiopia. The research used a quantitative method based on a validated information security culture questionnaire (Appendix I) taken from previous related literature. A non-probability convenience snowball sampling technique was used to collect data from the headquarters of 11 banks in Addis Ababa. 100 questionnaires were encoded into SPSS for data analysis. The collected data was analyzed with respect to well-established factors that influence information security culture. Statistical frequencies of favorable percentage values were computed for each information security culture sub-dimension. The interdependence between information security culture variables was identified, and logistic regression was computed to further discuss the findings. The results of this study have important implications for assessing the information security culture, identifying possible gaps and recommending measures that can be implemented by practitioners to enhance the information security culture in the banking sector in Ethiopia.
Based on the supporting evidence from the statistical findings and their interpretation from the perspective of the adopted information security culture model, the following conclusions are derived:

The study revealed that the level of information security culture in the banking sector in Ethiopia is unsatisfactory. Only 25% of the respondents are found to have a favorable information security culture [>=32/41].
The frequency distributions of the nine sub-dimensions indicate that ethical conduct, trust, policy and procedures, benchmarking and change are developmental sub-dimensions that need serious managerial attention. Nevertheless, the awareness, management, budget and risk analysis sub-dimensions show average results that need significant improvement too.
Formal information security incident reporting procedures are not sufficiently available in the banking sector in Ethiopia.
Most banks in Ethiopia generally do not comply with international standards of information security. However, benchmarking against international standards can help banks achieve objective results. Compliance with international standards assists in promoting a positive information security culture.
The communication of information security information on a need-to-know basis to all job levels by management in the banking sector in Ethiopia is found to be inadequate. The dissemination and implementation of the information security policies need serious attention.
The trust relationship between employees and their immediate managers is found to be relatively more positive than that between employees and top management in the banking sector in Ethiopia.
The training of employees in the information security controls and measures they are supposed to use is a critical improvement area in the banking sector in Ethiopia.
The information access perception of employees in the banking sector in Ethiopia needs attention, as it contributes to unintentional compromise of information assets by insiders.
The banking sector in Ethiopia poorly organizes, recognizes and manages the impact of information security change.
The information security culture tasks at different levels are interrelated. Organizational level information security culture tasks are built upon individual and group level information security tasks. The culmination of favorable performances at all three levels of information security culture tasks promotes positive information security culture change in the banking sector in Ethiopia.
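As an added illustration, not the thesis's own analysis code or survey data, the following Python scores constructed Likert responses the way the thesis describes: statements 24 and 25 are scored inversely, a respondent's culture counts as favorable at 32 or more favorable items out of 41, and a 2x2 odds ratio with a Wald 95% CI is computed to illustrate the "AOR (lower, upper)" notation. The mapping of Agree/Strongly Agree to "favorable", the four sample respondents and the 2x2 counts are assumptions made for the example; the thesis's AORs are adjusted estimates from logistic regression, which this crude ratio does not reproduce.

```python
from math import exp, log, sqrt

# Five-point Likert scale of the Appendix I questionnaire.
LIKERT = {"Strongly Disagree": 1, "Disagree": 2, "Unsure": 3,
          "Agree": 4, "Strongly Agree": 5}
TOTAL_ITEMS = 41
# Statements 24 and 25 are analysed inversely (Table 8 note): disagreement is favorable.
INVERSE_ITEMS = {24, 25}
# A respondent has a favorable information security culture at >= 32 of 41 items.
FAVORABLE_THRESHOLD = 32


def item_is_favorable(item: int, response: str) -> bool:
    """Assumption: Agree/Strongly Agree is favorable; inverse items flip this."""
    score = LIKERT[response]
    if item in INVERSE_ITEMS:
        return score <= 2
    return score >= 4


def favorable_percentage(item: int, respondents) -> float:
    """Favorable percentage of one statement across respondents (Tables 6-9 style)."""
    hits = sum(item_is_favorable(item, r[item]) for r in respondents)
    return 100.0 * hits / len(respondents)


def respondent_is_favorable(answers) -> bool:
    """Count a respondent's favorable items and compare with the 32/41 threshold."""
    count = sum(item_is_favorable(i, a) for i, a in answers.items())
    return count >= FAVORABLE_THRESHOLD


def share_favorable(respondents) -> float:
    """Percentage of respondents classified as having a favorable culture."""
    return 100.0 * sum(respondent_is_favorable(r) for r in respondents) / len(respondents)


def odds_ratio_ci(a, b, c, d, z=1.96):
    """Unadjusted odds ratio of a 2x2 table with a Wald confidence interval.

    a = factor present & outcome, b = factor present & no outcome,
    c = factor absent & outcome,  d = factor absent & no outcome.
    Returns (ratio, lower, upper), i.e. the "OR (lower, upper)" notation.
    """
    ratio = (a * d) / (b * c)
    se = sqrt(1 / a + 1 / b + 1 / c + 1 / d)   # standard error of ln(OR)
    return ratio, exp(log(ratio) - z * se), exp(log(ratio) + z * se)


def build(pattern):
    """Expand (first_item, last_item, response) ranges into a full 41-item answer sheet."""
    answers = {}
    for lo, hi, resp in pattern:
        for item in range(lo, hi + 1):
            answers[item] = resp
    assert len(answers) == TOTAL_ITEMS
    return answers


# Constructed respondents, not data from the survey.
SAMPLE = [
    build([(1, 41, "Agree")]),                      # 39 favorable (24, 25 fail) -> favorable
    build([(1, 30, "Agree"), (31, 41, "Unsure")]),  # 28 favorable -> not favorable
    build([(1, 23, "Strongly Agree"), (24, 25, "Disagree"),
           (26, 36, "Agree"), (37, 41, "Unsure")]), # 36 favorable -> favorable
    build([(1, 41, "Disagree")]),                   # only 24 and 25 favorable -> 2
]

if __name__ == "__main__":
    for item in (1, 24, 40):
        print(f"Statement {item}: {favorable_percentage(item, SAMPLE):.0f}% favorable")
    print(f"Respondents with favorable ISC: {share_favorable(SAMPLE):.0f}%")
    ratio, lo, hi = odds_ratio_ci(30, 10, 20, 40)   # constructed 2x2 counts
    print(f"OR (95% CI) = {ratio:.3f} ({lo:.3f}, {hi:.3f})")
```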
5.2. Recommendations

Based on the conclusions above and well-established concepts of information security culture, the following recommendations are forwarded:

A holistic and strategic effort is needed to promote information security culture in the banking sector in Ethiopia. The information security culture tasks (ethical conduct, awareness, trust, management, risk analysis, policy and procedures, budget, benchmarking and change) should be put into effect to enhance the information security culture in the banking sector in Ethiopia.
Attention should be drawn to enhancing the ethical conduct of employees and a positive trust environment for effective implementation of information security policies and procedures.
Information security awareness training should be provided at all levels to raise the level of awareness. Awareness should be created that employees' access to the bank's information assets should be limited on a need-to-know basis.
Information security programs should be championed by top management to enforce implementation of information security policies.
Management should communicate information security procedures and guidelines to all job levels on a need-to-know basis.
Top management should sometimes directly approach and communicate with employees to build a positive trust environment at all levels.
Bank managers should recognize and oversee positive information security culture change for its sustainability.
Banks in Ethiopia should dedicate functions to manage information security programs, and the participation of all employees in the bank should be harnessed to effectively embrace positive information security culture change.
Banks in Ethiopia should clearly dedicate functions that effectively conduct risk analysis of information assets.
Banks in Ethiopia should also develop formal procedures indicating how employees report information security incidents.
International information security standards, namely the code of practice for information security (ISO27002) and the specification for an information security management system (ISO27001), should be implemented at the organizational level to assist the establishment of a reliable information security culture.

This paper tried to bridge the gap in research on the information security culture in the banking sector in Ethiopia. Furthermore, this research can serve as a springboard for related research in the financial as well as other sectors in Ethiopia. However, it suffers from limitations in not incorporating all departments in the banks with a larger stratified sample size. Therefore, more rigorous research is needed to frame practical strategies to promote the information security culture in the banking and other sectors in Ethiopia.
References
Alnatheer, M. & Nelson, K. (2009), A Proposed Framework for Understanding Information Security Culture and Practices in the Saudi Context, Australian Information Security Management Conference: Security Research Centre Conferences, pp. 5-17.
Dhillon, G. (1997), Managing Information System Security, MacMillan Press Ltd.
Doherty, N. F. & Fulford, H. (2006), Aligning the Information Security Policy with the Strategic Information Systems Plan, Computers & Security, 25(2): 55-63.
Eloff, M. & von Solms, S. H. (2000), Information Security Management: A Hierarchical Approach for Various Frameworks, Computers & Security, 19(3): 243-256.
Flowerday, S. & von Solms, R. (2006), Trust: An Element of Information Security, Security Journal of Information Assurance & Cybersecurity and Privacy in Dynamic Environment, IFIP/SEC2005: 87-97.
Gebrasilase, T. & Lessa, L. (2011), Information Security Culture in Public Hospitals: The Case of Hawassa Referral Hospital, The African Journal of Information Systems, 3(3): 72-86.
Kuusisto, T. & Ilvonen, I. (2003), Information Security Culture in Small and Medium Size Enterprises, Frontiers of E-Business Research, pp. 431-439.
Lim, J. S., Chang, S., Maynard, S. B. & Ahmad, A. (2009), Embedding Information Security Culture: Emerging Concerns and Challenges, Proceedings of the 7th Australian Information Security Management Conference, pp. 463-474.
Lim, J. S., Chang, S., Maynard, S. B. & Ahmad, A. (2009), Exploring the Relationship between Organizational Culture and Information Security Culture, in 7th Australian Information Security Management Conference, SECAU Security Congress 2009, pp. 87-97.
Martins, A. & Eloff, J. (2002), Promoting Information Security Culture through an Information Security Culture Model, Proceedings of Information Security South Africa (ISSA), Johannesburg, South Africa.
Martins, A. & Eloff, J. (2006), Assessing Information Security Culture, Information Security South Africa (ISSA), Johannesburg, South Africa, pp. 1-12.
Mitnick, K., Simon, L. & Wozniak, S. (2002), The Art of Deception: Controlling the Human Element of Security, John Wiley & Sons.
Nelson, J. (2005), Information Security Risk in Financial Institutions, World Academy of Science, Engineering and Technology, pp. 58-60.
Oost, D. & Chew, E. (2007), Investigating the Concept of Information Security Culture, UTS: School of Management, 2007/6: 1-12.
Robbins, S. P. (ed.) (1989), Organizational Behavior: Concepts, Controversies, and Applications, New Jersey: Prentice Hall.
Ruighaver, A. B., Maynard, S. B. & Chang, S. (2007), Organizational Security Culture: Extending the End-User Perspective, Computers & Security, 26(1): 56-62.
Schlienger, T. & Teufel, S. (2002), Information Security Culture: The Socio-Cultural Dimension in Information Security Management, in Proceedings of the 17th International Conference on Information Security (SEC2002), 214: 191-202.
Schlienger, T. & Teufel, S. (2003), Information Security Culture: From Analysis to Change, Proceedings of the 3rd Annual Information Security South Africa Conference, Information Security South Africa (ISSA), Johannesburg, South Africa, 2003: 183-196.
Thomson, K. & von Solms, R. (2005), Information Security Obedience: A Definition, Computers & Security, 24(1): 69-75.
Thomson, K., von Solms, R. & Louw, L. (2006), Cultivating an Organizational Information Security Culture, Computer Fraud & Security, 2006(10): 7-11.
Treijs, P. (2006), Defining Security Culture, State Information Network Agency, Latvia.
Ula, M., Ismail, Z. et al. (2011), A Framework for the Governance of Information Security in Banking, Journal of Information Assurance & Cybersecurity, 2011: 1-12.
Van Niekerk, J. & von Solms, R. (2005), A Holistic Framework for the Fostering of an Information Security Sub-culture in Organizations, Information Security South Africa (ISSA), Johannesburg, South Africa.
Van Niekerk, J. & von Solms, R. (2006), Understanding Information Security Culture: A Conceptual Framework, Information Security South Africa (ISSA), Johannesburg, South Africa.
Van Niekerk, J. F. & von Solms, R. (2009), Information Security Culture: A Management Perspective, Computers & Security, in press, corrected proof.
Veiga, A. D., Martins, N. & Eloff, J. H. P. (2007), Information Security Culture: Validation of an Assessment Instrument, Southern African Business Review, 11(1): 147-166.
Veiga, A. D. & Eloff, J. H. P. (2009), A Framework and Assessment Instrument for Information Security Culture, Computers & Security, 29: 196-207.
Von Solms, S. H. (2000), Information Security: The Third Wave?, Computers & Security, 19: 615-620.
West, R. (2008), The Psychology of Security: Why Do Good Users Make Bad Decisions?, Communications of the ACM, 51(4): 34-41.
Zakaria, O., Gani, A. et al. (2007), Reengineering Information Security Culture Formulation through Management Perspective, in Proceedings of the International Conference on Electrical Engineering and Informatics, Institute Teknologi Bandung, Indonesia.
Martins, A. (2002), Information Security Culture, MCom Thesis, Rand Afrikaans University.
European Network and Information Security Agency (2009), Information Security Awareness in Financial Organizations: Guidelines and Case Studies, Heraklion, Greece.
Kapner, S. (2011a), Citi Admits Customer Data at Risk after Breach, The Financial Times, 9 June.
Kapner, S. (2011b), Banks Urged to Boost Security from Hackers, The Financial Times, 10 June.
Kapner, S. (2011c), Citigroup Hit by Data Theft in Japan, The Financial Times, 6 August.
Menn, J. (2012), Bank Security: Thieves down the Line, The Financial Times, 2 January.
Menn, J. & Kapner, S. (2011), US Banks Told to Upgrade Internet Security, The Financial Times, 29 June.
Farlex (2010), The Free Dictionary, [Online] Available at: http://www.thefreedictionary.com (Accessed: 2 July 2012).
Praxiom Research Group Limited (2012), ISO 27001 and ISO 27002 Plain English Definitions, [Online] Available at: http://www.praxiom.com/iso-27001-definitions.htm (Accessed: 2 July 2012).
STANDS4 LLC (2012), Definitions.net, [Online] Available at: http://www.definitions.net/definition/culture (Accessed: 3 July 2012).
The Daily Biz (2010), The Likert Scale, [Online] Available at: http://thedailybiz.com/post/2478350964/the-likert-scale (Accessed: 3 July 2012).
Appendix I Research Questionnaire
Questionnaire to assess the information security culture in the banking sector in Ethiopia
Date: April 1, 2012

Dear Research Participant,

My name is Abiy Woretaw. I am working in the Information Network Security Agency (INSA). Currently I am pursuing my Master of Business Administration in Information Technology Management (MBA-ITM) at the International Leadership Institute (ILI) in partnership with the University of Greenwich. In partial fulfillment of the requirements for the degree, I am working on my dissertation project entitled Information Security Culture in the Banking Sector in Ethiopia. The research objective is to understand the existing information security beliefs and practices and identify possible gaps to pave the way for policy and management intervention that can be used by practitioners to enhance the information security culture in the banking sector in Ethiopia. Therefore, this is to kindly ask you to participate in the survey, which seeks data from employees of the banking sector in Ethiopia to assess issues in relation to knowledge, attitudes, and practice of information security.

This survey is anonymous. All the information you provide will be kept completely confidential. No identifiable information whatsoever about you will be passed on to any other bodies. Your genuine response is very important for the success of the research. This questionnaire may take about ten minutes of your valuable time to complete. Please write your job level and years of experience and place a cross (X) sign in the appropriate boxes. After you complete filling in the questionnaire, peel the white envelope and seal it with your tri-fold questionnaire inside. Finally, please deliver it to the responsible person. If you require any assistance or clarification, please don't hesitate to contact me through either of the following methods.

Mobile: +251-911-899929
Email: abiyworetaw@yahoo.com

I hope you find filling in the questionnaire enjoyable!
Your job level or role: ___________________________________________________
How long have you worked in the banking sector? ____________________

No. Statements Strongly Disagree Disagree Unsure Agree Strongly Agree
1 It is important to determine the bank's security needs.
2 Information security should be regarded as a technical issue.
3 Information security should be regarded as a functional (business) issue.
4 I know what the term information security implies.
5 I think it is important to implement information security in the bank.
6 I am aware of information security relating to my job role.
7 I am trained in the information security controls I am supposed to use.
8 I have a responsibility towards information security in the bank.
9 I know the function/person/team responsible for the information security in the bank.
10 Management assists in the implementations of information security in the bank.
11 The bank has an information security plan.
12 Information security is measured on a continuous basis within the bank.
13 There are formal procedures indicating how I should report information security incidents.
14 The bank's information security measures compare favorably with other similar banks' information security measures.
15 The banks information security measures comply with international standards.
16 The bank has a written information security policy.
17 The information security policy reflects the bank's objectives.
18 Procedures are implemented to support the information security policy.
19 I can easily obtain a copy of the information security policy.
20 I adhere to the bank's information security policy.
21 The bank ensures that I adhere to the information security policy.
22 Management regards the privacy of information about employees as important.
23 I think it is important to regard the work I do as part of the bank's intellectual property.
24 All information about the bank should be available for employees to access e.g. financial statements, strategies, etc.
25 All information about the bank should be available for non-employees to access e.g. financial statements, strategies, etc.
26 I should be held accountable for my actions if I do not adhere to the information security policy.
27 I think it is important to perform a risk analysis of information assets in the bank.
28 There is a function/person/team responsible for risk analysis of information assets in the bank.
29 Investment in information security should be seen as a future investment.
30 It is important to budget annually for information security spending/costs.
31 I am prepared to change my working practices in order to ensure security of information.
32 Management perceives information security as important.
33 Change processes relating to information security are accepted positively in the bank e.g. a clear desk policy, use of encryption, making backups every day, etc.
34 Management communicates information security information on a need-to-know basis to all job levels.
35 The bank organizes and manages the impact of information security change on the bank.
36 The bank recognizes and manages the impact of information security change on the bank.
37 I trust my immediate manager.
38 My immediate manager trusts me.
39 I trust top management.
40 I feel that top management trusts employees.
41 My manager involves me in decisions that affect me.

Source: Questionnaire to assess the information security culture originally developed by Martins (2002).

Thank you for your patience in completing this questionnaire!
Declaration
I, the undersigned, declare that this thesis is my original work in partial fulfillment of the requirements for the Degree of Master of Business Administration in Information Technology Management and has not been presented for a degree in this or any other university. All sources of material used for this thesis and all people and institutions who gave support for this work have been duly acknowledged.
Declared by: Abiy Woretaw
Signature: _______________________
Date: __________________________
Place: International Leadership Institute, Addis Ababa

This thesis has been submitted for examination with my approval as a university advisor.

Name of the advisor: Lemma Lessa
Signature: ______________________
Date: _________________________
Place: International Leadership Institute, Addis Ababa