
Information Security Culture in the Banking Sector in Ethiopia

Abiy Woretaw Abitew


ID: 000652632
Advisor: Lemma Lessa Ferede



A thesis submitted to University of Greenwich and International Leadership
Institute in partial fulfillment for the Master's Degree in Business
Administration in Information Technology Management (MBA-ITM)


Date: July, 2012

Acknowledgments

First of all, I'd like to thank Information Network Security Agency (INSA) for providing me
with this opportunity by sponsoring my MBA study at ILI. Second, my utmost appreciation goes
to Mr. Lemma Lessa for advising and guiding me in the entire process of this research. This
thesis wouldn't be a reality had it not been for his unreserved involvement.
Then I should acknowledge all the 11 banks (Commercial Bank of Ethiopia, Lion International
Bank, Dashen Bank, Wegagen Bank, Bank of Abyssinia, Awash International Bank,
Construction and Business Bank, Zemen Bank, National Bank of Ethiopia, Development Bank
of Ethiopia and Oromia International Bank) and their employees for cooperating to participate in
the research.
Finally my deepest gratitude goes to Yonas Taddesse and Abdissa Tolla for their moral support. I
also owe Ketema Gudeta and Michael Alemayehu for helping me in data collection and peer
reviewing respectively. Seblewoyn Tsegaye, Selamyihun Adefris and Desalegn W/Giorgis too
deserve credit for supporting me materially. Thank you!


Acronyms

AOR Adjusted Odds Ratio
ATM Automatic Teller Machine
CI Confidence Interval
ENISA European Network and Information Security Agency
FDIC Federal Deposit Insurance Corporation
ILI International Leadership Institute
IS Information Systems
ISC Information Security Culture
ISO International Organization for Standardization
IT Information Technology
ITM Information Technology Management
MBA Master of Business Administration
SPSS Statistical Package for the Social Sciences (software)
US United States


Table of Contents

Acknowledgments............................................................................................................................ I
Acronyms ........................................................................................................................................ II
Table of Contents .......................................................................................................................... III
List of tables ................................................................................................................................... V
List of figures ................................................................................................................................ VI
Abstract ........................................................................................................................................ VII
CHAPTER I Introduction ............................................................................................................ 1
1.1. Background of the study ...................................................................................................... 1
1.2. Statement of the problem ..................................................................................................... 2
1.3. Objectives of the study ......................................................................................................... 3
1.4. Significance of the study ...................................................................................................... 3
1.5. Scope and limitations of the study ....................................................................................... 4
1.6. Definition of Terms .............................................................................................................. 4
1.7. Organization of the Paper ..................................................................................................... 5
CHAPTER II Literature Review .................................................................................................. 6
2.1. Information Security ............................................................................................................ 6
2.2. Information security risks and threats in the banking sector ................................................ 7
2.3. Information security culture (ISC) ..................................................................................... 10
2.4. Approaches to organizational information security culture ............................................... 12
2.5. Factors that influence information security culture and practices...................................... 13
2.6. Requirements for effective information security culture ................................................... 13
2.7. Information security awareness programs.......................................................................... 14
2.8. Information Security Culture Model .................................................................................. 16
2.9. Summary of the Literature Review .................................................................................... 17

CHAPTER III Research Design and Methodology ................................................................... 19
3.1. The Research Design ........................................................................................................... 19
3.2. Instrument of Data Collection ............................................................................................ 19
3.2.1. Questionnaire .............................................................................................................. 19
3.3. Subjects and Sampling ....................................................................................................... 20
3.3.1. Subjects of the research ............................................................................................. 20
3.3.2. Sampling technique .................................................................................................... 21
3.4. Techniques of Data Analysis.............................................................................................. 22
3.5. Ethical Consideration ......................................................................................................... 24
CHAPTER IV Data Analysis and Discussion ............................................................................ 25
4.1. Key concepts in analyzing the data .................................................................................... 25
4.2. Statistical analysis and main findings of the survey .......................................................... 27
4.2.1. Detail findings of information security culture sub-dimensions ................................ 29
4.2.2. Discussion of Results: Interrelationship between the ISC sub-dimensions ................. 38
CHAPTER V Conclusion and Recommendations ..................................................................... 41
5.1. Conclusions ........................................................................................................................ 41
5.2. Recommendations .............................................................................................................. 44
References ..................................................................................................................................... 46
Appendix I Research Questionnaire .......................................................................................... 51
Declaration .................................................................................................................................... 55


List of tables

Table 1: Risk analysis sub-dimension assessment........................................................................30
Table 2: Policy and Procedures sub-dimension assessment.........................................................31
Table 3: Benchmarking sub-dimension assessment.....................................................................32
Table 4: Budget sub-dimension assessment..................................................................................33
Table 5: Management sub-dimension assessment........................................................................34
Table 6: Trust sub-dimension assessment.....................................................................................35
Table 7: Awareness sub-dimension assessment............................................................................35
Table 8: Ethical conduct sub-dimension assessment....................................................................36
Table 9: Change sub-dimension assessment.................................................................................37




List of figures

Figure 1: Adopted information security culture model..................................................................17
Figure 2: Information security culture dimensions assessment.....................................................28
Figure 3: Information security culture sub-dimensions assessment..............................................29


Abstract

Information security has become one of the most vital and demanding issues facing today's
financial institutions such as banks. With widespread use of technology and ever increasing
connectedness to the global environment, financial institutions are increasingly exposed to
several and wide-ranging threats. Extant literature indicates that many losses are caused not
by a lack of technology or by faulty technology but by users of technology and faulty human
behavior. Financial institutions in Ethiopia are no exception to such security risks. Although
the technical aspect of information security needs due attention, a more serious yet under-rated
aspect of information security is the human aspect. This research is aimed at assessing the
practiced information security culture and identifying possible gaps that need management
intervention to recommend measures that can be implemented by practitioners. A survey
research method is employed that mainly uses quantitative data based on primary data collected
from the headquarters of 11 banks in Addis Ababa. The study revealed that the level of
information security culture in the banking sector in Ethiopia is unsatisfactory. The main
findings of this paper underline the need for enhancing ethical conduct of employees and positive
trust environment for effective implementation of information security policies and procedures.
Benchmarking local and international standards should be practiced to assist positive change in
information security culture. Risk-based information security awareness trainings should be
provided at all levels to raise the level of awareness. Bank managers should oversee and
recognize positive information security culture change. This research can serve as a
springboard for related research in the financial as well as other sectors in Ethiopia.
Keywords: Information security, information security culture, assessment, security risks,
security threats, information security awareness

CHAPTER I Introduction


1.1. Background of the study

This chapter introduces the general background of the banking sector in Ethiopia and the
significance of studying related security issues. The objective, significance, scope and limitations
of the research are also briefly discussed.
Today's global society grants power to the most inventive and innovative knowledge workers,
who are the main value creators of modern civilization. The value created is represented,
stored and communicated in the form of information. The information asset of an organization can
be stored in the minds of its personnel, in paper documents and digitally in computer systems.
Focusing on the banking business, Ula et al (2011) state that information systems have become the
core element of modern banking and information has become the most valuable asset to protect
from insiders, outsiders and competitors. Assuring the security of this information asset
maintains competitive advantage in the globally internetworked banking business.
The banking sector in Ethiopia is one of the rapidly growing sectors of the country's economy.
Many private banks have been established in the past few years. The distribution and diversity of
services is widening. This business competition has stirred the advancement of services enabled
by information technology. More banks in Ethiopia are implementing core banking solutions to
provide banking services from any of their member branch offices. Provision of such e-banking
services is a competitive advantage. Though this technological advancement has facilitated
business processes, much attention should be drawn to thwarting the illegal financial gain efforts
of cyber criminals. The security of the banking information systems and critical financial data
should be ensured. The banking sector is more sensitive to the issue of security as money is at
stake and it is a lucrative target for malicious attackers.
Evolving trends in information security support the incorporation of the human element in
ensuring information security of an organization. Promoting a sustainable information security
culture is an effective way for organizations to address this aspect of information security.
Assessing the existing information security culture level provides a clear picture in finding the
gaps to intervene with managerial measures to promote sustainable information security culture.
Such a strong information security culture within an organization also serves as a suitable
platform to implement technical information security controls.

1.2. Statement of the problem
Information security incidents are more common in the banking sector in Ethiopia nowadays.
Most information security risks and threats emanate from faulty information security behavior
practiced by users of the information systems. Bank employees are one of the main users that
have access to the information asset of the banks. Insider threats, whether intentional or
unintentional, arise from a poor information security culture. In order to promote a strong
information security culture, the existing information security beliefs, practices and problems
should first be assessed so that critical gaps and areas of improvement are identified to pave the
way for policy and management intervention.


1.3. Objectives of the study

The research has the following three specific objectives:
- Assess the perception, attitude and practice of employees towards information security in
  the banking sector in Ethiopia.
- Identify possible gaps to pave the way for policy and management intervention.
- Recommend measures that can be implemented by practitioners to enhance the
  information security culture in the banking sector in Ethiopia.

1.4. Significance of the study
As the banking sector in Ethiopia is undergoing fast progress in migrating business processes
towards new IT-based services, the notion of establishing and maintaining a sustainable
information security culture is more appropriate now than ever. Research on information
security culture is still in its early stages of development. Issues are still being identified and
conceptualizations explored (Alnatheer & Nelson, 2009; Gebrasilase & Lessa, 2011). This
hot research area is at an even more infant stage in the Ethiopian banking sector context. Promoting
strong information security culture in the banking sector in Ethiopia lays suitable ground for
implementation of technical information security controls and measures. Due to the sensitivity of
financial institutions to security issues, priority is given to assess the level of information
security culture in the banking sector in Ethiopia.



1.5. Scope and limitations of the study
The scope of this paper is assessing the information security culture level in the banking sector in
Ethiopia. The subjects of the study are mostly Information Systems department employees and
managers from 11 headquarters of banks in Ethiopia. A more inclusive survey of other
departments would have made the research findings more comprehensive. The sample size of
analyzed data is 100. A sample size of more than 300, however, would have minimized the margin of
error so that the research findings, conclusions and recommendations could be more valid and
reliable.

1.6. Definition of Terms
Assessment: The evaluation of the level of existing awareness, perception and practice.
Culture: the behaviors and beliefs characteristic of a particular social group (STANDS4 LLC,
2012).
Likert scale: is an ordered, one-dimensional scale from which respondents choose one option that
best aligns with their view. This method of ascribing quantitative value to qualitative data makes
it amenable to statistical analysis (The daily biz, 2010).
Model: A schematic description of a theory that accounts for its known or inferred properties and
may be used for further study of its characteristics (Farlex, 2010).
Risk: The possibility of suffering harm or loss; danger (Farlex, 2010).
Risk analysis: uses information to identify possible sources of risk. It uses information to identify
threats or events that could have a harmful impact. It then estimates the risk by asking: what is
the probability that this event will actually occur in the future? And what impact would it have if
it actually occurred? (Praxiom Research Group Limited, 2012).
Threat: is a potential event. When a threat turns into an actual event, it may cause an unwanted
incident. It is unwanted because the incident may harm an organization or system (Praxiom
Research Group Limited, 2012).
Vulnerability: is a weakness in an asset or group of assets. An asset's weakness could allow it to
be exploited and harmed by one or more threats (Praxiom Research Group Limited, 2012).

1.7. Organization of the Paper
This paper is organized into five chapters. The current chapter dealt with general background,
objective, significance, scope and limitations of the study. The literature review of this paper
went into the extant literature on information security in general and information security culture
in particular to identify the enabling factors and evaluation dimensions of information security
culture and also tried to synthesize the outcomes of related studies. Then the research design and
methodology chapter explores the research design, instrument of data collection, subjects of the
research, sampling technique and ethical considerations taken into account. The data analysis and
discussion section presents and discusses the findings of the study and interpretation of the
findings. Finally, the paper concludes indicating critical areas of improvement and
recommending measures to promote information security culture in the banking sector in
Ethiopia. The paper also paves the way for further researches in the area pointing out limitations
of this research.


CHAPTER II Literature Review

This chapter reviews the extant literature on information security in general and information
security culture in particular to identify the enabling factors and evaluation dimensions of
information security culture.
2.1. Information Security
Information security is the process of protecting and preserving the information asset. It ensures
the confidentiality, integrity, availability, authenticity and reliability characteristics of
information. Information security encompasses technology, processes and people (Von Solms,
2000). To achieve comprehensive information security, the three aspects should be
considered holistically. Technological access control methods and techniques ensure protection
against vulnerabilities inherent in the technology (hardware or software). Nonetheless, the
business process of organizations can expose information to confidentiality and integrity security
breaches. Operational business processes are expected to identify security loopholes and devise
mechanisms to prevent information security breaches.
Although the technical aspect of information security needs due attention, a more serious yet
under-rated aspect of information security is the human aspect. Mitnick et al (2002) explain that
technical methods of protecting information may be effective in their respective ways; however,
many losses are not caused by faulty technology but rather by users of technology and faulty
human behavior. Hence, people not only can be part of the problem, but also they can and should
be part of the solution. People must be an integral part of any organization's information security
defense system (Mitnick et al, 2002). In support of this argument, Martins and Eloff (2006)
underline that the behavior of employees and their interaction with computer systems have a
significant impact on the security of information.
2.2. Information security risks and threats in the banking sector
Ula et al (2011) convey that espionage through the use of networks to gain competitive
intelligence and to extort organizations is becoming more prevalent. Any mishandling of
confidential information asset can cause huge financial loss, and the reputation of the bank will
be severely damaged. Ula et al (2011) stress that in this globally networked environment,
security is a crucial part of banking and financial institutions.
Nelson (2005) argues that banks must pursue new technologies and services to survive the
business competition. Their customers demand the latest technologies of E-banking, bill pay,
ATMs, smart cards, mobile banking, and other future systems. Banks adopt the latest
technologies to provide their customers with competitive services. As they adopt new IT
empowered services they must also adopt new protective technologies or they will increase their
risk to security breaches (Nelson, 2005). IT-based banking services and products increase the
security risk, threats and security breach incidents in the global banking environment.
Nelson (2005) explains the current trend in financial institutions is to reduce risk by decreasing
the range of systems and applications that are available to users. In an attempt to reduce IT-based
risk, banks are removing access to such services. Here, it is evident that although technology is
increasing its power, the controls are designed to manage and limit human involvement with the
technologies. This demonstrates a basic truth: technology is not a threat; humans using
technologies are the threat. Nelson (2005) further recommends the need to enforce policies,
procedures, and guidelines to manage the human aspect of security.

Information security risks have grown with the advent of the marriage between business
operations and IT. IT aggravates security risks as it facilitates the ease in processing, storing and
communicating data and information. Ula et al (2011) explain that as modern banks
increasingly rely on the internet and computer technologies to operate their businesses and
market interactions, threats and security breaches have increased markedly in recent years.
Ula et al (2011) cite the Symantec (2010) report to portray the severity of information
security breaches to global businesses and in particular the banking sector:
Security breach and computer viruses cost global businesses $1.6 trillion a year
and 39,363 human years of productivity. In 2009, Symantec has detected 59,526
phishing hosts around the globe, that number is increased by 7% compared to
phishing hosts detected in 2008. The percentage of threats to confidential
information is increased to 98% in 2009 compared to 83% in 2008, 89% of the
threats have the ability to export user data and 86% of them have keystroke-
logging component (p.1).
In a related recent study, FDIC found cyber thieves have cost US companies and their banks
more than $15bn in the past five years (Menn, 2012). According to Menn (2012), American
regulatory authorities and law enforcement agencies perceive financial institutions as part of the
problem in the failure to thwart internet fraud. Menn (2012) further argues that although security is
generally improving and the banks' own systems are rarely penetrated, hackers are increasingly
exploiting the weakest link of the computer security chain: the user.
William Nelson, chief executive of the Financial Services Information Sharing and Analysis
Center, says "No official statistics show which types of bank are better at protecting customers,
but background interviews with executives and other data point to clear patterns. The number of
attacks is rising as scammers go after smaller banks, where security is often weaker" (Menn,
2012).
However, even big banks that generally do a better job of security have been found to be victims of
security breaches. The New York banking giant Citigroup reported that a total of 360,083 North
America Citi-branded credit cards were affected in the security breach that occurred in June 2011
(Kapner, 2011a; Kapner, 2011b). A Citigroup spokesman said the company has about 23.5 million
credit-card accounts in North America alone. In yet another security compromise, reported in August
2011, thieves made off with the personal information of 92,408 Citigroup Inc. credit card customers
in Japan and sold the data to third parties. It was the second data theft for Citi in three months and
the latest sign of the vulnerability of banks and their clients. The scheme in Japan was
perpetrated by a third-party vendor that had been given access to Citi's internal systems (Kapner,
2011c).
Concerned about increasingly serious attacks from organized crime groups, the US Government
wants its banks more secure (Menn et al, 2011). US banks will be forced to upgrade their
systems for preventing online fraud in customer accounts under new guidelines issued by
financial regulators. Instead of endorsing a specific technology or technique, the guidelines put
the responsibility on the banks to assess their information security risks and adapt security
measures accordingly (Menn et al, 2011). Such a risk-based security approach incorporates the
human element of the banks' information security by promoting a sustainable and strong
information security culture. Ethiopia can benefit from a late-comer's advantage by learning from the
global information security trend. Hence, the banking sector in Ethiopia must embark upon both
technical and non-technical aspects of information security to manage the situation strategically.

2.3. Information security culture (ISC)
Martins and Eloff (2006) define information security culture as the assumption about acceptable
information security behavior and it can be regarded as a set of information security
characteristics such as integrity and availability of information. In another work, Dhillon
(1997) describes security culture as the behavior in an organization that contributes to the
protection of data, information and knowledge. Peteris Treijs (2006) defines security culture as
the assembly of characteristics and attitudes in organizations and individuals which establishes
security of information systems and networks as a high priority.
Most recent research approaches information security culture from theories and models of
organizational culture. Organizational culture defines how an employee perceives the
organization (Ulich 2001). According to Schlienger and Teufel (2003), organizational culture is a
collective phenomenon that grows and changes gradually and, to some extent, it can be
influenced or even designed by the management. In line with this, Kuusisto and Ilvonen (2003)
emphasize that information security culture is developed over time by changing the behavior in
an organization to the desired direction. This takes place both by formalizing the framework of
information security as well as by influencing the mental models, attitude, motivation and
explicit and especially tacit knowledge of personnel. An organizational culture can have different
subcultures depending on the sub-organizations or functions. Information security culture can be
treated as a subculture with regard to general organizational culture (Schlienger & Teufel, 2003).
Research in the area has affirmed that the establishment of an organizational information
security culture is essential for effective information security (Eloff & Von Solms, 2000; Von
Solms, 2000). The importance of establishing an information security culture in an organization
has become a well-established idea. The aim of such a culture is to address the various human
factors that can affect an organization's overall information security practice (Van Niekerk &
Von Solms, 2005). Users can be either a security asset or an exploitable security weak link for an
organization. Hence it is critical that all people who interact with the information system exercise
an acceptable information security culture. It is therefore fundamental to understand and manage
the psychology of users so that their belief, perception and attitude towards information security
is acceptable.
According to Schlienger and Teufel (2002), security culture covers social, cultural and ethical
measures to improve the security-relevant behavior of organizational members and is
considered to be a subculture of organizational culture. Thus it tends to be stable and resistant to
change regardless of the security level it guarantees. Information security culture deals with the
psychology and behavior of employees in their interaction with the information system.
Alnatheer & Nelson (2009) convey that a reliable security culture assists the enforcement of
information security policies and practices in the organization. As a result, each organization's
goal should be to achieve a strong and sustainable information security culture.
In order to develop a successful information security culture within an organization, it is
essential to understand the existing information security beliefs, practices and problems to
identify possible gaps and pave the way for policy and management intervention. An
organization has to measure and evaluate its information security culture level. Martins and Eloff
(2006) substantiate this notion, underlining that a certain level of information security culture is
already present in every organization where IT is integrated into its business processes, but this
culture could be a threat if it is not at an acceptable level. The aim in assessing the information
security culture is to advance it positively. This could then aid in minimizing internal and
external threats to the information asset in the organization.

2.4. Approaches to organizational information security culture
Studies have shown that technical solutions alone are not enough to manage internal security
incidents. In order to have better security precautions in organizations, both the technical and
non-technical aspects of information security need to be addressed (Zakaria et al, 2007). Zakaria
et al (2007) further emphasize the importance of management activities in order to establish
appropriate information security culture within an organization. The IT strategy of an organization is
developed to support and enable the core business of the organization to achieve its
objectives. This strategy includes security as a main component, and a dedicated information
security strategy is developed. The roles of senior management, allocation of budget, assignment
of a dedicated function, participation of employees, the enforcement processes and the awareness
program are information security tasks needed to establish or enhance ISC (Lim et al, 2009).
In their ISC assessment article, Martins and Eloff (2006) describe that:
ISC assessment approach consists of an audit process where the perceptions,
attitudes, opinions and actions of employees regarding information security can
be determined. By analyzing this information, an organization can assess how
employees perceive information security activities and which aspects concerning
information security culture need attention. (p.5).
Martins and Eloff (2006) structure the information security culture audit process into phases: designing
the ISC questionnaire, conducting the survey, analyzing and interpreting the data, and making
recommendations. This approach is adopted by the researcher to assess the information security culture in
the banking sector in Ethiopia.


2.5. Factors that influence information security culture and practices
Alnatheer & Nelson (2009) classified the factors that influence security culture and practices into
four themes: corporate citizenship, which is achieved by information security awareness and
training programs; the legal and regulatory environment, which deals with information security
management standardization, best practices and information security policy; corporate
governance, including top management support for information security management,
information security compliance and information security risk analysis; and cultural factors such as
national and organizational culture.
2.6. Requirements for effective information security culture
The first step in establishing an information security culture is to recognize the importance of
information security to the core business of the organization. This should be championed by the
top management and consensus about the need for security should be reached among all
employees in an organization. Top management support should be harnessed in planning,
adopting and implementing information security programs.
However, an information security culture will develop and succeed only if there is participation
from all levels of employees (Zakaria et al, 2007). Therefore, enforcement of security should be
integrated with the empowerment of employees to take responsibility for security. Internal support
should be given priority, and the overall direction should be communicated to employees so that
they are intrinsically motivated to support the effort. Delegation of tasks and trust promote
employees' ownership of the program. External consultants and control mechanisms should only
have a supporting role in establishing and maintaining the information security culture of an
organization.
The value of information security is elusive, as it is abstract and hard to quantify. This is because
people tend to give more emphasis to something that happened than to something that was prevented
from happening. As insightfully described by West (2008), employees are less motivated to exercise
secure practices because the benefits of security are generally abstract. In addition, secure
practices impose significant costs in ease of use and resources, which tempt employees to ignore
them. This calls for motivational factors like a reward system and accountability
consequences such as penalties for non-adherence.
2.7. Information security awareness programs
Once the importance and actual value of information security is ingrained into the corporate
culture, an information security program can be developed and implemented effectively. This
program can be initiated by creating information security awareness, a key method for
establishing and maintaining a strong information security culture. Information security
awareness programs should be designed to raise the awareness level of all managers and
employees in an organization. Security awareness training enables employees to rationally
analyze security risks and the measures they should put in place.
Information security awareness training should be designed in alignment with the core topics
from the information security policy of the organization. The information security policy of an
organization should comply with the international standards and guidelines. Nevertheless, this
must not limit the customization of the policy to the existing information system context.
Information security policies are developed based on risk assessment of the organization. This
risk based approach ensures the coverage of critical vulnerabilities analyzed during risk
assessment.
International information security standards include a provision for information security
awareness programmes (ENISA, 2009). Information security training should not only comply
with the outlines of the international standards but also be feasibly customized to the context of the
organization. Education and awareness raising for financial organizations need to be carried out
internally as well as externally to foster a platform of trust and allow compliance and
governance mandates to be adhered to on a proactive basis (ENISA, 2009).
The awareness program should be branded and appealing. Tessem, H.M. and Skaaraas, K.R.
(2005) argue that while it has been claimed that we live in the information society, a more
accurate claim might be that we live in the entertainment society (p.18). Since people respond better
to an entertaining approach to value delivery, the program should capture
the attention of employees, and they should develop a sense of affiliation to the program.
A security awareness program will produce security-conscious employees who exercise best
security practices that comply with information security policies and report incidents
accordingly. These employees are intrinsically motivated to defend the information assets of their
organizations, as they understand the tradeoff between security and cost. Security awareness is
relatively transferable knowledge across systems; only system-specific details need to be
incorporated to accommodate the secure use of new technologies in the information system.
The effectiveness of the security awareness program should be evaluated periodically. This provides
feedback on the level of employees' adherence to information security policies and the
effectiveness of the awareness training curriculum. The evaluation result can be used to update
the information security policy and the topics and content of the awareness training. The participation of
employees should be enhanced, and a revised version of the awareness training should be
delivered annually.

2.8. Information Security Culture Model
Recognizing the need to measure information security culture, different assessment tools have been
proposed by authors. The Framework for fostering information security culture in Small and Medium
Enterprises developed by Sneza, D., and the Outcomes Based Framework for Culture Change
model developed by Frederick, J., et al. are among the proposed tools. However, a more
comprehensive model is the Information Security Culture model designed by A. Martins and J. Eloff
(2002), which is derived from the organizational behavior model of Robbins (1989). This
conceptual information security culture model is derived from the paradigm of approaching
information security culture as a sub-culture of organizational culture. Martins and Eloff
identified information security controls at the individual, group and organizational levels of
organizational behavior that could influence information security culture (N. Martins & J. Eloff
2002; A. da Veiga et al 2007).
This research assesses the level of information security culture in the banking sector in Ethiopia
explicitly from the perspective of this model. The interrelationships between information security
culture tasks (dependent and independent variables) at all levels are apparent from Figure 1.
Figure 1: Adopted information security culture model

Source: Information security culture model originally developed by Martins, A. & Eloff, J. 2002.

2.9. Summary of the Literature Review
This literature review revealed that information security culture is an emerging topic in information
security that is yet to be studied thoroughly. This research area is at an even earlier stage in the
Ethiopian banking sector context. The review also identifies the enabling factors and evaluation
dimensions of information security culture and synthesizes the outcomes of related
studies. Ultimately, people interact directly with information systems and have access to
information. Any effort made merely in technological and process security measures will be futile if
the user aspect of security is not effectively managed. Accordingly, this paper focuses on the
human aspect of information systems. To address this socio-cultural aspect of information
security, information security culture is recognized as a discipline of information security.
The literature review underlined the need for promoting information security culture, citing
prominent literature in the area. Risks and threats to information security in the banking sector
and different security breaches that occurred at global banks are discussed to demonstrate the
need to approach information security in the banking sector comprehensively. The rationale for
assessing existing information security culture and approaches to assessing information security culture
are also reviewed from related literature to support the research method of this paper. Well-
established factors that influence information security culture are also reviewed to serve as
reliable perspectives for data analysis, interpretation, conclusion and recommendation.
Information security awareness programs are discussed in detail, as the issue is integral to the
research agenda.
The gap observed in the literature on information security culture emanates from the
unavailability of a comprehensive and working information security culture framework. Most
models and frameworks are conceptual and not practically tested in the banking sector. A widely
accepted and comprehensive information security culture model originally developed by Martins,
A. and J. Eloff (2002) is illustrated, as it serves as the basis for this research. This model has been
validated in the context of financial institutions.

CHAPTER III Research Design and Methodology

This chapter explores the research design, instrument of data collection, subjects of the research,
sampling technique and ethical considerations taken into account.
3.1. The Research Design
A survey research method is employed in order to assess the information security culture in the
banking sector in Ethiopia. This research is based on a widely accepted information security
culture model originally developed by Martins, A. and J. Eloff (2002). As this study is aimed at
assessing the existing information security attitudes, perceptions and practices, it is imperative
that a reliable research method is employed. Although qualitative research methods like
interviewing are feasible for behavioral research, this research relied on
quantitative primary data collected through a validated standard questionnaire developed based
on a model for assessing information security culture.
3.2. Instrument of Data Collection
3.2.1. Questionnaire

Primary data is collected from the headquarters of 11 different banks in Addis Ababa. A
questionnaire to assess information security culture, developed by Martins (2002), is adopted.
This assessment instrument was validated and improved by performing a factor and reliability
analysis on the data from an information security culture assessment in a financial organization
(Veiga et al, 2007). Factors in the establishment and maintenance of a proper information security
culture are assessed. Then the information security culture in the banking sector in Ethiopia is
evaluated through an auditing process.
The questionnaire (Appendix I) has 41 statements that assess the perceptions, attitudes, opinions
and actions of employees regarding information security. A five-point Likert scale, which is
advisable for assessing behavioral patterns, is provided to respond to the information security culture
statements. Minor changes were made to contextualize the questionnaire to the target research
participants.
3.3. Subjects and Sampling
3.3.1. Subjects of the research

Initially, 15 different banks in Addis Ababa were approached to participate in this research. Four
of them declined the offer. Fortunately, 11 banks cooperated to participate in the research. Only
four of these banks are governmental (Commercial Bank of Ethiopia (CBE), National Bank of
Ethiopia (NBE), Construction and Business Bank (CBB) and Development Bank of Ethiopia
(DBE)). The seven private banks considered are: Lion International Bank (LIB), Dashen Bank,
Wegagen Bank, Bank of Abyssinia, Awash International Bank (AIB), Zemen Bank and Oromia
International Bank (OIB). The survey is conducted at the headquarters of these banks, located at
different sites in Addis Ababa. An assumption is made that the information security culture in
bank branches bears a resemblance to the information security culture practiced at headquarters.

Bank employees in the IT or Information Systems (IS) departments are the main respondents of
the survey because these employees directly access the banks' valuable and confidential
information systems. In addition, IT departments serve as a liaison between the
managerial and operational staff. Furthermore, these employees are assumed to have the
minimum information security awareness needed to complete the questionnaire. This helps the
respondents to perceive the meaning of the statements uniformly. IT professionals, departmental
managers and operational staff of the IS/IT department are the subjects of this research. The trend among
these employees is assumed to heavily influence the information security culture of other
departments. Thus, assessing the level of information security culture in IS/IT departments
substantiates the findings of the research, because the subjects are at the heart of the banks'
information systems. Hence, conclusions and recommendations made based on research findings
from these subjects' data are believed to be valid and reliable.
3.3.2. Sampling technique

A non-probability convenience snowball sampling technique is used to collect data from all the
banks. The general objective is communicated to contact persons in all 11 banks, and they
steward the data collection. This sampling technique capitalizes on insider experience and so
facilitates the data collection process. A larger sample size would have been preferred for the
research. Due to the busy working environment in the banking sector, it was not easy to convince
banks to complete more than a few questionnaires.

It took five weeks to distribute and collect all the completed questionnaires. The challenge arose
from the geographic distribution of the banks and the bureaucratic procedures followed to
accommodate academic research questionnaires. 120 questionnaires were distributed and 102
questionnaires were returned (i.e. a return rate of 0.85). 2 questionnaires were rejected due to
significant incompleteness. Finally, 100 questionnaires were encoded into SPSS version 16.0
software for data analysis.
3.4. Techniques of Data Analysis
Biographical data like bank name, bank type, job level and years of experience in the banking
sector are directly encoded from the collected data. The job level variable is further transformed
into senior manager, departmental manager, IT professional and operational staff categories, and
a new variable (Job category) is defined. The years of experience variable too is transformed into
intervals (0-2 years, 2-5 years, 5-10 years and above 10 years) of experience, and a new variable
(Year of Experience) is defined. Missing values of biographical data could not be replaced;
rather, the percentage of respondents with missing data is computed separately.

Each statement in the questionnaire is treated as a variable. Convenient names are assigned to the
variables. The Likert scale response values are encoded numerically [Strongly Disagree=1,
Disagree=2, Unsure=3, Agree=4 and Strongly Agree=5]. Missing values are interpreted as
Unsure responses. Then, dichotomous values are computed by collapsing the five Likert
scale values into two [Strongly Disagree=1, Disagree=2 and Unsure=3 into
Unfavorable=0] and [Agree=4 and Strongly Agree=5 into Favorable=1].

According to the information security culture model originally developed by Martins, A. and J.
Eloff (2002), there are three levels [Individual, Group and Organizational] and nine sub-
dimensions [Awareness, Ethical conduct, Trust, Management, Risk analysis, Policies and
procedures, Benchmarking, Budget and Change] of information security culture tasks and
issues. In line with this, the 41 information security assessment statements are grouped into these
nine sub-dimensions. Favorable information security culture values are counted in each sub-
dimension. To that end, respondents whose favorable count falls in the third quartile or above (>=75%) are
categorized as having a favorable information security culture, while scores below the third quartile
(< 75%) are considered unfavorable in relation to the variables of interest. The rationale
is that higher counts are expected from respondents, given the simplicity of the statements
and the expected security performance in the banking sector.

Then the statistical frequency of favorable percentile values is computed for each sub-dimension and
dimension. The crosstab features of SPSS are used to discover the association between information
security culture sub-dimensions. The observed and expected counts are compared to identify the
interdependence of one information security culture task with another. Chi-square tests [p <= 0.05]
are used to establish how reliable it is to draw the conclusion that there is a relationship between
two sub-dimensions. A confidence level of more than 95% is considered reliable. Then, binary
logistic regression is computed to further discuss the findings.

Since the data collected is ordinal and merely based on existing information security perceptions,
attitudes and practices, inferences can be made using statistical regression analysis. The level of
interdependence between dependent and independent sub-dimensions can be observed. The
probability of an increase in the dependent variable being influenced by an increase in the independent
variable can be portrayed with the adjusted odds ratio with the lower and upper limits of the confidence interval.
Binary logistic regression is computed between dependent and independent variables [Adjusted
Odds Ratio (95% CI) = the odds ratio (lower limit of the confidence interval, upper limit of the
confidence interval)]. The results are interpreted from the perspective of the information security
culture conceptual model and the related literature review. Then conclusions and recommendations
are framed based on the statistical findings and the interdependence between information security
culture sub-dimensions.
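To make the scoring procedure of this section concrete, the following Python script is an added example written for this edit; it is not part of the thesis and does not reproduce the SPSS steps the author ran. It uses the Likert encoding and dichotomisation described above, three of the nine sub-dimensions with the statement numbers listed for them in tables 1, 3 and 4 of chapter 4, and a constructed set of six respondents (assumed sample data, not survey responses). It flags each respondent as favorable or unfavorable per sub-dimension at the 75% cut-off, derives the per-statement and per-sub-dimension favorable percentages of the kind reported in chapter 4, and builds the observed and expected 2x2 crosstab between two sub-dimensions with a Pearson chi-square test at p = 0.05 (the 3.841 critical value for one degree of freedom is a standard table value, not a figure from the thesis). The binary logistic regression step is not reproduced.

```python
"""Scoring of ISC questionnaire responses: Likert encoding, dichotomisation,
sub-dimension favorable flags at the 75% threshold, and a 2x2 crosstab with a
Pearson chi-square test between two sub-dimensions. Added example; the sample
responses below are constructed, not data from the thesis."""

# Likert encoding used in section 3.4 of the thesis.
LIKERT = {"Strongly Disagree": 1, "Disagree": 2, "Unsure": 3, "Agree": 4, "Strongly Agree": 5}

# Statement numbers per sub-dimension, as listed in tables 1, 3 and 4 of the thesis
# (three of the nine sub-dimensions, to keep the example short).
SUB_DIMENSIONS = {
    "Risk analysis": [27, 28],
    "Benchmarking": [12, 14, 15],
    "Budget": [29, 30],
}
ALL_STATEMENTS = [s for group in SUB_DIMENSIONS.values() for s in group]

FAVORABLE_THRESHOLD = 0.75    # third quartile and above counts as favorable
CHI2_CRITICAL_05_DF1 = 3.841  # chi-square critical value, p = 0.05, 1 degree of freedom

# Constructed sample respondents (hypothetical); None marks a missing answer.
SAMPLE_RESPONDENTS = [
    {27: "Agree", 28: "Agree", 12: "Agree", 14: "Agree", 15: "Agree", 29: "Strongly Agree", 30: "Strongly Agree"},
    {27: "Agree", 28: "Disagree", 12: "Agree", 14: "Unsure", 15: "Disagree", 29: "Agree", 30: "Agree"},
    {27: "Strongly Agree", 28: None, 12: "Disagree", 14: "Disagree", 15: "Unsure", 29: "Agree", 30: "Unsure"},
    {27: "Agree", 28: "Agree", 12: "Agree", 14: "Agree", 15: "Disagree", 29: "Agree", 30: "Agree"},
    {27: "Disagree", 28: "Disagree", 12: "Disagree", 14: "Disagree", 15: "Disagree", 29: "Disagree", 30: "Agree"},
    {27: "Agree", 28: "Strongly Agree", 12: "Strongly Agree", 14: "Agree", 15: "Agree", 29: "Agree", 30: "Strongly Agree"},
]


def encode(response):
    """Map a Likert label to 1..5; a missing answer is treated as Unsure (3)."""
    return LIKERT["Unsure"] if response is None else LIKERT[response]


def dichotomise(score):
    """1..3 (Strongly Disagree, Disagree, Unsure) -> 0 unfavorable; 4..5 -> 1 favorable."""
    return 1 if score >= 4 else 0


def favorable_share(answers, statements):
    """Fraction of the given statements that one respondent answered favorably."""
    return sum(dichotomise(encode(answers.get(s))) for s in statements) / len(statements)


def score_respondent(answers):
    """Per sub-dimension 0/1 flag: favorable when the share reaches the 75% threshold."""
    return {name: int(favorable_share(answers, stmts) >= FAVORABLE_THRESHOLD)
            for name, stmts in SUB_DIMENSIONS.items()}


def overall_favorable(answers):
    """Whole-questionnaire flag, the analogue of the >= 32/41 cut-off in the thesis."""
    return int(favorable_share(answers, ALL_STATEMENTS) >= FAVORABLE_THRESHOLD)


def pct(count, total):
    return round(100.0 * count / total, 1)


def favorable_percentages(respondents):
    """Favorable percentage per sub-dimension (the kind of value plotted in figure 3)."""
    scores = [score_respondent(r) for r in respondents]
    return {name: pct(sum(s[name] for s in scores), len(respondents)) for name in SUB_DIMENSIONS}


def statement_favorable_percentage(respondents, statement):
    """Favorable percentage of one statement (the per-statement values in tables 1-9)."""
    fav = sum(dichotomise(encode(r.get(statement))) for r in respondents)
    return pct(fav, len(respondents))


def crosstab_chi_square(respondents, dim_a, dim_b):
    """2x2 observed table of dim_a (rows) against dim_b (columns) plus Pearson chi-square.

    Returns (observed, expected, chi2, significant); significant is True when chi2
    exceeds the p = 0.05 critical value for one degree of freedom."""
    observed = [[0, 0], [0, 0]]
    for r in respondents:
        s = score_respondent(r)
        observed[s[dim_a]][s[dim_b]] += 1
    n = len(respondents)
    row_totals = [sum(observed[0]), sum(observed[1])]
    col_totals = [observed[0][0] + observed[1][0], observed[0][1] + observed[1][1]]
    expected = [[row_totals[i] * col_totals[j] / n for j in range(2)] for i in range(2)]
    chi2 = sum((observed[i][j] - expected[i][j]) ** 2 / expected[i][j]
               for i in range(2) for j in range(2) if expected[i][j] > 0)
    return observed, expected, chi2, chi2 > CHI2_CRITICAL_05_DF1


if __name__ == "__main__":
    print("favorable % per sub-dimension:", favorable_percentages(SAMPLE_RESPONDENTS))
    overall = sum(overall_favorable(r) for r in SAMPLE_RESPONDENTS)
    print("overall favorable %:", pct(overall, len(SAMPLE_RESPONDENTS)))
    obs, exp, chi2, sig = crosstab_chi_square(SAMPLE_RESPONDENTS, "Risk analysis", "Budget")
    print("observed:", obs, "expected:", exp, "chi-square: %.2f" % chi2, "significant:", sig)
```

With the constructed respondents the script reports 50.0% favorable for risk analysis, 33.3% for benchmarking and 66.7% for budget, and a chi-square of 3.0 for the risk analysis versus budget crosstab, which is below the 3.841 critical value, so no association between the two sub-dimensions could be claimed at the 95% confidence level used in the thesis. Note that treating a missing answer as Unsure pulls the respondent towards the unfavorable side, which is the conservative direction the author chose.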

3.5. Ethical Consideration
The researcher received a letter of endorsement from International Leadership Institute (ILI) that
supported the request for the necessary data from the banks. A copy of the letter was provided to all the
banks when requesting cooperation. Once the informed consent of the bank's top management was
obtained, contact personnel among the research participants were approached and asked for
their informed consent too. In addition, the cover page of the questionnaire (Appendix I)
describes the researcher's brief profile, the topic of concern, the overall objective of the research and the
guide to completing the questionnaire. These efforts provided the subjects of the research with full
information.

Genuine responses are encouraged by ensuring the anonymity and confidentiality of the survey. No
identifiable information whatsoever about the respondent will ever be passed on to any other
body. Each research participant was provided with a signed peel-and-seal envelope to preserve the
anonymity of the survey. Such efforts contributed to a decent return rate (0.85) and to the consistency,
and thus quality, of the collected data.

CHAPTER IV Data Analysis and Discussion

This chapter presents the findings of the study and discusses and interprets the results in detail.
The collected data is analyzed and the findings are interpreted based on well-established factors that
influence information security culture and from the perspective of the adopted information
security culture model.
4.1. Key concepts in analyzing the data

In order to effectively analyze the collected data based on the information security culture model,
the 41 information security culture statements are categorized into four [individual level, group
level, organizational level and change] dimensions. Individual level dimension includes two sub-
dimensions called Awareness and Ethical conduct. Awareness sub-dimension statements assess
the knowledge, attitude and perception of employees towards information security. Ethical
conduct sub-dimension statements assess the adherence of employees to existing information
security policy and procedures and their perception towards access to data and intellectual
property. Management's regard for the privacy of employees' information is also considered in this
sub-dimension.

The Group level dimension includes two sub-dimensions named Management and Trust.
Management sub-dimension statements assess the perception and commitment of top
management to information security. The establishment of a dedicated information security
function in the banks, communication of security information on a need-to-know basis and
participation of employees in information security initiatives are also assessed in this sub-
dimension. Trust sub-dimension statements assess the trust environment between employees and
their managers at different levels.

The Organizational level dimension includes four sub-dimensions named Risk analysis, Policies
and procedures, Benchmarking and Budget. Risk analysis sub-dimension statements assess the
availability of dedicated risk analysis function and perception of employees about the importance
of risk analysis in the bank. Policies and procedures sub-dimension statements assess whether the
bank has implemented an information security plan, policy and procedures. The availability of formal
information security incident reporting procedures and the access of employees to all these
documents are also evaluated. Benchmarking sub-dimension statements assess the evaluation of
the bank's information security status compared with other banks and its compliance with
international standards. Budget sub-dimension statements assess the perception of employees
about the importance of budgeting annually for information security as a strategic investment.

Change sub-dimension statements assess the readiness and acceptance of employees towards new
information security practices, and the recognition of and organization for information security
changes by the banks' management.

4.2. Statistical analysis and main findings of the survey

The information security culture data is collected from 4 (37%) governmental and 7 (63%) private
banks. The job category distribution of the respondents indicates 12 (12%) department managers,
58 (58%) IT professionals and 18 (18%) operational staff; the remaining 12 (12%) respondents
did not complete this variable. With regard to years of experience, all experience levels of
employees in the banking sector in Ethiopia are represented. 19 (19%) of the respondents have
more than 10 years of experience in the banking sector. 22 (22%) of the respondents have 5 to 10
years of experience. 28 (28%) of the respondents have 2 to 5 years of experience. 23 (23%) of the
respondents have less than 2 years of experience in the banking sector. The remaining 8 (8%) did
not respond to this variable. Generally, the information security culture level in the banking
sector in Ethiopia is found to be inadequate. Only 25% of the respondents are found to have a
favorable information security culture [>=32/41]. The remaining 75% have an unfavorable
information security culture that can expose the information assets of the banks. This shows that
holistic and strategic work is needed to promote information security culture in the banking
sector in Ethiopia.

Figure 2 represents the percentage of respondents who are found favorable and unfavorable
about the statements portrayed in the four dimensions of information security culture. The
favorable percentages indicate the information security perceptions, attitudes and behavior in the
banks that are in line with a strong information security culture. The unfavorable percentages
indicate the gaps in information security perception, attitude and behavior that are possible
improvement areas. A larger unfavorable percentage indicates a wider gap in the variable of interest
that needs serious managerial intervention. From figure 2, it is evident that the individual, group and
change dimensions are critical developmental areas. The organizational level information
security culture dimension scores a slightly better (38%) result.

Figure 2: Information security culture dimensions assessment (bar chart; the plotted values are
listed below)

Dimension        Favorable   Unfavorable
Individual       28%         72%
Group            30%         70%
Organizational   38%         62%
Change           30%         70%

Source: Computed, 2012

4.2.1. Detailed findings of information security culture sub-dimensions

Figure 3 represents the percentage of respondents who are found favorable and unfavorable
about the statements portrayed in the nine sub-dimensions. The frequency distributions of the
nine sub-dimensions indicate that ethical conduct, trust, benchmarking, policy and procedures,
and change are developmental sub-dimensions that need serious managerial attention. On the
other hand, frequency distributions of awareness, management, budget and risk analysis sub-
dimensions show average results that also need significant improvement.

Figure 3: Information security culture sub-dimensions assessment (bar chart; the plotted values
are listed below)

Sub-dimension           Favorable   Unfavorable
Risk analysis           59%         41%
Policy and Procedures   25%         75%
Benchmarking            33%         67%
Budget                  79%         21%
Management              48%         52%
Trust                   36%         64%
Awareness               50%         50%
Ethical conduct         33%         67%
Change                  30%         70%

Source: Computed, 2012

The detailed findings of each sub-dimension are reported in tables 1-9. The strongly disagree,
disagree and unsure Likert-scale responses of research participants are considered unfavorable,
while the agree and strongly agree Likert-scale responses of research participants are considered
favorable. An unsure perception and attitude response is considered a negative response, as it
lacks consistency. Only the favorable responses are positive results that contribute to promoting a
sustainable information security culture. The frequency distributions of favorable responses are
presented as favorable percentages. The favorable percentages of each statement in the same sub-
dimension are listed in tables 1-9.

4.2.1.1. Risk analysis sub-dimension of ISC

Table 1: Risk analysis sub-dimension assessment

No.  Statement                                                                                          Favorable percentage
27   I think it is important to perform a risk analysis of information assets in the bank.              94%
28   There is a function/person/team responsible for risk analysis of information assets in the bank.   60%

Source: Computed, 2012 - Questionnaire to assess ISC originally developed by (Martins, 2002).

Respondents perceive the importance of performing risk analysis positively (94%). However, only
60% of the respondents believe there is a function responsible for risk analysis of information
assets in the banks. This implies risk analysis is not conducted formally and that imminent
information security threats might not be communicated to employees. Every bank should
clearly dedicate a function that effectively conducts risk analysis of the information assets in the
bank.
4.2.1.2. Policy and Procedures sub-dimension of ISC

Table 2: Policy and Procedures sub-dimension assessment

No.  Statement                                                                                    Favorable percentage
11   The bank has an information security plan.                                                   65%
13   There are formal procedures indicating how I should report information security incidents.   32%
16   The bank has a written information security policy.                                          56%
17   The information security policy reflects the bank's objectives.                              58%
18   Procedures are implemented to support the information security policy.                       48%
19   I can easily obtain a copy of the information security policy.                               33%

Source: Computed, 2012 - Questionnaire to assess ISC originally developed by (Martins, 2002).

Here, it is evident that formal information security incident reporting procedures (32%) score
poorly in the banking sector in Ethiopia. This is partly because security incident
reporting procedures are not developed, or are not effectively disseminated to employees. Access to
the information security policy and procedures also suffers a poor 33% favorable distribution. The
implementation of information security procedures (48%) is not at a satisfactory level, as security
should be approached holistically. Half security is equivalent to no security. A security
compromise at one level can mean compromise at every level. Even the relatively better result for the
information security plan (65%) is not satisfactory, taking the security sensitivity of the banking
sector into consideration. Banks in Ethiopia should develop formal procedures indicating how
employees report information security incidents. The dissemination and implementation of
information security policies also need serious attention.


4.2.1.3. Benchmarking sub-dimension of ISC

Table 3: Benchmarking sub-dimension assessment

No.  Statement                                                                                                         Favorable percentage
12   Information security is measured on a continuous basis within the bank.                                          58%
14   The bank's information security measures compare favorably with other similar banks' information security measures.   23%
15   The bank's information security measures comply with international standards.                                    28%

Source: Computed, 2012 - Questionnaire to assess ISC originally developed by (Martins, 2002).

Respondents negatively perceive the compliance of the banks' information security measures
with international standards (28%). Most respondents are not sure about the level of information
security practice compared with other banks. Continuous information security evaluation (58%)
also needs to improve. Vulnerability assessment and auditing should be conducted on a
continuous basis. Banks in Ethiopia should cooperate to share information on security incidents and
best practices. Benchmarking against international standards can also help banks achieve objective
results. International information security standards such as ISO 27002 (code of practice for
information security) and ISO 27001 (specification for an information security management system)
should be implemented at the organizational level to assist the establishment of a reliable information
security culture. Compliance with these international standards assists in promoting a positive
information security culture.




4.2.1.4. Budget sub-dimension of ISC

Table 4: Budget sub-dimension assessment

No.  Statement                                                                  Favorable percentage
29   Investment in information security should be seen as a future investment.   80%
30   It is important to budget annually for information security spending/costs. 96%

Source: Computed, 2012 - Questionnaire to assess ISC originally developed by (Martins, 2002).

Respondents perceive that budgeting annually for information security costs is a strategic investment.
This attitude is considered positive for promoting information security change initiatives. This
sub-dimension enjoys the highest overall result (79%). However, it is worth noting that if the
budgeting practice in the banks does not match the perception about budgeting, the result can be
misleading. If the top management of the banking sector in Ethiopia does not practically back the
positive budgeting endorsement by employees, this sub-dimension result will be unrealistic.
Nevertheless, the fact that information security budgeting is perceived positively indicates that
information security initiatives are positively endorsed by employees. This provides suitable
ground for involving employees in information security tasks and delegating such tasks to them.








4.2.1.5. Management sub-dimension of ISC

Table 5: Management sub-dimension assessment

No.  Statement                                                                                          Favorable percentage
9    I know the function/person/team responsible for the information security in the bank.              77%
10   Management assists in the implementation of information security in the bank.                      60%
32   Management perceives information security as important.                                            62%
34   Management communicates information security information on a need-to-know basis to all job levels. 45%
41   My manager involves me in decisions that affect me.                                                62%
Source: Computed, 2012 - Questionnaire to assess ISC originally developed by (Martins, 2002).

The management sub-dimension is perceived as average by the respondents. Even though
employees generally know the function responsible for information security in the bank (77%),
the managers' involvement in communication, implementation and harnessing employees'
participation should be improved. Respondents perceive the understanding (60%) and support
(62%) of top management for information security implementation as inadequate. The
participation of employees in decision making is 62%. However, the communication of security
information on a need-to-know basis to employees (45%) is perceived negatively. Thus,
management should communicate information security procedures and guidelines to all job
levels on a need-to-know basis.






4.2.1.6. Trust sub-dimension of ISC

Table 6: Trust sub-dimension assessment

No.  Statement                                        Favorable percentage
37   I trust my immediate manager.                    78%
38   My immediate manager trusts me.                  66%
39   I trust top management.                          61%
40   I feel that top management trusts employees.     51%
Source: Computed, 2012 - Questionnaire to assess ISC originally developed by (Martins, 2002).
The trust relationship between employees and their immediate managers is found to be more
positive than that between employees and top management. Top management should therefore
sometimes directly approach and communicate with employees to build a positive trust
environment at all levels.
4.2.1.7. Awareness sub-dimension of ISC

Table 7: Awareness sub-dimension assessment

No.  Statement                                                                        Favorable percentage
1    It is important to determine the bank's security needs.                          98%
2    Information security should be regarded as a technical issue.                    72%
3    Information security should be regarded as a functional (business) issue.        72%
4    I know what the term information security implies.                               87%
5    I think it is important to implement information security in the bank.           96%
6    I am aware of information security relating to my job role.                      86%
7    I am trained in the information security controls I am supposed to use.          52%
8    I have a responsibility towards information security in the bank.                83%
Source: Computed, 2012 - Questionnaire to assess ISC originally developed by (Martins, 2002).
The perception of respondents about the importance of information security is positive.
However, the training of employees in the information security controls and measures they are
supposed to use (52%) is the lowest score in the awareness sub-dimension. This shows that if
information security training is provided to employees, banks can further raise the level of
information security awareness, attitude and knowledge of their employees. The training
program should be designed based on the output of the information security risk analysis and
the information security policies and procedures.
4.2.1.8. Ethical conduct sub-dimension of ISC

Table 8: Ethical conduct sub-dimension assessment

No.  Statement                                                                                                   Favorable percentage
20   I adhere to the bank's information security policy.                                                         66%
21   The bank ensures that I adhere to the information security policy.                                          50%
22   Management regards the privacy of information about employees as important.                                 63%
23   I think it is important to regard the work I do as part of the bank's intellectual property.                86%
24   All information about the bank should be available for employees to access, e.g. financial statements,     (44%)
     strategies, etc.
25   All information about the bank should be available for non-employees to access, e.g. financial statements, (69%)
     strategies, etc.
26   I should be held accountable for my actions if I do not adhere to the information security policy.          83%
Source: Computed, 2012 - Questionnaire to assess ISC originally developed by (Martins, 2002).
N.B. Statements 24 and 25, unlike all other statements, are analyzed inversely.

The information access perception of employees (44%) needs attention as it contributes to
unintentional compromise of information assets by insiders. Information access within the bank
has to be limited on a need-to-know basis. The adherence of employees to the bank's
information security policy is only partially (50%) ensured by the banks. This auditing measure
is also a critical improvement area.


4.2.1.9. Change sub-dimension of ISC

Table 9: Change sub-dimension assessment

No.  Statement                                                                                             Favorable percentage
31   I am prepared to change my working practices in order to ensure security of information.              83%
33   Change processes relating to information security are accepted positively in the bank, e.g. a clear   73%
     desk policy, use of encryption, making backups every day, etc.
35   The bank organizes and manages the impact of information security change on the bank.                 42%
36   The bank recognizes and manages the impact of information security change on the bank.                47%
Source: Computed, 2012 - Questionnaire to assess ISC originally developed by (Martins, 2002).

The readiness (83%) and acceptance (73%) of employees to change their information security
practices are positive. However, the perception of how the banks organize (42%) and recognize
(47%) the management of information security change is found to be unsatisfactory in the
banking sector in Ethiopia. Hence, positive information security changes should be recognized
and rewarded while non-adherence should bear accountability measures. Bank managers should
also oversee and recognize the impact of positive information security culture change.




4.2.2. Discussion of Results: Interrelationship between the ISC sub-dimensions

As per the results of the computed binary logistic regression, the likelihood of effective
implementation of information security policies and procedures due to suitable ethical conduct is
positive [AOR (95% CI) = 6.065 (2.278, 16.150)]. This signifies that attention should be drawn to
enhancing the ethical conduct of employees, that is, their willingness to adhere to information
security policy and guidelines. The role of management in promoting information security
awareness is observed to be imperative [AOR (95% CI) = 2.667 (1.188, 5.985)]. This implies that
improving the information security awareness of managers influences the overall information
security awareness of the bank. Awareness and ethical conduct are information security culture
tasks an organization has to enhance in order to advance individual level information security
practices. The contribution of an acceptable individual level information security culture to
positive change of information security culture in the banks is also observed from the data
analysis [AOR (95% CI) = 2.581 (1.036, 6.428)].

Note: AOR (95% CI) denotes the adjusted odds ratio followed, in parentheses, by the lower and
upper limits of its 95% confidence interval.

Management attributes such as communication of security information on a need-to-know basis
and participation of employees in information security initiatives most likely raise a positive trust
environment in the banks [AOR (95% CI) = 4.964 (2.032, 12.127)]. A positive trust environment is
observed to maintain effective implementation of information security policies and procedures
[AOR (95% CI) = 3.066 (1.206, 7.795)]. The role of management in effective implementation of
information security policies and procedures is essential [AOR (95% CI) = 5.023 (1.795,
14.053)]. Management and trust are information security factors that constitute group level
information security culture. Proper accommodation of group level information security culture
tasks encourages the readiness and acceptance of employees to change their information security
practices, which results in positive information security culture change [AOR (95% CI) = 4.571
(1.811, 11.540)].

Policy and procedures are found to coexist with risk analysis [AOR (95% CI) = 5.112 (1.601,
16.325)]. Benchmarking tasks such as information security evaluation and compliance with
international standards can only be expected if the bank implements information security
policies and procedures [AOR (95% CI) = 7.836 (2.866, 21.421)]. These organizational level
information security culture tasks (risk analysis, policy and procedures, and benchmarking)
impact the recognition and management of positive information security change in the banking
sector in Ethiopia [AOR (95% CI) = 5.778 (2.281, 14.633)]. Unlike the other organizational level
sub-dimensions, the budget sub-dimension is found to have no association with any of the other
eight sub-dimensions. This is probably because the result of the benchmarking sub-dimension
(79%) does not align with the other findings. If the statements had assessed the allocated budget
rather than the perception of employees about the importance of budgeting, the result would have
been different and an association could have been observed with the other sub-dimensions.

In line with the information security culture model employed, the information security culture
tasks at the different levels are found, through statistical analysis, to be interrelated.
Organizational level information security culture tasks are built upon individual and group level
information security tasks. The likelihood of individual information security culture endorsing
organizational information security culture is [AOR (95% CI) = 4.173 (1.678, 10.377)]. The
interdependence between group and organizational level information security culture tasks is
also apparent from the computed binary logistic regression [AOR (95% CI) = 7.275 (2.805,
18.866)]. These findings further validate that the model adopted is feasible for assessing the
information security culture in the context of the banking sector.

The culmination of all three levels of information security culture tasks results in cultivating a
positive information security culture change. It is essential to identify, prioritize and deal with
developmental information security culture elements. Identifying the causal links between the
information security culture sub-dimensions helps in finding a strategic way to prioritize and
invest in information security initiatives. The statistical frequency findings point out the gaps
underlying the existing information security culture in the banking sector in Ethiopia.
Integrating the statistical frequency findings with the associations between interdependent sub-
dimensions provides a clear understanding that directs effective engagement measures to
promote information security culture in the banking sector in Ethiopia.





CHAPTER V Conclusion and Recommendations

This chapter concludes the paper by forwarding integrated conclusions and recommendations
based on the statistical findings and observed interdependence between the variables. Critical
areas of improvement are identified and measures to promote information security culture in the
banking sector in Ethiopia are recommended.

5.1. Conclusions
This research assessed the level of information security culture in the banking sector in Ethiopia
from the perspective of the information security culture model originally developed by Martins,
A. and Eloff, J. (2002). A survey research method was employed in order to assess the
information security culture in the banking sector in Ethiopia. The research employed a
quantitative method based on a validated information security culture questionnaire (Appendix I)
from previous related literature. A non-probability convenience snowball sampling technique was
used to collect data from 11 banks' headquarters in Addis Ababa. 100 questionnaires were
encoded into SPSS for data analysis. The collected data were analyzed with respect to well
established factors that influence information security culture. Statistical frequencies of favorable
percentage values were computed for each information security culture sub-dimension. The
interdependence between information security culture variables was identified and logistic
regression was computed to further discuss the findings. The results of this study have important
implications for assessing the information security culture, identifying possible gaps and
recommending measures that can be implemented by practitioners to enhance the information
security culture in the banking sector in Ethiopia.

Based on the supporting evidence from the statistical findings and their interpretation from the
perspective of the adopted information security culture model, the following conclusions are
derived:

- The study revealed that the level of information security culture in the banking sector in
  Ethiopia is unsatisfactory. Only 25% of the respondents are found to have a favorable
  information security culture [>=32/41].
- The frequency distributions of the nine sub-dimensions indicate that ethical conduct, trust,
  policy and procedures, benchmarking and change are developmental sub-dimensions that
  need serious managerial attention. Nevertheless, the awareness, management, budget and
  risk analysis sub-dimensions show average results that need significant improvement too.
- Formal information security incident reporting procedures are not sufficiently available in
  the banking sector in Ethiopia.
- Most banks in Ethiopia generally do not comply with international standards of
  information security. However, benchmarking against international standards can help
  banks achieve objective results. Compliance with international standards assists in
  promoting a positive information security culture.
- The communication of information security information on a need-to-know basis to all
  job levels by management in the banking sector in Ethiopia is found to be inadequate.
- The dissemination and implementation of information security policies need serious
  attention.
- The trust relationship between employees and their immediate managers is found to be
  more positive than that between employees and top management in the banking sector in
  Ethiopia.
- The training of employees in the information security controls and measures they are
  supposed to use is a critical improvement area in the banking sector in Ethiopia.
- The information access perception of employees in the banking sector in Ethiopia needs
  attention as it contributes to unintentional compromise of information assets by insiders.
- The banking sector in Ethiopia poorly organizes, recognizes and manages the impact of
  information security change.
- The information security culture tasks at different levels are interrelated. Organizational
  level information security culture tasks are built upon individual and group level
  information security tasks.
- The culmination of favorable performances at all three levels of information security
  culture tasks promotes positive information security culture change in the banking sector
  in Ethiopia.
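To make the scoring rules used in the analysis concrete, the following Python is an added illustration (it is not part of the thesis or its SPSS analysis) of how the favorable percentage per statement and per sub-dimension, the inverse treatment of statements 24 and 25 noted under Table 8, and the per-respondent threshold of 32 favorable statements out of 41 can be computed from Likert answers. It assumes that Agree and Strongly Agree count as favorable (Disagree and Strongly Disagree for the inverse statements) and that Unsure does not; the four respondents are constructed, not survey data, and only the sub-dimensions whose statement numbers appear in Tables 4 to 9 are mapped.

```python
"""Scoring an ISC Likert questionnaire: favorable percentages and the 32/41 rule."""
from statistics import mean

# Statement numbers per sub-dimension, taken from Tables 4-9 of the thesis.
# Statements 11-19, 27 and 28 (policy and procedures, benchmarking, risk
# analysis) are reported in earlier tables and are not mapped here.
SUB_DIMENSIONS = {
    "awareness": [1, 2, 3, 4, 5, 6, 7, 8],
    "management": [9, 10, 32, 34, 41],
    "ethical_conduct": [20, 21, 22, 23, 24, 25, 26],
    "budget": [29, 30],
    "change": [31, 33, 35, 36],
    "trust": [37, 38, 39, 40],
}
INVERSE_STATEMENTS = {24, 25}   # N.B. under Table 8: analyzed inversely
TOTAL_STATEMENTS = 41
FAVORABLE_THRESHOLD = 32        # section 5.1: favorable ISC if >= 32 of 41

# Five-point Likert scale used in the questionnaire (Appendix I).
LIKERT = {"SD": 1, "D": 2, "U": 3, "A": 4, "SA": 5}


def is_favorable(statement_no, answer):
    """Assumption: A/SA is favorable (D/SD for inverse statements); U is not."""
    score = LIKERT[answer]
    if statement_no in INVERSE_STATEMENTS:
        return score <= 2
    return score >= 4


def statement_percentages(responses):
    """Percentage of respondents giving a favorable answer to each statement."""
    pct = {}
    for no in range(1, TOTAL_STATEMENTS + 1):
        favorable = sum(is_favorable(no, r[no]) for r in responses)
        pct[no] = round(100 * favorable / len(responses))
    return pct


def sub_dimension_scores(responses):
    """Average favorable percentage over the statements of each sub-dimension."""
    pct = statement_percentages(responses)
    return {name: round(mean(pct[n] for n in nos))
            for name, nos in SUB_DIMENSIONS.items()}


def respondent_favorable_count(response):
    """Number of the 41 statements a single respondent answered favorably."""
    return sum(is_favorable(no, ans) for no, ans in response.items())


def share_with_favorable_culture(responses):
    """Percentage of respondents at or above the 32/41 threshold."""
    hits = sum(respondent_favorable_count(r) >= FAVORABLE_THRESHOLD
               for r in responses)
    return round(100 * hits / len(responses))


def build_response(default, overrides=None):
    """Construct a complete 41-answer response (constructed sample, not survey data)."""
    response = {no: default for no in range(1, TOTAL_STATEMENTS + 1)}
    response.update(overrides or {})
    return response


# Constructed respondents (hypothetical answers, not data from the thesis).
SAMPLE_RESPONSES = [
    build_response("A", {24: "D", 25: "D"}),                    # favorable on all 41
    build_response("A", {7: "U"}),                              # agrees with 24/25, unsure on 7
    build_response("U", {**{n: "SA" for n in range(1, 9)}, 24: "SD"}),
    build_response("D"),                                        # disagrees with everything
]

if __name__ == "__main__":
    for name, score in sub_dimension_scores(SAMPLE_RESPONSES).items():
        print(f"{name:16s} {score}%")
    print("favorable culture:", share_with_favorable_culture(SAMPLE_RESPONSES), "%")
```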


5.2. Recommendations
Based on the conclusions above and well established concepts of information security culture,
the following recommendations are forwarded:
- A holistic and strategic effort is needed to promote information security culture in the
  banking sector in Ethiopia. Information security culture tasks (ethical conduct,
  awareness, trust, management, risk analysis, policy and procedures, budget,
  benchmarking and change) should be put into effect to enhance the information security
  culture in the banking sector in Ethiopia.
- Attention should be drawn to enhancing the ethical conduct of employees and a positive
  trust environment for effective implementation of information security policies and
  procedures.
- Information security awareness training should be provided at all levels to raise the level
  of awareness.
- Awareness should be created that employees' access to the bank's information assets
  should be limited on a need-to-know basis.
- Information security programs should be championed by top management to enforce
  implementation of information security policies.
- Management should communicate information security procedures and guidelines to all
  job levels on a need-to-know basis.
- Top management should sometimes directly approach and communicate with employees
  to build a positive trust environment at all levels.
- Bank managers should recognize and oversee positive information security culture
  change for its sustainability.
- Banks in Ethiopia should dedicate functions to manage information security programs,
  and the participation of all employees in the bank should be harnessed to effectively
  embrace positive information security culture change.
- Banks in Ethiopia should clearly dedicate functions that effectively conduct risk analysis
  of information assets.
- Banks in Ethiopia should also develop formal procedures indicating how employees
  report information security incidents.
- International information security standards, such as the code of practice for information
  security (ISO27002) and the specification for an information security management system
  (ISO27001), should be implemented at the organizational level to assist the establishment
  of a reliable information security culture.

This paper tried to bridge the gap in researching the information security culture in the
banking sector in Ethiopia. Furthermore, this research can serve as a spring-board for
related research in the financial as well as other sectors in Ethiopia. However, it suffers
limitations in not incorporating all departments in the banks with a larger stratified sample size.
Therefore, more rigorous research is needed to frame practical strategies to promote
the information security culture in the banking and other sectors in Ethiopia.




References

Alnatheer, M. & Nelson, K. (2009), A Proposed Framework for Understanding Information
Security Culture and Practices in the Saudi Context, Australian Information Security
Management Conference: Security Research Centre Conferences, pp. 5-17.

Dhillon, G. (1997), Managing Information System Security, MacMillan Press Ltd.

Doherty, N.F. & Fulford, H. (2006), Aligning the Information Security Policy with the Strategic
Information Systems Plan, Computers & Security, 25(2): pp. 55-63.

Eloff, M. & von Solms, S.H. (2000), Information Security Management: A Hierarchical
Approach for Various Frameworks, Computers & Security, 19(3): pp. 243-256.

Flowerday, S. & von Solms, R. (2006), Trust: An Element of Information Security, Security and
Privacy in Dynamic Environments, IFIP/SEC2005: pp. 87-97.

Gebrasilase, T. & Lessa, L. (2011), Information Security Culture in Public Hospitals: The Case
of Hawassa Referral Hospital, The African Journal of Information Systems, 3(3): pp. 72-86.

Kuusisto, T. & Ilvonen, I. (2003), Information Security Culture in Small and Medium Size
Enterprises, Frontiers of E-Business Research, pp. 431-439.

Lim, J.S., Chang, S., Maynard, S.B. & Ahmad, A. (2009), Embedding Information Security
Culture: Emerging Concerns and Challenges, Proceedings of the 7th Australian Information
Security Management Conference, pp. 463-474.

Lim, J.S., Chang, S., Maynard, S.B. & Ahmad, A. (2009), Exploring the Relationship between
Organizational Culture and Information Security Culture, in 7th Australian Information Security
Management Conference, SECAU Security Congress 2009, pp. 87-97.

Martins, A. & Eloff, J. (2002), Promoting Information Security Culture through an Information
Security Culture Model, Proceedings of Information Security South Africa (ISSA),
Johannesburg, South Africa.

Martins, A. & Eloff, J. (2006), Assessing Information Security Culture, Information Security
South Africa (ISSA), Johannesburg, South Africa, pp. 1-12.

Mitnick, K., Simon, L. & Wozniak, S. (2002), The Art of Deception: Controlling the Human
Element of Security, John Wiley & Sons.

Nelson, J. (2005), Information Security Risk in Financial Institutions, World Academy of
Science, Engineering and Technology, pp. 58-60.

Oost, D. & Chew, E. (2007), Investigating the Concept of Information Security Culture, UTS:
School of Management, 2007/6: pp. 1-12.

Robbins, S.P. (1989) (ed.), Organizational Behavior: Concepts, Controversies, and
Applications, New Jersey: Prentice Hall.

Ruighaver, A.B., Maynard, S.B. & Chang, S. (2007), Organizational Security Culture:
Extending the End-User Perspective, Computers & Security, 26(1): pp. 56-62.

Schlienger, T. & Teufel, S. (2002), Information Security Culture: The Socio-Cultural
Dimension in Information Security Management, in Proceedings of the 17th International
Conference on Information Security (SEC2002), 214: pp. 191-202.

Schlienger, T. & Teufel, S. (2003), Information Security Culture: From Analysis to Change,
Proceedings of the 3rd Annual Information Security South Africa Conference, Information
Security South Africa (ISSA), Johannesburg, South Africa, 2003: pp. 183-196.

Tessem, H.M. & Skaaraas, K.R. (2005), Creating a Security Culture, Telektronikk, Security
Partner, pp. 15-22.

Thomson, K. & von Solms, R. (2005), Information Security Obedience: A Definition,
Computers & Security, 24(1): pp. 69-75.

Thomson, K., von Solms, R. & Louw, L. (2006), Cultivating an Organizational Information
Security Culture, Computer Fraud & Security, 2006(10): pp. 7-11.

Treijs, P. (2006), Defining Security Culture, State Information Network Agency, Latvia.

Ula, M., Ismail, Z. et al. (2011), A Framework for the Governance of Information Security in
Banking, Journal of Information Assurance & Cybersecurity, 2011: pp. 1-12.

Van Niekerk, J. & von Solms, R. (2005), An Holistic Framework for the Fostering of an
Information Security Sub-Culture in Organizations, Information Security South Africa (ISSA),
Johannesburg, South Africa.

Van Niekerk, J. & von Solms, R. (2006), Understanding Information Security Culture: A
Conceptual Framework, Information Security South Africa (ISSA), Johannesburg, South
Africa.

Van Niekerk, J.F. & von Solms, R. (2009), Information Security Culture: A Management
Perspective, Computers & Security, In Press, Corrected Proof.

Veiga, A.D., Martins, N. & Eloff, J.H.P. (2007), Information Security Culture: Validation of an
Assessment Instrument, Southern African Business Review, 11(1): pp. 147-166.

Veiga, A.D. & Eloff, J.H.P. (2009), A Framework and Assessment Instrument for Information
Security Culture, Computers & Security, 29: pp. 196-207.

Von Solms, S.H. (2000), Information Security: The Third Wave?, Computers & Security, 19:
pp. 615-620.

West, R. (2008), The Psychology of Security: Why Do Good Users Make Bad Decisions?,
Communications of the ACM, 51(4): pp. 34-41.

Zakaria, O., Gani, A. et al. (2007), Reengineering Information Security Culture Formulation
through Management Perspective, in Proceedings of the International Conference on
Electrical Engineering and Informatics Institute, Indonesia.

Martins, A. (2002), Information Security Culture, MCom Thesis, Rand Afrikaans University.

European Network and Information Security Agency (2009), Information Security Awareness in
Financial Organizations: Guidelines and Case Studies, Heraklion, Greece.

Kapner, S. (2011a), Citi Admits Customer Data at Risk after Breach, The Financial Times, 9
June.

Kapner, S. (2011b), Banks Urged to Boost Security from Hackers, The Financial Times, 10 June.

Kapner, S. (2011c), Citigroup Hit by Data Theft in Japan, The Financial Times, 6 August.

Menn, J. (2012), Bank Security: Thieves down the Line, The Financial Times, 2 January.

Menn, J. & Kapner, S. (2011), US Banks Told to Upgrade Internet Security, The Financial
Times, 29 June.

Farlex (2010), The Free Dictionary, [Online] Available at: http://www.thefreedictionary.com
(Accessed: 2 July 2012).

Praxiom Research Group Limited (2012), ISO 27001 and ISO 27002 Plain English Definitions,
[Online] Available at: http://www.praxiom.com/iso-27001-definitions.htm (Accessed: 2 July
2012).

STANDS4 LLC (2012), Definitions.net, [Online] Available at:
http://www.definitions.net/definition/culture (Accessed: 3 July 2012).

The Daily Biz (2010), The Likert Scale, [Online] Available at:
http://thedailybiz.com/post/2478350964/the-likert-scale (Accessed: 3 July 2012).


Appendix I Research Questionnaire

Questionnaire to assess the information security culture in the banking sector in Ethiopia

Date: April 1, 2012
Dear Research Participant,
My name is Abiy Woretaw. I am working at the Information Network Security Agency (INSA).
Currently I am pursuing my Master of Business Administration in Information Technology
Management (MBA-ITM) at the International Leadership Institute (ILI) in partnership with the
University of Greenwich. In partial fulfillment of the requirements for the degree, I am working
on my dissertation project entitled "Information Security Culture in the Banking Sector in
Ethiopia".
The research objective is to understand the existing information security beliefs and practices and
identify possible gaps to pave the way for policy and management intervention that can be used
by practitioners to enhance the information security culture in the banking sector in Ethiopia.
Therefore, I kindly ask you to participate in the survey, which seeks data from employees of
the banking sector in Ethiopia to assess issues in relation to knowledge, attitudes and practice of
information security.
This survey is anonymous. All the information you provide will be kept completely confidential.
No identifiable information whatsoever about you will be passed on to any other bodies. Your
genuine response is very important for the success of the research.
This questionnaire may take about ten minutes of your valuable time to complete. Please write
your job level and years of experience and place a cross (X) in the appropriate boxes. After you
complete filling in the questionnaire, peel the white envelope and seal it with your tri-fold
questionnaire inside. Finally, please deliver it to the responsible person. If you require any
assistance or clarification, please don't hesitate to contact me through either of the following
methods.
Mobile: +251-911-899929 Email: abiyworetaw@yahoo.com
I hope you find filling in the questionnaire enjoyable!


Your job level or role: ___________________________________________________
How long have you worked in the banking sector? ____________________

Columns: SD = Strongly Disagree, D = Disagree, U = Unsure, A = Agree, SA = Strongly Agree

No.  Statement                                                                                     SD   D    U    A    SA
1    It is important to determine the bank's security needs.                                       [ ]  [ ]  [ ]  [ ]  [ ]
2    Information security should be regarded as a technical issue.                                 [ ]  [ ]  [ ]  [ ]  [ ]
3    Information security should be regarded as a functional (business) issue.                     [ ]  [ ]  [ ]  [ ]  [ ]
4    I know what the term information security implies.                                            [ ]  [ ]  [ ]  [ ]  [ ]
5    I think it is important to implement information security in the bank.                        [ ]  [ ]  [ ]  [ ]  [ ]
6    I am aware of information security relating to my job role.                                   [ ]  [ ]  [ ]  [ ]  [ ]
7    I am trained in the information security controls I am supposed to use.                       [ ]  [ ]  [ ]  [ ]  [ ]
8    I have a responsibility towards information security in the bank.                             [ ]  [ ]  [ ]  [ ]  [ ]
9    I know the function/person/team responsible for the information security in the bank.         [ ]  [ ]  [ ]  [ ]  [ ]
10   Management assists in the implementation of information security in the bank.                 [ ]  [ ]  [ ]  [ ]  [ ]
11   The bank has an information security plan.                                                    [ ]  [ ]  [ ]  [ ]  [ ]
12   Information security is measured on a continuous basis within the bank.                       [ ]  [ ]  [ ]  [ ]  [ ]
13   There are formal procedures indicating how I should report information security incidents.    [ ]  [ ]  [ ]  [ ]  [ ]
14   The bank's information security measures compare favorably with other similar banks'          [ ]  [ ]  [ ]  [ ]  [ ]
     information security measures.
15   The bank's information security measures comply with international standards.                 [ ]  [ ]  [ ]  [ ]  [ ]
16   The bank has a written information security policy.                                           [ ]  [ ]  [ ]  [ ]  [ ]
17   The information security policy reflects the bank's objectives.                                [ ]  [ ]  [ ]  [ ]  [ ]
18   Procedures are implemented to support the information security policy.                        [ ]  [ ]  [ ]  [ ]  [ ]
19   I can easily obtain a copy of the information security policy.                                [ ]  [ ]  [ ]  [ ]  [ ]
20   I adhere to the bank's information security policy.                                           [ ]  [ ]  [ ]  [ ]  [ ]
21   The bank ensures that I adhere to the information security policy.                            [ ]  [ ]  [ ]  [ ]  [ ]
22   Management regards the privacy of information about employees as important.                   [ ]  [ ]  [ ]  [ ]  [ ]
23   I think it is important to regard the work I do as part of the bank's intellectual property.  [ ]  [ ]  [ ]  [ ]  [ ]
24   All information about the bank should be available for employees to access, e.g. financial    [ ]  [ ]  [ ]  [ ]  [ ]
     statements, strategies, etc.
25   All information about the bank should be available for non-employees to access, e.g.          [ ]  [ ]  [ ]  [ ]  [ ]
     financial statements, strategies, etc.
26   I should be held accountable for my actions if I do not adhere to the information security    [ ]  [ ]  [ ]  [ ]  [ ]
     policy.
27   I think it is important to perform a risk analysis of information assets in the bank.         [ ]  [ ]  [ ]  [ ]  [ ]
28   There is a function/person/team responsible for risk analysis of information assets in the    [ ]  [ ]  [ ]  [ ]  [ ]
     bank.
29   Investment in information security should be seen as a future investment.                     [ ]  [ ]  [ ]  [ ]  [ ]
30   It is important to budget annually for information security spending/costs.                   [ ]  [ ]  [ ]  [ ]  [ ]
31   I am prepared to change my working practices in order to ensure security of information.      [ ]  [ ]  [ ]  [ ]  [ ]
32   Management perceives information security as important.                                       [ ]  [ ]  [ ]  [ ]  [ ]
33   Change processes relating to information security are accepted positively in the bank, e.g.   [ ]  [ ]  [ ]  [ ]  [ ]
     a clear desk policy, use of encryption, making backups every day, etc.
34   Management communicates information security information on a need-to-know basis to all      [ ]  [ ]  [ ]  [ ]  [ ]
     job levels.
35   The bank organizes and manages the impact of information security change on the bank.        [ ]  [ ]  [ ]  [ ]  [ ]
36   The bank recognizes and manages the impact of information security change on the bank.       [ ]  [ ]  [ ]  [ ]  [ ]
37   I trust my immediate manager.                                                                 [ ]  [ ]  [ ]  [ ]  [ ]
38   My immediate manager trusts me.                                                               [ ]  [ ]  [ ]  [ ]  [ ]
39   I trust top management.                                                                       [ ]  [ ]  [ ]  [ ]  [ ]
40   I feel that top management trusts employees.                                                  [ ]  [ ]  [ ]  [ ]  [ ]
41   My manager involves me in decisions that affect me.                                           [ ]  [ ]  [ ]  [ ]  [ ]
Source: Questionnaire to assess the information security culture originally developed by
(Martins, 2002).
Thank you for your patience in completing this questionnaire!

Declaration

I, the undersigned, declare that this thesis is my original work in partial fulfillment of the
requirement for the Degree of Masters of Business Administration in Information Technology
Management and has not been presented for a degree in this or any other university. All source
of materials used for this thesis and all people and institutions who gave support for this work
have been duly acknowledged.

Declared by: Abiy Woretaw
Signature: _______________________
Date: __________________________
Place: International Leadership Institute
Addis Ababa


This thesis has been submitted for examination with my approval as a university advisor.
Name of the advisor: Lemma Lessa
Signature: ______________________
Date: _________________________
Place: International Leadership Institute
Addis Ababa
