
Information Security Culture in the Banking Sector in Ethiopia

Abiy Woretaw Abitew

ID: 000652632

Advisor: Lemma Lessa Ferede

A thesis submitted to University of Greenwich and International Leadership Institute in partial fulfillment for the Master's Degree in Business Administration in Information Technology Management (MBA-ITM)

Date: July, 2012

I | Page

Acknowledgments

First of all, I'd like to thank the Information Network Security Agency (INSA) for providing me with this opportunity by sponsoring my MBA study at ILI. Second, my utmost appreciation goes to Mr. Lemma Lessa for advising and guiding me in the entire process of this research. This thesis wouldn't be a reality had it not been for his unreserved involvement.

Then I should acknowledge all the 11 banks (Commercial Bank of Ethiopia, Lion International Bank, Dashen Bank, Wegagen Bank, Bank of Abyssinia, Awash International Bank, Construction and Business Bank, Zemen Bank, National Bank of Ethiopia, Development Bank of Ethiopia and Oromia International Bank) and their employees for cooperating to participate in the research.

Finally my deepest gratitude goes to Yonas Taddesse and Abdissa Tolla for their moral support. I also owe Ketema Gudeta and Michael Alemayehu for helping me in data collection and peer reviewing respectively. Seblewoyn Tsegaye, Selamyihun Adefris and Desalegn W/Giorgis too deserve credit for supporting me materially. Thank you!


Acronyms

AOR Adjusted Odds Ratio
ATM Automatic Teller Machine
CI Confidence Interval
ENISA European Network and Information Security Agency
FDIC Federal Deposit Insurance Corporation
ILI International Leadership Institute
IS Information Systems
ISC Information Security Culture
ISO International Organization for Standardization
IT Information Technology
ITM Information Technology Management
MBA Master of Business Administration
SPSS Statistical Package for the Social Sciences (software)
US United States


Table of Contents

Acknowledgments ..... I
Acronyms ..... II
Table of Contents ..... III
List of tables ..... V
List of figures ..... VI
Abstract ..... VII
CHAPTER I Introduction ..... 1
1.1. Background of the study ..... 1
1.2. Statement of the problem ..... 2
1.3. Objectives of the study ..... 3
1.4. Significance of the study ..... 3
1.5. Scope and limitations of the study ..... 4
1.6. Definition of Terms ..... 4
1.7. Organization of the Paper ..... 5
CHAPTER II Literature Review ..... 6
2.1. Information Security ..... 6
2.2. Information security risks and threats in the banking sector ..... 7
2.3. Information security culture (ISC) ..... 10
2.4. Approaches to organizational information security culture ..... 12
2.5. Factors that influence information security culture and practices ..... 13
2.6. Requirements for effective information security culture ..... 13
2.7. Information security awareness programs ..... 14
2.8. Information Security Culture Model ..... 16
2.9. Summary of the Literature Review ..... 17
CHAPTER III Research Design and Methodology ..... 19
3.1. The Research Design ..... 19
3.2. Instrument of Data Collection ..... 19
3.2.1. Questionnaire ..... 19
3.3. Subjects and Sampling ..... 20
3.3.1. Subjects of the research ..... 20
3.3.2. Sampling technique ..... 21
3.4. Techniques of Data Analysis ..... 22
3.5. Ethical Consideration ..... 24
CHAPTER IV Data Analysis and Discussion ..... 25
4.1. Key concepts in analyzing the data ..... 25
4.2. Statistical analysis and main findings of the survey ..... 27
4.2.1. Detail findings of information security culture sub-dimensions ..... 29
4.2.2. Discussion of Results: Interrelationship between the ISC sub-dimensions ..... 38
CHAPTER V Conclusion and Recommendations ..... 41
5.1. Conclusions ..... 41
5.2. Recommendations ..... 44
References ..... 46
Appendix I Research Questionnaire ..... 51
Declaration ..... 55


List of tables

Table 1: Risk analysis sub-dimension assessment ..... 30
Table 2: Policy and Procedures sub-dimension assessment ..... 31
Table 3: Benchmarking sub-dimension assessment ..... 32
Table 4: Budget sub-dimension assessment ..... 33
Table 5: Management sub-dimension assessment ..... 34
Table 6: Trust sub-dimension assessment ..... 35
Table 7: Awareness sub-dimension assessment ..... 35
Table 8: Ethical conduct sub-dimension assessment ..... 36
Table 9: Change sub-dimension assessment ..... 37


List of figures

Figure 1: Adopted information security culture model ..... 17
Figure 2: Information security culture dimensions assessment ..... 28
Figure 3: Information security culture sub-dimensions assessment ..... 29


Abstract

Information security has become one of the most vital and demanding issues facing today's financial institutions such as banks. With the widespread use of technology and ever increasing connectedness to the global environment, financial institutions are increasingly exposed to several and wide-ranging threats. The extant literature indicates that many losses are caused not by a lack of technology or by faulty technology but by the users of technology and faulty human behavior. Financial institutions in Ethiopia are no exception to such security risks. Although the technical aspect of information security needs due attention, a more serious yet under-rated aspect of information security is the human aspect. This research is aimed at assessing the practiced information security culture and identifying possible gaps that need management intervention, in order to recommend measures that can be implemented by practitioners. A survey research method is employed that mainly uses quantitative data based on primary data collected from the headquarters of 11 banks in Addis Ababa. The study revealed that the level of information security culture in the banking sector in Ethiopia is unsatisfactory. The main findings of this paper underline the need for enhancing the ethical conduct of employees and a positive trust environment for effective implementation of information security policies and procedures. Benchmarking against local and international standards should be practiced to assist positive change in information security culture. Risk-based information security awareness training should be provided at all levels to raise the level of awareness. Bank managers should oversee and recognize positive information security culture change. This research can serve as a springboard for related research in the financial as well as other sectors in Ethiopia.

Keywords: Information security, information security culture, assessment, security risks, security threats, information security awareness


CHAPTER I Introduction

1.1. Background of the study

This chapter introduces the general background of the banking sector in Ethiopia and the significance of studying related security issues. The objective, significance, scope and limitations of the research are also briefly discussed.

Today's global society grants power to the most inventive and innovative knowledge workers, who are the main value creators of this modern civilization. The value created is represented, stored and communicated in the form of information. An organization's information assets can be stored in the minds of its personnel, in paper documents and digitally in computer systems. Focusing on the banking business, Ula et al (2011) state that information systems have become the core element of modern banking and that information has become the most valuable asset to protect from insiders, outsiders and competitors. Assuring the security of this information asset maintains competitive advantage in the globally internetworked banking business.

The banking sector in Ethiopia is one of the rapidly growing sectors of the country's economy. Many private banks have been established in the past few years. The distribution and diversity of services is widening. This business competition has stirred the advancement of services enabled by information technology. More banks in Ethiopia are implementing core banking solutions to provide banking services from any of their member branch offices. Provision of such e-banking services is a competitive advantage. Though this technological advancement has facilitated business processes, much attention should be paid to thwarting the efforts of cyber criminals to make illegal financial gain. The security of the banking information systems and critical financial data should be ensured. The banking sector is more sensitive to the issue of security, as money is at stake and it is a lucrative target for malicious attackers.

Evolving trends in information security support the incorporation of the human element in ensuring the information security of an organization. Promoting a sustainable information security culture is an effective way for organizations to address this aspect of information security. Assessing the existing information security culture level provides a clear picture for finding the gaps where managerial measures can intervene to promote a sustainable information security culture. Such a strong information security culture within an organization also serves as a suitable platform to implement technical information security controls.

1.2. Statement of the problem

Information security incidents are more common in the banking sector in Ethiopia nowadays. Most information security risks and threats emanate from faulty information security behavior practiced by users of the information systems. Bank employees are among the main users that have access to the information assets of the banks. Insider threats, which can be either intentional or unintentional, arise from poor information security culture. In order to promote a strong information security culture, the existing information security beliefs, practices and problems should first be assessed so that critical gaps and areas of improvement are identified to pave the way for policy and management intervention.


1.3. Objectives of the study

The research has the following three specific objectives:

• Assess the perception, attitude and practice of employees towards information security in the banking sector in Ethiopia.
• Identify possible gaps to pave the way for policy and management intervention.
• Recommend measures that can be implemented by practitioners to enhance the information security culture in the banking sector in Ethiopia.

1.4. Significance of the study

As the banking sector in Ethiopia is undergoing fast progress in migrating business processes towards new IT-based services, the notion of establishing and maintaining a sustainable information security culture becomes more appropriate now than ever. Research on information security culture is still in its early stages of development: issues are still being identified and conceptualizations are still being explored (Alnatheer & Nelson, 2009; Gebrasilase & Lessa, 2011). This hot research area is even more in its infant stage in the Ethiopian banking sector context. Promoting a strong information security culture in the banking sector in Ethiopia lays suitable ground for the implementation of technical information security controls and measures. Due to the sensitivity of financial institutions to security issues, priority is given to assessing the level of information security culture in the banking sector in Ethiopia.


1.5. Scope and limitations of the study

The scope of this paper is assessing the information security culture level in the banking sector in Ethiopia. The subjects of the study are mostly Information Systems department employees and managers from the headquarters of 11 banks in Ethiopia. A more inclusive survey of other departments would have made the research findings more comprehensive. The sample size of analyzed data is 100. A sample size of more than 300 would have minimized the margin of error so that the research findings, conclusions and recommendations could be more valid and reliable.

1.6. Definition of Terms

Assessment: The evaluation of the level of existing awareness, perception and practice.

Culture: The behaviors and beliefs characteristic of a particular social group (STANDS4 LLC, 2012).

Likert scale: An ordered, one-dimensional scale from which respondents choose the one option that best aligns with their view. This method of ascribing quantitative value to qualitative data makes it amenable to statistical analysis (The daily biz, 2010).

Model: A schematic description of a theory that accounts for its known or inferred properties and may be used for further study of its characteristics (Farlex, 2010).

Risk: The possibility of suffering harm or loss; danger (Farlex, 2010).

Risk analysis: Uses information to identify possible sources of risk. It uses information to identify threats or events that could have a harmful impact. It then estimates the risk by asking: what is the probability that this event will actually occur in the future? And what impact would it have if it actually occurred? (Praxiom Research Group Limited, 2012).

Threat: A potential event. When a threat turns into an actual event, it may cause an unwanted incident. It is unwanted because the incident may harm an organization or system (Praxiom Research Group Limited, 2012).

Vulnerability: A weakness in an asset or group of assets. An asset's weakness could allow it to be exploited and harmed by one or more threats (Praxiom Research Group Limited, 2012).

1.7. Organization of the Paper

This paper is organized into five chapters. The current chapter deals with the general background, objective, significance, scope and limitations of the study. The literature review chapter goes into the extant literature on information security in general and information security culture in particular to identify the enabling factors and evaluation dimensions of information security culture, and also synthesizes the outcomes of related studies. The research design and methodology chapter then explains the research design, instrument of data collection, subjects of the research, sampling technique and ethical considerations taken into account. The data analysis and discussion chapter presents and discusses the findings of the study and their interpretation. Finally, the paper concludes by indicating critical areas of improvement and recommending measures to promote information security culture in the banking sector in Ethiopia. The paper also paves the way for further research in the area by pointing out the limitations of this research.


CHAPTER II Literature Review

This chapter reviews the extant literature on information security in general and information security culture in particular to identify the enabling factors and evaluation dimensions of information security culture.

2.1. Information Security

Information security is the process of protecting and preserving the information asset. It ensures the confidentiality, integrity, availability, authenticity and reliability characteristics of information. Information security encompasses technology, processes and people (Von Solms, 2000). In order to achieve comprehensive information security, the three aspects should be considered holistically. Technological access control methods and techniques ensure protection against vulnerabilities underlying the technology (hardware or software). Nonetheless, the business processes of organizations can expose information to confidentiality and integrity breaches. Operational business processes are expected to identify security loopholes and devise mechanisms to prevent information security breaches.

Although the technical aspect of information security needs due attention, a more serious yet under-rated aspect of information security is the human aspect. Mitnick et al (2002) explain that technical methods of protecting information may be effective in their respective ways; however, many losses are not caused by faulty technology but rather by users of technology and faulty human behavior. Hence, people can not only be part of the problem, but also can and should be part of the solution. People must be an integral part of any organization's information security defense system (Mitnick et al, 2002). In support of this argument, Martins and Eloff (2006) underline that the behavior of employees and their interaction with computer systems have a significant impact on the security of information.

2.2. Information security risks and threats in the banking sector

Ula et al (2011) convey that espionage through the use of networks to gain competitive intelligence and to extort organizations is becoming more prevalent. Any mishandling of confidential information assets can cause huge financial loss, and the reputation of the bank will be severely damaged. Ula et al (2011) stress that in this globally networked environment, security is a crucial part of banking and financial institutions.

Nelson (2005) argues that banks must pursue new technologies and services to survive the business competition. Their customers demand the latest technologies of e-banking, bill pay, ATMs, smart cards, mobile banking, and other future systems. Banks adopt the latest technologies to provide their customers with competitive services. As they adopt new IT-empowered services they must also adopt new protective technologies, or they will increase their risk of security breaches (Nelson, 2005). IT-based banking services and products increase the security risks, threats and security breach incidents in the global banking environment.

Nelson (2005) explains that the current trend in financial institutions is to reduce risk by decreasing the range of systems and applications that are available to users. In an attempt to reduce IT-based risk, banks are removing access to such services. Here, it is evident that although technology is increasing in power, the controls are designed to manage and limit human involvement with the technologies. This demonstrates a basic truth: technology is not a threat; humans using technologies are the threat. Nelson (2005) further recommends the need to enforce policies, procedures, and guidelines to manage the human aspect of security.


Information security risks have grown with the advent of the marriage between business operations and IT. IT aggravates security risks as it facilitates the ease of processing, storing and communicating data and information. Ula et al (2011) explain that as modern banking increasingly relies on the internet and computer technologies to operate businesses and market interactions, threats and security breaches have greatly increased in recent years.

Ula et al (2011) cite the Symantec (2010) report to portray the severity of information security breaches to global businesses and in particular the banking sector:

Security breach and computer viruses cost global businesses $1.6 trillion a year and 39,363 human years of productivity. In 2009, Symantec has detected 59,526 phishing hosts around the globe, that number is increased by 7% compared to phishing hosts detected in 2008. The percentage of threats to confidential information is increased to 98% in 2009 compared to 83% in 2008, 89% of the threats have the ability to export user data and 86% of them have keystroke-logging component (p.1).

In a related recent study, the FDIC found that cyber thieves have cost US companies and their banks more than $15bn in the past five years (Menn, 2012). According to Menn (2012), American regulatory authorities and law enforcement agencies perceive financial institutions as part of the problem in the failure to thwart internet fraud. Menn (2012) further argues that although security is generally improving and the banks' own systems are rarely penetrated, hackers are increasingly exploiting the weakest link of the computer security chain: the user.

William Nelson, chief executive of the Financial Services Information Sharing and Analysis Center, says: "No official statistics show which types of bank are better at protecting customers, but background interviews with executives and other data point to clear patterns. The number of attacks is rising as scammers go after smaller banks, where security is often weaker" (Menn, 2012).

However, even big banks that generally do a better job of security are found to be victims of security breaches. The New York banking giant Citigroup reported that a total of 360,083 North America Citi-branded credit cards were affected in the security breach that occurred in June 2011 (Kapner, 2011a; Kapner, 2011b). A Citigroup spokesman said the company has about 23.5 million credit card accounts in North America alone. In yet another security compromise reported in August 2011, thieves made off with the personal information of 92,408 Citigroup Inc. credit card customers in Japan and sold the data to third parties. It was the second data theft for Citi in three months and the latest sign of the vulnerability of banks and their clients. The scheme in Japan was perpetrated by a third-party vendor that had been given access to Citi's internal systems (Kapner, 2011c).

Concerned about increasingly serious attacks from organized crime groups, the US Government wants its banks to be more secure (Menn et al, 2011). US banks will be forced to upgrade their systems for preventing online fraud in customer accounts under new guidelines issued by financial regulators. Instead of endorsing a specific technology or technique, the guidelines put the responsibility on the banks to assess their information security risks and adapt security measures accordingly (Menn et al, 2011). Such a risk-based security approach incorporates the human element of the banks' information security by promoting a sustainable and strong information security culture. Ethiopia can benefit from a late-comer's advantage by learning from the global information security trend. Hence, the banking sector in Ethiopia must address both the technical and non-technical aspects of information security to manage the situation strategically.


    2.3. Information security culture (ISC)

    Martins and Eloff (2006) define information security culture as the assumption about acceptable

    information security behavior and it can be regarded as a set of information security

    characteristics such as integrity and availability of information. On another literature, Dhillon

    (1997) describes security culture as the behavior in an organization that contributes to the

    protection of data, information and knowledge. Peteris Treijs (2006) defines security culture as

    the assembly of characteristics and attitudes in organizations and individuals which establishes

    security of information systems and networks as a high priority.

    Most of the recent researches approach information security culture from theories and models of

    organizational culture. Organizational culture defines how an employee perceives the

    organization (Ulich 2001). According to Schlienger and Teufel (2003), organizational culture is a

    collective phenomenon that grows and changes gradually and, to some extent, it can be

    influenced or even designed by the management. In line with this, Kuusisto and Ilvonen (2003)

    emphasize that information security culture is developed over time by changing the behavior in

    an organization to the desired direction. This takes place both by formalizing the framework of

    information security as well as by influencing the mental models, attitude, motivation and

    explicit and especially tacit knowledge of personnel. An organizational culture can have different

    subcultures depending on the sub-organizations or functions. Information security culture can be

    treated as a subculture with regard to general organizational culture (Schlienger & Teufel, 2003).

    Researches on the area have affirmed that the establishment of an organizational information

    security culture is essential for effective information security (Eloff & Von Solms, 2000; Von

    Solms, 2000). The importance of establishing an information security culture in an organization

    has become a well established idea. The aim of such a culture is to address the various human

  • 11 | P a g e

    factors that can affect an organizations overall information security practice (Van Niekerk &

    Von Solms, 2005). Users can be either security asset or exploitable security weak-links for an

    organization. Hence it is critical that all people who interact with the information system exercise

    an acceptable information security culture. It is therefore fundamental to understand and manage

    the psychology of users so that their belief, perception and attitude towards information security

    is acceptable.

    According to Schlienger and Teufel (2002), Security culture covers social, cultural and ethical

    measures to improve the security relevant behavior of the organizational members and

    considered to be a subculture of organizational culture. Thus it tends to be stable and resistant to

    change regardless of the security level it guarantees. Information security culture deals with the

    psychology and behavior of employees in their interaction with the information system.

    Alnatheer & Nelson (2009) convey that a reliable security culture assists the enforcement of

    information security policies and practices in the organization. As a result, each organization's

    goal should be to achieve a strong and sustainable information security culture.

    In order to develop a successful information security culture within an organization, it is

    essential to understand the existing information security beliefs, practices and problems to

    identify possible gaps and pave the way for policy and management intervention. An

    organization has to measure and evaluate its information security culture level. Martins and Eloff

    (2006) substantiate this notion, underlining that a certain level of information security culture is

    already present in every organization where IT is integrated into business processes, but this

    culture could be a threat if it is not on an acceptable level. The aim in assessing the information

    security culture is to advance it positively. This could then aid in minimizing internal and

    external threats to the information asset in the organization.


    2.4. Approaches to organizational information security culture

    Studies have shown that technical solutions alone are not enough to manage internal security

    incidents. In order to have better security precautions in organizations, both the technical and

    non-technical aspects of information security need to be addressed (Zakaria et al, 2007). Zakaria

    et al (2007) further emphasize the importance of management activities in order to establish

    appropriate information security culture within an organization. The IT strategy of an organization is

    developed to support and enable the core business of the organization to achieve its

    objectives. This strategy includes security as a main component and a dedicated information

    security strategy is developed. The role of senior management, allocation of budget, assignment

    of a dedicated function, participation of employees, the enforcement processes and the awareness

    program are information security tasks needed to establish or enhance ISC (Lim et al, 2009).

    In their ISC assessment article, Martins and Eloff (2006) describe that:

    ISC assessment approach consists of an audit process where the perceptions, attitudes, opinions and actions of employees regarding information security can be determined. By analyzing this information, an organization can assess how employees perceive information security activities and which aspects concerning information security culture need attention. (p.5).

    Martins and Eloff (2006) approach the information security culture audit process through ISC

    questionnaire design, actual survey, data analysis and interpretation, and recommendation

    phases. This approach is adopted by the researcher to assess the information security culture in

    the banking sector in Ethiopia.


    2.5. Factors that influence information security culture and practices

    Alnatheer & Nelson (2009) classified factors that influence security culture and practices into

    four themes: corporate citizenship, which is achieved through information security awareness and

    training programs; the legal and regulatory environment, which deals with information security

    management standardization, best practices and information security policy; corporate

    governance, including top management support for information security management,

    information security compliance and information security risk analysis; and cultural factors like

    national and organizational culture.

    2.6. Requirements for effective information security culture

    The first step in establishing an information security culture is to recognize the importance of

    information security to the core business of the organization. This should be championed by the

    top management and consensus about the need for security should be reached among all

    employees in an organization. Top management support should be harnessed in planning,

    adopting and implementing information security programs.

    However, information security culture will develop and succeed only if there is participation

    from all levels of employees (Zakaria et al, 2007). Therefore, enforcement of security should be

    integrated with the empowerment of employees to be responsible for security. Internal support

    should be given priority and the overall direction should be communicated to employees so that

    they are intrinsically motivated to support the effort. Delegation of tasks and trust promote

    employees' ownership of the program. External consultants and control mechanisms should only

    have a supporting role in establishing and maintaining the information security culture of an

    organization.


    The value of information security is elusive as it is abstract and hard to quantify. This is because

    people tend to place more emphasis on something that happened than on something that was prevented

    from happening. As insightfully described by West (2008), employees are less motivated to exercise

    secure practices as the benefits of security are generally abstract. In addition to this, secure

    practices have significant costs in ease of use and resources that tempt employees to ignore

    secure practices. This calls for motivational factors like a reward system and accountability

    consequences such as penalties for non-adherence.

    2.7. Information security awareness programs

    Once the importance and actual value of information security is ingrained into the corporate

    culture, an information security program can be developed and implemented effectively. This

    program can be initiated by creating information security awareness as a key method in

    establishing and maintaining a strong information security culture. Information security

    awareness programs should be designed to raise the awareness level of all managers and

    employees in an organization. Security awareness training enables employees to rationally

    analyze security risks and measures they should put in place.

    Information security awareness training should be designed in alignment with the core topics

    from the information security policy of the organization. The information security policy of an

    organization should comply with the international standards and guidelines. Nevertheless, this

    must not limit the customization of the policy to the existing information system context.

    Information security policies are developed based on risk assessment of the organization. This

    risk based approach ensures the coverage of critical vulnerabilities analyzed during risk

    assessment.


    International information security standards include a provision for information security

    awareness programmes (ENISA, 2009). Information security training should not only comply

    with international standard outlines but also be feasibly customized to the context of the

    organization. Education and awareness raising for financial organizations need to be carried out

    internally as well as externally to foster a platform of trust and allow for compliance and

    governance mandates to be adhered to on a proactive basis (ENISA, 2009).

    The awareness program should be branded and appealing. Tessem, H.M. and Skaaraas, K.R.

    (2005) argue that while it has been claimed that we live in the information society, a more

    accurate claim might be that we live in the entertainment society (p.18). Since people are

    behaviorally drawn to an entertaining approach to value delivery, the program should capture

    the attention of employees and they should develop a sense of affiliation to the program.

    A security awareness program will deliver security-conscious employees who exercise best

    security practices that comply with information security policies and report incidents

    accordingly. These employees are intrinsically motivated to defend the information asset of their

    organizations as they understand the tradeoff between security and cost. Security awareness is

    relatively transferable knowledge across systems. It requires only system-specific details to be

    incorporated to accommodate secure usage of new technologies in the information system.

    The effectiveness of a security awareness program should be evaluated periodically. This provides

    feedback on the level of employees' adherence to information security policies and the

    effectiveness of the awareness training curriculum. The evaluation result can be used to update

    the information security policy, topics and content of the awareness training. The participation of


    employees should be enhanced and a revised version of the awareness training should be

    delivered annually.

    2.8. Information Security Culture Model

    Recognizing the need to measure information security culture, different assessment tools have

    been proposed. The Framework for fostering information security culture in Small and Medium

    Enterprises developed by Sneza, D., and the Outcomes Based Framework for Culture Change

    model developed by Frederick, J., et al. are among the proposed tools. However, a more

    comprehensive model is the Information Security Culture model designed by A. Martins and J. Eloff

    (2002), which is derived from the organizational behavior model of Robbins (1989). This

    conceptual information security culture model is derived from the paradigm of approaching

    information security culture as a sub-culture of organizational culture. Martins and Eloff

    identified information security controls at individual, group and organizational levels of

    organizational behavior that could influence information security culture (N. Martins & J. Eloff

    2002; A. da Veiga et al 2007).

    This research assesses the level of information security culture in the banking sector in Ethiopia

    explicitly from the perspective of this model. The interrelationships between information security

    culture tasks (dependent and independent variables) at all levels are apparent from Figure 1.


    Figure 1: Adopted information security culture model

    Source: Information security culture model originally developed by Martins, A. & Eloff, J. 2002.

    2.9. Summary of the Literature Review

    This literature review revealed that information security culture is an emerging and still

    under-studied topic in information security. This hot research area is even more at its infant stage in the

    Ethiopian banking sector context. Furthermore, the review identifies the enabling factors and evaluation

    dimensions of information security culture and also tries to synthesize the outcomes of related

    studies. Ultimately, people interact directly with information systems and have access to

    information. Any effort merely in technological and process security measures will be futile if

    the user aspect of security is not effectively managed. Accordingly, this paper focuses on the

    human aspect of information systems. To address this socio-cultural aspect of information

    security, information security culture is recognized as a discipline of information security.


    The literature review underlined the need for promoting information security culture, citing

    prominent literature in the area. Risks and threats of information security in the banking sector

    and different security breaches that occurred with global banks are discussed to demonstrate the

    need to approach information security in the banking sector comprehensively. The rationale to

    assess existing information security culture and approaches to assess information security culture

    are also reviewed from related literature to support the research method of this paper. Well-

    established factors that influence information security culture are also reviewed to serve as

    reliable perspectives of data analysis, interpretation, conclusion and recommendation.

    The information security awareness program is discussed in detail as the issue is integral to the

    research agenda.

    The gap observed in the literature of information security culture emanates from the

    unavailability of a comprehensive and working information security culture framework. Most

    models and frameworks are conceptual and not practically tested in the banking sector. A widely

    accepted and comprehensive information security culture model originally developed by Martins

    A. and J. Eloff (2002) is illustrated as it serves as the basis for this research. This model is

    validated in financial institutions context.


    CHAPTER III Research Design and Methodology

    This chapter explores the research design, instrument of data collection, subjects of the research,

    sampling technique and ethical considerations taken into account.

    3.1. The Research Design

    A survey research method is employed in order to assess the information security culture in the

    banking sector in Ethiopia. This research is based on a widely accepted information security

    culture model originally developed by Martins A. and J. Eloff (2002). As this study is aimed at

    assessing the existing information security attitudes, perception and practices, it is imperative

    that a reliable research method is employed. Although qualitative research methods like

    interviewing are feasible for studying behavioral questions, this research relied on

    quantitative primary data collected through a validated standard questionnaire developed based

    on a model to assess information security culture.

    3.2. Instrument of Data Collection

    3.2.1. Questionnaire

    Primary data is collected from headquarters of 11 different banks in Addis Ababa. A

    questionnaire to assess information security culture, developed by Martins (2002), is adopted.

    This assessment instrument is validated and improved by performing a factor and reliability

    analysis on the data from an information security culture assessment in a financial organization

    (Veiga et al, 2007). Factors in the establishment and maintenance of proper information security

    culture are assessed. Then information security culture in the banking sector in Ethiopia is

    evaluated through an auditing process.


    The questionnaire (Appendix I) has 41 statements that assess the perceptions, attitudes, opinions

    and actions of employees regarding information security. A five point Likert scale, which is

    advisable to assess behavioral patterns, is provided to respond to the information security culture

    statements. Minor changes were made to contextualize the questionnaire to the target research

    participants.

    3.3. Subjects and Sampling

    3.3.1. Subjects of the research

    Initially, 15 different banks in Addis Ababa were approached to participate in this research. Four

    of them declined the offer. Fortunately 11 banks cooperated to participate in the research. Only

    four of these banks are governmental (Commercial Bank of Ethiopia (CBE), National Bank of

    Ethiopia (NBE), Construction and Business Bank (CBB) and Development Bank of Ethiopia

    (DBE)). The seven private banks considered are: Lion International Bank (LIB), Dashen Bank,

    Wegagen Bank, Bank of Abyssinia, Awash International Bank (AIB), Zemen Bank and Oromia

    International Bank (OIB). The survey is conducted at headquarters of these banks located at

    different sites in Addis Ababa. An assumption is made that the information security culture in

    bank branches bears a resemblance to the information security culture practiced at headquarters.

    Bank employees in the IT or Information Systems (IS) departments are the main respondents of

    the survey because these employees directly access the banks' valuable and confidential

    information systems. In addition to this, IT departments serve as a liaison between the

    managerial and operational staff. Furthermore, these employees are assumed to have the


    minimum information security awareness needed to complete the questionnaire. This aids the

    respondents to perceive the meaning of the statements uniformly. IT professionals, departmental

    managers and operational staff of IS/IT departments are the subjects of this research. The trend with

    these employees is assumed to heavily influence the information security culture of other

    departments. Thus, assessing the level of information security culture in IS/IT departments

    substantiates the findings of the research because the subjects are at the heart of the banks'

    information systems. Hence, conclusions and recommendations made based on research findings

    from these subjects' data are believed to be valid and reliable.

    3.3.2. Sampling technique

    A non-probability convenience snowball sampling technique is used to collect data from all the

    banks. The general objective is communicated to contact-persons in all the 11 banks and they

    steward the data collection. This sampling technique capitalizes on insider experience and so

    facilitates the data collection process. A larger sample size would have been preferred for the

    research. Due to the busy working environment in the banking sector, it was not easy to convince

    banks to complete more than a few questionnaires.

    It took five weeks to distribute and collect all the completed questionnaires. The challenge arose

    from the geographic distribution of the banks and bureaucratic procedures followed to

    accommodate academic research questionnaires. 120 questionnaires were distributed and 102

    questionnaires were returned (i.e. a return rate of 0.85). 2 questionnaires were rejected due to

    significant incompleteness. Finally, 100 questionnaires were encoded into SPSS version 16.0

    software for data analysis.


    3.4. Techniques of Data Analysis

    Biographical data like bank name, bank type, job level and year of experience in the banking

    sector are directly encoded from the collected data. The job level variable is further transformed

    into senior manager, departmental manager, IT professional and operational staff categories and

    a new variable (Job category) is defined. The year of experience category too is transformed into

    intervals (0-2 years, 2-5 years, 5-10 years and above 10 years) of experience and a new variable

    (Year of Experience) is defined. Missing values of biographical data could not be replaced;

    rather, the percentage of respondents with missing data is computed separately.

    Each statement in the questionnaire is treated as a variable. Convenient names are assigned to the

    variables. The Likert scale response values are encoded numerically [Strongly Disagree=1,

    Disagree=2, Unsure=3, Agree=4 and Strongly Agree=5]. Missing values are interpreted as

    Unsure responses. Then, dichotomous values are computed by transforming the five Likert

    scale values into two dichotomous [Strongly Disagree=1, Disagree=2, Unsure=3 into

    Unfavorable=0] and [Agree=4 and Strongly Agree=5 into Favorable =1] values.

    According to the information security culture model originally developed by Martins A. and J.

    Eloff (2002), there are three levels [Individual, Group and Organizational] and nine sub-

    dimensions [Awareness, Ethical conduct, Trust, Management, Risk analysis, Policies and

    procedures, Benchmarking, budgeting and Change] of information security culture tasks and

    issues. In line with this, the 41 information security assessment statements are grouped into these

    nine sub-dimensions. Favorable information security culture values are counted in each sub-

    dimension. To that end, respondents who scored 3rd quartile and above (>=75%) are


    categorized as having favorable information security culture while scores less than 3rd quartile

    (< 75%) were considered unfavorable in relation to the variables of interest. The rationale is

    that higher counts are expected from respondents due to the simplicity of the statements

    and the expected security performance in the banking sector.

    Then statistical frequency of favorable percentile values is computed for each sub-dimension and

    dimension. Crosstab features of SPSS are used to discover the association between information

    security culture sub-dimensions. The observed and expected counts are compared to identify the

    interdependence of one information security culture task with another. Chi-square tests [


    are framed based on the statistical findings and interdependence between information security

    culture sub-dimensions.
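    The encoding, dichotomisation, third-quartile classification and crosstab steps above, as an added Python example that is not part of the thesis (which used SPSS); the statement-to-sub-dimension mapping covers only the statements listed in Tables 1 to 3, and the four respondents' answers are constructed:

```python
"""Scoring scheme of Section 3.4 on a small constructed data set.

Added example, not the thesis's own SPSS work. Steps implemented:
  1. Likert labels encoded 1..5; a missing answer is read as Unsure (3).
  2. Dichotomised: 1..3 -> 0 (unfavorable), 4..5 -> 1 (favorable).
  3. Favorable percentage per statement (Tables 1-3 style).
  4. A respondent counts as favorable on a set of statements when the
     favorable share reaches the third quartile (>= 75%); the thesis applies
     the same rule over all 41 statements with a cut-off of 32 of 41.
  5. Observed vs. expected counts of two sub-dimension flags (SPSS crosstab
     style) with the Pearson chi-square statistic.
"""
from collections import defaultdict

LIKERT = {"Strongly Disagree": 1, "Disagree": 2, "Unsure": 3,
          "Agree": 4, "Strongly Agree": 5}

# Statement numbers for the three sub-dimensions listed in Tables 1-3.
# The thesis's mapping of the other 30 statements is not reproduced here,
# so the demo scores only these 11 statements.
SUB_DIMENSIONS = {
    "Risk analysis": [27, 28],
    "Policy and Procedures": [11, 13, 16, 17, 18, 19],
    "Benchmarking": [12, 14, 15],
}


def encode(label):
    """Likert label -> 1..5; None (missing) is interpreted as Unsure = 3."""
    return 3 if label is None else LIKERT[label]


def dichotomize(code):
    """1..3 -> 0 (unfavorable), 4..5 -> 1 (favorable)."""
    return 1 if code >= 4 else 0


def favorable_by_statement(responses):
    """{statement_no: favorable percentage over all respondents}."""
    counts = defaultdict(int)
    for answers in responses:
        for no, label in answers.items():
            counts[no] += dichotomize(encode(label))
    return {no: round(100 * c / len(responses)) for no, c in counts.items()}


def favorable_share(answers, statements):
    """Share of favorable answers one respondent gives on a statement set."""
    fav = sum(dichotomize(encode(answers.get(no))) for no in statements)
    return fav / len(statements)


def respondent_favorable(answers, statements, threshold=0.75):
    """Third-quartile rule: favorable when the share is >= 75%."""
    return favorable_share(answers, statements) >= threshold


def favorable_by_subdimension(responses, mapping=SUB_DIMENSIONS):
    """Percentage of respondents favorable in each sub-dimension."""
    return {name: round(100 * sum(respondent_favorable(a, stmts)
                                  for a in responses) / len(responses))
            for name, stmts in mapping.items()}


def crosstab(responses, dim_a, dim_b, mapping=SUB_DIMENSIONS):
    """2x2 observed and expected counts of the favorable flags of two
    sub-dimensions, plus the Pearson chi-square statistic (1 d.f.)."""
    obs = [[0, 0], [0, 0]]
    for a in responses:
        fa = int(respondent_favorable(a, mapping[dim_a]))
        fb = int(respondent_favorable(a, mapping[dim_b]))
        obs[fa][fb] += 1
    n = len(responses)
    row = [sum(obs[i]) for i in range(2)]
    col = [obs[0][j] + obs[1][j] for j in range(2)]
    exp = [[row[i] * col[j] / n for j in range(2)] for i in range(2)]
    chi2 = sum((obs[i][j] - exp[i][j]) ** 2 / exp[i][j]
               for i in range(2) for j in range(2) if exp[i][j] > 0)
    return obs, exp, chi2


# Constructed answers of four respondents (not survey data from the thesis).
A, SA, D, SD, U = "Agree", "Strongly Agree", "Disagree", "Strongly Disagree", "Unsure"
RESPONSES = [
    {27: A, 28: A, 11: A, 13: A, 16: A, 17: A, 18: A, 19: None, 12: A, 14: U, 15: A},
    {27: SA, 28: D, 11: A, 13: D, 16: A, 17: A, 18: U, 19: D, 12: A, 14: D, 15: D},
    {27: A, 28: A, 11: D, 13: SD, 16: U, 17: A, 18: D, 19: D, 12: D, 14: U, 15: U},
    {27: SA, 28: A, 11: A, 13: A, 16: A, 17: SA, 18: A, 19: A, 12: A, 14: A, 15: A},
]

if __name__ == "__main__":
    print("favorable % per statement:", favorable_by_statement(RESPONSES))
    print("favorable % per sub-dimension:", favorable_by_subdimension(RESPONSES))
    obs, exp, chi2 = crosstab(RESPONSES, "Risk analysis", "Policy and Procedures")
    print("observed:", obs, "expected:", exp, "chi-square: %.3f" % chi2)
```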

    3.5. Ethical Consideration

    The researcher received a letter of endorsement from International Leadership Institute (ILI) that

    supported obtaining the necessary data from the banks. A copy of the letter is provided to all the

    banks in request for cooperation. Once informed consent of top management of the bank is

    earned, contact personnel among research participants are approached and communicated to get

    their informed consent too. In addition to this, the cover page of the questionnaire (Appendix I)

    describes the researcher's brief profile, topic of concern, overall objective of the research and the

    guide to complete the questionnaire. These efforts provided subjects of the research full

    information.

    Genuine response is encouraged by ensuring anonymity and confidentiality of the survey. No

    identifiable information, whatsoever about the respondent, will ever be passed on to any other

    body. Each research participant was provided with a signed peel and seal envelope to observe the

    anonymity of the survey. Such efforts contributed to a decent return rate (0.85) and to the consistency

    of the collected data, and thus to data quality.


    CHAPTER IV Data Analysis and Discussion

    This chapter presents the findings of the study and discusses and interprets the results in detail.

    The collected data is analyzed and findings are interpreted based on well established factors that

    influence information security culture and from the perspective of the adopted information

    security culture model.

    4.1. Key concepts in analyzing the data

    In order to effectively analyze the collected data based on the information security culture model,

    the 41 information security culture statements are categorized into four [individual level, group

    level, organizational level and change] dimensions. Individual level dimension includes two sub-

    dimensions called Awareness and Ethical conduct. Awareness sub-dimension statements assess

    the knowledge, attitude and perception of employees towards information security. Ethical

    conduct sub-dimension statements assess the adherence of employees to existing information

    security policy and procedures and their perception towards access to data and intellectual

    property. The management's regard for the privacy of employees' information is also considered in this

    sub-dimension.

    The Group level dimension includes two sub-dimensions named Management and Trust.

    Management sub-dimension statements assess the perception and commitment of top

    management to information security. The establishment of a dedicated information security

    function in the banks, communication of security information on a need-to-know basis and

    participation of employees in information security initiatives are also assessed in this sub


    dimension. Trust sub-dimension statements assess the trust environment between employees and

    their managers at different levels.

    The Organizational level dimension includes four sub-dimensions named Risk analysis, Policies

    and procedures, Benchmarking and Budget. Risk analysis sub-dimension statements assess the

    availability of dedicated risk analysis function and perception of employees about the importance

    of risk analysis in the bank. Policies and procedures sub-dimension statements assess whether the

    bank has implemented information security plan, policy and procedures. Availability of formal

    information security incident reporting procedures and access of employees to all these

    documents is also evaluated. Benchmarking sub-dimension statements assess the evaluation of

    the bank's information security status compared with other banks and its compliance with

    international standards. Budget sub-dimension statements assess the perception of employees

    about the importance of budgeting annually for information security as a strategic investment.

    Change sub-dimension statements assess the readiness and acceptance of employees to new

    information security practices and the recognition and organization of the bank's management to

    information security changes.


    4.2. Statistical analysis and main findings of the survey

    The information security culture data is collected from 4 (37%) governmental and 7 (63%) private

    banks. The job category distribution of the respondents indicates 12 (12%) department managers,

    58 (58%) IT professionals, 18 (18%) operational staff and the remaining 12 (12%) respondents

    did not complete this variable. With regard to the years of experience, all experience levels of

    employees in the banking sector in Ethiopia are represented. 19 (19%) of the respondents have

    more than 10 years of experience in the banking sector. 22 (22%) of the respondents have 5 to 10

    years of experience. 28 (28%) of the respondents have 2 to 5 years of experience. 23 (23%) of the

    respondents have less than 2 years of experience in the banking sector. The remaining 8 (8%) did

    not respond to this variable. Generally, the information security culture level in the banking

    sector in Ethiopia is found to be inadequate. Only 25% of the respondents are found to have

    favorable information security culture [>=32/41]. The remaining 75% have unfavorable

    information security culture that can expose the information asset of the banks. This shows that

    holistic and strategic work is needed to promote information security culture in the banking

    sector in Ethiopia.


    Figure 2 represents the percentage of respondents who are found favorable and unfavorable

    about the statements portrayed in the four dimensions of information security culture. The

    favorable percentages indicate the information security perception, attitude and behavior in the

    banks that are in line with strong information security culture. The unfavorable percentages

    indicate the information security perception, attitude and behavior gaps that are possible

    improvement areas. A larger unfavorable percentage indicates a wider gap in the variable of interest

    that needs serious managerial intervention. From Figure 2, it is evident that individual, group and

    change dimensions are critical developmental areas. The organizational level information

    security culture dimension scores a slightly better (38%) result.

    Figure 2: Information security culture dimensions assessment

    Source: Computed, 2012

    [Figure 2 is a bar chart; its values are reproduced below.]

    Dimension        Favorable   Unfavorable

    Individual       28%         72%

    Group            30%         70%

    Organizational   38%         62%

    Change           30%         70%


    4.2.1. Detail findings of information security culture sub-dimensions

    Figure 3 represents the percentage of respondents who are found favorable and unfavorable

    about the statements portrayed in the nine sub-dimensions. The frequency distributions of the

    nine sub-dimensions indicate that ethical conduct, trust, benchmarking, policy and procedures,

    and change are developmental sub-dimensions that need serious managerial attention. On the

    other hand, frequency distributions of awareness, management, budget and risk analysis sub-

    dimensions show average results that also need significant improvement.

    Figure 3: Information security culture sub-dimensions assessment

    Source: Computed, 2012

    [Figure 3 is a bar chart; its values are reproduced below.]

    Sub-dimension           Favorable   Unfavorable

    Risk analysis           59%         41%

    Policy and Procedures   25%         75%

    Benchmarking            33%         67%

    Budget                  79%         21%

    Management              48%         52%

    Trust                   36%         64%

    Awareness               50%         50%

    Ethical conduct         33%         67%

    Change                  30%         70%


    The detail findings of each sub-dimension are reported in tables 1-9. The strongly disagree,

    disagree and unsure Likert-scale responses of research participants are considered as unfavorable

    while the agree and strongly agree Likert-scale responses of research participants are considered

    as favorable. An unsure perception and attitude response is considered as a negative response as it

    lacks consistency. Only the favorable responses are positive results that contribute to promote a

    sustainable information security culture. The frequency distributions of favorable responses are

    presented as favorable percentages. Favorable percentages of each statement in the same sub-

    dimension are listed in tables 1-9.

    4.2.1.1. Risk analysis sub-dimension of ISC

    Table 1: Risk analysis sub-dimension assessment

    No.  Statement                                                                                          Favorable percentage

    27   I think it is important to perform a risk analysis of information assets in the bank.              94%

    28   There is a function/person/team responsible for risk analysis of information assets in the bank.  60%

    Source: Computed, 2012 - Questionnaire to assess ISC originally developed by Martins (2002).

    Respondents perceive the importance to perform risk analysis positively (94%). However only

    60% of the respondents believe there is a function responsible for risk analysis of information

    assets in the banks. This implies risk analysis is not conducted formally and imminent

    information security threats might not be communicated to employees. Every bank should

    clearly dedicate a function that effectively conducts risk analysis of information assets in the

    bank.


    4.2.1.2. Policy and Procedures sub-dimension of ISC

    Table 2: Policy and Procedures sub-dimension assessment

    No.  Statement                                                                                    Favorable percentage

    11   The bank has an information security plan.                                                   65%

    13   There are formal procedures indicating how I should report information security incidents.  32%

    16   The bank has a written information security policy.                                          56%

    17   The information security policy reflects the bank's objectives.                              58%

    18   Procedures are implemented to support the information security policy.                       48%

    19   I can easily obtain a copy of the information security policy.                               33%

    Source: Computed, 2012 - Questionnaire to assess ISC originally developed by Martins (2002).

    Here, it is evident that formal information security incident reporting procedures (32%) suffer a

    negative result in the banking sector in Ethiopia. This is partly because security incident

    reporting procedures are not developed or not effectively disseminated to employees. Access to

    information security policy and procedures also suffers a poor 33% frequency distribution. The

    implementation of information security procedures (48%) is not at a satisfactory level as security

    should be approached holistically. Half security is equivalent to no security. Security

    compromise at one level can mean compromise at every level. Even the relatively better

    information security plan (65%) is not satisfactory taking the security sensitivity of the banking

    sector into consideration. Banks in Ethiopia should develop formal procedures indicating how

    employees report information security incidents. The dissemination and implementation of the

    information security policies also need serious attention.

4.2.1.3. Benchmarking sub-dimension of ISC

Table 3: Benchmarking sub-dimension assessment

No.  Statement   Favorable percentage
12   Information security is measured on a continuous basis within the bank.   58%
14   The bank's information security measures compare favorably with other similar banks' information security measures.   23%
15   The bank's information security measures comply with international standards.   28%

Source: Computed, 2012 - Questionnaire to assess ISC originally developed by Martins (2002).

Respondents negatively perceive the compliance of the banks' information security measures with international standards (28%). Most respondents are not sure about the level of information security practice compared with other banks (23%). Continuous information security evaluation (58%) also needs to improve: vulnerability assessment and auditing should be conducted on a continuous basis. Banks in Ethiopia should cooperate to share information security incidents and best practices. Benchmarking against international standards can also help banks achieve objective results. International information security standards such as ISO27002 (the code of practice for information security) and ISO27001 (the specification for an information security management system) should be implemented at organizational level to assist the establishment of a reliable information security culture. Compliance with these international standards assists in promoting a positive information security culture.

4.2.1.4. Budget sub-dimension of ISC

Table 4: Budget sub-dimension assessment

No.  Statement   Favorable percentage
29   Investment in information security should be seen as a future investment.   80%
30   It is important to budget annually for information security spending/costs.   96%

Source: Computed, 2012 - Questionnaire to assess ISC originally developed by Martins (2002).

Respondents perceive annual budgeting for information security costs as a strategic investment. This attitude is positive for promoting information security change initiatives, and this sub-dimension enjoys the highest overall result (79%). However, it is worth noting that if the budgeting practice in the banks does not match the perception about budgeting, the result can be misleading: if top management of the banking sector in Ethiopia does not practically back the positive endorsement of budgeting by employees, this sub-dimension result will be unrealistic. Nevertheless, the fact that information security budgeting is perceived positively indicates that information security initiatives are positively endorsed by employees. This provides a suitable ground for involving employees in information security tasks and delegating such tasks to them.

4.2.1.5. Management sub-dimension of ISC

Table 5: Management sub-dimension assessment

No.  Statement   Favorable percentage
9    I know the function/person/team responsible for the information security in the bank.   77%
10   Management assists in the implementation of information security in the bank.   60%
32   Management perceives information security as important.   62%
34   Management communicates information security information on a need to know basis to all job levels.   45%
41   My manager involves me in decisions that affect me.   62%

Source: Computed, 2012 - Questionnaire to assess ISC originally developed by Martins (2002).

The management sub-dimension is perceived as average by the respondents. Even though employees generally know the function responsible for information security in the bank (77%), managers' involvement in communication and implementation, and in harnessing employees' participation, should be improved. Respondents rate top management's understanding of and support for information security implementation (60% and 62%) as inadequate. The participation of employees in decision making is 62%. However, the communication of security information on a need-to-know basis to employees (45%) is perceived negatively. Thus, management should communicate information security procedures and guidelines to all job levels on a need-to-know basis.

4.2.1.6. Trust sub-dimension of ISC

Table 6: Trust sub-dimension assessment

No.  Statement   Favorable percentage
37   I trust my immediate manager.   78%
38   My immediate manager trusts me.   66%
39   I trust top management.   61%
40   I feel that top management trusts employees.   51%

Source: Computed, 2012 - Questionnaire to assess ISC originally developed by Martins (2002).

The trust relationship between employees and their immediate managers is found to be more positive than that between employees and top management. Top management should therefore sometimes approach and communicate with employees directly to build a positive trust environment at all levels.

4.2.1.7. Awareness sub-dimension of ISC

Table 7: Awareness sub-dimension assessment

No.  Statement   Favorable percentage
1    It is important to determine the bank's security needs.   98%
2    Information security should be regarded as a technical issue.   72%
3    Information security should be regarded as a functional (business) issue.   72%
4    I know what the term information security implies.   87%
5    I think it is important to implement information security in the bank.   96%
6    I am aware of information security relating to my job role.   86%
7    I am trained in the information security controls I am supposed to use.   52%
8    I have a responsibility towards information security in the bank.   83%

Source: Computed, 2012 - Questionnaire to assess ISC originally developed by Martins (2002).

Respondents' perception of the importance of information security is positive. However, the training of employees in the information security controls and measures they are supposed to use (52%) is the lowest score in the Awareness sub-dimension. This shows that providing information security training to employees could raise the level of their information security awareness, attitude and knowledge even further. The training program should be designed based on the output of the information security risk analysis and the information security policies and procedures.

4.2.1.8. Ethical conduct sub-dimension of ISC

Table 8: Ethical conduct sub-dimension assessment

No.  Statement   Favorable percentage
20   I adhere to the bank's information security policy.   66%
21   The bank ensures that I adhere to the information security policy.   50%
22   Management regards the privacy of information about employees as important.   63%
23   I think it is important to regard the work I do as part of the bank's intellectual property.   86%
24   All information about the bank should be available for employees to access, e.g. financial statements, strategies, etc.   (44%)
25   All information about the bank should be available for non-employees to access, e.g. financial statements, strategies, etc.   (69%)
26   I should be held accountable for my actions if I do not adhere to the information security policy.   83%

Source: Computed, 2012 - Questionnaire to assess ISC originally developed by Martins (2002).

N.B. Statements 24 and 25, unlike all other statements, are analyzed inversely.

The information access perception of employees (44%) needs attention, as it contributes to unintentional compromise of information assets by insiders. Information access within the bank has to be limited on a need-to-know basis. Employees' adherence to the bank's information security policy is only partially (50%) ensured by the banks; this auditing measure is also a critical improvement area.
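The following is an added worked example, not analysis code from the thesis, showing how the favorable percentages in the tables above are produced when statements 24 and 25 are scored inversely, and how a respondent's overall count of favorable answers is compared with the cut-off the thesis uses in its conclusions (a favorable information security culture at >=32/41, read here as at least 32 favorable answers out of the 41 statements). The 5-point Likert coding (1 = strongly disagree to 5 = strongly agree, with 4 and 5 counted as favorable) and all answer data are assumptions constructed for the example; the page does not give the response scale.

```python
"""Scoring an ISC questionnaire the way the thesis's results tables report it.

Added example (not the thesis's own analysis). The Likert coding and the
sample answers below are constructed assumptions.
"""
from typing import Dict, List

# Statement ids that are analyzed inversely (from the N.B. under Table 8).
INVERSE_STATEMENTS = {24, 25}

# Assumed 5-point Likert coding: 1 = strongly disagree ... 5 = strongly agree.
# "Favorable" is taken as agree/strongly agree (4 or 5); for an inverse
# statement, disagreeing (1 or 2) is the favorable answer.
FAVORABLE_DIRECT = {4, 5}
FAVORABLE_INVERSE = {1, 2}


def is_favorable(statement_id: int, answer: int) -> bool:
    """True when the answer counts toward the favorable percentage."""
    if statement_id in INVERSE_STATEMENTS:
        return answer in FAVORABLE_INVERSE
    return answer in FAVORABLE_DIRECT


def favorable_percentages(responses: List[Dict[int, int]]) -> Dict[int, float]:
    """Per-statement favorable percentage, the figure each results table reports."""
    ids = sorted({sid for r in responses for sid in r})
    result = {}
    for sid in ids:
        answered = [r[sid] for r in responses if sid in r]
        fav = sum(is_favorable(sid, a) for a in answered)
        result[sid] = round(100.0 * fav / len(answered), 1)
    return result


def respondent_scores(responses: List[Dict[int, int]]) -> List[int]:
    """Number of favorable answers per respondent."""
    return [sum(is_favorable(sid, a) for sid, a in r.items()) for r in responses]


def favorable_share(responses: List[Dict[int, int]], threshold: int = 32) -> float:
    """Percentage of respondents whose favorable count reaches the cut-off
    (the thesis uses 32 of the 41 statements)."""
    scores = respondent_scores(responses)
    return 100.0 * sum(s >= threshold for s in scores) / len(scores)


def build_respondent(n_favorable: int, n_statements: int = 41) -> Dict[int, int]:
    """Constructed answer set: favorable on statements 1..n_favorable and
    unfavorable afterwards. Inverse statements receive the opposite Likert
    value so that they are counted correctly by is_favorable()."""
    answers = {}
    for sid in range(1, n_statements + 1):
        want_favorable = sid <= n_favorable
        if sid in INVERSE_STATEMENTS:
            answers[sid] = 2 if want_favorable else 4
        else:
            answers[sid] = 4 if want_favorable else 2
    return answers


# Constructed sample of eight respondents (not survey data from the thesis).
SAMPLE = [build_respondent(k) for k in (41, 36, 32, 31, 28, 20, 15, 9)]

if __name__ == "__main__":
    pct = favorable_percentages(SAMPLE)
    for sid in (1, 24, 25, 41):
        print(f"statement {sid}: {pct[sid]}% favorable")
    print("respondents with favorable ISC:", favorable_share(SAMPLE), "%")
```

With the constructed sample, statement 24 is answered "disagree" by the five respondents whose favorable run reaches it, so it scores 62.5% favorable even though nobody agreed with it; three of the eight respondents reach 32 favorable answers, giving a 37.5% favorable share.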

4.2.1.9. Change sub-dimension of ISC

Table 9: Change sub-dimension assessment

No.  Statement   Favorable percentage
31   I am prepared to change my working practices in order to ensure security of information.   83%
33   Change processes relating to information security are accepted positively in the bank, e.g. a clear desk policy, use of encryption, making backups every day, etc.   73%
35   The bank organizes and manages the impact of information security change on the bank.   42%
36   The bank recognizes and manages the impact of information security change on the bank.   47%

Source: Computed, 2012 - Questionnaire to assess ISC originally developed by Martins (2002).

The readiness (83%) and acceptance (73%) of employees to change their information security practices are positive. However, the perception of how the bank organizes (42%) and recognizes (47%) and manages the impact of information security change is found to be unsatisfactory in the banking sector in Ethiopia. Hence, positive information security changes should be recognized and rewarded, while non-adherence should bear accountability measures. Bank managers should also oversee and recognize the impact of positive information security culture change.

4.2.2. Discussion of Results: Interrelationship between the ISC sub-dimensions

As per the results of the computed binary logistic regression, the likelihood of effective implementation of information security policies and procedures given suitable ethical conduct is positive [AOR (95% CI) = 6.065 (2.278, 16.150)], where AOR (95% CI) denotes the adjusted odds ratio followed by the lower and upper limits of its 95% confidence interval. This signifies that attention should be drawn to enhancing the ethical conduct of employees, that is, their willingness to adhere to the information security policy and guidelines. The role of management in promoting information security awareness is observed to be imperative [AOR (95% CI) = 2.667 (1.188, 5.985)]. This implies that improving the information security awareness of managers influences the overall information security awareness of the bank. Awareness and ethical conduct are information security culture tasks an organization has to enhance in order to advance individual level information security practices. The data analysis also shows that an acceptable individual level information security culture assists positive change of the information security culture in the banks [AOR (95% CI) = 2.581 (1.036, 6.428)].

Management attributes such as communication of security information on a need-to-know basis and participation of employees in information security initiatives most likely raise a positive trust environment in the banks [AOR (95% CI) = 4.964 (2.032, 12.127)]. A positive trust environment is observed to maintain effective implementation of information security policies and procedures [AOR (95% CI) = 3.066 (1.206, 7.795)]. The role of management in effective implementation of information security policies and procedures is essential [AOR (95% CI) = 5.023 (1.795, 14.053)]. Management and trust are information security factors that constitute group level information security culture. Proper accommodation of group level information security culture

tasks encourages the readiness and acceptance of employees to change their information security practices, which results in positive information security culture change [AOR (95% CI) = 4.571 (1.811, 11.540)].

Policy and procedures are found to coexist with risk analysis [AOR (95% CI) = 5.112 (1.601, 16.325)]. Benchmarking tasks such as information security evaluation and compliance with international standards can only be expected if the bank implements information security policies and procedures [AOR (95% CI) = 7.836 (2.866, 21.421)]. These organizational level information security culture tasks (risk analysis, policy and procedures, and benchmarking) impact the recognition and management of positive information security change in the banking sector in Ethiopia [AOR (95% CI) = 5.778 (2.281, 14.633)]. Unlike the other organizational level sub-dimensions, the Budget sub-dimension is found to have no association with any of the other eight sub-dimensions. This is probably because the result of the budget sub-dimension (79%) doesn't align with the other findings. If the statements had assessed the allocated budget rather than the perception of employees about the importance of budgeting, the result would have been different and an association with other sub-dimensions could have been observed.

In line with the information security model employed, the information security culture tasks at different levels are statistically found to be interrelated. Organizational level information security culture tasks are built upon individual and group level information security tasks. The likelihood of individual information security culture endorsing organizational information security culture is [AOR (95% CI) = 4.173 (1.678, 10.377)]. The interdependence between group and organizational level information security culture tasks is also apparent from the computed binary logistic regression [AOR (95% CI) = 7.275 (2.805, 18.866)]. These findings further validate that the adopted model is feasible for assessing information security culture in the context of the banking sector.

The culmination of all three levels of information security culture tasks results in cultivating positive information security culture change. It is essential to identify, prioritize and deal with developmental information security culture elements. Identifying the causal links between the information security culture sub-dimensions helps in finding a strategic way to prioritize and invest in information security initiatives. The statistical frequency findings point out the gaps underlying the existing information security culture in the banking sector in Ethiopia. Integrating the statistical frequency findings with the associations between interdependent sub-dimensions provides a clear understanding that directs effective engagement measures to promote information security culture in the banking sector in Ethiopia.
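As an added illustration of the "AOR (95% CI) = OR (lower, upper)" notation used throughout the discussion above (this is example code, not the thesis's SPSS output), the block below computes an odds ratio and its Wald 95% confidence interval from a 2x2 table of favorable/unfavorable counts for two sub-dimensions, and applies the reading used in the discussion: an association is taken as positive when the whole interval lies above 1. Two points are assumptions: the thesis reports adjusted odds ratios from binary logistic regression, whereas this block computes the crude (unadjusted) odds ratio, and the cell counts are constructed, not the thesis's data.

```python
"""Odds ratio with a 95% confidence interval from a 2x2 table.

Added example, not the thesis's analysis. Computes the crude (unadjusted)
odds ratio; the thesis's AOR values come from a logistic regression that
adjusts for the other sub-dimensions. All counts below are constructed.
"""
import math
from typing import Dict, Tuple

Z_95 = 1.959964  # two-sided 95% quantile of the standard normal distribution


def odds_ratio_ci(a: int, b: int, c: int, d: int, z: float = Z_95) -> Dict[str, float]:
    """2x2 table layout (respondent counts):

                               outcome favorable | outcome unfavorable
        exposure favorable            a          |         b
        exposure unfavorable          c          |         d

    OR = (a*d)/(b*c). The Wald interval is exp(ln OR +/- z*SE) with
    SE = sqrt(1/a + 1/b + 1/c + 1/d); every cell must be non-zero.
    """
    if min(a, b, c, d) <= 0:
        raise ValueError("all four cells must be positive for a Wald interval")
    log_or = math.log((a * d) / (b * c))
    se = math.sqrt(1 / a + 1 / b + 1 / c + 1 / d)
    return {
        "or": math.exp(log_or),
        "lower": math.exp(log_or - z * se),
        "upper": math.exp(log_or + z * se),
    }


def association_is_positive(ci: Dict[str, float]) -> bool:
    """The discussion reads an odds ratio as a positive association when the
    whole 95% CI lies above 1, i.e. the lower limit exceeds 1."""
    return ci["lower"] > 1.0


def format_aor(ci: Dict[str, float]) -> str:
    """Render the result in the bracket notation the thesis uses."""
    return f"[AOR (95% CI) = {ci['or']:.3f} ({ci['lower']:.3f}, {ci['upper']:.3f})]"


# Constructed counts (not the thesis's data) for 100 respondents:
# exposure = favorable ethical conduct, outcome = favorable policy and procedures.
ETHICS_VS_POLICY: Tuple[int, int, int, int] = (30, 20, 10, 40)
# Constructed counts showing what "no association" looks like:
# exposure = favorable budget perception, outcome = favorable change.
BUDGET_VS_CHANGE: Tuple[int, int, int, int] = (25, 25, 24, 26)

if __name__ == "__main__":
    for label, cells in (("ethical conduct -> policy and procedures", ETHICS_VS_POLICY),
                         ("budget -> change", BUDGET_VS_CHANGE)):
        ci = odds_ratio_ci(*cells)
        verdict = "positive association" if association_is_positive(ci) else "no association"
        print(label, format_aor(ci), verdict)
```

The first table gives an odds ratio of 6.0 with an interval of roughly (2.45, 14.68), which would be reported as a positive association; the second gives an odds ratio near 1 whose interval straddles 1, the pattern the discussion describes for the Budget sub-dimension.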

CHAPTER V Conclusion and Recommendations

This chapter concludes the paper by forwarding integrated conclusions and recommendations based on the statistical findings and the observed interdependence between the variables. Critical areas of improvement are identified and measures to promote information security culture in the banking sector in Ethiopia are recommended.

5.1. Conclusions

This research assessed the level of information security culture in the banking sector in Ethiopia from the perspective of the information security culture model originally developed by Martins, A. and Eloff, J. (2002). A survey research method is employed to assess the information security culture in the banking sector in Ethiopia. The research uses a quantitative method based on a validated information security culture questionnaire (Appendix I) from previous related literature. A non-probability convenience snowball sampling technique is used to collect data from the headquarters of 11 banks in Addis Ababa. 100 questionnaires were encoded into SPSS for data analysis. The collected data is analyzed with respect to well established factors that influence information security culture. Statistical frequencies of favorable percentage values are computed for each information security culture sub-dimension. The interdependence between information security culture variables is identified and logistic regression is computed to further discuss the findings. The results of this study have important implications for assessing the information security culture, identifying possible gaps and recommending measures that practitioners can implement to enhance the information security culture in the banking sector in Ethiopia.

Based on the supporting evidence from the statistical findings and interpretation from the perspective of the adopted information security culture model, the following conclusions are derived:

- The study revealed that the level of information security culture in the banking sector in Ethiopia is unsatisfactory. Only 25% of the respondents are found to have a favorable information security culture [>=32/41].
- The frequency distributions of the nine sub-dimensions indicate that ethical conduct, trust, policy and procedures, benchmarking and change are developmental sub-dimensions that need serious managerial attention. Nevertheless, the awareness, management, budget and risk analysis sub-dimensions show average results that need significant improvement too.
- Formal information security incident reporting procedures are not sufficiently available in the banking sector in Ethiopia.
- Most banks in Ethiopia generally do not comply with international standards of information security. However, benchmarking against international standards can help banks achieve objective results, and compliance with international standards assists in promoting a positive information security culture.
- The communication of information security information on a need-to-know basis to all job levels by management in the banking sector in Ethiopia is found to be inadequate.
- The dissemination and implementation of information security policies need serious attention.
- The trust relationship between employees and their immediate managers is found to be more positive than that between employees and top management in the banking sector in Ethiopia.
- The training of employees in the information security controls and measures they are supposed to use is a critical improvement area in the banking sector in Ethiopia.
- The information access perception of employees in the banking sector in Ethiopia needs attention, as it contributes to unintentional compromise of information assets by insiders.
- The banking sector in Ethiopia poorly organizes, recognizes and manages the impact of information security change.
- The information security culture tasks at different levels are interrelated. Organizational level information security culture tasks are built upon individual and group level information security tasks.
- The culmination of favorable performance at all three levels of information security culture tasks promotes positive information security culture change in the banking sector in Ethiopia.

5.2. Recommendations

Based on the conclusions above and well established concepts of information security culture, the following recommendations are forwarded:

- A holistic and strategic effort is needed to promote information security culture in the banking sector in Ethiopia. Information security culture tasks (ethical conduct, awareness, trust, management, risk analysis, policy and procedures, budget, benchmarking and change) should be put into effect to enhance the information security culture in the banking sector in Ethiopia.
- Attention should be drawn to enhancing the ethical conduct of employees and a positive trust environment for effective implementation of information security policies and procedures.
- Information security awareness training should be provided at all levels to raise the level of awareness.
- Awareness should be created that employees' access to the bank's information assets should be limited on a need-to-know basis.
- Information security programs should be championed by top management to enforce implementation of information security policies.
- Management should communicate information security procedures and guidelines to all job levels on a need-to-know basis.
- Top management should sometimes directly approach and communicate with employees to build a positive trust environment at all levels.
- Bank managers should recognize and oversee positive information security culture change for its sustainability.
- Banks in Ethiopia should dedicate functions to manage information security programs, and the participation of all employees in the bank should be harnessed to effectively embrace positive information security culture change.
- Banks in Ethiopia should clearly dedicate functions that effectively conduct risk analysis of information assets.
- Banks in Ethiopia should also develop formal procedures indicating how employees report information security incidents.
- International information security standards such as ISO27002 (the code of practice for information security) and ISO27001 (the specification for an information security management system) should be implemented at organizational level to assist the establishment of a reliable information security culture.

This paper tried to bridge the gap in research on information security culture in the banking sector in Ethiopia. Furthermore, this research can serve as a springboard for related research in the financial as well as other sectors in Ethiopia. However, it suffers limitations in not incorporating all departments in the banks with a larger stratified sample size. Therefore, more rigorous research is needed to frame practical strategies to promote information security culture in the banking and other sectors in Ethiopia.

References

Alnatheer, M. & Nelson, K. (2009), A Proposed Framework for Understanding Information Security Culture and Practices in the Saudi Context, Australian Information Security Management Conference: Security Research Centre Conferences, pp. 5-17.

Dhillon, G. (1997), Managing Information System Security, MacMillan Press Ltd.

    Doherty, N.F. & Fulford, H.