Information System Security Practices and Implementation Issues and Challenges in Public Universities



Abstract Views
504

Downloads
416

Citations

Share

##plugins.themes.bootstrap3.article.sidebar##

Submitted Sep 14, 2021
Published Nov 16, 2021
10.24018/compute.2021.1.5.30

Abstract viewed = 504 times

Table of Contents

##plugins.themes.bootstrap3.article.main##

The use of information and communication technology has been providing the competitive edge for universities globally while Kenyan universities are not an exception. This has in turn made the universities targets of cyber-attacks and hence exposure to unprecedented security risks. The universities need to implement information security best practices and standards in their technological environments to remain secure and operational. The research sought to investigate the information security practices adopted in Kenyan public universities to protect themselves. Descriptive survey method was employed while the study was based on Operationally Critical Threats, Assets and Vulnerability Evaluation (OCTAVE) framework and other industry security best practices. The study targeted the 31 chartered public universities, which were clustered based on their year of establishment. Simple random and purposive sampling methods were utilized to select two target universities per cluster and determine respondents respectively. The study had a response rate of 61%. Analysis of data was done via descriptive statistics while presentation of results was done using tables and Likert scale. The study revealed that universities had implemented information security policies, with 47.6% of respondents somewhat agreeing to that. Funding for security was provided 57.6% somewhat agreeing, though the funding was deemed low by 51% of respondents. Training for security staff was deemed somewhat available (44%) thus below par, while involvement of university management on policies development was at 48% though university management participation in policies review was below average. 38% of respondents somewhat agreed that policies governing use of mobile devices existed. Frequency of user awareness and training was below the average, while 48% of respondents somewhat agreed that universities usually share their intelligence reports on threats and responses with other government agencies. 49% of respondents were somewhat in agreement universities had put in place incidence response plans. Application of updates and improvements was below average, though evaluation of effectiveness of controls was average. To remain protected universities management should cause a review of their employed information security practices and address identified gaps through instigation of essential remedial actions.

Keywords: Assets, information security, information security practices, risks, threats

References

  1. Raman A, Kabir F, Hejazi S, Aggarwal K. Cybersecurity in higher education: the changing threat landscape. Performance. 2016; 8(3): 46-53.
     Google Scholar
  2. Andreasson KJ. Cybersecurity: public sector threats and responses. Taylor & Francis, 2011.
     Google Scholar
  3. Australian Computer Society. Cybersecurity: Threats Challenges Opportunities. 2016.
     Google Scholar
  4. BHERT. Cybersecurity Threats and Responses in the Australian Higher Education Sector. 2016. Available from https://www.bhert.com/newsletter/issue-36/cybersecurity-threats-and-responses-in-higher-education-sector.
     Google Scholar
  5. Wagstaff K, Sottile C. (2015). Cyberattack 101: Why hackers are going after universities. NBC News.
     Google Scholar
  6. Pandey SK, Mustafa K. A comparative study of risk assessment methodologies for information systems. Bulletin of Electrical Engineering and Informatics. 2012; 1(2): 111-122.
     Google Scholar
  7. Symantec. Internet Security Threat Report. [Internet] 2015. [cited on August 22 2017] Available from:
     Google Scholar
  8. https://www.symantec.com/content/en/us/enterprise/other_resources/21347933_GA_RPT-internet-security-threat-report-volume-20-2015.pdf.
     Google Scholar
  9. VMware. University Challenge: Cyber Attacks in Higher Education. [Internet] 2016. Available from:
     Google Scholar
  10. https://www.nextgensecurityforeducation.com/wp-content/uploads/VMWare-UK-University-Challenge-Cyber-Security.pdf.
     Google Scholar
  11. CPS Research International (2012). Top 100 East African Universities Survey 2012. Available from http://www.cps-research.com/downloads/
     Google Scholar
  12. Serianu. (2016). Kenya Cyber Security report 2016. Available from http://www.serianu.com/downloads/KenyaCyberSecurityReport2016.pdf.
     Google Scholar
  13. Teng’o, S. Cybersecurity: Rise of the Student hacker. [Internet] 2017. Available from:
     Google Scholar
  14. https://www.standardmedia.co.ke/ureport/article/2001239325/cyber-security-rise-of-the-student-hacker.
     Google Scholar
  15. Wilshusen GC, Powner DA. Cybersecurity: Continued Efforts Are Needed to Protect Information Systems from Evolving Threats. Government Accountability Office Washington DC. 2009.
     Google Scholar
  16. Dorofee CAA. Managing information security risks: the OCTAVE (SM) approach. 2002.
     Google Scholar
  17. Alberts C, Dorofee A, Stevens J, Woody C. Introduction to the OCTAVE Approach. Carnegie Mellon University. 2003.
     Google Scholar
  18. Njoroge PM. An Examination of Threats facing Assets in Use in Kenyan Public Universities. 2021.
     Google Scholar
  19. Njoroge PM. (2020). A Framework for Effective Information Security Risk Management in Kenyan Public Universities. 2020.
     Google Scholar
  20. Ogalo JO. The Impact of Information System Security Policies and Controls on Firm Operation Enhancement for Kenyan SMES. Prime Journal of Business Administration and Management (BAM). 2012; 2(6): 573-581.
     Google Scholar
  21. Wechuli NA, Muketha GM, Matoke N. Cyber Security Assessment Framework: Case of Government Ministries in Kenya. International Journal of Technology in Computer Science and Engineering. 2014; 1: 2349-1582.
     Google Scholar
  22. IBM Security. Security Threats, Frameworks and Mitigation Efforts: How Can You Lower Your Risk. 2016. Available from: https://www.rsaconference.com/writable/presentations/file_upload/sop-05_security_threats_frameworks_and_mitigation_ efforts_how_can_you_lower_your_risk_final2.pdf.
     Google Scholar
  23. Whitman ME, Mattord HJ. Principles of Information Security. Cengage Learning. 2012.
     Google Scholar
  24. WaterISAC. 10 Basic Cybersecurity Measures: Best Practices to Reduce Exploitable Weaknesses and Attacks. 2016. Available from: https://ics-cert.us-cert.gov /sites/default/files/documents/10_Basic_Cybersecurity_Measures-WaterISAC_June2015_S508C.pdf.
     Google Scholar