AN EXAMINATION OF THE INFLUENCE OF NATIONAL CYBERSECURITY

STRATEGIC PRACTICES ON INFORMATION SYSTEMS SECURITY IN

GOVERNMENT AGENCIES IN KENYA; A CASE OF MOMBASA HUDUMA CENTRE

Hamza Yusuf(Masters)
Posted by martin otundo (PhD) for peer reviewing

A Research Concept Paper Submitted For Partial Fulfillment Of The Requirements For
The Award Of A Masters Of Science Degree (ICT Policy And Regulation) Of Jomo
Kenyatta University Of Agriculture And Technology

April , 2016

This is a sample concept paper for masters projects.it has been posted here for peer reviewing
and adjustments from you scholars. Kindly don’t plagiarize

1
1.1 Background of the Study

The relationship between strategic practices and performance of Information Systems Security in
organisations across the globe has become a topic of much concern. This is because; lack of
information security can lead to tremendous effects that can be associated with big losses or even
deaths. The U.S. National Information Systems Security Glossary defines "Information Systems
Security" as the protection of information systems against unauthorized access to or modification
of information, whether in storage, processing or transit, and against the denial of service to
authorized users or the provision of service to unauthorized users, including those measures
necessary to detect, document, and counter such threats. In this definition, there are three widely
accepted elements of information security (mnemonic - "CIA") are: Confidentiality; Integrity;
and Availability (University of Nevada, 2015).

A study by Evan (2015) has indicated that organisations need information security to reduce the
risk of unauthorized information disclosure, modification, and destruction. He continues to add
that with globalization and fast changing trends in technology, organisations need information
security to reduce risk to a level that is acceptable to the business (management). Therefore
organisations need information security to improve the way we do business.

Studies from the global scene have shown that a number of governments-more specifically those
in the developed world-have come up with strict measures and strategies that are aimed at
addressing cyber-crimes and information security; a fact that has seen a number of organisations
do great in terms of managing their information. In the USA for example, the government has
always come up with strategies that have been geared towards protecting the information of its
institutions, A study by OECD (2016) has shown that the government has heavily invested in
ICT infrastructure faces, policies, rules, regulations, awareness and many more that have been
helping in minimizing the cases of information insecurity.

Despite the efforts by governments to come up with strategies to ensure that there is maximum
protection of information in various agencies/organisations across the globe, there is still a
1
challenge of information theft; leaving one to wonder on whether these strategies are effective.
According to Dzazali and Zolait (2012), public organizations also face the challenge of
protecting their information, considering they are environments where there are increasing
complexity, interconnections, uncertainties and dependence on technology. These organizations
also have to carry out their respective missions and comply with standards and guidelines from
central agencies of the government. These organizations also need to ensure confidentiality of
citizens’ data and the availability and integrity of information that need to be accessible to the
society, as well as continuity of public services, many of which are mediated by technology.

A report by the Ministry of Information, Communications and Technology of Kenya (2016)

indicates that information is a critical asset of the government and citizens and as more of this
information is converted into digital formats, it has become imperative that the Government of
Kenya implements a sound operational information security policy to protect its information
assets. Also, organizations need to protect not only information, but also other assets involved in
its processing, storage and transmission. To protect information and other associated assets,
organizations have a set of Information Security measures recommended by international
standards and models widely accepted by professionals and organizations around the country and
the world that guide their operations.

However, a study by the World Bank (2014) has shown that Kenya has weak policies, rules,
regulations, control measures and infrastructure to address the cybercrimes and information
insecurity in the county and beyond. This forced the government to come up with a modified
national cyber security strategy of 2014 which is aimed at guiding the information systems
security in all the private and public organisations in the country. Asserting to this is Tiampati
(2014) who has shown that, as Kenya matures into an information society the nation faces an
increasingly evolving cyber threat landscape. Nation states, criminal organizations, and
hacktivists from all over the world are—and will continue—to exploit ICT vulnerabilities in
Kenya. This is simply a reality that every nation with robust ICT infrastructure faces. While
these actors seek to illicitly access, alter, disrupt, or destroy sensitive personal, business, and
government information, the government is working diligently to evolve its means of protecting
information in order to counter today’s threats as well as those coming from over the horizon.
2
He conclusively shows that, in response to these threats, and in direct support of the national
priorities and ICT goals defined in Vision 2030, Kenya’s ICT Ministry developed a National
Cybersecurity Strategy. The Strategy defines Kenya’s cybersecurity vision, key objectives, and
ongoing commitment to support national priorities by encouraging ICT growth and aggressively
protecting critical information infrastructures. However, despite these concerted efforts by the
government to develop this cybersecurity strategy, Kenya’s information systems security is very
vulnerable to attacks and information loss (Waithaka, 2014).

1.2 The Research Problem

Cybercrime and information systems security attacks are growing global phenomenon, which,
according to a report by Symantec, Corporation issued in 2013, are increasing at a more rapid
rate in Africa than in any other area of the world. Indeed, cybersecurity experts estimate that 80
per cent of personal computers on the African continent are infected with viruses and other
malicious software (Franz-Stefan, 2010). In Africa, Nigeria is the largest target and source of
malicious Internet activities, the consequences of which are unfortunately spilling into the other
countries in the West African subregion. In major African cities, such as Cairo, Johannesburg,
Lagos and Nairobi, the rate of cyberconnected disturbances, such as fraudulent financial
transactions and child kidnappings, especially in Kenya, facilitated through Internet
communications has doubled in the past three years (Jacob, 2013).

Jacob proposes that, African countries need to urgently scale up efforts to combat cybercrimes
through a multi-stakeholder approach involving government, industry and civil society
organizations. International Data Group Connect Africa (2013) did a report showing that Africa
has adopted a new strategic plan to counter the cybercrimes and information systems security
threats. As per the new strategic focus of ECA on evidence-based policy and analytical research,
this policy brief provides options for consideration by member States, within the context of the
African Union Convention on Cyberspace Security and Protection of Personal data to stem the
threats posed by cybecrime and cybercriminals, to their national economic security. However,
there is a big gap in that there is little known research that has focused on the effectiveness of
these strategies despite the fact that governments are heavily investing resources into the same.
3
This is not different in Kenya either. A report by the Ministry of Information, Communications
and Technology of Kenya (2016) has indicated that the adoption of ICT into everyday life is
widespread in Kenya. The Government of Kenya is actively encouraging its continued growth
through national initiatives such as Kenya’s Vision 2030, ICT Master Plan, and the recent
deployment of nationwide fiber-optic network infrastructure. However, these same technologies
can present new risks that can cause widespread damage to national security, economic growth,
and critical infrastructures. Moreover, the reach and impact of cyberspace is accelerating across
the national and international boundaries, making it a complex challenge for any government to
address alone. For this reason, the Government of Kenya has considered securing its national
cyberspace a national priority to continue to facilitate economic growth for the country and its
citizens by coming up with the national cybersecurity strategic plan of 2007 that has already
been implemented and revised in 2014 in line with the new constitution.

However, the few studies on information systems security and cybercrimes in the country (Jacob,
2013; Waithaka, 2014; Tiampati, 2014) still indicate that the country is very vulnerable to
attacks from all over the world for various reasons; good or bad. This has leaves one with a
significant question of whether the proposed strategies have been effective in curbing these
criminal activities? Is the government investing wisely in curbing these crimes; owing to the fact
that national strategies consume a considerable amount of the tax payer’s money? Owing to the
fact that very little research has been done to address the effectiveness and relevance of the
strategic practices outlined in the national cyebercrime security of 2014 this study shall answer
the questions not addressed here. Therefore this study shall be carried out with the aim of
Examining the Influence of National Cybersecurity Strategic Practices on Information Systems
Security in Government Agencies in Kenya; A Case of Mombasa Huduma Centre.

1.3 General Objective of the Study

The general objective of this study is to examine the Influence of National Cybersecurity
Strategic Practices on Information Systems Security in Government Agencies in Kenya; A Case
of Mombasa Huduma Centre.
4
1.4 Specific Objectives

The study is guided by the following objectives:

i. To examine the extent to which nation’s cybersecurity posture strategy influences

the performance of information systems security in government agencies in Kenya.

ii. To establish how national building capability strategy influences the performance
of information systems security in government agencies in Kenya.

iii. To examine the extent to which fostering information sharing and collaboration
strategy influences the performance of information systems security in government
agencies in Kenya.

iv. To establish the influence of national leadership providence strategy on the

performance of information systems security in government agencies in Kenya.

1.5 Research Questions

The study is guided by the following questions:

i. What is the extent to which nation’s cybersecurity posture strategy influences the
performance of information systems security in government agencies in Kenya?
ii. Does national building capability strategy influence the performance of
information systems security in government agencies in Kenya?
iii. To what extent does fostering information sharing and collaboration strategy
influence the performance of information systems security in government agencies in
Kenya?
iv. What is the influence of national leadership providence strategy on the
performance of information systems security in government agencies in Kenya?

5
2.1 Theoretical Framework

This section shall discuss the theories on which the study is anchored. Specifically, the section
discusses three theories that shall be used in the study: general deterrence theory; game theory;
and the technology - organization - environment framework theory.

2.2 Conceptual Framework

The conceptual framework shows the relationship between the independent and dependents
variables as they shall be discussed in the literature review

Independent Variables

 Nation’s Cybersecurity Posture

Strategy
Dependent Variable Dependent Variable

 National Building Capability

Strategy
Performance of performance of
information systems security

 Fostering Information Sharing

And Collaboration Strategy

 National Leadership Providence

Strategy

Figure 2.1: Conceptual Framework

6
3.1 Research Design

This study shall employ a descriptive research design. This survey study shall be chosen as it is
advantageous in demonstrating general conditions as presented by respondents. This type of
descriptive research design determines and reports the way things are and in their ordinary
setting. Descriptive research design is used where there is need for analysis of organizations,
persons, settings or phenomena and reports the elements in their natural settings (Creswell,
2013). The design methods have a set-up to maximize reliability and reduce biasness, thus giving
a true picture of the elements under study (Creswell, 2013).

3.2 Target Population

Population is defined as the total of individuals, elements, households or groups that are to be
studied by the researcher (Cooper & Schindler, 2003). The target population of this study shall be
all the employees in the various 45 units working at the Huduma centre Mombasa. A report from
the Human resource desk indicates that there are 112 employees working at various units but 79
have a fast knowledge and understanding of information security and cybercrime attacks. This is
the number (79) that shall be the target population for this study.

3.3 Sample Size and Sampling Procedure

For this study, the sample is given by the Yamane formula of 1976 as shown below:

n= N

1 + N (e) 2

n = Desired sample size when population is less than 10,000.

e= sampling error

N = Population size

At 95% confidence level, the sampling error is 0.05. Therefore the desired sample is:

7
N= 79 = 65.97 ≅ 66 sample respondents

1 + 79(0.05)2

Given that the target population is heterogeneous due to the nature of working department, a
systematic sampling procedure hall be used so as to pick the 66 respondents who have relevant
information.

3.4 Data Collection Instrument

Primary data shall be collected using structured administered questionnaires consisting of both
closed and open-ended questions. The questionnaire shall be administered through ‘drop and
pick later method’ and in some incidences the respondents who could be accessible immediately
will be emailed with the questions.

3.5 Data Analysis

The completed returned questionnaires from the field shall be evaluated for consistency, cleaned,
and then coded, entered and analyzed using the Statistical Package for Social Scientists (SPSS)
Version 22.0 where the data analysis from the SPSS output shall be presented in tables, cross
tabulation and charts. Descriptive statistics shall be computed whereby means, frequencies and
standard deviations shall be obtained. The study shall apply a regression analysis to establish the
relationship between the independent variables and the independent variable.

8
 REFERENCES

Cooper, D. R., Schindler, P. S., & Sun, J. (2003). Business Research Methods.

Cooper, D.R., & Schindler, P.S. (2003). Business Research Methods. (8th ed.). Boston: 15
McGraw-Hill Irwin.

Creswell, J. W. (2013). Qualitative inquiry and research design: Choosing among five
approaches. Sage.

Evan Francen.(2015). The 5 W’s of Information Security. http://www.frsecure.com/the-5-ws-of-

information-security/

Franz-Stefan Gacy (2010). “Foreign policy: Africa’s internet threat”, National Public Radio.
International Data Group Connect, “Africa( 2013): Cyber-crime, hacking and malware”, White
Paper. Available from www.idgconnect.com/ view_abstract/11401/africa-2013-cyber-crime-
hacking-malware.

Jacob Kushner, Jacob.(2013). “Mall terrorist attack may cost Kenya $200 million in lost tourism
earnings”, The Associated Press, 1 October 2013. Available from www.ctvnews.ca/mall-terrorist-
attack-may-cost-kenya-200- million-in-lost-tourism-earnings-1.1478573.

Ministry of Information, Communications and Technology. (2016).Public Sector Information

Security Policy. http://www.ict.go.ke/public-sector-information-security-policy/

Tiampati ole Musuni. (2014).national cybersecrity strategy of 2014. Ministry of Information,

Communications and Technology. Nairobi Kenya.

9
 University of Nevada. (2015). Definition of Information Security: https://oit.unlv.edu/network-
and-security/definition-information-security
Waithaka Samuel. (2014). Factors Affecting Cyber Security In National Government Ministries
In Kenya. School Of Business, University Of Nairobi.

APPENDIX i: TIME PLAN

ACTIVITY DURATION

March-April April-May May- June June-July July-August

2016 2016 June 2016 2016 2016

2016

Selection of

a topic and

supervisor

allocation
Chapter

one-Chapter

three
Presentation

of proposal
Data

collection
Data

analysis

10
Presentation

of project

11