Abstract

This study explores the status of information security culture (ISC) in small and medium-sized enterprises (SMEs) in sub-Saharan Africa (SSA), using Tanzania as a case. To assess the ISC of SMEs, measurement criteria from organizational and environmental dimensions were compiled from the literature. A combination of quantitative and qualitative methods was employed to collect data. The ISC dimensions were assessed using surveys, collected from both paper and online sources, from 39 SMEs in the roundtable and five focus group discussions. The findings indicated a lack of information security policy, an absence of security education, training and awareness (SETA) programs, a lack of human resources, poor risk assessment and management, and a lack of national information security culture initiatives. These findings show the immaturity of ISC in SMEs in Tanzania. The results and their implications suggest that further research and intervention are necessary to institutionalize ISC in the SME environment.

Author information

Correspondence to Zainab Ruhwanya or Jacques Ophoff.

Copyright information

© 2019 IFIP International Federation for Information Processing

About this paper

Cite this paper

Ruhwanya, Z., Ophoff, J. (2019). Information Security Culture Assessment of Small and Medium-Sized Enterprises in Tanzania. In: Nielsen, P., Kimaro, H.C. (eds) Information and Communication Technologies for Development. Strengthening Southern-Driven Cooperation as a Catalyst for ICT4D. ICT4D 2019. IFIP Advances in Information and Communication Technology, vol 551. Springer, Cham. https://doi.org/10.1007/978-3-030-18400-1_63

  • DOI: https://doi.org/10.1007/978-3-030-18400-1_63

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-18399-8

  • Online ISBN: 978-3-030-18400-1

  • eBook Packages: Computer Science, Computer Science (R0)
