The impact of information system security policies and controls on ...

The impact of information system security policies and controls on ...

Prime Journal ong>ofong> Business Administration ong>andong> Management (BAM)

ISSN: 2251-1261. Vol. 2(6), pp. 573-581, June 29 th , 2012

www. primejournal. org/BAM

© Prime Journals

Full Length Research

ong>Theong> ong>impactong> ong>ofong> ong>informationong> ong>systemong> ong>securityong> ong>policiesong> ong>andong>

ong>controlsong> on firm operation enhancement for Kenyan


Ogalo, James Ochieng

Lecturer Kenya Institute ong>ofong> Management (KIM). Email:, Tel: +254721622234

Accepted 29 th May, 2012

ong>Theong> adoption ong>andong> integration ong>ofong> Information ong>andong> Communications Technology (ICT) into the business

processes is indeed spreading rapidly, firms seek to improve their operations efficiency through increased

integration ong>ofong> ICT. Organizations are sometimes skeptical about its absolute adoption in some processes due to

complexity ong>ofong> ICT, the ong>impactong> ong>andong> ong>securityong> ong>andong> ong>controlsong> ong>ofong> its integral processes ong>andong> use. ong>Theong>refore these

studies assessed the ong>impactong> ong>ofong> ong>informationong> ong>systemong> ong>securityong> ong>policiesong> ong>andong> control on firms’ operation

enhancement with specific objectives ong>ofong> exploration ong>ofong> ong>informationong> ong>systemong> infrastructure ong>securityong> control

method, determination ong>ofong> the commonly used ong>informationong> ong>systemong> ong>securityong> control methods ong>andong> establishment

ong>ofong> the effectiveness ong>ofong> ICT management ong>policiesong> by small enterprises (SEs). ong>Theong> study was conducted in

Kisumu City (Central Business Districts) in Kenya using survey research design with a target population ong>ofong> 481

ong>ofong> small enterprises firms in Kisumu City Central Business District. ong>Theong> sample population was stratified into

two strata namely zone eight ong>andong> seven ong>andong> the sample ong>ofong> 144 were selected using purposive sampling method.

ong>Theong> sample size was determined according to Yamane (1967) formula for sample size determination. Data was

collected through the use ong>ofong> questionnaire ong>andong> the results presented in tables. From the findings, it became

evident that organizations should formulate strategy which should give direction ong>andong> establish priorities for the

investments ong>andong> management ong>ofong> ICT infrastructure resources. It should complement an ICT governance

framework for defining the distribution ong>ofong> the decision-making roles ong>andong> responsibilities among different levels

ong>ofong> managers ong>andong> employees in the organization, ong>andong> further establish procedures for implementing ong>andong>

monitoring these strategic decisions. Further constant periodic assessments ong>ofong> ICT risk should be conducted

to identify emerging threats that could negatively affect ICT operations ong>andong> assets utilization.

Keywords: ICT Policies, SMEs, ICT infrastructure


Computer based Information System infrastructure

exposes firms‟ ong>informationong> resources to a no man‟s long>andong>

where anybody could get access if no proper measures

are put in place. ong>Theong>se measures should ensure that no

unauthorized staff is allowed to access any ong>ofong> the Trust‟s

computer ong>systemong>s or ong>informationong> stores; as such access

would compromise ong>informationong> integrity, also

determination ong>ofong> which individuals are to be given

authority to access specific ong>informationong>; levels ong>ofong> access


to specific ong>systemong>s should be based on job function,

independent ong>ofong> status.

Adding to the complexity ong>ofong> ong>informationong> ong>securityong> is the

fact that organizations must enable employees,

customers, ong>andong> partners to access ong>informationong>

electronically to be successful in this electronic world.

Doing business electronically automatically creates

tremendous ong>informationong> ong>securityong> risks for organizations.

Surprisingly, the biggest issue surrounding ong>informationong>

Ogalo 574

ong>securityong> is not a technical issue, but a people issue.

(Haag et al., 2008).

ong>Theong> adoption ong>andong> the use ong>ofong> ICT become one ong>ofong> the

options for re-energizing business processes. Fagerberg,

et al., (2000) argue that what matters for economic

growth is the ability to exploit areas ong>ofong> high technology

opportunity, which in recent decades have been

dominated by ICT.

Depending on the level ong>ofong> ong>securityong>, removable media

used by the staff is disposed ong>ofong> securely ong>andong> in most

cases seeking guidance from the IT Department where

appropriate. To ensure consistence ong>andong> accountability ong>ofong>

what get in ong>andong> out ong>ofong> the ong>systemong>, Checklist for Staff is

completed before an employee leaves a job; that relevant

accounts are closed ong>andong> equipment returned for

example. mobile phones, PDAs, laptops, ong>andong> so on.

ong>Theong>re exist an increasingly need for adequate ICT

control ong>andong> governance, ong>andong> is also growing

tremendously as firms relentlessly step up the pace ong>andong>

increase the value ong>ofong> return on investments in ICT.

Significance ong>ofong> ong>informationong> ong>systemong> ong>securityong> ong>policiesong>

ong>andong> control

Today, our businesses, governments, schools ong>andong>

private associations, such as churches, are incredibly

dependent on ong>informationong> ong>systemong>s ong>andong> are, therefore,

highly vulnerable if these ong>systemong>s should fail. (Laudon

ong>andong> Laudon, 2006). It is therefore obvious that adoption

ong>ofong> Computer based Information System requires a high

degree ong>ofong> conformance to ong>securityong> ong>policiesong> ong>andong> control

measures by the firm to avert unauthorized access,

destruction ong>ofong> the ICT infrastructure ong>andong> business risks.

Such risks include accidental data change or release,

malicious user damage, fraud, theft, failure ong>andong> natural


ong>Theong> report by Craig et al (2003), confirmed that while

the adoption ong>ofong> ICT in businesses ong>ofong> all sizes is

predominately high, there has been limited adoption ong>ofong>

ong>securityong> practices ong>andong> technologies. ong>Theong> ABS have

reported that only 15% ong>ofong> medium sized firms, 4% ong>ofong>

small businesses ong>andong> 2% ong>ofong> micro businesses have

adopted a ong>securityong> policy (ABS, 2003a).

ong>Theong> company needed an advanced threat management

solution that would take fewer resources to maintain ong>andong>

require limited resources to track ong>andong> respond to

suspicious network activity. ong>Theong> company installed an

advanced intrusion detection ong>systemong> allowing it to

monitor all ong>ofong> its network activity including any potential

ong>securityong> breaches (CIO Magazine, 2003).

Security ong>andong> risks ong>ofong> ong>informationong> ong>systemong> resources in

general has never been complete ong>andong> safe at any given

time ong>andong> has to be monitored ong>andong> evaluated continuously

by identifying, quantifying, ong>andong> prioritizing risks against

criteria for risk acceptance ong>andong> objectives relevant to the


organization. ong>Theong> results should guide ong>andong> determine the

appropriate management action ong>andong> priorities for

managing risks ong>andong> for implementing ong>controlsong> selected to

protect against these risks. ong>Theong> process ong>ofong> assessing

risks ong>andong> selecting ong>controlsong> may need to be performed a

number ong>ofong> times to cover different parts ong>ofong> the

organization or individual ong>informationong> ong>systemong>s.

Background ong>ofong> the study

According to Haag et al (2008) point ong>ofong> view, it becomes

undisputable that the technological changes ong>ofong> ICT in

terms ong>ofong> emerging trends ong>andong> technologies are here to

stay, those organizations that can most effectively grasp

the deep currents ong>ofong> technological evolution can use their

experiences to protect the companies against eventual

ong>andong> fatal technological obsolescence. Technology is

advancing at a phenomenal pace. Medical knowledge is

doubling every eight years. Half ong>ofong> what students learn in

their freshman year college about innovation technology

is obsolete, revised, or taken for granted by their senior

years. In fact, all ong>ofong> today‟s technical knowledge will

represent only one percent (1%) ong>ofong> the knowledge that

will be available in 2050. (Haag et al., 2008).

Adopting ICT is a difficult task for companies ong>ofong> all

sizes, whether they are in developed or developing

countries. In fact, a lot ong>ofong> management literature focuses

on the organizational changes that firms must go through

in order to effectively adopt ICT because they change the

way firms do business. While the changes may be

beneficial in the long run, they ong>ofong>ten hurt one department

ong>andong> strengthen another. For example, Zhang Hongwei,

senior consultant with D'Long International Strategic

Investment, comments that “in order to make Enterprise

Resource Planning (ERP„s) cost-saving ong>andong> efficiencybuilding

features work; managers must be willing to take

measures that can be anathema in the state-owned

sector, such as selling businesses, laying ong>ofong>f workers,

ong>andong> changing longstong>andong>ing vendor relationships. All ong>ofong>

this can be tough to do.” (Yinyu, 2004).

Information System ong>securityong> may not be narrowed down

as per see, but may also include Careful assessment ong>andong>

reviewing ong>ofong> firms‟ ICT needs as part ong>ofong> the overall ICT

strategy, drawing up appropriate requirements, detailed

evaluation ong>ofong> suppliers, ong>andong> stringent management

ong>policiesong> ong>ofong> ICT operations as a way ong>ofong> mitigating

operation risks.

ong>Theong>refore on success ong>andong> failure ong>ofong> ong>informationong>

technology, O‟brien (2003) asserts that, ong>informationong>

ong>systemong> heavily dependent on ong>informationong> technologies,

they are designed, operated, ong>andong> used by people in a

variety ong>ofong> organizational settings ong>andong> business

environments. Thus, the success ong>ofong> an ong>informationong>

ong>systemong> should not be measured only by its efficiency interms

ong>ofong> minimizing costs, time ong>andong> the use ong>ofong> ong>informationong>

575 PJ Bus. Admin. Manage.

resources. Success should also be measured by the

effectiveness ong>ofong> ong>informationong> technology in supporting an

organization‟s business value ong>ofong> the enterprise.

Information technology ong>andong> ong>informationong> ong>systemong>s can be

mismanaged ong>andong> misapplied so that ong>informationong> ong>systemong>

performance problems create both technological

business failures.

So to succeed, companies need ong>informationong> ong>systemong>s

that can support the diverse ong>informationong> ong>andong> decision

making needs ong>ofong> their managers ong>andong> business

prong>ofong>essionals. As Schwartz ong>andong> Evans (1997) conclude,

conventional wisdom says knowledge is power, but

knowledge harvesting without focus can render you

powerless. As companies migrate toward responsive e-

business models, they are investing in new data-driven

decision support application frameworks that help them

respond rapidly to changing market conditions ong>andong>

customer needs.

Statement ong>ofong> the problem

Information managed through ICT infrastructure is an

important resource in terms ong>ofong> organizational strategic

positioning ong>andong> therefore, its protection ong>andong> control is a

very crucial aspect for the firms‟ success.

Managing ong>informationong> ong>systemong>s technology ong>andong> corporate

data is more difficult in a distributed networked

environment because ong>ofong> lack ong>ofong> a single, central point

where management can (Laudon ong>andong> Laudon, 2006).

ong>Theong> objective ong>ofong> the study

ong>Theong> general objective ong>ofong> this study was to assess the

ong>impactong> ong>ofong> ICT ong>securityong> ong>policiesong> ong>andong> ong>controlsong> on firm

operation enhancement for Kenyan SMEs.

This study sought to achieve the following specific


- To explore ong>informationong> ong>systemong> infrastructure ong>securityong>

control method used by SEs.

- To determine the commonly used ong>informationong> ong>systemong>

ong>securityong> control methods used by SEs

- To establish the effectiveness ong>ofong> ICT management

ong>policiesong> used by small enterprises

Research questions

What are the ong>informationong> ong>systemong> infrastructure ong>securityong>

control methods used by small enterprises in Kisumu

What are the commonly use ong>informationong> ong>systemong> ong>securityong>

control methods use by small enterprise in Kisumu

Are ICT management ong>policiesong> effectively used by small


Literature review

ICT ong>securityong> ong>andong> ong>policiesong>

ong>Theong> use ong>andong> integration ong>ofong> ICT into the business

mainstream, has revolutionized ong>andong> change the business


dimension. As noted by Curtis ong>andong> Cobham (2008), that

the ong>impactong> ong>ofong> ong>informationong> technology has reshaped the

types ong>ofong> work involved within organizations. Frequently

those with skills for previous jobs do not have the skills

appropriate for the new technology. Many organizations

have developed ong>policiesong> to provide the retraining

necessary to enable employees to move internally. ong>Theong>

drive to develop ong>policiesong> is not just the commercial

consideration ong>ofong> “fire ong>andong> hire” as against the costs ong>ofong>


Despite the massive investments in ong>informationong>

technology in the developed economies, the Information

Technology ong>impactong> on productivity ong>andong> business

performance continues to be questioned. Several studies

have been conducted ong>andong> according to the study

conducted by (Hammer ong>andong> Champy, 1993), the real pay

ong>ofong>fs occur when Information ong>systemong>/Information

Technology development ong>andong> use is linked with the

business reengineering (BPR) efforts coming on stream

in the 1990s. Keen (1991) further discusses measuring

the cost avoidance ong>impactong>s ong>ofong> IT/IS. For him these are

best tracked in terms ong>ofong> business volumes without

increases in personnel. At the strategy level he also

suggests that the most meaningful way ong>ofong> tracking

Information Technology/Information ong>systemong> performance

overtime is in terms ong>ofong> business performance per

employee, for example revenue per employee, prong>ofong>it per

employee, or at a lower level, as one example –

transactions per employee.

Integration ong>ofong> the enterprise has emerged as a critical

issue for organisations in all business sectors striving to

maintain competitive advantage. Integration is the key to

success. It is the key to unlocking ong>informationong> ong>andong> making

it available to any use, anywhere, anytime (Kalakota et

al., 1999).

ICT Implementation ong>andong> Integration

Martin (1991) points out that faster, better, cheaper does

not necessarily mean “quick ong>andong> dirty”. ong>Theong> need for fast

ong>andong> efficient design ong>andong> implementation means that time

– intensive activities must be automated or, at the very

least, supported by appropriate technology.

It was further noted that the world-class enterprise ong>ofong>

tomorrow is built on the foundation ong>ofong> world-class

application clusters implemented today (Kalakota et al

1999). Effective implementation ong>ofong> ong>informationong> technology

would decrease liability by reducing the cost ong>ofong> expected

failures ong>andong> increase flexibility by reducing the cost ong>ofong>

adjustment. ong>Theong> business reaction to the environment

remains to be the vital determinant for its effectiveness.

Leading-edge telecommunications technology ong>andong> the

internet cannot make organisation move effective unless

underlying organizational issues are fully addressed. Old

ways ong>ofong> doing business must also be changed to work

Ogalo 576

effectively with the internet ong>andong> related network

technologies. Such changes in corporate culture ong>andong>

organisational structure are not easy to make. It took

several years ong>ofong> hard work ong>andong> large financial

investments for IBM to makes its business processes

web enabled to convince disparate business units to

adopt a “One IBM” mind-set in which everyone uses

common tools (Kanter, 2001).

One IT manager estimates that it takes 5 to 10 times

more time to reach an understong>andong>ing ong>andong> agreement on

ong>systemong> requirements ong>andong> deliverables when the users

ong>andong> developers are in different countries. This is partially

explained by travel requirements ong>andong> language ong>andong>

cultural differences, but technical limitations also

contribute to the problem (Ives et al., 1991).

Implementing enterprise ong>systemong> in an

organisation/enterprise is like any other change process

in a ong>systemong>. According to O‟Leary (2000), its

implementations fail is believed to be a direct result ong>ofong>

lack ong>ofong> top-level management support. Although

executives do not necessarily need to make decisions

made by project managers. Many problems can arise if

projects fail to grab the attention ong>ofong> top-level

management. In most companies, executive have the

ultimate authority regarding the availability ong>andong>

distribution ong>ofong> resources within the organisation. If

executives do not understong>andong> the importance ong>ofong> the

enterprise ong>systemong>, delays or stoppages are likely to occur

because the necessary resources may not be available

when they are needed (O‟Leary, 2000).

Ethics ong>andong> ong>policiesong> ong>ofong> ICT

Information ong>systemong>s raise new ethical questions for both

individuals ong>andong> societies because they create

opportunities for intense social change, ong>andong> thus threaten

existing distributions ong>ofong> power, money, rights ong>andong>

obligations. (Laudon ong>andong> Laudon, 2006).

Ogalo ong>andong> Nyangara (2011) asserts, that although the

government ong>ofong> Kenya has some ong>policiesong> in place, it must

continue to foster ong>andong> play an active role in encouraging

ong>andong> promoting the use ong>ofong> ICT while ensuring that

coherent enabling ong>policiesong>. Formulating an intensive

national ong>informationong> policy to cater for SMEs up to the

village level, to empower their ong>informationong> base ong>andong> ong>ofong>fer

relevant knowledge ong>andong> training on ICT resources. ong>Theong>

policy should also contain an organ to link ong>andong> partner

with small enterprise to assess ong>informationong>al needs,

business requirements, insecure use ong>ofong> ICT ong>andong> safety

regulation ong>andong> to avail or indentify for them the source ong>ofong>

such ong>informationong>. To include Provision ong>ofong> financial ong>andong>

non-financial incentives to start-up ICT firms; ong>andong> ong>ofong>fer

tax incentives to SMEs that buy ICT products ong>andong>

services from local firms, capacity building ong>andong> skills

development in order to attain national socio-economic


goals, for the benefit ong>ofong> national ong>andong> global development

(Ogalo ong>andong> Nyangara, 2011).

An integrated ICT based ong>informationong> ong>systemong>s have

become ubiquitous. People a well as organisations have

come to depend on them not only for success ong>andong>

survival, but also for the conduct ong>ofong> everyday transactions

ong>andong> activities. Computer ong>systemong>s have invaded nearly

every aspect ong>ofong> our daily lives. As ong>informationong> technology

advances, it creates a continuing stream ong>ofong> new issues

pertaining to those parts ong>ofong> our lives that it ong>impactong>s. In

business arena, ong>informationong> technology has presented

ethical issues in four areas these areas, identified by

Richard Mason, are privacy, property accuracy ong>andong>

access ( Mason, 1991). In addition, ethical issues

surround the ong>impactong> ong>informationong> technology has on us all.

Curtis ong>andong> Cobham (2008) found that organizations

policy decisions on the use ong>ofong> their IT facilities by

employees for non-work- related activities, may cover, for

example, the right ong>ofong> the employee to use e-mail for

personal purposes, during or outside ong>ofong> work time. ong>Theong>

content ong>ofong> the e-mail may also be subject to the policy for

example pornography or whether the e-mail is being used

for personal consultancy purposes.

Over the last decade, ong>informationong> ong>andong> communication

technologies have enabled changes in the way people

live, work, interact ong>andong> acquire knowledge. ong>Theong> take up ong>ofong>

social computing ong>andong> new participative approaches

ong>impactong> public services such as government, the health

sector ong>andong> education ong>andong> training (Osimo, 2008; Ala-

Mutka, 2008; Punie, 2008; Redecker, 2008).In another

study ong>ofong> African ong>andong> Latin American nations, Wallsten,

(2001) observed that regulation had no ong>impactong> on

mainline telephone penetration. ong>Theong> prevailing individual

nation conditions (economic, cultural, social, ong>andong> political)

also should be considered when investigating ICT

adoption in African nations.

ICT policy making in developing countries may suffer

from weaknesses (Maclean et al., 2002). Involving the

business sector can help overcome those gaps.

However, the most important role ong>ofong> the business sector

is to supply to the market, local innovative solutions that

can respond to local specific needs thus diffusing ICT.

Information ong>securityong> ong>andong> ICT governance

Business enterprises have very valuable ong>informationong>

assets to protect. Systems ong>ofong>ten house confidential

ong>informationong> about individual‟s taxes, financial assets,

medical records ong>andong> job performance reviews. ong>Theong>y also

may contain ong>informationong> on corporate operations,

including trade secrets, new product development plans;

ong>systemong>s may store ong>informationong> on weapons ong>systemong>s,

intelligence operations, ong>andong> military targets. ong>Theong>se

ong>informationong> assets have tremendous value, ong>andong> the

repercussions can be devastating if they are lost,

577 PJ Bus. Admin. Manage.

Table 1: Selected small enterprises

Strata No. ong>ofong> small enterprises Sample No. ong>ofong> small enterprises Percentage ong>ofong> No. ong>ofong> small enterprises

Zone seven (7) 310 93 19.38%

Zone Eight (8) 171 51 10.63%

Total 481 144 30.01%

Source: Survey Data

destroyed, or placed in the wrong hong>andong>s. A recent survey

estimates that when the ong>securityong> ong>ofong> a large firm is

compromised, the company loses approximately 2.1

percent ong>ofong> its market value within two days ong>ofong> the ong>securityong>

breach, which translates into an average loss ong>ofong> $1.65

billion in stock market value per incident (Cavusoglu et

al., 2004).

Issues such as perceived investment recovery, comfort

with traditional forms ong>ofong> supply management ong>andong> selling,

perceived levels ong>ofong> risk, ong>securityong> concerns ong>andong> training

costs are cited as being serious barriers to uptake ong>ofong> ICT

by SMEs (Kendall, 2001).

Effective ong>securityong> management can minimize errors,

fraud, ong>andong> losses in the internetworked computer-based

ong>systemong>s that interconnect today‟s e-business enterprises.

(Tate ong>andong> Priscilla, 1998).Companies have very valuable

ong>informationong> assets to protect. Systems ong>ofong>ten house

confidential ong>informationong> about individual‟s taxes, financial

assets, medical records, ong>andong> job performance reviews.

ong>Theong>y also may contain ong>informationong> on corporate

operations, including, trade secrets, new product

development plans ong>andong> marketing strategies.

Government ong>systemong>s may store ong>informationong> assets have

tremendous value, ong>andong> the repercussions can be

tremendous value, ong>andong> the repercussions can be

devastating ong>ofong> they are lost, destroyed or placed in the

wrong hong>andong>s. A recent study estimates that when the

ong>securityong> ong>ofong> large firms is compromised, the company

loses approximately 2.1 percent ong>ofong> its market value within

two days ong>ofong> the ong>securityong> breach, which translates into an

average loss ong>ofong> $1.65 billion in stock market value per

incident (Cavusoglu et al., 2004).

Defrauding telephone companies out ong>ofong> long-distance

toll charges has occurred for many years. Using slugs

instead ong>ofong> real coins, letting the phone ring twice to mean

you go home ok, ong>andong> calling person-to-person for

yourself with some cute message are all ways that

people have swindled common carriers out ong>ofong> toll charges

that were rightly theirs (Emma, 1997).


ong>Theong> study was conducted in Kisumu City, headquarters

ong>ofong> Nyanza province, in the western part ong>ofong> Kenya ong>andong> is

also the third largest City in Kenya. Kisumu is a Lake

Victoria port ong>ofong> Kenya ong>andong> the second most important

town after Kampala within the lake region. It is known for

it being economic hub for most trade conducted in the

East Africa region. Kisumu has an estimated population

ong>ofong> about 665,018 people, ong>ofong> whom 162,354 are male ong>andong>

160,380 Female. (Kenya National Bureau ong>ofong> statistics,

Kenya Population Census, 1999).

ong>Theong> study was based in Kisumu city Central Business

Districts (CBDs), which is divided into two zones namely;

zone seven (7) ong>andong> zone eight (8), according to Municipal

council ong>ofong> Kisumu (MCK) way ong>ofong> classification. Survey

research design was used in the study with a target

population ong>ofong> 481 ong>ofong> small enterprises in Kisumu City

Central Business District. ong>Theong> population was drawn from

the sample list from Municipal Council ong>ofong> Kisumu (MCK)

integrated ong>informationong> ong>systemong> (MCK integrated

ong>informationong> ong>systemong>, 2010). ong>Theong> small enterprises

according to the study are enterprises with employees

between 5 ong>andong> 20.

A sample ong>ofong> 144 small enterprises were respondents

selected from the target population ong>ofong> 481, ong>andong>

distributed in 310 ong>andong> 171 respondents respectively in

each sub-group named zone 7 ong>andong> 8, using stratified

sampling technique. ong>Theong> sample size was determined

according to Yamane (1967:886) formula for sample size

determination. ong>Theong> sample for the study was selected

from the two strata using purposive sampling technique.

Table 1

Purposive sampling technique was further used to

select 5 directors ong>ofong> small enterprises for in-depth

interviews. ong>Theong> informants were selected at the

researchers discretion based on general set up ong>ofong> the ICT

use in order to shed light on a range ong>ofong> issues ong>ofong> interest

to the study. Also interviewed were ICT prong>ofong>essional

dealers who were selected using purposive sampling


In the study open ong>andong> closed ended questionnaires ong>andong>

interviews were the main tools used to collect data. But

the large sample size ong>ofong> 144 respondents used in this

study against the time constraints made ong>ofong> questionnaire

the ideal tool for collecting data within the shortest time

possible. ong>Theong> study used self administered questionnaire.

To ensure reliability ong>ofong> the instruments, 10% ong>ofong> the

instruments were piloted in the small enterprises outside

the CBDs; this in correcting some ong>ofong> the error in the

instruments, thereby improving instrument reliability.


Ogalo 578

Table 2: Existence ong>ofong> ICT ong>securityong> ong>policiesong>.

Details No. ong>ofong> respondents n=144

Yes 129 (90%)

No 10 (7%)

No Comment 5 (3%)

Total 144 (100%)

Source: Survey data

Reliability is a measure ong>ofong> the degree to which a research

instrument yields consistent results or data after repeated

trials (Mugenda ong>andong> Mugenda, 2003).

This pilot testing ong>ofong> the questionnaire improved the

content validity ong>ofong> the instrument, by realigning ong>andong>

adjusting the questions to conform ong>andong> improved its

clarity to the respondents. Opinions ong>ofong> the experts were

also sought to make the instrument yield the expected

results. ong>Theong> data collected were coded, tabulated ong>andong>

analysed using descriptive analysis for measures ong>ofong>

central tendency ong>andong> inferential analysis method to draw

conclusions concerning relationships ong>andong> differences

found in the research results.



In order to explore further to determine the ong>securityong>

ong>policiesong> in the small enterprises, surveyed respondents

were asked to indicate if there exist the required levels ong>ofong>

ong>securityong>. Results showed that 129 (90%) ong>ofong> the

respondents have the required ong>securityong> level which were

the overwhelming majority. Only 10 (7%) were for non

existence ong>ofong> the required ong>securityong> level, while 5 (3%)

decide to remain neutral ong>andong> therefore did not comment

on the same. This supports the fact that most enterprises

have existing ong>securityong> level ong>policiesong> in place, because

90% ong>ofong> the respondents were in support. Management ong>ofong>

implementation ong>andong> effective control ong>ofong> ong>securityong> ong>policiesong>

poses a serious challenge to most firms. Laudon ong>andong>

Laudon (2006), confirmed that many firms lack disaster

recovery ong>andong> business continuity plans or fail to patch

their song>ofong>tware routinely against ong>securityong> vulnerabilities.

Managers do not appreciate the value ong>ofong> a sound ong>securityong>

strategy. Security threats abound, but they are neither

predictable nor finite, making it more difficult to calculate

returns on ong>securityong> investments. Table 2.

ong>Theong> results show that majority 58 (40%) ong>ofong> the small

enterprises strongly disagree that the ICT protection

ong>policiesong> were effective. Another 41 (28%) disagree with

the same, while 7 (5%) did not choose any side but

decided to remain neutral. ong>Theong> remaining 13 (9%) ong>andong> 25

(17%) were ong>ofong> the opinion ong>ofong> strongly agree ong>andong> agree

respectively. This data was further subjected to likert

scale rating, ong>andong> the value stood at 2.3, above neutral

value ong>ofong> 2, ong>andong> this indicates that ICT protection ong>policiesong>


Table 3: Effectiveness ong>ofong> ICT infrastructure protection Policies

Details No. ong>ofong> respondents (Enterprises) n = 144

Strongly Agree 13 (9%)

Agree 25 (17%)

Neutral 7 (5%)

Disagree 41(28%)

Strongly Disagree 58 (40%)

Total 144 (100%)

Source: Survey data

still stong>andong>s in the middle ong>andong> a lot has to be done to

improve its effectiveness. Table 3.

Good ong>informationong> architecture includes a strong

ong>informationong> ong>securityong> plan, along with managing user

access ong>andong> up-to-date antivirus song>ofong>tware ong>andong> patches.

(Martin, 2005). ong>Theong> effectiveness ong>ofong> ong>informationong> ong>systemong>

ong>securityong> require a rigorous training ong>andong> sensitization ong>ofong>

staffs, to shield some ong>ofong> the obvious loophole which in

turns creates a liability to the enterprise.

Many individuals freely give up their Passwords or write

them on sticky notes next to their computers, leaving the

door wide open intruders. (2002 CSI/FBI, 2003). A

detailed ong>informationong> ong>securityong> plan can alleviate people –

based ong>informationong> ong>securityong> issues. An organization should

make a conscientious effort to ensure that all users are

aware ong>ofong> the policy through formal training ong>andong> other


Majority ong>ofong> the respondents according to the above

table shows that 99%, 97% ong>andong> 88% used physical

restriction to access critical ICT component, backup

power unit ong>andong> training ong>ofong> employees on current ICT

needs ong>andong> requirement respectively. Some respondents

constituting ong>ofong> 19%, 2% ong>andong> 30% used firewalls, data

encryption ong>andong> data backup as ong>informationong> ong>systemong>

protection ong>securityong> facilities respectively. Table 4.

Many U.S firms such as banks ong>andong> brokerages are

required by federal law to provide their customers a copy

ong>ofong> their firm‟s privacy policy. It is therefore a fundamental

responsibility for managers who own or use ong>informationong>

resources to protect ong>andong> secure these assets from theft,

damage ong>andong> misuse. IT managers are expected to lead

in establishing IT control ong>policiesong> for the entire firm.

(Frenzel ong>andong> Frenzel 2004). ong>Theong> understong>andong>ing ong>ofong>

managers on the various ong>securityong> protection facilities was

an important element for the successful utilization ong>andong>

management. It was further noted that Control also

means that managers must have routine methods for

comparing actual ong>andong> planned performance. In a wellcontrolled

organization, deviations from planned

performance stong>andong> out ong>andong> are obvious. “Planning ong>andong>

control are inseparable – the Siamese twins ong>ofong>

management” (Harold Koontz ong>andong> Cyrill O‟Donnell 1964).

Frenzel ong>andong> Frenzel (2004) noted that to cope

579 PJ Bus. Admin. Manage.

Table 4: Information ong>systemong> protection ong>securityong> facilities.

Security method

No. ong>ofong> respondents

Firewalls n=144 27 (19%)

Data Encryption n=144 3 (2%)

Data backup n=144 43 (30%)

Physical restriction to access critical ICT components n=144 141 (99%)

Backup power unit n=144 139 (97%)

Training ong>ofong> employees on current ICT ong>securityong> needs ong>andong> requirements n=144 88 (61%)

Source: Survey data

Table 5: ICT infrastructure disruption encountered

ICT Disruption


Yes No No comment

Sabotage (Vong>andong>alism, ong>Theong>ft) n =144 43 (30%) 68 (47%) 33 (23%)

Unauthorized Access n=144 86 (59%) 40 (28%) 18 (13%)

Data loss n =144 121 (84%) 19 (13%) 4 (3%)

ICT abuse (fraud, Crime) n =144 56 (39%) 77 (53%) 11 (8%)

Hardware failure n=144 125 (87%) 16 (11%) 3 (2%)

Song>ofong>tware failure n=144 131 (91%) 8 (6%) 5 (3%)

Virus attack n=144 140 (97%) 3 (2%) 1 (1%)

Interruption ong>ofong> telecommunication links n=144 131 (91%) 7 (5%) 6 (4%)

Source: Survey data

successfully with these challenges, effective managers

must develop a discerning awareness ong>andong> a keen

appreciation ong>ofong> social phenomena, ong>andong> they must

continually fine tune their people management skills. High

performance organizations always find ways to maximize

human productivity. ong>Theong>y recognize that people are the

key to capturing the benefits ong>ofong> technological advances in

today‟s ong>informationong> age.

Table 5 above shows that majority ong>ofong> small enterprise

47% do not experience sabotage as a disruption ong>ofong> ICT

operations. About 30% have encountered sabotage,

while another 23% decline to comment. On unauthorized

access, majority ong>ofong> the firms‟ 59% have encountered this

problem ong>andong> 28% have not, while only 13% decline to

comment. Data loss have a majority ong>ofong> respondents 84%

encountering this problem ong>andong> 13% have encountered

the same ong>andong> 3% declining not to comment. ICT abuse

was represented by 39% ong>andong> 53% respondents citing it

as a hindrance to the smooth operation ong>ofong> the ong>systemong>.

Hardware failure has a majority ong>ofong> 87% ong>ofong> respondents

recognizing it as a problem ong>andong> 11% do not, while only

2% declined to comment.

ong>Theong> results showed above gives elements ong>ofong> existence

ong>ofong> gaps ong>ofong> hindrance ong>ofong> ICT between ICT-disruption

related effects ong>andong> the continuity ong>andong> maximization ong>ofong> ICT

resources. Porter (2001) asserted that new technologies

trigger rampant experimentation, by companies ong>andong> their

customers, ong>andong> the experimentation is ong>ofong>ten economically

unsustainable. As a result, market behavior is distorted


ong>andong> must be interpreted with caution (Porter, 2001). This

raise a lot ong>ofong> questions to be solved by management ong>ofong>

an enterprise, this necessities the prioritization ong>ofong>

strategic action plans to focus on these problems, the

focus should be holistic in nature ong>andong> not thinking that IT

governance, ong>policiesong> implementation ong>andong> related

problems is a restricted responsibility ong>ofong> other reserved

people in the organization. This will ensure that the

organization is driven to provide proactive leadership to

enhance the organizational achievement ong>ofong> the many

benefits ong>ofong> optimizing IT opportunities while protecting

against risks. It was further noted, that in turbulent times,

an enterprise has to be able to withstong>andong> sudden blows

ong>andong> avail itself ong>ofong> unexpected opportunities. This means

that in turbulent times the fundamentals must be

managed ong>andong> managed well. (Drucker, 1980). It was

noted that one problem with risk assessment ong>andong> other

methods for quantifying ong>securityong> costs ong>andong> benefits is that

organizations do not always know the precise probability

ong>ofong> threats occurring to their ong>informationong> ong>systemong>s, ong>andong> they

may not be able to quantify the ong>impactong> ong>ofong> such events

accurately. (Mercuri, 2003).




ong>Theong> culture ong>ofong> good Internal ICT Control should be

inculcated in the entire workforce, which in turn engage

the employees ong>andong> create a sense responsibility,

Ogalo 580

accountability. This essentially creates adequate

procedures, ong>informationong> ong>andong> channels ong>ofong> reporting

amongst others, ong>andong> coupled with proper documentation

ong>ofong> the same for ease ong>ofong> integration in the business


Conclusions ong>andong> Recommendations

Organizations should formulate strategy which should

give direction ong>andong> establish priorities for the investments

ong>andong> management ong>ofong> ICT infrastructure resources. It

should complement an ICT governance framework for

defining the distribution ong>ofong> the decision-making roles ong>andong>

responsibilities among different levels ong>ofong> managers ong>andong>

employees in the organization, ong>andong> further establish

procedures for implementing ong>andong> monitoring these

strategic decisions.

Constant periodic assessments ong>ofong> ICT risk should be

conducted to identify emerging threats that could

negatively affect ICT operations ong>andong> assets utilization.

Information ong>systemong> utilization ong>andong> ong>securityong> policy ong>andong>

procedures should be developed in a clear terms ong>ofong>

reference for its protection ong>andong> the management ong>ofong> data

held in the ong>systemong> should conform ong>andong> adhere to the set

rules ong>andong> regulations.


2002 CSI/FBI computer crime ong>andong> ong>securityong> survey www. accessed November 23, 2003.

ABS (2003a). 8129.0 Business Use ong>ofong> Information

Technology (2001 - 02). Canberra: Australian

Ala-Mutka K, Malanowski N, Punie Y, Cabrera M (2008).

Active Ageing ong>andong> the Potential ong>ofong> ICT for Learning.

Institute for Prospective Technological Studies (IPTS),

JRC, European Commission. EUR 23414 EN.

Bureau ong>ofong> Statistics.

Cavusoglu H, Birendra M, Sriniva SR (2004). “A model

for evaluating IT ong>securityong> investments,”

Communications ong>ofong> the ACM 47(7).

CIO Magazine, Sony Fights Instrusion with “Crystal Ball”,, accessed August 9, 2003.

Craig A, Justin A, Eric B (2003). A framework for the

adoption ong>ofong> ICT ong>andong> ong>securityong> technologies by SME‟s; A

paper for the Small Enterprise Association ong>ofong> Australia

ong>andong> New Zealong>andong> 16th annual Conference, Ballarat,

28 Sept-1 Oct, 2003.

Curtis G, Cobham D (2005). Business ong>informationong>

ong>systemong>s: Analysis, Design ong>andong> Practice, 6 th edition,

Pearson education Limited, Englong>andong>.

Drucker P (1980). Managing in Turbulent Times New

York: Harper ong>andong> Row, 1980.

Emma T (1993). “For whom the Fraud Tolls,

“Telecome Roseller p. 17.”

Fagerberg J Eds. (2000). ong>Theong> Economic Challenge for


Europe, Edward Elgar, Cheltenham.

Frenzel CW, Frenzel JC (2004). Management ong>ofong>

ong>informationong> Technology, 4 th edition, Canada.

Haag S (2008). Business driven technology – Stephen

Haag, Paige Baltzan, Amy philips 2 nd ed. p. 434.

Hammer M, Champy J (1993). Reengineering the

corporation: A manifesto for business Revolution.

Nicholas Brealey, London.

Harold K, Cyrill O (1964). Principles ong>ofong> Management, 3 rd

ed. (New York: McGraw – Hill Company), 73.

Ives B, Sirkka J (1991). “Applications ong>ofong> Global

Information Technology: Key Issues ong>ofong> Management.”

MIS Quarterly.

Kalakota R, Marcia R (1999). E-business Roadmap for

success. Reading, MA: Addison-Wesley.

Kanter RM (2001). “ong>Theong> ten deadly mistakes ong>ofong> Wanna

Dots,” Harvard Business Review (January 2001).

Keen P (1991). Shapping the future: Business Design

Through ong>informationong> technology. Harvard Business

Press, Boston.

Kendall J, Tung LL, Chua KH, Ng DCH, Tan SM (2001).

Electronic Commerce Adoption by SMEs in

Singapore. Paper presented at the 34th Hawaii

International Conference on System Sciences, Hawaii.

Kenya National Bureau ong>ofong> statistics (KNBS), Kenya

Population Census, 1999.

Laudon KC, Laudon JP (2006). Management Information

Systems, Managing the Digital Firm, 9 th Edition,

Prentice-Hall ong>ofong> India Private Limited, New Delhi –


MacLean D, Deane J, Souter D, Lilley S (2002). Louder

Voices, Strengthening Developing Country

Participation in International ICT Decision Making,

Commonwealth Telecommunications Organization

ong>andong> Panos, London, for UK Department for

International Development, 2002.

Martin G (2005). “Manage passwords, ong>informationong> week,

may 20.

Martin J (1991). Rapid Applications Development,

Macmillan Press, New York.

Mercuri RT (2003), Analyzing Security costs,

Communications ong>ofong> the ACM 46(6).

Mugenda MO, Mugenda GA (2003). Research Methods

Quantitative ong>andong> Qualitative Approaches, Acts Press,


O‟Brien JA (2003). Introduction to ong>informationong> ong>systemong>s.

Essentials for the e-business Enterprises, 11 th edition,

McGraw-Hill Irwin, New York.

O‟Leary DE (2000). Enterprise Resource Planning

Systems: System, Life cycle, Electronic Commerce,

ong>andong> Risk. 1 st Ed New York: Cambridge University


Ogalo JO, Nyangara CA (2011). Impact ong>ofong> Information

Communication Technology (ICT) on growth ong>ofong> Small

581 PJ Bus. Admin. Manage.

enterprises (SEs) in Kenya, An exploration ong>ofong> ICT use

in small enterprises in Kisumu city (Central Business

Districts - CBDs) – Lap Lambert Academic Publishing

– Saarbrucken, Germany.

Osimo D (2008). Web 2.0 in Government: Why ong>andong> How

Institute for Prospectice Technological Studies (IPTS),

JRC, European Commission, EUR 23358 EN.


Porter M (2001). “Strategy ong>andong> the internet,” Harvard

Business Review, March 2001.

Punie Y (ed.) (2008). ong>Theong> Socio-economic Impact ong>ofong>

Social Computing. Proceedings ong>ofong> a validation ong>andong>

policy options workshop. IPTS Exploratory Research

on the Socio-economic Impact ong>ofong> Social Computing.

Institute for Prospective Technological Studies (IPTS),

JRC, European Commission, forthcoming.

Redecker C (Forthcoming). Review ong>ofong> Learning 2.0

Practices. IPTS technical report prepared for


Schwartz E (1997). Webonomics. New York: Broadway

Books, 1997.

Wallsten S (2001). Competition, privatization ong>andong>

regulation in telecommunications markets in

developing countries: an economic analysis ong>ofong> reforms

in Africa ong>andong> Latin America. J. Indust. Econs, 49(1): 1-


Yamane T (1967). Statistics, An Introductory Analysis,

2nd Ed., New York: Harper ong>andong> Row.

Yinyu H (2004). „ERP: Not Suitable for China‟ CFO Asia,


More magazines by this user
Similar magazines