Human Factors Affecting Favourable Cybersecurity Culture- a Case of Small and Medium-sized Enterprises Smes Providing Enterprise Wide Information Systems Solutions in Nairobi City County in Kenya

Abstract

Recent news coverage in both print and electronic media clearly indicates that cyberattacks are increasingly on the rise. As compared to large enterprises, SMEs are highly vulnerable to cyberattacks for they lack adequate cybersecurity controls in place to cope up with evolving cyber threats. According to reports from the industry, humans are regarded as the root cause of many cybersecurity incidents in organizations. This study, thus, purposed to examine the key human factors that impact on favourable cybersecurity culture in Kenyan SMEs premised in Nairobi City County and that provides enterprise wide Information Systems(IS) solutions. Primary data was collected through mail survey method from 34 SMEs that were selected from the official 2019 yellow pages Kenya online directory. The data collection tool was a structured questionnaire. To achieve this, quantitative research inform of descriptive research design was conducted. Judgmental sampling technique was used to choose respondents believed to have the required information relating to the objective of the study. As such, the respondents for the study consisted of senior personnel responsible for cybersecurity issues, the Information and Communication Technology (ICT) head, technical ICT staff and a general user of ICTs in each of the selected SME. Statistical Package for Social Sciences version 23(SPSS) was used for data analysis. Descriptive analysis findings established perceptions regarding the current cybersecurity practices in the SMEs studied. The regression analysis results of all the independents variable against the dependent variable jointly accounted for 54.4% (R-square equals to 0.544) of variation in the dependent variable (favourable cybersecurity culture). 45.6% of variation in favourable cybersecurity culture was therefore unexplained for, and this are covered by other factors not considered in the study. The P-value of 0.000(<0.05) implied that the model used to predict the effect of key human factors on favourable cybersecurity culture among SMEs providing enterprise wide IS solutions was statistically significant at the 5% significance level. Further, it was established that top management support and involvement together with reward and deterrence measures are positive and significant predictors of favourable cybersecurity culture among SMEs providing enterprise wide IS solutions and thus form important strategies for instilling favourable cybersecurity culture in SMEs providing enterprise wide IS solutions in Nairobi city county. Other strategies that need to be developed by these SMEs are cybersecurity policy, cybersecurity change management, cybersecurity training and awareness programs, cybersecurity monitoring and audit for they were also found to have a positive effect on favourable cybersecurity culture. The study concludes by emphasizing the need for adequate and consistent top management support and involvement in cybersecurity issues. It recommends that the top management need to strongly recognise their critical role in ensuring favourable culture of cybersecurity in organizations. Similar to road maps that clearly show direction and distance, the roadmap developed from this study can be used by cybersecurity practitioners to benchmark cybersecurity practices and processes in efforts to promote favourable cybersecurity culture in their organizations Keywords: Cyberattacks, enterprise wide IS solutions, human Factors, organizational security culture, cybersecurity roadmap, Small and Medium Enterprises(SMEs)