Security Considerations for Computer Based Financial Information Systems in Kenya: the Case of Banks and Financial Institutions

Abstract

The primary focus of the study was to find out the extent of management awareness of the potential risks facing computer based financial information systems and the preventive measures undertaken. The reviewed literature indicated increased use of computers in the processing of data in the banking industry. It also indicated the increasing magnitude of computer crime in both the number of incidences and losses incurred. This trend is expected to continue. Consequently, management must design effective control measures to eontain these threats. The literature emphasized that security considerations are of paramount importance in computerised financial information systems. The literature also indicated user ignorance of the nature of special kinds of risks facing computerised systems and consequently of the appropriate measures that should be taken to manage and control such risks. The population of interest for this study comprised the 24 commercial banks and 54 financial institutions registered under the Banking Act and operating in Kenya as at 30th June 1988. A census study covering all the 78 institutions was carried out. The findings of the study suggested that most of the risks perceived by management wereofaphysical nature: Fire, power surges and floods. The other more elusive and dangerous risks whose materialization would lead to unauthorised interruption, corruption, destruction, removal or disclosure of data and computer resources were not given sufficient consideration. The observations indicated apparent ignorance of the authorized user or the company's own employees as the major threat facing computerised systems. The findings of the study also suggested that the measures undertaken by management to contain the computer risks placed emphasis on the traditional approach access control, fire guards, power stablizers, etc. ,Operator/clerical errors, machine (hardware) failure, power failure and magnetictredia failure were the most commonly experienced problems. Huge losses were also reported due to frauds and spillage damage. From the study it is apparent that security awareness and control measures were weak. Given the varied nature of actual problems experienced, the study suggested that the measures typical in the traditional approach left unattended the more serious and f,requent security problems. An appreciable proportion of the measures undertaken appeared to be either ineffective or very risky. This situation appeared to increase the potential for error, fraud, sabotage and unauthorised access to confidential information on many computer systems. In conclusion, some suggestions for strengthening security of computer based financial information systems were made. These included increasing the management awareness by attending seminars on computer security organised by auditors, dealers, manufacturers and suppliers of computer hardware and software. Employee awareness could also be increased through continuous staff education on security considerations.