An analysis of Information Technology (IT) security and the adoption of security policies: a case study of Kenyan small and medium enterprises (SMEs).
Abstract
Organizations of all sizes are now significantly reliant upon information technology and networks for the
operation of their business activities. All therefore have a consequent requirement to ensure that their systems
and data are appropriately protected against security threats. Unfortunately, however, there is evidence to
suggest that security practices are not strongly upheld within small and medium enterprise environments.
The purpose of this project was therefore to study the information technology security practices of the Kenyan
Small and Medium Enterprises (SMEs). In particular, the study looked at whether the roles and responsibilities of
Information Technology (IT) security in SMEs were well defined, whether SMEs had documented information
security policies and if employees were aware of these policies. Further, the study endeavored to find out
whether SME employees were given adequate and appropriate information security education and training, and
if employees were well informed as to what was considered acceptable and unacceptable usage of the
organization's information systems. This study was motivated by the feeling that IT security best practices were
not widely adopted by the majority of Kenyan SMEs and that much more needed to be done if SMEs were to realize
the benefits of information technology without compromising their security status. The study has come up with
a framework that helps SME owners, practitioners, and even academicians gauge how effective their
information security efforts have been. The study revealed that SMEs are characterized by lack of adequate
attention to IT security, with related responsibility frequently unassigned, or allocated to someone without
appropriate qualification. This is shown to have consequences in terms of adherence to good practice, with the
significant majority of organizations not having developed a security policy or undertaken a risk assessment.
Publisher
School of Computing and Informatics
Description
MSc