A Methodology for Adoption of an Enterprise Information Security Architecture Model: A Case Study of Major Companies in the Oil and Gas Industry in Kenya.
The purpose of this study is to investigate the adoption and assimilation of Enterprise Information Security Architecture (EISA) as an administrative innovation within the Oil and Gas Industry in Kenya. EISA is a subset of Enterprise Architecture (EA), focusing on information security in the enterprise. Several EISA frameworks have been developed and have gained acceptance, particularly in the developed world. However, their adoption rate in Kenya remains undocumented, despite Kenya's relatively well-developed ICT infrastructure as compared to other countries within the East African Region. In Kenya, the context in which this study takes place, no literature exists on adoption and assimilation of EISA either as an administrative innovation or technological innovation. Studies show that information security managers, including those in Kenya, have been searching for rationalized security practices to manage risks, preserve the confidentiality, integrity and availability of information and ensure business continuity in their organizations. This is a natural response to the increasing external threats and potential leakage of information. Such efforts can be viewed, conceptually, as a form of administrative innovation, as they trigger organizational change. Technological innovation focuses on developments in security technologies, whereas EISA fits with the philosophy of administrative innovation. If security were to be treated as a technological innovation, research into adoption and assimilation of EISA would inevitably be regarded, incorrectly, as part of ICT security. This study used administrative adoption models and hypotheses to test the factors that influence the assimilation and adoption of EISA frameworks in Kenya. The results indicate that supervisory authority can play a significant role in stimulating and enforcing the adoption and assimilation of information security architecture as a management practice.
This can offer some encouraging evidence for regulators to evaluate the effectiveness of rules and regulations in the area of information security architecture.