An analysis of Information Technology (IT) security and the adoption of security policies: a case study of Kenyan small and medium enterprises (SMEs).
Makumbi, Leonard Kaveke
Organizations of all sizes are now significantly reliant upon information technology and networks for the operation of their business activities. All therefore have a consequent requirement to ensure that their systems and data are appropriately protected against security threats. Unfortunately, however, there is evidence to suggest that security practices are not strongly upheld within small and medium enterprise environments. The purpose of this project was therefore to study the information technology security practices of Kenyan Small and Medium Enterprises (SMEs). In particular, the study looked at whether the roles and responsibilities of Information Technology (IT) security in SMEs were well defined, whether SMEs had documented information security policies, and whether employees were aware of these policies. Further, the study endeavored to find out whether SME employees were given adequate and appropriate information security education and training, and whether employees were well informed as to what was considered acceptable and unacceptable usage of the organization's information systems. This study was motivated by the feeling that IT security best practices were not widely adopted by the majority of Kenyan SMEs and that much more needed to be done if SMEs were to realize the benefits of information technology without compromising their security status. The study has come up with a framework that assists SME owners, practitioners, and even academicians to gauge how effective their information security efforts have been. The study revealed that SMEs are characterized by a lack of adequate attention to IT security, with related responsibility frequently unassigned or allocated to someone without appropriate qualification. This is shown to have consequences in terms of adherence to good practice, with the significant majority of organizations not having developed a security policy or undertaken a risk assessment.