
Assessment of staff compliance to information security policy in the Ngaka Modiri Molema District Municipality


Academic year: 2021


ASSESSMENT OF STAFF COMPLIANCE TO INFORMATION SECURITY POLICY IN THE NGAKA MODIRI MOLEMA DISTRICT MUNICIPALITY

RA SEBETLELE

Mini-dissertation submitted in partial fulfillment of the requirements for the degree Master in Business Administration at the Mafikeng Campus of the North-West University

Supervisor: Prof. Nehemiah Mavetera

May 2014


Declaration

I, Ramo idi Abbisai Sebetlele, hereby declare that:

• The work in this paper is my own original work;

• All sources used or referred to have been documented and recognised; and

• This dissertation has not been previously submitted in fulfillment of the requirements for an equivalent or higher qualification or degree at any other recognised educational institution.


Acknowledgements

Sincere thanks are extended to those people and Ngaka Modiri Molema District Municipality employees who participated to the successful completion of this research. In particular, assistance of the following is acknowledged:

• Prof. Nehemiah Mavetera for his encouraging, advising and motivating

• My wife Morakane Analine, for encouraging, patience and moral support

• My children, Lesego, Reabetswe and Rethabile for understanding and sacrificing


Abstract

This research investigates the compliance of staff of a North West Provincial Municipal District Office to the Information Security Policy within the municipality.

This research therefore focused on information security policy, software analysis, strategic planning, implementing, compliance and the use of intra and internet services so as to minimize and manage information security threats. In its investigation on the availability of a policy to manage security on information systems, this research proceeded to discuss the problem statement, definition of terms, research objectives, and research question alongside literature reviewed on how other organizations had dealt with the information security problems and how to minimise the risk of the municipality becoming vulnerable.

Most of the organization's employees are ignoring the information security policy, leaving the company's information vulnerable to its counterparts and posing an information security threat to its day-to-day operation, or an information security policy does not exist. This has led to the main contributing factor of non-compliance to information security policy.

This study used a quantitative exploratory descriptive design to identify, analyse and describe factors contributing to an assessment of staff compliance to the information security policy in Ngaka Modiri Molema District Municipality. The study recommends that more training should be provided to the younger employees, as the study suggests that older people are in the majority within the NMMDM. Security Awareness should also be put in place for all employees, as it is the integral part of information security policy.

Table of Contents

Chapter 1: Background to the Research Topic
1. Introduction
1.2 Background of the study
1.3 Problem Statement
1.4 Definition of Terms
1.5 Research objectives
1.6 Research questions
1.7 Summary Chapter

Chapter 2: Literature Review
2.1 Introduction
2.2 Data Security Breaches
2.3 Security Awareness
2.4 Security Compliance
2.5 Security Behaviour
2.6 Organisational Culture
2.7 Security Policy
2.8 Advantages of Compliance to Security Policy
2.9 Disadvantage of Non Compliance to Security policy
2.10 Security Technology Control Measures
2.10.1 Access Control
2.10.2 Firewall
2.10.3 Log Audit
2.10.4 Security Software
2.11. Implementing Policy
2.11.1 Basic Policy Requirements
2.12 Summary Chapter

Chapter 3: Research Methodology
3.1 Introduction
3.2.1 Research Design and Methodology
3.3 Population
3.4 Total Population Technique
3.5 Data Collection and Analysis
3.5.1 Questionnaires
3.5.2 Sample Distribution
3.6 Data Analysis Method
3.7 Reliability and Validity Consideration
3.8 Ethical Requirements
3.9 Limitation
3.10 Summary Chapter

Chapter 4: Data Analysis and Interpretation
4.1 Introduction
4.2 Demographic profile
4.2.1 Gender
4.2.2 Age
4.2.3 Qualifications
4.2.4 Job Level
4.2.5 Experience
4.2.6 Race
4.2.7 Marital Status
4.3 Section B of the Questionnaire
4.3.1 Information Technology Security
4.3.2 Security Awareness
4.3.3 Security Compliance
4.3.5 Data Security Breach
4.3.6 Security Behaviour
4.3.7 Organisational Culture
4.3.8 Advantages of to security Policy
4.3.9 Disadvantages of Non-compliance to Security Policy

Chapter 5: Discussion, Recommendations and Conclusion
5.1 Introduction
5.2 Theoretical findings and discussion of results
5.2.1 Information Security Policy
5.2.2 Security Awareness
5.2.3 Security Compliance
5.2.4 Advantages of Security Policy
5.2.5 Disadvantages of Non compliance to Security Policy
5.3 Recommendations

List of Figures

Section A
Figure 4.1: Gender
Figure 4.2: Age
Figure 4.3: Qualifications
Figure 4.4: Job level
Figure 4.5: Experience
Figure 4.6: Race

List of Tables

Table 4.1: Information technology security
Table 4.2: Security awareness
Table 4.3: Security compliance
Table 4.4: Security technology control measures
Table 4.5: Data security breach
Table 4.6: Security behavior
Table 4.7: Organisational culture
Table 4.8: Advantages of to security policy
Table 4.9: Disadvantages of non-compliance to security policy

References

ANNEXURE A: LETTER OF CONSENT

Chapter 1: Background to the Research Topic

1. Introduction

This research investigates the compliance of staff of a North West Provincial Municipal District Office to the Information Security Policy within the municipality. It begins by defining strategic information systems' planning as the process of identifying a portfolio of computer-based applications that will assist an organisation in executing its business plans and realizing its business goals (Lederer and Salmela, 1996:237-252).

This study is premised on the observation that there remain some teething challenges in the implementation of information security strategies. For instance, according to Ernst and Young (2007; 2008), PricewaterhouseCoopers (2008), Fratto (2009) and TechAmerica (2009), despite increasing investment in information security and its strategic role in today's business success, effective implementation of information security strategy still remains one of the top challenges facing global organizations. It is within this context that this study then seeks to establish the compliance of staff at a South African government municipality.

It should be noted that developing the security planning would involve the employer's policies and planning, and selecting security technology. The organization should have procedures, policies and practices in place before implementing the latest software technology, such as a firewall, in order to secure laptops and secure the corporate network against malware that interrupts business and reliance on unsecured public networks. Laudon and Laudon (2007) further emphasize that observing these specifications would ultimately result in positive business solutions by improving high performance and reduction of costs as stated by.

This research would therefore focus on information security policy, software analysis, strategic planning, implementing, compliance and the use of intra and internet services as a means to minimize and manage information security threats. In its investigation on the availability of a policy to manage security on information systems, this research would proceed to discuss the problem statement, definition of terms, research objectives, research question alongside literature review on how other organizations have dealt with the information security problems.

1.2 Background of the study

Ngaka Modiri Molema District Municipality is one of the four district municipalities of the North West Province of South Africa. The other three District Municipalities are: Bojanala Platinum, Dr Ruth Mompati and Dr Kenneth Kaunda. The district is home to Mafikeng, the capital of the province. Mafikeng is a rapidly growing, modern, residential, administrative and commercial town that contrasts with its fascinating history. It is situated centrally within the North West Province. The principal towns in the region include Mafikeng-Mmabatho, Zeerust and Lichtenburg. It is comprised of the five local municipalities of Mafikeng, Ratlou, Ramotshere Moiloa, Ditsobotla and Tswaing. It shares an international border with the Republic of Botswana. Its main cities/towns are: Biesiesvlei, Coligny, Delareyville, Groot Marico, Lichtenburg, Mahikeng (Mafikeng), Mmabatho, Ottosdal, Ottoshoop, Sannieshof and Zeerust.

1.3 Problem Statement

The security of information systems in any organisation is very important, hence plans must be in place to ensure that this is done, as failure to succeed in this area might have serious negative effects on the operations of the organization. With reference to the case study of the South African government department, there are few people who know what aspects are covered by the department's information security policy. As a result, due to this widespread ignorance, the employees are not ensuring the proper protection of all the information assets and information processing systems of the company, as well as the protection of all the corresponding information processing systems used to process, store and communicate information assets. It is within this context that this study investigates the extent of compliance of staff at the concerned South African government municipality.

Furthermore, this study is informed by the King 2 Report, which observes that Information Security Governance is an integral part of Corporate Governance and consists of the management and leadership commitment of the board of top management towards good information security and the proper organization structures for enforcing good information security. According to Corporate Governance (2002), as stated by King 2, management should ensure that there are proper organization structures for enforcing good information security, and full user awareness and commitment towards good information security. The necessary policies, procedures, processes, technologies and compliance enforcement mechanisms, all working to ensure that the confidentiality, integrity and availability (CIA) of a company's electronic assets, being data, information, software, hardware and people, are maintained at all times, should be in place (Solms, 2009:165-168). Because there is also an increasing movement towards emergent organizations and an adaptation of Web-based Information Systems (WBIS), such trends raise new requirements for security policy development. One such requirement is that information security policy formulation must become federated and emergent.

This discussion now focuses attention on the definition of terms that are important for the subsequent discussions.

1.4 Definition of Terms

This section defines nine terms that are strategic for this study. The terms are:

Awareness: The extent to which a target population is conscious of an innovation and formulates a general perception of what it entails (Dinev and Hu, 2007).

Compliance: The name given to multi-faceted programs designed to ensure that an organization's culture and collective processes meet legal, regulatory and ethical requirements (Gable, 2005:1).

Compliant information security behaviour: The set of core information security activities that need to be carried out by individuals to maintain information security as defined by information security policies (Chan, Woon and Kankanhalli, 2005:22).

Culture: A phenomenon deeply embedded within the organizational environment and viewed as a deeper, less consciously held set of meanings as compared to climate (Reichers and Schneider, 1990).

Encryption: The use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without the use of a confidential process or key (HHS guidance on securing protected health information, 2009:7).

Information security: A program that allows an organization to protect a continuously interconnected environment from emerging weaknesses, vulnerabilities, attacks, threats, and incidents. The program must address tangibles and intangibles. Information assets are captured in multiple and diverse formats, and policies, processes, and procedures must be created accordingly (Myler and Broadbent, 2006:44).

Information security awareness: An organizational process aimed at "improving information security by enhancing the adoption of security policies and countermeasures, improving Information Systems users' security behavior, and altering work routine so that good security habits are applied" (Tsohou, Kokolakis, Karyda and Kiountouzis, 2008:272).

Information security governance: "The overall manner in which information security is deployed to mitigate risks" (Da Veiga and Eloff, 2007:362).

Information security policy (ISP): "A policy targeted specifically at improving an organization's information security level" (Hong, Chi, Chao and Tang, 2006:105).

1.5 Research objectives

This study has three objectives which are to:

1.5.1 Identify the advantages of having an organization effectively implementing the information security policy.

1.5.2 Investigate the effects of non-compliance by staff to the information security policy.

1.5.3 Provide recommendations on staff compliance to the government information security policy.

1.6 Research questions

Drawing from the three objectives above, this study is premised on three research questions. These are:

1.6.1 What are the advantages of having department staff complying with the Information Security Policy?

1.6.2 What are the effects of non-compliance by department staff to the Information Security Policy?

1.6.3 Which recommendations could be given to enhance staff compliance to the government Information Security Policy?

1.6.4 Structure of the dissertation

• Chapter 1 introduces the research topic, giving the background of the organisation as well as problem statement, definitions of terms and objectives of the research topic.


Chapter 2: Literature Review

2.1 Introduction

This chapter reviews the literature relevant to the present study. According to Fink (2005) in Booth, Papaioannou and Sutton (2012:1), a literature review is a 'systematic, explicit and reproducible method for identifying, synthesising the existing body of completed and recorded work produced by researchers, scholars, and producers'. Furthermore, Kumar (2005) states that a literature review is an integral part of the entire research process as it makes a valuable contribution to almost every operational step. Put in other words, a literature review is an ongoing process of obtaining information, mainly by reviewing whatever has been published that appears relevant to the research topic (Bless and Craig-Smith, 2000). Therefore, a literature review is a 'fundamentally scientific activity' aimed at the identification of the problem of a quality research (Ellis and Levy, 2008).

2.2 Data Security Breaches

A security breach is the most common mistake employees commit by being careless when handling or storing classified documents and operating equipment. Incidents involving security breaches not only decrease employee productivity, but also damage customer confidence and the organization's reputation, and therefore adversely affect the future economic performance of affected firms (Campbell, Gordon, Loeb and Zhou, 2003). Wen and Tarn (1998) discuss an example of a security breach by unauthorized use of a corporate network, which is ranked as the most common form of security breach by using social networks. The danger of attack by unauthorized access can be minimized by performing user authentication and data encryption via a firewall. Sometimes an intruder may attempt to bypass the firewall by pretending to be an authorised user. Furthermore, examples given by Berezina, Cobanoglu, Miller and Kwansa (2012) show that breaches of hotel guests' personal information can result in identity theft. Identity theft is the misuse of personal information for criminal activities by a third party in order to obtain a personal gain or to commit a crime (Spendonlife.com, 2009; Federal Trade Commission, 2010). According to the Federal Trade Commission (2010), in 2009 identity theft complaints accounted for 21 percent of all consumer complaints in the US. In the category of identity theft, credit card fraud was the most frequently reported (17 percent). Based on this, credit card information security breaches were committed as the primary focus, to better understand the potential impact of information security breaches on hotel guest behavior.

It is evident from the study by Zhang, Brian, Reithel and Li (2009) that many organizations have applied many security technologies, such as anti-virus software, firewalls, access control, intrusion detection techniques, encrypted login and biometrics techniques, to protect their critical information. A study has shown that human beings remain the weakest link in the information security environment and associated security processes. Siponen, Pahnila and Mahmood (2010) emphasize that the major threat to information security arises from careless employees who fail to comply with organizations' information security policies and procedures. They also mention that careless employee behaviour places an organization's assets and reputation in serious jeopardy in many organizations.

2.3 Security Awareness

Palmer (2001) states that the Security Awareness Policy is an organization's objective strategy for establishing a formal Security Awareness Program. This means that the policy should ensure that the policy framework elements are properly communicated and accessible at all levels, from new hires and employees to third parties such as contractors and partners, and up to the consultants. This policy also ensures that appropriate education and training are provided to all organization employees for them to be fully equipped with information security.

Security awareness is another way of sensitizing employees to the importance of the security aspects within the company. Tsohou, Kokolakis, Karyda and Kiountouzis (2008) note that Information Security (IS) awareness is mostly regarded as aiming at improving information security by enhancing the adoption of security policies, rules, regulations and counter measures, improving IS users' security behaviour, and altering work routine so that good security habits are applied. Despite the recent increased attention afforded to security incursions, Schmidt (2008) contends that there is a lack of user awareness and understanding of information security. Thus, greater computer security awareness, education, and training in the context of AMCs is needed (Wade, 2004; Aytes and Connolly, 2004; Kruck and Teer, 2008).

In addition, Pattinson, Anderson and Winkel (2007) agree strongly that instead of addressing only the technical aspects of network security issues, attention needs to be paid to both user awareness and behaviour as a central focus of an information security strategy for an organisation. For example, in a study examining encryption technologies at a university, Fritsche and Rodgers (2007) found that there is a need to increase security awareness; offer additional security training; and provide solutions for e-mail encryption and digital signatures. Additionally, as indicated by Rotvold (2008), all users should be aware not only of what their roles and responsibilities are in protecting information resources, but also of how they can protect information and respond to any potential security threat or issue. Pfleeger and Rue (2008) find that regular testing and updating of security procedures, combined with practices that increase staff awareness, were critical to maintaining security. Additionally, Pfleeger and Rue note that a lack of staff education and training within Information and Technology (IT) security divisions and throughout the organization appeared to be a major obstacle to improved security. Williams (2008) also concurs that the increasingly electronic medical environment increasingly relies on general practitioners and staff who are not information security trained, thus creating considerable exposure of the medical practice. Williams stresses that a more comprehensive and encompassing approach to security is required.

According to Lineberry (2007), two critical tools for fighting social engineering attacks are security awareness training and social engineering testing, but the effectiveness of these controls will vary based on the quality of their implementation, including follow-up and retraining. Kamal (2008) proposes a five-layer approach to prevent social engineering attacks, which includes developing an information security policy; instituting security awareness; holding special training; implementing social engineering detection tools; and then repeating the aforementioned step by step. In an empirical assessment of factors impeding effective password management use, Medlin et al. (2008) determine that social engineering password attacks (social engineering is "the use of trickery, personal relationships, and trust to obtain information"), along with poor password creation and password sharing practices, were potential reasons for department security non-compliance. Within this context, Vroom and von Solms (2002) propose an IS security awareness program as the integral part, with the following seven steps to be followed to make it more effective: (1) educating top management about the necessity of IS security awareness; (2) making use of the existing international IS security standards as a guideline for the IS security policies; (3) creating the IS security policies of the company; (4) reviewing and maintaining IS security; (5) implementing a formal program for IS security awareness; (6) addressing general security measures applicable to all users; and (7) providing guidelines on the protective measures within various departments.

Similarly, Humphreys (2008) mentions that all users should be aware of the risks related to the company's information systems. They also need to be familiar with the organization's security policies and procedures and be able to use these in their day-to-day job function. The institution should establish a comprehensive information security awareness and training. Also, regular awareness briefings, newsletters and circulars should be in place to keep employees up to date with the latest developments. The company should regularly review and update its awareness programme as and when necessary to keep abreast with technology.

2.4 Security Compliance

Security compliance has been a major concern for many organizations in that employees seldom comply with information security procedures. According to Gupta (2007), policies, especially those involving information securities, are viewed as mere guidelines or general directions to follow rather than 'hard and fast rules' that are specified as standards (Pahnila, Siponen and Mahmood, 2007). Due to the relatively discretionary nature of adherence to these policies, organizations find enforcement of security a critical challenge. Thus more recently, research in behavioral information security has started focusing attention on employee intentions to follow security policies (Chan, Woon and Kankanhalli, 2005).

On the contrary, Vroom and Solms (2004) state that General Information Security Compliance measurement and enforcement include more than what is provided by such Managed Information security services. Activities which must be managed as far as compliance is concerned include the following aspects:

• The level to which previously identified IT risks are managed and mediated.

• The level of Information Security awareness of users.

• The availability, completeness and comprehensiveness of Information Security policies, procedures and standards.

• The level of compliance to such policies, procedures and standards.

• The impact on the IT risk position of the company when policies are not complied with.

• The compliance to regulatory, legal and statutory requirements.

• Software licensing issues.

In addition, Gottshall (2007) stresses that Information Technology has a role to play in three major components to privacy and the importance of security compliance in communication. The author states that the three aspects in information security are compliance of corporate policies, assessment and implementation, and training, which should be in place. The author further suggests that IT groups should participate with all the organization's relevant divisions in setting corporate policies to protect data and in training personnel on those policies and their importance.

2.5 Security Behaviour

More attention needs to be given to the social and behavioural aspects of information security among AMCs (Hazari, 2005; Huebner and Britt, 2006; Pattinson and Anderson, 2007; Guzman et al., 2008). According to Ma et al. (2008), because information security is more of a human problem than a pure technical problem, practitioners should pay more attention to the cultural aspects of information security. The author identified numerous user acceptance models in the literature, including the Technology Acceptance Model (TAM) and TAM2 (Davis, 1989; Venkatesh and Davis, 2000). Willison (2006) further argues that organizations should focus on the actual behaviours of offenders at various stages of their misuse in order to implement controls (safeguards) that would reduce the employees' ability to misuse the IS at each stage and, in so doing, effectively influence the decision-making processes of their employees.

However, further research on the generalisability of factors associated with technology acceptance (TA) and user behavioural studies is needed (Ball and Levy, 2008), particularly in the domain of information security (Dinev and Hu, 2007; Hazari et al., 2008; Novakovic et al., 2009). According to Chan et al. (2005), many information security breaches in the workplace have been attributed to the failure of employees to comply with organizational security policies. As a result, Chan et al. (2005:18) state that attention needs to be paid to learning why non-compliant behaviour takes place so that appropriate measures for curbing the occurrence of such behaviour can be found. Logan and Noles (2008) recommend that the assessment of operations and services enabled by internal security controls should be tightened because employees are responsible for numerous security breaches.

According to Vroom and Rossouw von Solms (2003), the cultural side of an organization must be understood for one to begin to see how it can be changed to a more secure society. By changing the organization to one that is more in line with information security, the behaviour of the individual will adapt to incorporate security consciousness. The aim of behavioural aspects of security governance is to ensure that employees show conformity with the rules and policies (Solms and Solms, 2004). Bulgurcu, Cavusoglu and Benbasat (2009) agree that the employees' abuse and misuse of IS resources have been identified as the major information security issues related to insiders; however, most of the earlier empirical studies that investigated end-user behaviours assumed that employees simply choose to engage in inappropriate behaviours.

Furthermore, Spruit (1998) argues that understanding human behaviours is necessary when we deal with problems caused by human errors. The TPB has been the most widely used and the most successful theory in explaining human behaviour (Ajzen, 1985). It has been tested in different contexts, i.e. job-search behavior (van Ryn and Vinokur, 1990), sunscreen use behaviour (Hillhouse et al., 1997), and ethical decision making (Randall and Gibson, 1991). According to TPB, behavioural intention is modeled as a function of subjective norms, attitudes and perceived behavioural control (PBC). The TPB model proposes that the more favourable the attitude and the subjective norm with respect to a behaviour, and the greater the PBC, the stronger an individual's intention to perform the behaviours should be (Ajzen, 1991). In the information security context, TPB was explicitly applied to computer abuse problems (Lee and Lee, 2002), security policy compliance (Pahnila et al., 2007), and insider security contravention (Workman and Gathegi, 2007). But Lau, Au and Ho (2003) contend that the intention to comply with organisational policies (security policies, in the current study) may be influenced by some personal characteristics. For example, gender has been found to be associated with counterproductive behaviours at work such as absenteeism, and lateness, among others.


with regard to information security would be similar to conducting performance appraisals. Both analyze employee behaviour with regard to certain aspects of the business, except that performance in the workplace is more outcomes-based and so can be more easily evaluated. Yet, even in this type of appraisal, there are a number of documented problems (Szilagyi and Wallace, 1990:527).

2.6 Organisational Culture

According to Schein ( 1999). who is a leader in the study of culture. organizational culture

can be defined as the pattern of basic assumptions that a given group has invented.

discovered, or developed in learning to cope with its problems of external adaptation and

internal integration. and that have worked well enough to be considered valid. and.

therefore to be taught to new members as the correct way to perceive. think, and feel in relation to those problems.' Organizational culture includes the ideas shared by the people of the company and communicated between each other: basically a system of

learned behaviour (Szilagyi and Wallace. 1990:9) and this culture is the single most

important factor accounting for success or failure in an organization (Deal and Kennedy.

1982).

Organizations need to ensure that the interaction among people, as well as between people and information technology (IT) systems, contributes to the protection of information assets. Organizations therefore need to assess their employees' behaviour and attitudes toward the protection of information assets in order to establish whether employee behaviour is an asset or a threat to the protection of information (Da Veiga, Martins and Eloff, 2007).

The first step in the development of an information security culture is the assessment of the current state of the culture. According to Schlienger and Teufel (2003), there is no unique tool set and method for studying information security culture with regards to what

only in firewalls, passwords and awareness training but also in a culture that views and thinks correctly about information security issues. A culture of information security needs to be embedded into the organizational culture, to allow them to view and think correctly about information security problems. Schein (1999) describes culture as existing in three levels, which are artifacts, espoused values and shared tacit assumptions. This definition, however, is not specific to information security despite being widely accepted as a general organizational culture definition, hence the enhancement by Van Niekerk and Von Solms (2010).

Culture, according to social anthropology theories, is the "collective programming of the mind" to distinguish among people of different countries (Hofstede, 1991:25). Culture is also defined as the habitual method of doing things over time. Therefore, culture is the product of learning, rather than of inheritance (Hofstede, 1993). Competitive strategies, educational systems, training approaches, symbols, values, perceptions of job security (Probst and Lawler, 2006); choice of IT applications (Agrawal et al., 2003); and managerial approaches are a few manifestations of a national culture within an organization. Culture influences also include acceptable ways to process information, such as labeling, languages and symbols (Triandis, 1991). Moreover, culture defines an individual's societal role and prescribes guiding principles for reacting to security threats. Culture has influenced the formation of many security measures, such as national security policy, information ethics, security training, and privacy issues.

2.7 Security Policy

The objective of any organisational policy is to influence and determine employees' course of action (Tejaswini and Rao, 2009). On the other hand, Mishra and Dhillon (2006) differ, saying that although policies may be crystal clear and detailed, the result may not turn out to be as desired, especially with regard to information security.

A security policy consists of statements ranking information risks, identifying acceptable security goals and the mechanisms for achieving these goals (Laudon and Laudon, 2007:274). Within this context, the security policy drives policies determining acceptable use of the firm's information resources and identifying which members of the company have access to its information. Hong, Chi, Chao and Tang (2006:105) argue that an Information Security Policy consists of the rules set up for the use of information assets, and the statement set up for the security priorities to achieve organisational objectives; the guideline for the scope of information security; the principle for information management and resource use; and the principle for supporting security techniques. According to Wen and Tam (1998), the first step that an organization must take in an effort to defend itself against an attack from hackers is to ensure that it has a well-defined, documented and enforceable security policy in place.

In addition, this security policy should include published security guidelines to inform users of their responsibilities. Since availability, integrity and secrecy of data must be maintained, security policy defines network access, service access, local and remote user authentication, dial-in and dial-out, disk and data encryption, and virus protection measures, and employee training (Sanderson and Forcht, 1996).

Furthermore, Guel (2007) states that a policy is a formal, brief and high-level statement or plan that embraces an organisation's general beliefs, goals, objectives and acceptable procedures for a specified subject area. Policy attributes are that policies require compliance (mandatory); that failure to comply results in disciplinary action; that they focus on desired action and not on means of implementation; and that they are further defined by standards and guidelines. Put in other words, a policy is a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an "Acceptable Use" policy would cover the rules and regulations for appropriate use of the computing facilities.

Theriault and Heney (1998) emphasize that a security policy, when included within a security plan, helps to ensure that everyone is in sync with the company's needs and requirements. With a firm policy in place, every employee knows what is expected --what the rules are--and how the requirements are to be implemented. The limits are clearly defined and consistent guidance is provided for everyone. Statements within a security plan can help to ensure that each employee knows the boundaries and what the penalties of overstepping those boundaries will be. For example, here are clear, concise rules employees can easily understand and follow:

• Always log off the system before going to lunch.

• Never share a password with anyone else.

• Never write the password on the desk.

• Never bring software from home to put on your machine at work.

According to Doherty and Fulford (2005), the strategic information systems plan ensures that new systems and technologies are deployed in a way that will support an organization's strategic goals, whilst the information security policy provides a framework to ensure that systems are developed and operated in a secure manner. The information security policies of the organization deal with the processes and procedures that the employee should adhere to in order to protect the confidentiality, integrity and availability of information and other valuable assets (BS 7799, British Standards Institution, 1999:1). They contain the security goals of the company as set by the senior management in accordance with the vision of the organization. In essence, they are the guidelines that dictate the rules and regulations of the organization, which in turn govern the security of information and its related information systems (Halliday and von Solms, 1997:12), and the auditors use these security policies to carry out their audit.

Siponen, Pahnila and Mahmood (2007) argue that there is a key threat to information security constituted by careless employees who do not comply with information security policies. To ensure that employees comply with organizations' information security procedures, a number of information security policy compliance measures have been proposed in the past. Prior research has criticized these measures as lacking theoretically and empirically grounded principles to ensure that employees comply with information security policies.

But Rees, Bandyopadhyay and Spafford (2003) state that security policies are generally high-level, technology neutral, concern risks, set directions and procedures, and define penalties and countermeasures if the policy is transgressed, and must not be confused with implementation specific information, which would be part of the security standards, procedures and guidelines. Security policies are created by empowered organisational representatives from human resources, legal and regulatory matters, information systems, public relations, security and the various lines of business.

Palmer (2001) argues that an information security policy framework provides an organization with a concise yet high-level and comprehensive strategy to shape its tactical security solutions in relation to business objectives. Hence it clearly defines the value of information assets, represents organization wide priorities and definitively states the underlying business requirements and assumptions that drive security activities. The framework provides a baseline reference model that organizations can customize to address their specific need based on business requirements, culture, industry regulations, and other considerations. Palmer (2001) concludes that by using the framework as a reference, an organization should review and analyze its existing policy documentation to develop an Initial Policy Framework that translates its currently intertwined policies, standards, guidelines, and procedures into a comprehensive hierarchical framework. Similarly, Whitman, Townsend and Aalberts (2001) highlight that the initial step to prepare the company against these threats is the development of systems security policies which provide instruction for the development and implementation of a security posture, as well as provide guidelines for the acceptable and expected uses of the systems.

2.8 Advantages of Compliance to Security Policy

This section spells out some advantages of complying with security policy. A security policy:

• Provides instruction for the development and implementation of a security posture, as well as provides guidelines for the acceptable and expected uses of the systems.

• Provides an organization with a concise yet high-level and comprehensive strategy to shape its tactical security solutions in relation to business objectives.

• Deals with the processes and procedures that the employee should adhere to in order to protect the confidentiality, integrity and availability of information.

• Prevents vulnerabilities in technological assets such as hardware, software, and networking.

• Safeguards against and prevents intrusion, information theft, and "denial of service" (an attacker may overwhelm the system resources to the point where legitimate users desiring access will be refused service).

2.9 Disadvantage of Non Compliance to Security Policy

Highlighted here are some disadvantages of failure to comply with organization information security policy. Non compliance:

• Decreases employee productivity, damages customer confidence and the organization's reputation and promotes theft of classified information.

• Policies need to be audited to ensure that they are in line with the objectives, goals and vision of the organization.

• Carelessness and behaviour of employees who fail to comply with organizations' information security policies and procedures put the organisation at information risk.

2.10 Security Technology Control Measures

It is widely believed that organizational efforts to manage Information System security are typically focused on vulnerabilities in technological assets such as hardware, software and networking, at the expense of managing other sources of vulnerabilities, such as people, policies, processes, and culture (Halliday, Badenhorst and von Solms, 1996).

A computer system's security can be compromised in many ways. For example, a denial-of-service attack can make a server inoperable, a worm can destroy a user's private data, or an eavesdropper can reap financial rewards by inserting himself in the communication link between a customer and her bank through a man-in-the-middle (MITM) attack (Falcarin, Collberg, Atallah and Jakubowski, 2011). As security is always a major concern in most networked computer systems, embedded systems should provide security features to defend against attack and protect confidential and sensitive data. Many Trojan Horses and viruses use the security holes of exception to trigger attacks, such as buffer overflow attacks (Yau, Tan Fong and Mok, 2008).

2.10.1 Access Control

Access control consists of all policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders. To gain access a user must be authorized and authenticated by the system (Laudon and Laudon, 2007). Authentication technologies such as tokens, smart cards and biometric authentication can be used to overcome some of these problems. Following the events of September 11th, the Canadian Transport minister announced the Restricted Area Identification Card (RAIC) program, requiring airport workers to have identity cards containing biometric information, replacing the prior Restricted Area Pass (RAP) System that was designed and managed on an individual airport basis (http://www.catasa.acsta.gc.ca: Canadian Implementation of Interoperable Biometric Access Control Public and Safety Conference Arlington, VA October 20-21, 2008).

Also, Humphreys (2007) mentions that strategic access to information should be given to staff based upon the person's job role and what information they need to know and access to perform their duties. For example, those dealing with accounting and payroll should have access to information relating to their work in this capacity that most other employees should not have access to. There could be many different types of information an organisation has that are either sensitive or critical. This type of information must be accessed on a need-to-know or need-to-have-access basis. Examples of this type of information include financial, personnel, company secrets, research results, development plans and customer information. All access requests and rights should be formally documented and approved by whoever has the authority to grant such access rights. There are several objects of access: information, applications, operating systems, network services and physical assets including buildings, offices and equipment. Consideration should be taken regarding IT roles such as developers, system and application administrators, etc. For example, this means that access to sensitive systems requires approval.

Organisations can configure building access cards to restrict personnel to the areas and time periods required in performance of their duties. Each quarter, managers should be asked to formally sign off on the privileges of their direct reports. This also means that employees who move to new positions in an organization should have their access rights reviewed to ensure they do not retain privileges and rights beyond what they need to carry out their new job function.
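The review described above (need-to-know by job role, documented approval, quarterly sign-off, and re-checking rights after a change of position) can be run as a routine check over an entitlement list. The following Python sketch is an added example, not part of the dissertation; the role baseline, user names, resources and the 92-day quarter are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Hypothetical need-to-know baseline: which resources each job role requires.
ROLE_BASELINE = {
    "payroll_clerk": {"payroll_db", "hr_records"},
    "accountant": {"general_ledger", "payroll_db"},
    "developer": {"source_repo", "test_env"},
}

REVIEW_INTERVAL = timedelta(days=92)  # assumed length of one quarter


@dataclass
class Grant:
    user: str
    role: str                       # the user's CURRENT job role
    resource: str
    approved_by: Optional[str]      # None means no documented approval
    last_signoff: Optional[date]    # last manager sign-off, if any


def review_grants(grants: List[Grant], today: date) -> List[Tuple[str, str, str]]:
    """Return (user, resource, finding) for every grant that fails a check."""
    findings = []
    for g in grants:
        # 1. Need-to-know: the resource must belong to the current role.
        #    This is what catches rights retained after a move to a new post.
        if g.resource not in ROLE_BASELINE.get(g.role, set()):
            findings.append((g.user, g.resource, "beyond-role"))
        # 2. Every right must carry a documented approval.
        if not g.approved_by:
            findings.append((g.user, g.resource, "no-approval"))
        # 3. The manager sign-off must be at most one quarter old.
        if g.last_signoff is None or today - g.last_signoff > REVIEW_INTERVAL:
            findings.append((g.user, g.resource, "signoff-overdue"))
    return findings


# Constructed sample data. "thabo" moved from payroll to development
# but still holds the payroll database grant from the old post.
REVIEW_DATE = date(2014, 5, 1)
SAMPLE_GRANTS = [
    Grant("thabo", "developer", "payroll_db", "hr_manager", date(2014, 4, 1)),
    Grant("thabo", "developer", "source_repo", "it_manager", date(2014, 4, 1)),
    Grant("lerato", "accountant", "general_ledger", None, date(2014, 3, 15)),
    Grant("sipho", "payroll_clerk", "payroll_db", "finance_manager", date(2013, 12, 1)),
]

if __name__ == "__main__":
    for user, resource, finding in review_grants(SAMPLE_GRANTS, REVIEW_DATE):
        print(f"{user:8} {resource:16} {finding}")
```
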

Back-ups, especially those that are not managed properly, are critical points of weakness for the insider to exploit. Disgruntled or unhappy employees have been known to blackmail their employer by corrupting critical data and waiting for the change to spread through off-site backup rotation. Back-ups, if not properly protected by effective management controls and procedures as well as technical controls, are a good target for insiders that want to carry out a sabotage attack.

One additional precaution is to take back-ups of work stations to provide a record of employee activity, in particular of an employee who might be suspected of being an insider threat. Another best practice is to encrypt backup tapes and use e-vaulting of data to keep sensitive information confidential while off-site to help in minimising the insider threat. In considering this option the organisation needs to check whether there is any applicable legislation dealing with this situation (www.gideonrasmussen.com/ article-html).

2.10.2 Firewall

According to Laudon and Laudon (2007), the firewall prevents users from accessing a private network and is made of software and hardware that controls the flow of incoming and outgoing network traffic, in addition to introducing intrusion detection systems, antivirus and antispyware software, and Unified Threat Management Systems. Faronics Anti Virus has been developed from the ground up and combines anti-virus, anti-rootkit and now a firewall to provide a coordinated, preemptive response to advanced malware (Computer Security Update, 2011). Powers of Lancope (2011) argues that with the traditional corporate perimeter rapidly dissolving, organizations need to look to technologies such as encryption, next-generation firewalls, network monitoring, network zoning and providing secure wireless access, as well as user education.

According to Bagchi and Udo (2003), firewalls placed between the company network and the Internet provide ongoing protection by denying suspicious traffic. Another system, called the intrusion detection system (IDS), is needed to inform companies when they are under attack. The IDS examines all packets and prepares a log file. Desai, Richards and von der Embse (2002) concur that a firewall provides an important tool for protecting a corporate network from Internet intrusions. A network firewall is a hardware/software barrier between a corporate network and the Internet (Kokka, 1998). A firewall is also an intelligent device that controls traffic between two or more networks for security purposes. Basically, a firewall, working closely with a router program, filters all network packets to determine whether to forward them to their destination. A firewall is a set of related programs, located at a network gateway server, that protects the resources of a private network from users from other networks. It is the first line of defense for many firms, yet many small businesses shun firewalls because of their cost (McCollum, 1997).

Mobile devices such as laptops, phones, USB sticks, MP3 players and other technologies used to store large amounts of sensitive information make it easier for the staff to remove this information off-site for their own use. This is a sure route for information theft and for an insider to collaborate with an external user and engage in a combined attack against the organisation. The insider might sell the information on to another company, hoping to avoid being tracked down by using the Internet to pass the information on. The insider might possibly have his own business, which he is building up, and intend to use the organisation's information for his own business needs. Again, ISO/IEC provides various recommendations that can help to minimise the risks of using mobile devices both inside and outside the organization (Humphreys, 2008).

2.10.3 Log Audit

Log audit is meant to strengthen information security as a monitoring/logging mechanism to ensure compliance with regulations and to detect abnormalities, security breaches and private violations; however, auditing too many events causes overwhelming use of system resources and impacts performance (Al-Fedaghi and Mahdi, 2010). But Jagdish and Robinson (2010) view auditing as a specialized service conducted in the context of e-business technologies, business process and people involved.

IT auditing has developed as a result of information technology increasingly being utilized in all aspects of business and the need to address the risks associated with information processing through technology. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines the objective of IT auditing as using appropriate technological tools and expertise to evaluate the adequacy and effectiveness of control systems addressed to the risks emanating from an organization's application of technology in support of its business objectives (Paliotta, 1999).

In essence, the role of the IT auditor has evolved from the traditional auditor in that it now focuses on information technology and the technical infrastructure of the organization. For example, software is used to track events on the network, such as modifying directory entries, directory creation and detection, among others. Any violations that occur are then logged and the IT auditor can then review these audit logs using special filters, which produce reports showing specific activities (Sheldon, 2001).

In order to carry out their activities, such as the one above, the auditors make use of the security policies as a baseline from which to operate (Fraser, 1997:8). The security policy of the organization is a formal statement containing the security rules of the company and concerns all people who have access to the technology and information assets (Fraser, 1997:8). Then, Information Security auditing involves "providing independent evaluations of an organization's policies, procedures, standards, measures and practices for safeguarding electronic information from loss, damage, unintended disclosure, or denial of availability" (Langelier and Ingram, 2001:8). These audits are performed when the specific audit objective is to evaluate the security of information or the audit objectives are broader, but evaluating security is a necessary part of the audit plan. This form of auditing has become an important aspect in auditing the organization today. It is useless to audit a company's financial accounts without first evaluating and verifying that the security involved in protecting this information is appropriate and adequate (Langelier and Ingram, 2001:6).

Vroom and Solms (2004) state that the forms of auditing that have been examined only deal with the technological, strategic or operational side of the organization. IT auditing addresses the technological side and the infrastructure of the business and IS security auditing contends with the actual security issues with regard to information and the other

They further continue that each of these forms of auditing deals only with the technical aspects of the organization. The finances, technology, security and infrastructure of the business are all dealt with, but one aspect is not addressed, that of the human factor. Whether paper-based or computerized transactions occur, this auditing is technical in nature and it tends to ignore the human side of operations. The behaviour of the employee is not taken into consideration, only the results of the behaviour. For example, if an unauthorized employee attempts to access information, the audit logs will record this. Unfortunately, it may go undetected until the auditor reviews the documentation. The results of the employee's behaviour and actions have been detected and audited, but not the behaviour itself. This demonstrates that auditing verifies only the consequences of the behaviour, not the actual behaviour.
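The point that a denied access attempt is recorded but stays unnoticed until the log is reviewed can be made concrete with a small audit-log filter. The Python sketch below is an added example, not part of the dissertation; the log line format, user names, paths and escalation threshold are constructed assumptions. It reports denied attempts per user and how many days each user's first denied attempt sat undetected before the review.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical audit log format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"object=(?P<object>\S+) result=(?P<result>ALLOWED|DENIED)$"
)

# Constructed sample log, including one malformed line.
SAMPLE_LOG = """\
2014-03-03T08:12:45 user=lerato action=read object=/finance/payroll.xls result=ALLOWED
2014-03-03T09:01:10 user=thabo action=read object=/finance/payroll.xls result=DENIED
2014-03-04T17:45:02 user=thabo action=modify object=/hr/contracts result=DENIED
this line is malformed and must not stop the review
2014-03-10T11:30:00 user=sipho action=delete object=/it/dirs/archive result=DENIED
2014-03-11T07:59:59 user=thabo action=read object=/finance/payroll.xls result=DENIED
"""
REVIEW_TIME = datetime(2014, 3, 31, 9, 0, 0)  # when the auditor reads the log


def parse_line(line):
    """Return a dict for a well-formed line, or None if it cannot be parsed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return rec


def denied_report(log_text, review_time, threshold=2):
    """Filter DENIED events and summarise them per user.

    Returns (report, skipped): report is a list of per-user dicts sorted by
    user name; skipped counts lines that could not be parsed, so that gaps
    in the evidence are visible to the auditor instead of silently dropped.
    """
    per_user = defaultdict(list)
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        elif rec["result"] == "DENIED":
            per_user[rec["user"]].append(rec)

    report = []
    for user, events in sorted(per_user.items()):
        first = min(e["ts"] for e in events)
        report.append({
            "user": user,
            "denied": len(events),
            "objects": sorted({e["object"] for e in events}),
            # Whole days between the first denied attempt and the review.
            "days_undetected": (review_time - first).days,
            "escalate": len(events) >= threshold,
        })
    return report, skipped


if __name__ == "__main__":
    rows, bad = denied_report(SAMPLE_LOG, REVIEW_TIME)
    for row in rows:
        print(row)
    print("unparsed lines:", bad)
```
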

2.10.4 Security Software

Software protection is increasingly becoming an important requirement for industrial software development, especially building systems for government, national infrastructure and medical informatics, as mentioned by Falcarin, Collberg, Atallah and Jakubowski (2011). Jha, Kapur, Sal i and Kumar (2010) strongly believe that most industries are highly dependent on computers for basic day to day functioning. Safe and reliable software is an essential requirement for many systems across different countries. The number of functions to be included in a software system is decided during the software development.

Security software is software which is used to protect computers against malicious types of viruses. To define them more accurately, there are four types of security software:

• Antivirus software: used to prevent, detect, or remove computer malware such as viruses, worms, and trojan horses.

• Cryptographic software: This is software whose main role is to encrypt and decrypt data.

• Firewall: is designed to block unauthorized access while permitting authorized communications.

• Spyware remover: removes spyware, a type of malware that is installed on computers and collects little bits of information at a time about users without their knowledge.

Types of Security Software and Their Main Uses

There are several types of security software available in the market. They all do different jobs, yet serve the same purpose. Explained below are some of the main types of security software with their uses.

Antivirus

Antivirus software is an application that guards computers against virus attacks. It is very common for computers to get infected as viruses are almost everywhere, in e-mails and often on websites as well. A computer may get infected just with a click on a phishing link if antivirus is not installed and activated.

Antivirus software blocks such files from entering the computer by either removing the virus or blocking access to such files. For example, if a file you are trying to open has a virus, the antivirus will scan it and warn you about the consequences or quarantine the file, if possible. In order to get the best results, it is recommended that one uses a complete version of an antivirus and keeps it activated at all hours. Additionally, it is also important to have it updated so that it provides the best possible protection.

2.11 Implementing Policy

According to Stair, Reynolds and Chesney (2008:478), the policies often focus on the implementation of source data automation and the use of data editing to ensure data accuracy and completeness and the assignment of responsibility for data accuracy within

procedures have to ensure that users throughout an organization are following established procedures: the next is to monitor routine practices, take corrective action if necessary and hence review policies, procedures and rules. Some useful policies to minimize waste and mistakes include the following:

• Changes to critical tables, HTML and URLs should be tightly controlled, with all changes authorized by responsible owners and documented.

• A user manual should be available that covers operating procedures and documents the management and control of the application.

• Each report should indicate its general content in its title and specify the time period it covers.

• The system should have controls to prevent invalid and unreasonable data entry.

• Controls should exist to ensure that data input, HTML and URLs are valid, applicable, and posted in the right time frame.

• Users should implement proper procedures to ensure correct data input.

• Security awareness programme.

User awareness is essential to good business practice. All users should be aware of the risks related to the organisation's information systems. They also need to be familiar with the organisation's security policies and procedures and be able to use these in their day-to-day job function. The organisation should establish comprehensive information security awareness and training. Regular awareness briefings, newsletters and circulars should also be in place to keep employees up to date with the latest developments. The organisation should review and update its awareness programme as and when necessary. Also, Siponen and Vance (2010) believe that formal sanctions serve an important role in the implementation and enforcement of IS security policies for any organisation to survive.

2.11.1 Basic Policy Requirements

• Be implementable and enforceable.

• Be concise and easy to understand.

• Balance protection with productivity.

Policies should:

• State reasons why policy is needed.

• Describe what is covered by the policies.

• Define contacts and responsibilities.

• Discuss how violations will be handled.

2.12 Summary Chapter

The literature studied indicates that there is a lot of non-compliance with security policy by employees and that it is placing the organisation's information security at risk. That would lead to the compromise of the availability, integrity and privacy of the classified information. The main objective of security policy is to provide management and the rest of the employees with support and direction on information security, and management should demonstrate their commitment to information security through the issue of corporate security policy (Nordquist, 2002).

There is a need for the department to review its information security policy continuously and awareness workshops be conducted regularly to sensitize the staff about the importance of the security information. The following Research Methodology chapter would be used to test ideas and theories about social life collected from the department. The following chapter deals with Research Methodology.

Chapter 3: Research Methodology

3.1 Introduction

This chapter deals with the research methodology of the study, including the research design and methodology, population, sampling technique, data collection, data analysis, reliability and validity consideration and ethical requirement. The chapter also reflects an outline of the methodology used in the study and explains the rationale behind the methodology employed and how the research was conducted. Research methodology of collecting data necessitates a reflection on the planning, structuring and execution of the research in order to discover the truth regarding a specific problem (Brynard and Hanekom, 1997:28).

3.2 Research Method

3.2.1 Research Design and Methodology

The quantitative method was used for the study. This study used a quantitative exploratory descriptive design to identify, analyse and describe factors contributing to an assessment of staff compliance to the information security policy in government departments. The research is a blueprint or outline for conducting the study in such a way that maximum control will be exercised over factors that could interfere with the validity of the research results (Polit and Hungler, 1999:155). Struwig and Stead (2004) have a different way of defining the quantitative method. They define it as a form of conclusive research involving big representative samples and a fairly structured data collection procedure.

3.3 Population

The research population for this study was the Ngaka Modiri Molema District Municipality employees in Mahikeng, North West Province. The population consists of 80 (Eighty) employees.

3.4 Total Population Technique

There are several sampling techniques that can be used for the study, including the following: purposive sampling, stratified sampling, cluster sampling, systematic sampling, quota sampling and convenience sampling. Total population sampling is a type of purposive sampling technique where you choose to examine the entire population (the total 80 NMMDM employees) that has a particular set of characteristics (e.g., specific experience, knowledge, skills, exposure to an event, etc.). In such cases, the entire population is often chosen because the size of the population that has the particular set of characteristics that you are interested in is very small (http://dissertation.laerd.com/purposive-sampling.php).

3.5 Data Collection and Analysis

The purpose of data collection was to seek additional information about the problems or needs identified in the systems investigation report. Data collected might require a number of tools and techniques such as interview, direct observation and questionnaires, as indicated by Stair et al. (2008). The quantitative method was applied regarding the research topic.

The data collection procedures were followed and questionnaires were distributed. Municipal staff members who qualified as respondents were asked to complete the questionnaire. The odd number Likert Scale type and box type questions were used to collect data.

3.5.1 Questionnaires

As the research study deals with a quantitative approach, the researcher employed the most effective and efficient instrument, which is a questionnaire. The questionnaire consists of close-ended questions for simplicity of interpretation of findings and for the respondents. Eighty (80) questionnaires were distributed in order to interrogate the literature covered. According to Popper (2004), there are advantages and disadvantages of questionnaires. The following are advantages of questionnaires:

• Questionnaires are practical.

• Large amounts of information can be collected from a large number of people in a short period of time and in a relatively cost effective way.

• It can be carried out by the researcher or by any number of people with limited effect on its validity and reliability.

• The results of the questionnaires can usually be quickly and easily quantified by either a researcher or through the use of a software package.

• It can be analysed more 'scientifically' and objectively than other forms of research.

The following are disadvantages of questionnaires:

• It is argued to be inadequate to understand some forms of information, i.e. changes of emotions, behaviour, feelings etc.

• Phenomenologists state that quantitative research is simply an artificial creation by the researcher, as it is asking only a limited amount of information without explanation.

• It lacks validity.

• There is no way to tell how truthful a respondent is being.

• There is no way of telling how much thought a respondent has put in.


• The respondent may be forgetful or not thinking within the full context of the situation.

• People may read differently into each question and therefore reply based on their own interpretation of the question, i.e. what is 'good' to someone may be 'poor' to someone else; therefore there is a level of subjectivity that is not acknowledged.

3.5.2 Sample Distribution

The sample distribution was based on the compliance of Information Security Policy; Human Resource Management, Information Technology, Finance, Infrastructure Development and Maintenance.

3.6 Data Analysis Method

The purpose of data collection is to seek additional information about the problems or needs identified in the systems investigation report, and data collected might require a number of tools and techniques, such as interview, direct observation and questionnaires as indicated by Stair et al. (2008). The quantitative method was applied regarding the research topic. Data was analysed using a statistical method, meaning that statistical software packages such as SPSS and Excel could be employed. The packages are able to produce survey analysis through such techniques as frequencies and descriptive statistics.

3.7 Reliability and Validity Consideration

For the researcher to establish the validity and reliability of the research instrument, it is necessary to clarify these concepts and to relate them to this research.

According to Jaeger (1990:378), reliability is considered an instrument measure concept that represents the consistency with which an instrument measures a given performance or behaviour. The questions are structured in a way to ensure that all are fully and clearly written, that each question has a consistent meaning to all respondents and that each question is constructed to ask one question.

3.8 Ethical Requirements

The research ensured as well as the anonymity and confidentiality of all participants. Respondents did not divulge their particulars or write them on the questionnaires, in order to keep a high level of confidentiality.

The Municipal Management granted permission for the distribution of questionnaires to relevant structures. The information obtained will be used for academic research only and for no other purpose.

3.9 Limitation

The research was limited to Ngaka Modiri Molema District (NMMDM) Office in the North West Province and findings may not necessarily be the same for the whole country.

3.10 Summary Chapter

The nature of the problem determines the type of instrument to be used in the collection of data, and the reasons for choosing the questionnaire as a tool for data collection in this study were given. The next chapter focuses on the data analysis and interpretation.
