
Information Security Culture in the Banking Sector in Ethiopia

Conference Paper · June 2012

ISC in the Banking Sector in Ethiopia ICT 2012

Information Security Culture in the Banking Sector in Ethiopia

Abiy Woretaw
Information Network Security Agency, Ethiopia
e-mail: abiyworetaw@yahoo.com

Lemma Lessa
Addis Ababa University, Ethiopia
e-mail: lemma.lessa@gmail.com

Abstract

Information security has become one of the most vital and demanding issues facing today's financial institutions such as banks. With the widespread use of technology and ever-increasing connectedness to the global environment, financial institutions are exposed to more numerous and wide-ranging threats. Financial institutions in Ethiopia are no exception to such security risks. Technical controls can provide substantial protection against many of these threats, but they alone do not provide a comprehensive solution. The extant literature indicates that many losses are caused not by a lack of technology or by faulty technology, but rather by the users of technology and faulty human behavior. The information security literature also holds that research on information security culture is still at an early stage. Hence, this research aims to assess the practiced information security culture and to identify key problems in order to expose the gaps that need management and policy intervention, so that an effective information security culture can be established. A survey research method is employed that mainly uses quantitative data, based on primary data collected from the headquarters of 11 banks in Addis Ababa. In addition to disclosing the information security gaps that need policy and management intervention, this research can serve as a springboard for related research in the financial as well as other sectors in the country. The main findings of this paper underline the need for effective information security awareness, a trust environment and communication to promote sustainable change in information security culture, which in turn enables proper information security governance and implementation that complies with local and international standards.

Keywords: Information security, information security culture, security behavior, security threats, security risks


Introduction

The Ethiopian banking sector is one of the most rapidly growing sectors of the country's economy. Many private banks have been established in the past few years, and the distribution and diversity of services is widening. Provision of e-banking services is considered a competitive advantage, and this business competition has stirred the advancement of services enabled by information technology. Though this technological advancement has facilitated business processes, much attention should be drawn to thwarting the illegal financial gain efforts of cyber criminals. The security of banking information systems and critical financial data should be ensured. The banking sector is especially sensitive to the issue of security because money is at stake, which makes it a lucrative target for malicious attackers seeking financial gain.

Although the technical aspect of information security needs due attention, a more serious and under-rated aspect of information security is the human element. The evolving trend in information security calls for incorporating the human element in ensuring the information security of an organization. Promoting a sustainable information security culture is an effective way for organizations to address this aspect of information security. As the banking sector in Ethiopia is undergoing fast progress in migrating business processes towards new IT-based services, the notion of establishing and maintaining a sustainable information security culture is more appropriate now than ever.

This study aims to assess the existing information security beliefs, practices and problems in order to identify gaps and pave the way for policy and management intervention, by recommending measures that practitioners can implement to enhance the information security culture in the banking sector in Ethiopia. As financial institutions are more sensitive to security issues, priority is given to assessing the level of information security culture of the banking sector in the country.

The paper is organized into four parts. In the literature review, we examine the extant literature on information security in general and information security culture in particular, to identify the enabling factors and evaluation dimensions of information security culture and to synthesize the outcomes of related studies. The research design and data collection method employed are then briefly described in the methodology section. The data analysis and discussion section deals with the main findings of the study. Finally, the paper indicates possible areas of improvement and recommends measures to promote information security culture in the banking sector in Ethiopia. The significance and limitations of the research are also pointed out to pave the way for further research in the area.


Literature Review

Information security culture

Martins and Eloff (2006) define information security culture as the assumption about acceptable
information security behavior and it can be regarded as a set of information security
characteristics such as confidentiality, integrity and availability of information. Most of the
recent researches approach information security culture from theories and models of
organizational culture. Schlienger and Teufel (2003) perceive organizational culture as a
collective phenomenon that grows and changes over time. An organizational culture can have
different subcultures based on sub-organizations or functions. Information Security Culture is a
subculture in regard to general corporate functions (Schlienger & Teufel, 2003). In line with this,
Kuusisto and Ilvonen (2003) emphasize that Information security culture is developed over time
by changing the behavior in an organization to the desired direction. This takes place both by
formalizing the framework of information security as well as by influencing the mental models,
attitude, motivation and explicit and especially tacit knowledge of personnel.

According to Mitnick et al. (2002), technological methods of protecting information may be effective in their respective ways; however, many losses are caused not by a lack of technology or by faulty technology, but rather by the users of technology and faulty human behavior. Hence, people must be an integral part of any organization's information security defense system (Mitnick et al., 2002). In support of this argument, Martins and Eloff (2006) underline that the behavior of employees and their interaction with computer systems have a significant impact on the security of information.

Users can be either a security asset or an exploitable security weak link for an organization. Hence it is critical that all people who interact with the information system exercise an acceptable information security culture. It is therefore fundamental to understand and manage the psychology of users so that their beliefs, perceptions and attitudes towards security are safe and secure. Research in the area has affirmed that the establishment of an organizational information security culture is necessary for effective information security (Eloff & Von Solms, 2000; Von Solms, 2000). The importance of establishing an information security culture in an organization has become a well-established idea. The aim of such a culture is to address the various human factors that can affect an organization's overall information security efforts (Van Niekerk & Von Solms, 2005). Zakaria and Gani (2003) found that an information security culture can lead an employee to act as a "human firewall" in order to safeguard organizational information assets.


Information security culture deals with the psychology and behavior of employees in their interaction with the information system. Alnatheer & Nelson (2009) indicate that security cultures assist the enforcement of information security policies and practices in the organization. As a result, an organization's goal is to be able to achieve an effective information security culture.

In order to develop a successful information security culture within an organization, it is essential to understand the existing information security beliefs, practices and gaps. An organization has to measure and evaluate its information security culture level. Martins and Eloff (2006) substantiate this notion, underlining that a certain level of information security culture is already present in every organization using information technology, but that this culture could be a threat if it is not at an acceptable level. The aim in assessing that culture is to advance it to an adequate level. This could then aid in minimizing internal and external threats to information in the organization.

Information security risks and threats in the banking sector

Ula et al. (2011) argue that information systems have become the heart of modern banking in our world today and that information has become the most valuable asset to protect from insiders, outsiders and competitors. Information security encompasses technology, processes and people (Von Solms, 2000; Tessem and Skaraas, 2005). In order to achieve comprehensive information security, all three aspects should be considered holistically. Ula et al. (2011) further convey that espionage through the use of networks to gain competitive intelligence and to extort organizations is becoming more prevalent. Any mishandling of a confidential information asset can cause huge financial loss, and the reputation of the bank will be severely damaged. Ula et al. (2011) emphasize that in today's technological and social environment, security is a very important part of banking and financial institution systems.

Nelson (2005) argues that banks must adopt technologies to survive. Banks don't have a choice; customers will demand the latest technologies of Internet banking, bill pay, ATMs, smart cards, voice response systems, cell phone banking, and unknown future systems. Banks adopt the latest technologies to provide their customers with competitive services. As they adopt new technology-based services they must also adopt new protective technologies, or they will increase their risk of hacking (Nelson, 2005). Technology not only determines what services and products a bank offers; the adoption of competitive technologies also determines the nature of banking risks. Technology determines the risks and dictates that more technologies will be used to mitigate and control the risk (Nelson, 2005).


Nelson (2005) explains that the current trend in financial institutions is to reduce risk by decreasing the range of system and user applications that are available at the desktop. In an attempt to reduce technology-based risk, banks are removing access to powerful technologies. Here we see that although technology is increasing in power, the controls are designed to manage and limit human involvement with the technologies. This demonstrates a basic truth: technology is not a threat; humans using technologies are the threat. Nelson (2005) further recommends putting policies, procedures, and practices in place to manage the unmanageable.

Approaches to organizational information security

According to Lim et al. (2009), the roles of senior management, the delineation of responsibilities, the enforcement processes, the awareness program and training, and the allocation of budget in relation to security practices are ways of promoting information security culture to protect organizational information. The information security culture assessment approach consists of an audit process in which the perceptions, attitudes, opinions and actions of employees regarding information security are determined. By analyzing this information, an organization can assess how employees perceive information security activities and which aspects of information security culture need attention (Martins and Eloff, 2006).

Requirements for effective information security culture

The first step in establishing an information security culture is to recognize the importance of
information security to the core business of an organization. This should be championed by the
top management and consensus should be reached among all employees of an organization. Top
management support should be fostered in planning, adopting and implementing information
security initiatives.

However, a security culture will develop and succeed only if there is involvement from all levels of employees (Zakaria et al., 2007). Internal endorsement should be given priority, and the overall direction should be communicated to employees on a need-to-know basis so that they are intrinsically motivated to support the effort. Therefore, enforcement of security should be combined with the empowerment of employees to be responsible for security. Delegation of tasks and trust promote employees' ownership of the program. Motivational factors like a reward system, and accountability consequences such as penalties for non-adherence, further ensure the enhancement of information security culture in an organization.


Factors that influence information security culture and practices

Alnatheer & Nelson (2009) classified the factors that influence security culture and practices into four themes: corporate citizenship, which is achieved through information security awareness and training programs; the legal and regulatory environment, which deals with information security management standardization, best practices and information security policy; corporate governance, including top management support for information security management, information security compliance and information security risk analysis; and cultural factors such as national and organizational culture.

Our literature review revealed that information security culture is an emerging topic in information security that has yet to be fully studied. Ultimately, people interact directly with information systems and have access to information. Accordingly, this paper focuses on the human aspect of information security. Any effort limited to technological and process security measures will be futile if the user aspect of security is not effectively managed. To address this socio-cultural aspect of information security, information security culture is recognized as a discipline of information security.

Methodology

A survey research method is employed in order to assess the information security culture in the banking sector in Ethiopia. Primary data were collected from the headquarters of 11 different banks in Addis Ababa. Our study is based on a widely accepted information security culture model originally developed by Martins (2008). A questionnaire to assess information security culture, also developed by Martins (2008), is adopted. This assessment instrument was validated and improved by performing a factor and reliability analysis on the data from an information security culture assessment in a financial organization (Da Veiga et al., 2007). Factors in the establishment and maintenance of a proper information security culture are assessed. Then the information security culture in the banking sector in Ethiopia is evaluated through an auditing process. This research approach is believed to effectively assess the information security culture and practice of employees in the banking sector in Ethiopia.

The questionnaire has 41 statements designed to assess the knowledge, information security
governance, communication, change management, performance management and trust level. A
five point Likert scale, which is advisable to assess behavioral patterns, is provided to answer the
information security culture statements. Minor changes were made to contextualize the
questionnaire to the target research participants.


Initially, 15 different banks in Addis Ababa were approached to participate in this research. Four of them declined the offer; fortunately, 11 banks cooperated in the research. Only four of these banks are governmental: the National Bank of Ethiopia (NBE), Commercial Bank of Ethiopia (CBE), Development Bank of Ethiopia (DBE) and Construction and Business Bank (CBB). The seven private banks considered are Awash International Bank (AIB), Dashen Bank, Wegagen Bank, Bank of Abyssinia, Lion International Bank (LIB), Zemen Bank and Oromia International Bank (OIB). It took five weeks to distribute and collect all the questionnaires. The challenges arose from the geographic distribution of the banks and the bureaucratic procedures that had to be followed to accommodate academic research questionnaires.

A non-probability convenience snowball sampling technique is used to collect data from all the banks. The general objective is communicated to contact persons in all 11 banks, and they steward the data collection. This sampling technique capitalizes on insider experience and so facilitates the data collection process. Bank employees in the IT or Information Systems (IS) departments are the main participants in the survey because these employees directly access the banks' information systems. Moreover, IT departments work as a bridge between the managerial and operational staff.

In total, 120 questionnaires were distributed and 102 were returned (i.e. a return rate of 0.85). Two questionnaires were rejected due to significant incompleteness. Finally, 100 questionnaires were encoded into the Statistical Package for the Social Sciences (SPSS) software for data analysis. A larger sample size would have been preferred for the research. Due to the busy working environment of the banking sector, it was not easy to convince banks to complete more than a few questionnaires. However, maximum effort was exerted to get the completed questionnaires returned. For instance, uniform peel-and-seal envelopes were provided to participants to ensure the anonymity of the survey. Such efforts probably contributed to a decent return rate and to the consistency of the data collected, and thus to data quality.

We used the chi-square test and crosstab features of SPSS to identify associations between the different variables and the defined information security dimensions. Where associations are observed, binary logistic regression is computed and the data are interpreted from the perspective of the information security culture conceptual model.


Data Analysis and Discussion

In order to analyze the collected data effectively against the theoretical model, the 41 information security culture statements are categorized into six main dimensions. Knowledge and/or perception dimension statements assess the knowledge, attitude and perception of the employee towards information security. Information security governance and/or management dimension statements assess the bank's information security management policy, plan, procedures and implementation level; this dimension also covers top management's information security perception and commitment. Communication dimension statements assess training and the dissemination of information regarding information security policies and procedures. Performance management dimension statements assess the compliance of the banks' information security measures with international standards and the adherence of employees to the existing information security policy. Change management dimension statements assess the readiness of employees to embrace cultural change and the recognition and management of information security changes in the bank. Trust dimension statements assess the trust relationship between employees and their managers at different levels.

These dimension scores are computed by transforming the related variables using summation (strongly disagree to strongly agree encoded as the numeric values 1 to 5). The continuous scores were then dichotomized: respondents who scored at the 3rd quartile or above (≥ 75%) were categorized as satisfactory, while scores below the 3rd quartile (< 75%) were considered unsatisfactory in relation to the variable of interest.

Statistical analysis and findings of the survey

The information security culture data were collected from 4 governmental (37%) and 7 private (63%) banks. Of the respondents, 12 (13.6%) are department managers, 58 (65.9%) are IT professionals and 18 (20.5%) are operational staff; the remaining 12 respondents did not complete this variable. Considering these 100 research participants, only 31 (31%) of the respondents are found to have adequate information security awareness; the remaining 69 (69%) lack the required level of security awareness. Proper performance management also suffers a mediocre score of 31 (31%). Only 32 (32%) of the collected data indicate that proper information security governance is implemented in the banking sector in Ethiopia. The communication dimension shows a slightly better score of 37 (37%). The trust relationship between employees and managers in the banking sector scores 35 (35%). In line with this, the level of readiness to embrace information security changes records a slightly more promising 38 (38%). Generally, the dimensional frequency analysis shows that more strategic work is needed to promote information security culture in the banking sector in Ethiopia.


The results of the binary logistic regression are reported below as AOR (95% CI) = adjusted odds ratio (lower limit, upper limit of the 95% confidence interval). Effective communication is observed to make the development of information security awareness in the banks more likely [AOR (95% CI) = 4.486 (1.823, 11.040)]. This signifies the potential of strategic investment in information security training and communication for creating security-conscious employees in the banking sector. Effective communication is also observed to have created a positive trust environment [AOR (95% CI) = 4.594 (1.904, 11.084)]. This shows that a better trust environment could be cultivated as a result of effective communication to employees on a need-to-know basis. In turn, a positive trust relationship between employees and bank management seems to promote information security culture change [AOR (95% CI) = 3.481 (1.470, 8.245)]. This shows the importance of participation, delegation and a trust environment for the implementation of information security initiatives.

Information security awareness is also observed to promote change management [AOR (95% CI) = 5.152 (2.071, 12.812)]. Effective information security communication positively influences the readiness of employees to change their information security culture [AOR (95% CI) = 6.462 (2.629, 15.878)]. Effective performance management is likewise observed to make the establishment of proper information security governance more likely [AOR (95% CI) = 6.821 (2.660, 17.486)]. This underlines that the compliance of the banks' information security policies and procedures with international standards, and the adherence of employees to these policies, are closely linked with the existence of strong information security governance.
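As an added worked illustration (not the paper's SPSS analysis or its dataset), the following Python reproduces the scoring pipeline described in the methodology and analysis above on constructed responses: summation of Likert codes per dimension, dichotomization at the 3rd quartile, a 2x2 cross-tabulation, and an odds ratio with a 95% confidence interval reported in the paper's "(estimate (lower, upper))" notation. Assumptions: a nearest-rank quantile rule, two dimensions with three items each, and a crude odds ratio (Woolf interval) in place of the paper's adjusted odds ratio from multi-predictor logistic regression.

```python
"""Dimension scoring, third-quartile dichotomization and odds-ratio reporting.

Constructed illustration only: two of the paper's six dimensions, three
Likert items each, twelve made-up respondents. Not the paper's data or
SPSS output.
"""
import math
from typing import Dict, List, Tuple

# Five-point Likert coding used in the paper: strongly disagree .. strongly agree -> 1..5
LIKERT = {"SD": 1, "D": 2, "N": 3, "A": 4, "SA": 5}

# Constructed responses; keys are dimensions, values are the item answers.
SAMPLE: List[Dict[str, List[str]]] = [
    {"communication": ["SA", "A", "SA"],  "awareness": ["A", "SA", "A"]},   # 14 / 13
    {"communication": ["A", "A", "A"],    "awareness": ["A", "A", "N"]},    # 12 / 11
    {"communication": ["N", "D", "N"],    "awareness": ["D", "N", "D"]},    # 8 / 7
    {"communication": ["SA", "SA", "SA"], "awareness": ["SA", "SA", "A"]},  # 15 / 14
    {"communication": ["D", "D", "SD"],   "awareness": ["SD", "D", "D"]},   # 5 / 5
    {"communication": ["A", "N", "A"],    "awareness": ["N", "A", "N"]},    # 11 / 10
    {"communication": ["N", "N", "N"],    "awareness": ["A", "A", "A"]},    # 9 / 12
    {"communication": ["A", "SA", "A"],   "awareness": ["N", "N", "D"]},    # 13 / 8
    {"communication": ["D", "N", "D"],    "awareness": ["D", "D", "N"]},    # 7 / 7
    {"communication": ["SA", "A", "A"],   "awareness": ["SA", "A", "A"]},   # 13 / 13
    {"communication": ["N", "A", "N"],    "awareness": ["N", "N", "N"]},    # 10 / 9
    {"communication": ["D", "SD", "D"],   "awareness": ["N", "D", "D"]},    # 5 / 7
]


def dimension_scores(sample: List[Dict[str, List[str]]], dimension: str) -> List[int]:
    """Summation transform: a respondent's dimension score is the sum of item codes."""
    return [sum(LIKERT[a] for a in r[dimension]) for r in sample]


def third_quartile(scores: List[int]) -> int:
    """Nearest-rank 75th percentile (assumption: the paper does not state its quantile rule)."""
    ordered = sorted(scores)
    return ordered[math.ceil(0.75 * len(ordered)) - 1]


def dichotomize(scores: List[int], cutoff: int) -> List[bool]:
    """Satisfactory = at or above the 3rd quartile (>= 75%), otherwise unsatisfactory."""
    return [s >= cutoff for s in scores]


def contingency(exposure: List[bool], outcome: List[bool]) -> Tuple[int, int, int, int]:
    """2x2 crosstab (a, b, c, d): a = exposed with outcome, b = exposed without,
    c = unexposed with outcome, d = unexposed without."""
    a = b = c = d = 0
    for e, o in zip(exposure, outcome):
        if e and o:
            a += 1
        elif e:
            b += 1
        elif o:
            c += 1
        else:
            d += 1
    return a, b, c, d


def odds_ratio(a: float, b: float, c: float, d: float, z: float = 1.96) -> Tuple[float, float, float]:
    """Crude odds ratio with Woolf's 95% CI on the log scale.
    Haldane-Anscombe 0.5 correction keeps the estimate finite when a cell is empty.
    For a single binary predictor this equals exp(beta) from binary logistic
    regression; the paper's AORs additionally adjust for the other dimensions."""
    if 0 in (a, b, c, d):
        a, b, c, d = (x + 0.5 for x in (a, b, c, d))
    ratio = (a * d) / (b * c)
    se = math.sqrt(1 / a + 1 / b + 1 / c + 1 / d)
    return ratio, math.exp(math.log(ratio) - z * se), math.exp(math.log(ratio) + z * se)


def analyse(sample: List[Dict[str, List[str]]], exposure_dim: str, outcome_dim: str) -> dict:
    """Full pipeline: score both dimensions, dichotomize each at its own 3rd
    quartile, cross-tabulate, and compute OR (95% CI)."""
    exp_scores = dimension_scores(sample, exposure_dim)
    out_scores = dimension_scores(sample, outcome_dim)
    exp_cut, out_cut = third_quartile(exp_scores), third_quartile(out_scores)
    table = contingency(dichotomize(exp_scores, exp_cut), dichotomize(out_scores, out_cut))
    ratio, lo, hi = odds_ratio(*table)
    return {"cutoffs": (exp_cut, out_cut), "table": table, "or": ratio, "ci": (lo, hi)}


def format_result(result: dict) -> str:
    """Report in the paper's notation: OR (95% CI) = estimate (lower, upper)."""
    lo, hi = result["ci"]
    return f"OR (95% CI) = {result['or']:.3f} ({lo:.3f}, {hi:.3f})"


if __name__ == "__main__":
    res = analyse(SAMPLE, "communication", "awareness")
    print("cutoffs (communication, awareness):", res["cutoffs"])
    print("2x2 table (a, b, c, d):", res["table"])
    print(format_result(res))  # very wide CI: twelve respondents, not the paper's 100
```

With only twelve constructed respondents the interval spans 1, which is the check a reader should apply to any reported AOR: the paper's intervals above all exclude 1, which is what makes its associations meaningful.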


Conclusions

This paper assessed the level of existing information security culture in the banking sector in Ethiopia. It employed a quantitative method based on a validated information security culture questionnaire from previous related literature. The collected data were analyzed with respect to well-established factors that influence information security culture. The study revealed that information security awareness in the banking sector in Ethiopia is unsatisfactory. This possibly emanates from inadequate information security communication and training. There is also significant room to enhance the trust environment between managers and employees, which can promote change in information security culture. Consequently, the level of proper information security governance in the banking sector in Ethiopia is a critical area for improvement.

Hence, we strongly recommend that banks in Ethiopia invest in effective information security communication methods, such as training employees in information security measures and information security policy awareness programs. International information security governance standards like ISO27002 and information security management standards like ISO27001 should be implemented at the organizational level to assist the establishment of a reliable information security culture. Compliance with these international standards ensures moving in the right direction. Information security initiatives should be championed by top management to boost the implementation of information security policies. A dedicated team should be responsible for managing the initiatives, and the participation of all employees in the bank should be fostered to effectively embrace positive information security culture change. Research on information security culture is still in its early stages of development: issues are still being identified and conceptualizations are still being explored (Alnatheer & Nelson, 2009; Gebrasilase & Lessa, 2011). This active research area is at an even earlier stage in the Ethiopian banking sector context. This paper tried to bridge the gap in researching the information security culture in the banking sector in Ethiopia. However, it is limited in that it did not cover all departments of the banks and did not have a larger sample size. Therefore, more rigorous research is needed to frame practical strategies for enhancing the information security culture in the banking sector in Ethiopia.


References

Alnatheer, M. & Nelson, K. (2009), "Proposed Framework for Understanding Information Security Culture and Practices in the Saudi Context", Security Research Centre Conferences.

Eloff, M. M. & von Solms, S. H. (2000), "Information Security Management: A Hierarchical Approach for Various Frameworks", Computers & Security, 19(3), 243-256.

Gebrasilase, T. & Lessa, L. (2011), "Information Security Culture in Public Hospitals: The Case of Hawassa Referral Hospital", The African Journal of Information Systems, Vol. 3, Iss. 3, Article 1.

Kuusisto, T. & Ilvonen, I. (2003), "Information Security Culture in Small and Medium Size Enterprises", Frontiers of E-Business Research.

Lim, J. S., Ahmad, A., Chang, S. & Maynard, S. B. (2009), "Embedding Information Security Culture: Emerging Concerns and Challenges".

Martins, A. (2008), Information Security Culture, DigiSpace at the University of Johannesburg; available at: http://ujdigispace.uj.ac.za:8080/dspace/handle/10210/292; viewed on Sept. 5, 2011.

Martins, A. & Eloff, J. (2006), "Assessing Information Security Culture", Johannesburg, South Africa: Rand Afrikaans University.

Mitnick, K., Simon, L. & Wozniak, S. (2002), "The Art of Deception: Controlling the Human Element of Security", John Wiley & Sons.

Nelson, J. (2005), "Information Security Risk in Financial Institutions", World Academy of Science, Engineering and Technology.

Schlienger, T. & Teufel, S. (2003), "Information Security Culture: From Analysis to Change", iimt (international institute of management in telecommunications), University of Fribourg.

Ula, M., Ismail, Z. et al. (2011), "A Framework for the Governance of Information Security in Banking", System Engineering Faculty, Universitas Malikussaleh, Reuleut, Indonesia.

Van Niekerk, J. & Von Solms, R. (2005), "A Holistic Framework for the Fostering of an Information Security Sub-culture in Organizations", Information Security South Africa (ISSA), Johannesburg, South Africa.

Da Veiga, A., Martins, N. & Eloff, J. H. P. (2007), "Information Security Culture: Validation of an Assessment Instrument", Southern African Business Review, Volume 11, Number 1.

Von Solms, S. H. (2000), "Information Security: The Third Wave?", Computers & Security, 19, 615-620.

Zakaria, O., Jarupunphol, P. & Gani, A. (2003), "Paradigm Mapping for Information Security Culture Approach", paper presented at the 4th Australian Information Warfare and IT Security Conference, Adelaide, Australia.

Zakaria, O., Gani, A. et al. (2007), "Reengineering Information Security Culture Formulation Through Management Perspective", in Proceedings of the International Conference on Electrical Engineering and Informatics, Institut Teknologi Bandung, Indonesia.
