See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/335292223

A Cybersecurity Culture Framework and Its Impact on Zimbabwean

Organizations

Article · October 2018

CITATIONS READS

4 4,095

1 author:

Gabriel Kabanda
Zimbabwe Academy of Sciences
48 PUBLICATIONS   136 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

E-commerce and E-banking View project

All content following this page was uploaded by Gabriel Kabanda on 21 August 2019.

The user has requested enhancement of the downloaded file.

 e-ISSN: 2455-7013
Asian Journal of Management, Engineering & Computer Sciences
(AJMECS)
Vol. 3(4), October 2018: 17-34
URL: http://www.crsdindia.com/ajmecs.html
Email: crsdindia@gmail.com

RESEARCH PAPER

A Cybersecurity Culture Framework and Its Impact on Zimbabwean Organizations

Gabriel Kabanda
Atlantic International University, 900 Fort Street Mall 40, Honolulu, Hawaii 96813, USA
Email: gabrielkabanda@gmail.com, profgkabanda@hotmail.com

ABSTRACT
Cybersecurity is the protection of internet-connected systems, including hardware, software and
data, from cyberattacks. Cybersecurity culture is a set of the attitudes, assumptions, beliefs, values
and knowledge that people use in their interaction with the information assets. In Zimbabwe not
much has been done in terms of cultivating a culture of cyber security in organisations although
giant steps have been taken to adopt and use ICTs. The lack of a framework to provide direction,
focus, guidance and a standardised way of addressing cybersecurity issues in Zimbabwe is one of the
challenges being faced in the ICT industry. With no cybersecurity framework in place, dealing with
cybersecurity issues becomes problematic as there is no guidance and direction on how to prevent,
respond and reduce cybersecurity breaches and risk as well as improve personnel awareness. A
cybersecurity framework that will support a cybersecurity culture to prevent cyber-attacks in
Zimbabwe is therefore required under these circumstances. The research question is “How can a
cyber security culture framework be developed to solve cybersecurity problems for grassroot users
of cyberspace in Zimbabwe?” In that regard, the contextual nature of the problem that this research
seeks to solve can only be addressed from an Interpretivist position. In this research, an
Interpretivist or Constructivist paradigm was used. A qualitative research methodology was used
and Focus Group discussions were used as the research design in a workshop environment.
Key words: Cybersecurity, Compute, Security, Zimbabwean Organizations, internet-connected
systems

Received: 18th June 2018, Revised: 24th July 2018, Accepted: 30th July 2018
©2018 Council of Research & Sustainable Development, India
How to cite this article:
Kabanda G. (2018): A Cybersecurity Culture Framework and Its Impact on Zimbabwean
Organizations. AJMECS, Vol. 3[4]: Oct., 2018: 17-34.

INTRODUCTION
Cybersecurity is the protection of internet-connected systems, including hardware,
software and data, from cyberattacks. Cybersecurity protects the data and integrity of
computing assets belonging to or connecting to an organization’s network. Gercke (2012)
defined cybercrime as a computer related crime, and Oxford English Dictionary (2019)
defined it as criminal activities carried out by means of computers or the internet.
Governments, companies, organisation and individuals throughout the world are
struggling to deal with cybercrimes, and the most forms of cyberattacks are ransomware,
email phishing, cyber bullying, online extortions, etc (Yedaly and Wright 2016; Norton
Symantec, 2017). Cyber security culture is defined as the beliefs, assumptions, attitudes,
values, perceptions and knowledge that people have pertaining to cyber security and how
these manifest in their interaction with ICTs (European Union Agency for Network and
Information Security, 2017). Technology alone cannot be a cushion against cyber- threats,
but instead humans should occupy a centre stage through cyber security culture (Gcaza,
et al, 2017). A strong cyber security culture changes the mindsets of people and their
 Kabanda

security behaviour (European Union Agency for Network and Information Security, 2017)
and will stand as a human firewall against threats without coercion.
The emergence of information and communication technologies (ICTs) has precipitated a
dependent information society supportive of business management, information sharing
and provision of electronic services (Malyuk and Miloslavskaya, 2016). In Africa, most
organizations are not ready to respond to information security threats (Africa Cyber
Security Report, 2016). These range from online visa applications to e-government
platforms and this has made them prime targets for cyber-attacks (Africa Cyber Security
Report, 2017). New technologies and business process automation is being done without
ensuring that adequate security controls are put in place to safeguard these systems
(Africa Cyber Security Report, 2016). There is a dire need to nurture an information
society that exhibits a culture of respecting values, rights and freedoms in terms of
accessing information so as to build confidence and trust in the use of ICTs in Africa
(United Nations, 2014). In Africa, twenty-one countries have Data Protection Legislations
and 13 have both Data and Cyber Security Legislation.
Zimbabwe is one of the emerging countries that has embraced the use of technology in the
last two decades, which saw the internet penetration rate rising up to 55.4% in the last
quarter of year 2018 (Potraz, 2018). In Zimbabwe not much has been done in terms of
cultivating a culture of cyber security in organisations although giant steps have been
taken to adopt and use ICTs. Internet connectivity in Zimbabwe has been availed through
the undersea fibre optic network provided by WACS, EASSy and SEACOM (Zimbabwe
National Policy for ICT 2016-2020, 2016). On the other hand Community Information
Centres are being set up countrywide as a way of bridging the digital divide and spreading
ICT uptake (ICT Ministry, 2015). The Community Information Centers offer internet
access, printing, photocopying, scanning, faxing, laminating as well as gaming services
(http://zarnet.ac.zw/, 2017). The human factor remains the weakest link in relation to
cyber security (Da Veiga, A., 2016) and as such, certain secure ways of behaving and using
the cyberspace ought to be engraved in users of cyberspace (Bada and Sasse, 2014).
Meanwhile, the statistics according to the Postal and Telecommunications Regulatory
Authority of Zimbabwe (Potraz, 2017) indicate that the mobile penetration rate in the
third quarter of 2017 increased by 3.5% to reach 100.5% from 97% recorded in the
second quarter following a 3.7% increase in subscriptions. Accordingly, the active
internet penetration rate also increased by 0.9% in the third quarter of 2017, to reach
49.5% from 48.6% recorded in the second quarter following a 1.9% increase in active
subscriptions. On the other hand, mobile Internet data usage rose up 39.1% in the third
quarter of 2017 to record 4,129.4 Terabytes from 2,968.2 Terabytes recorded in the
second quarter of 2017. These statistics prove beyond any reasonable doubt that the
Zimbabwean economy is fast becoming an internet economy and any digital gap has to be
closed for the development of the economy. However, the internet is also a jungle where
cybercriminals fully exploit and take advantage of others.
The increase in internet penetration and electronic transactions means that computers
are fast becoming accessories for committing crime. In Zimbabwe’s National Risk
Assessment (NRA) Report of 2015, cybercrime is listed as one of the crimes contributing
to the US$1,8 billion estimated of illicit proceeds generated from criminal activity
annually in Zimbabwe (RBZ, 2015). The Reserve Bank of Zimbabwe highlighted that from
2011-2015, over 140 cases of cybercrimes were reported. These include phishing, credit
card fraud, identity theft, unauthorized access, hacking, and telecommunications piracy.
The Zimbabwe National Policy for ICT 2016-2020 (2016) also indicates that mobile
money transfer platforms, e-commerce platforms and social media platforms have also
been widely adopted in Zimbabwe. In Zimbabwe, the Cyber Protection Bill was drafted
and is now in its final stages of approval (ICT Ministry, 2015). This is a positive indication
of government’s efforts through the Ministry of Information Communication Technology
and Courier Services to secure Zimbabwean cyberspace against cyber-attacks (MISA,

AJMECS ~ 18 ~ Vol. 3(4): Oct. 2018

 Kabanda

2017). However, as for Zimbabwe a lot has to be done in order to come up with a
framework that suits its cybersecurity needs.
In their annual report on cyber security, one of the leading cyber security company,
Norton Symantec (2017) revealed that 978 million people in 20 countries were affected
by cybercrime in 2017, and 44% of consumers were impacted by cybercrime in the last
12 months. As a result, consumers who were victims of cybercrime globally lost $172
billion- and average of $142 per victim. The most common cybercrimes experienced by
consumers or someone they know include:
1. Having a device infected by a virus or other security threat (53%)
2. Experiencing debit or credit card fraud (38%)
3. Having an account password compromised (34%)
4. Encountering unauthorized access to or hacking of an email or social media account
(34%)
5. Making a purchase online that turned out to be a scam (33%)
6. Clicking on a fraudulent email or providing sensitive (personal/financial) information
in response to a fraudulent email (32%)
At the time of this research, cybercrimes in Zimbabwe were being dealt with using the
country’s constitution and the Criminal Law (Codification and Reform) Act [Chapter 9:23].
The following Bills relating to cybercrimes were still to be gazetted into law by the
President:
1. Computer Crime and Cyber Crime Bill
2. Data Protection Bill
3. Electronic Transactions and Electronic Commerce Bill
4. National ICT Policy
5. Draft Child Online Protection Guidelines

STATEMENT OF THE PROBLEM

The increased use of internet-based technologies has resulted in companies being
subjected to cyberattacks. These attacks were further propelled by vulnerabilities found
in the information systems of these organisations. Zimbabwean companies have
embraced the use of internet based technologies, which includes emails, cloud computing,
web portals, social media, internet banking, internet of things, etc. The use of these
technologies has created opportunities for cybercriminals, and the majorities of the cases
has not been reported and are not known to the public. The lack of a framework to
provide direction, focus, guidance and a standardised way of addressing cybersecurity
issues in Zimbabwe is one of the challenges being faced in the ICT industry. The
protection of valuable information, infrastructure and individuals from cyber-attacks has
become key as most countries including Zimbabwe are developing into information
societies. In Zimbabwe a lot of effort has been invested in the adoption of ICTs,
computerisation of various institutions and the establishment of internet connectivity
even in the most remote parts of the country in an effort to bridge the digital divide
(Zimbabwe National Policy for ICT 2016-2020, 2016). These efforts have also exposed the
beneficiaries of these initiatives to cyber-attacks. With no cybersecurity framework in
place, dealing with cybersecurity issues becomes problematic as there is no guidance and
direction on how to prevent, respond and reduce cybersecurity breaches and risk as well
as improve personnel awareness. A cybersecurity framework that will support a
cybersecurity culture to prevent cyber-attacks in Zimbabwe is therefore required under
these circumstances.

PURPOSE OF STUDY
1. The purpose of this research is to develop a cybersecurity culture framework and
evaluate its impact on Zimbabwean organisations.

AJMECS ~ 19 ~ Vol. 3(4): Oct. 2018

 Kabanda

RESEARCH OBJECTIVES
The objectives of this research are to-
1. Ascertain the cybersecurity challenges being faced in Zimbabwe
2. Determine the common types of cybersecurity vulnerabilities, cyberattacks and
threats
3. Investigate cybersecurity needs of grassroot users of cyberspace in Zimbabwe
4. Find out the requirements of a cybersecurity culture framework
5. Assess existing cybersecurity frameworks that are being used to prevent cyber
attacks
6. Develop a cybersecurity culture framework and Cybersecurity strategies suitable for
Zimbabwean organizations.

RESEARCH QUESTIONS
The research questions are crafted with the view of guiding the research process so as to
achieve the objectives of this study.
MAIN RESEARCH QUESTION:
1. What Cybersecurity culture framework is required for Zimbabwean
organizations and the grassroot users?
To answer this there is need to answer the following sub research questions:
SUB RESEARCH QUESTIONS:
1. What are the cybersecurity challenges being faced in Zimbabwe?
2. What are the common types of cybersecurity vulnerabilities, cyberattacks and
threats?
3. What are the cybersecurity needs of grassroot users of cyberspace in Zimbabwe?
4. What are the requirements of a cyber security culture framework?
5. What are the existing cybersecurity frameworks that are currently in use for cyber
threat prevention?
6. How can a cybersecurity culture framework and Cybersecurity strategies be
developed for Zimbabwean organizations and the grassroot users?

CONCEPTS IN CYBERSPACE
According to Williams (2014), cyberspace is a human made information environment
created when computers and related telecommunication equipment and other
components that allow fast movement of large amounts of data are connected. The
Internet is the most notable network that resides in cyberspace. The cyberspace
landscape includes objects such as radio waves, cell phones, fiber optic cables, satellites,
laser beams, software, firmware and anything that can be linked together to form a
network (Magee, 2013). These objects can be in one physical location or different
locations. They can also be physically moved, reconfigured or changed logically. The use
of IP addresses exposes the nonphysical nature of cyberspace. In the physical domain,
addresses reference a physical location but IP addresses tell the user where to go, without
necessarily pointing to a physical location. Cyberspace also describes systems and
services connected directly or indirectly to the Internet, telecommunications and
computer networks (Wamala, 2011). All the interconnected devices and data that
comprise cyberspace are manmade, from the ICT infrastructure to the software, protocols
and resident data. Cyberspace is categorized into three layers namely the physical layer,
the logical layer and the social layer. The exponential rise of the Internet of Things (IoT)
support the fact that cyberspace is growing at an exponential rate and will continue to
grow with no sign of slowing down.

AJMECS ~ 20 ~ Vol. 3(4): Oct. 2018

 Kabanda

INTERNET OF THINGS (IoT)

The Internet of Things (IoT) relates to interconnected devices via communication
channels and methods that transmit and communicate with each other. The transmission
method can be wired or wireless depending on the devices. According to Symantec
(2016), the Internet of Things is now a prime target for hackers. Opportunities for
Internet of Things will arise through technological integration and collaboration which
will continue to increase in complexity and complexity breeds cybersecurity risk (Ernst
and Young, 2015). Risks include data falsification, data manipulation, data and identity
theft or IP theft. The number of Internet of Things (IoT) devices is increasing and those
devices are being used every day (Concierge Security report, 2018).The Internet of Things
(IoT) industry is expected to be worth $US19 trillion by 2020 globally (ACS, 2016).
Furthermore, the growth in big data and cloud computing industries also present great
chances for the Internet of Things (IoT) industry to flourish. However, cybersecurity is a
key challenge in the Internet of Things (IoT) realm. This is because hackers can penetrate
an organization’s network through the Internet of Things (IoT) devices (MacAfee, 2018)
or through the cloud environment which the Internet of Things (IoT) devices heavily rely
on (KPMG, 2018).The security of those devices together with the people that use them is
very important as cybersecurity risk is high (Concierge Security report, 2018).

CLOUD COMPUTING
According to Fehling, et al, (2014), the cloud symbol is usually used to symbolize the
internet. Cloud computing is now frequently used to describe the delivery of software,
middleware platforms, infrastructure, whole business processes and storage services
over the internet. These services are delivered when they are needed in the quantity
needed at a certain time. Put differently, cloud computing is very much similar to the rent-
a-car model. The cost effectiveness and efficiency of the cloud platforms is tempting most
organizations to migrate to the cloud and enjoy a wide range of benefits (Sharma, 2012)
which according to KPMG (2018) include:
 free capital expenditure
 accessibility from anywhere at anytime
 no maintenance headaches
 improved control over documents as files will be centrally managed

Fig. 1: Projection of growth of the Cloud Computing market. Source: KPMG (2018)

AJMECS ~ 21 ~ Vol. 3(4): Oct. 2018

 Kabanda

The cloud computing market is expected to grow 4 times between 2015 and 2020 from
US73 billion to US270 billion as depicted in Figure 1 above (KPMG, 2018). Cybersecurity
is also a key challenge in this industry as cybercriminals use cloud services as warehouses
to store their malicious software and as targets that will be used as launchpads for Denial
of Service (DOS) attacks (MacAfee, 2018).

CYBERCRIME
Cybercrime has matured with a big market with several stakeholders and is unlikely to
stop as it is very rewarding. Online criminal marketplaces have gone to the extent of
selling ransomware services and products. End users of technology continue to fail to
adhere to basic security norms and this sustains the cybercrime market (MacAfee, 2018).
Cybercrime features on the top 10 global risks together with terrorist attacks, natural
disasters and extreme weather patterns KPMG (2018). According to MacAfee (2014) and
World Economic Forum (2017) as cited by KPMG (2018), cybercrime costs the world $US
575 billion annually which constitute 0.5% of the world’s Gross Domestic Product. The
damage caused by cybercrime is also expected to reach US$6 trillion by 2021 (KPMG,
2018). Cybercrime is expected to grow taking advantage of poor security of the Internet
of Things (IoT) devices (MacAfee, 2018). Cybercriminals are also riding on Artificial
Intelligence (AI) to make and replicate malicious software as well as identifying weak
targets. Table 2 shows several forms of cybercrime and their associated estimated daily
activity.

Table 1: Table of cybercrimes and their estimated daily activity

Cybercrime Estimated Daily Activity

Ransomware 4 000
Phishing 33 000
New malicious software/malware 300 000
Records lost to hacking 780 000
Malicious scans 80 billion
Source: MacAfee (2018)

Ransomware erupted in 2015 and is likely to continue to be very popular going forward
whilst improving in sophistication. It is anticipated that businesses are going to be facing
ransomware attacks every 14 seconds by 2019 and the attacks on healthcare systems is
expected to quadruple by 2020 (Concierge Security report, 2018).

CYBERSECURITY MARKET
According to KPMG (2018), the global cybersecurity market is expected to grow from
US75 billion to US203 billion by 2021. The major factors driving the industry (KPMG,
2018) include:
 the increase in the number of people being connected to the internet
 cybercrimes
 the need to be cushioned against cybercrime,
 rapid adoption of Internet of Things (IoT) as well as the cloud.
However, these digital trends have an effect of increasing vulnerability of systems and
risks and will therefore continue to boost the cybersecurity industry (KPMG, 2018).

CYBER SECURITY VS INFORMATION SECURITY

Figure 2 below shows the difference between information security and cybersecurity.
Cyber security is the protection of information and non-information assets as well as
interests of an individual, society or nation from risks associated with interaction with
cyberspace (Reid and Van Niekerk 2014). Information security is the protection of
information and information systems from threats so as to uphold their integrity,

AJMECS ~ 22 ~ Vol. 3(4): Oct. 2018

 Kabanda

availability and confidentiality (Reid and Van Niekerk, 2014). Information security culture
consist of perceptions, attitudes, assumptions, values and knowledge that guide the
interaction of people with organisational information assets with the mandate of securing
information (Al Hogail, 2015). On the other hand cyber security culture is defined as the
beliefs, assumptions, attitudes, values, perceptions and knowledge that people have
pertaining to cyber security and how these manifest in their interaction with Information
Communication Technologies (European Union Agency for Network and Information
Security, 2017).

Fig. 2: Differences between Information Security and Cybersecurity. Source: Center for
Cyber and Information Security (https://ccis.no/cyber-security-versus-information-
security/)

In order to come up with a cybersecurity culture framework, the researcher will take into
account the following factors:
 Cybersecurity
 Cybersecurity culture
 Requirements of a cybersecurity framework
 Cybersecurity challenges being faced by grassroot users of cyberspace
Cybersecurity needs of grassroot users of cyberspace
These factors will serve as input to the successful crafting of a cybersecurity culture
framework for the grassroot users of cyberspace. These factors are also part and parcel of
the objectives of this study and will also guide the researcher by way of depicting main
issues to look at in the research.

THEORETICAL FRAMEWORK
A theoretical framework is a guide for a research that is used by a researcher to come up
with his/her research inquiry and also serves as a foundation upon which research is
built (Grant and Osanloo, 2014). Krainovich-Miller (2010) views a theoretical framework
as similar to a map that guides a traveler towards a particular destination. According to
Imenda (2014) absence of a theoretical framework in a research deprives it of direction to
the search of appropriate literature and scholarly discussions that arise from research

AJMECS ~ 23 ~ Vol. 3(4): Oct. 2018

 Kabanda

findings. The theories that are going to guide this research are the National Institute of
Standards and Technology (NIST) Cybersecurity Framework, General Deterrence Theory
and Game Theory.

NIST CYBERSECURITY FRAMEWORK

According to National Institute of Standards and Technology (NIST, 2018), the NIST
Cybersecurity framework was crafted with the view of reducing cyber risk and improve
security to critical infrastructure. It is based on standards such as Control Objectives for
Information and Related Technologies (COBIT), International Organization for
Standardization (ISO) and International Electrotechnical Commission (IEC). It seeks to
provide organizations with a common way to:
 describe their current (as-is) cybersecurity state or posture
 describe their desired cybersecurity state
 identify and prioritize opportunities for improvement within the context of a
continuous and repeatable process
 make progress assessment towards a desired cybersecurity state
 make internal or external communication to stakeholders about cybersecurity risk
This framework is not a one size fits all (Purdy, 2016) framework since different
organizations face different cybersecurity risks. The framework targets companies, Non-
Governmental Organizations, government agencies as well as communities regardless of
their size and focus. The framework consists of three main components which are: the
framework core, implementation tiers and the framework profile.
The National Institute of Standards and Technology (2018) indicates that this component
of the framework consists of five sub- components or activities which are identify,
protect, detect, respond and recover as shown below in Figure 3.

Fig. 3: NIST Cybersecurity Framework Core components. Source: National Institute of

Standards and Technology (2018)

The framework core can also be viewed as a set of cybersecurity activities, desired
outcomes and references applicable and common across all sectors. Each function has
categories (total of 22) and subcategories (total of 98) (Angelini, et al, 2017).
Subcategories are basically practical activities that have to be done such as data collection
on the organization’s software and hardware or even documenting legal requirements for

AJMECS ~ 24 ~ Vol. 3(4): Oct. 2018

 Kabanda

cybersecurity (Angelini, et al, 2017). Informative references are the international

standards that are associated with each category and subcategory. The implementation of
all the subcategories by an organization will result in a high cybersecurity level.
However, it is important to note that the cybersecurity framework was primarily
designed for critical infrastructure although it can be used by smaller companies and
communities. According to Alcaraz and Zeadally (2015), critical infrastructure is made up
of assets and systems which can be either virtual or physical that are so important to a
nation such that any interruption of their services could have a serious impact on
economic well-being, national security, public health or safety or a combination of all of
these. Critical infrastructure includes power grids, hospital systems as well as public
transportation. The major drive behind this framework was to safeguard this critical
infrastructure for United States of America which is way more advanced than that which
we have in Zimbabwe. For instance, our infrastructure such as our public transportation
system is not yet connected to cyberspace and there is a low risk of cyber-attacks. In that
regard, it is therefore important to note that a framework that takes into consideration
the cyber security position of grassroot users of cyberspace in Zimbabwe will be more
pragmatic and supportive of their plight. This research comes in to come up with a home
grown solution that is tailor-made to suit the needs of Zimbabwean grassroot users.
Furthermore, some of the National Institute of Standards and Technology (NIST)
Cybersecurity framework subcategories that are obligatory for critical infrastructure may
not be useful for smaller companies or communities. As such, a Zimbabwean grassroot
user informed framework could be helpful in addressing cybersecurity issues and hence
this study becomes very important.

GENERAL DETERRENCE THEORY (GDT)

The General Deterrence Theory posits that people can be dissuaded from doing crooked
self-centered acts through the use of counter means such as strong deterrents and
penalties relative to the act (Schuessler, 2009). Counter measures that include training
and education, backups and disaster recovery measures can be adopted to eliminate the
threats and mitigate against such risks. Deterrence activities promote activities that
counteract criminal abuse of cyberspace through awareness initiatives for cyberspace
users (Alanezi, et al, 2014). The main components of the General Deterrence Theory are
Deterrence, Prevention, Detection and Remedy as illustrated in Figure 4 below (Alanezi,
et al, 2014).

Fig. 4: Elements of the General Deterrence Theory (GDT). Source: Alanezi et al (2014)

AJMECS ~ 25 ~ Vol. 3(4): Oct. 2018

 Kabanda

The risk management approach to cybersecurity unpacked by the General Deterrence

Theory makes it a good pillar for this study as the study is aimed at coming up with a
technical blueprint that ensures that grassroot users of cyberspace are shielded against
cyber-attacks.

GAME THEORY
Game theory describes multi-person decision scenarios as games in which each player
chooses actions that result in the best possible rewards for self, while expecting the
logical actions from the other opponents. According to Chukwudi, et al., (2017), a game is
a narrative or an account of the strategic reciprocal actions between opponents including
payoffs of and constraints for actions that players can undertake but doesn’t specify the
exact actions taken. A player is the primary entity of a game responsible for making
decisions and then taking action and can represent a machine, a person, or a group of
persons within a game (Chukwudi, et al, 2017). In the field of cybersecurity, game theory
will take into account the wrangle between the cyber attackers and the cyber victims
where their decision strategies are closely related. An important element in this theory is
the capacity to analyze the possible large number of cyber threat scenarios in a cyber
system (Hamilton, 2002). In this research this theory will help in the provision of the
much needed direction in the allocation of resources and the putting in place measures
that take into consideration the dynamic nature of cybersecurity threats and cyberspace.
It will also provide a constant reminder that the cyber attackers and grassroot users of
cyberspace are the key players in the game and for the grassroot users of cyberspace to
emerge victorious, they have to be a step ahead of the cyber attackers.

CYBERSECURITY CHALLENGES IN DEVELOPING COUNTRIES

The cybersecurity challenges that are being faced in developing countries include the
following:
1. Infrastructure (International Telecommunications Union, 2009)
2. Legal frameworks (Norwegian Institute of International Affairs, 2018)
3. Harmonization of legislation (Bande, 2018).
4. Balancing harmonization and country specific needs (ITU, 2012)
5. Systems (Schia, 2018)
6. Education and awareness (Tagert, 2010), (Schia, 2018)
7. Cybersecurity knowledge (The United Nations Economic Commission for Africa Policy
Brief, 2014)
8. Affordability and funding (Muller, P. L, 2015)
9. Perceived low susceptibility to attacks (Tagert, 2010)
10. Lack of adequate frameworks that speak to their cybersecurity needs (Tagert, 2010)
11. Reporting cybercrime (The Republic of Mauritius Cybercrime strategy 2017-2019,
2017)
12. Data sharing

REQUIREMENTS OF A CYBERSECURITY FRAMEWORK

A cybersecurity culture addresses major economic, legal and social issues relating to
cyber security so as to help societies to get prepared to face challenges related to the use
and misuse of ICT technologies (International Telecommunication Union, 2009). The
building blocks of cybersecurity culture are: training awareness, policy makers, justice
and police professionals, managers, Information Communication Technology (ICT)
professionals, acceptable practices, end users and effective cooperation (International
Telecommunication Union, 2009). According to the Ghana National Cybersecurity Policy
and Strategy (2014), the following are pillars of a cybersecurity blueprint:
1. Effective governance and public and private partnership
2. Legislative and regulatory framework

AJMECS ~ 26 ~ Vol. 3(4): Oct. 2018

 Kabanda

3. Cyber security technology framework

4. Security culture and capacity building
5. Research and development
6. Cybersecurity emergency readiness
7. International cooperation

RESEARCH METHODOLOGY AND DESIGN

The Research Methodology section presents the research paradigm or philosophy that
underpins this study, the associated research design, methodology and methods that are
going to be employed in order to address the objectives of this study and its purpose.
According to Lather (1986) as cited by Kivunja and Kuyini (2017) a research paradigm
gives a reflection of the researcher’s opinions or beliefs about the world that s/he exists in
or wants to exist in. According to Lincoln and Guba (1985) as cited by Kivunja and Kuyini
(2017) a paradigm has four parts which are explained below.
A. EPISTEMOLOGY OF A PARADIGM:
The word epistemology has its roots in Greek which means knowledge (Kivunja and
Kuyini, 2017) and is concerned with the theory of knowledge (Walliman, 2011).
B. ONTOLOGY OF A PARADIGM:
According to Scotland (2012) as cited by Kivunja and Kuyini (2017), ontology is a division
of philosophy that deals with the assumptions that are put in place in order to believe that
something is real or makes sense. These assumptions assist the researcher in
conceptualising the form and nature of reality and what s/he believes can be known
about that reality.
C. METHODOLOGY OF A PARADIGM:
According to Keeves (1997) as cited by Kivunja and Kuyini (2017), methodology is an
umbrella term used to cover research methods, research design and procedures used in a
planned investigation to find out something. It clearly spells out the logic and flow of
systematic processes followed when doing research in order to get knowledge about the
research problem.
D. AXIOLOGY OF A PARADIGM:
Axiology refers to the ethical issues that have to be factored in when doing research
(Kivunja and Kuyini, 2017). Ethical considerations focus on four key concepts that have to
be respected when dealing with data and participants. According to Slote (1985) cited in
Kivunja and Kuyini (2017), these are Privacy, Accuracy, Property and Accessibility and
the acronym that denotes them is PAPA.
Many paradigms have been brought forward and they fall in four main categories which
are, Positivist, Interpretivist, Critical and Pragmatic (Kivunja and Kuyini, 2017).These
paradigms are briefly explained below.
E. POSITIVIST PARADIGM:
Kivunja and Kuyini (2017) state that the positivists believe that truth is out there and can
be revealed through research and the role of the researcher is to find it and explain it.
They also believe that theory is universal and can be applied in all settings or contexts.
The positivist paradigm defines a worldview called the scientific method (Shah and Al-
Bargi, 2013) of investigation which is anchored on an experimental methodology.
F. INTERPRETIVIST/CONSTRUCTIVIST PARADIGM:
Lincoln and Guba (1985) and Morgan (2007) cited in Kivunja and Kuyini (2017),
presented this paradigm as one where in the world numerous realities are in existence
and reality is too complex to control every variable. In this regard context is extremely
important for knowledge and understanding.

AJMECS ~ 27 ~ Vol. 3(4): Oct. 2018

 Kabanda

G. CRITICAL /TRANSFORMATIVE PARADIGM:

This paradigm follows a worldview that centres its research in issues of social injustice
(Shah and Al-Bargi, 2013) and aims at addressing political, economic and social issues
which lead to oppression, conflict and struggle. It strives to change politics in order to
address inequality and injustice hence the name transformative (Kivunja and Kuyini,
2017). According to Guba and Lincoln (1988) and Martens (2015) cited in (Kivunja and
Kuyini, 2017), researchers who use the critical paradigm make efforts to address issues of
power, repression and trust among respondents.
H. PRAGMATIC PARADIGM:
Philosophers inclined to the pragmatic paradigm subscribe to the worldview that says it
is impossible to access the truth of the real world by employing a single scientific method
as supported by the Positivist paradigm or construct social reality under Interpretivist
paradigm. According to Cresswell (2003) and Martens (2015) cited in Kivunja and Kuyini
(2017) this world view puts it clearly that research must be feasible and the researcher
should use what works given the research problem without worrying about whether the
questions are exclusively quantitative or qualitative. The best approaches to the
acquisition of knowledge and every methodology that helps knowledge discovery should
be used as guided by the purpose of the study. In this research, an Interpretivist or
Constructivist paradigm was used.

INTERPRETIVIST PARADIGM/CONSTRUCTIVIST PARADIGM

The aim of this paradigm according to Guba and Lincoln (1989) as cited by Kivunja and
Kuyini (2017) is to understand the viewpoint of the subject under study so as to interpret
what the subject is thinking or the meaning that s/he is making of the situation or setting.
It is based on the idea that reality is socially constructed and there is no single reality or
truth hence the name constructivist paradigm. There is also need to understand the
individuals than just to follow laws that are generic and for that reason theory does not
come before research but follows it based on data generated from the research.
Cybersecurity is a huge area for consideration and in order to address problems within it,
there is need for contextualisation. Various cybersecurity frameworks have been
developed in several contexts such as critical infrastructure, health information systems,
Small to Medium Enterprises (SMEs) and cybersecurity profession among many others.
This is a clear indication that there are multiple realities out there in the world of
cybersecurity as supported by the Interpretivist paradigm. Cybersecurity has to be
studied in the context of grassroot users of cyberspace in Zimbabwe in order to develop
concepts or even theories that are informed by reality on the Zimbabwean ground.

RESEARCH METHODOLOGY
A research methodology can be viewed as a procedural or step by step outline or
framework within which research is done, according to Remenyi, et al., (1998) as cited by
Mohajan (2018). Research methodology can be quantitative, qualitative or mixed. In this
research, a qualitative research methodology was used in order to fulfill the objectives of
this study.
The choice of the qualitative research methodology in this research is guided by the
underlying Interpretivist paradigm that seeks to understand the thought process of
respondents in a certain context and generate new concepts or theories. According to
Willig (2001) as cited by Hossain (2011), qualitative research is mostly concerned about
contextual meaning which blends well with the world views of the Interpretivists that
there are multiple realities that exist and have to be studied in contexts. The purpose of
this study is to develop a cybersecurity culture framework to cushion grassroot users of
cyberspace against cyberattacks. The framework that this research seeks to come up with
has to be informed by grassroot users of cyberspace hence the contextual nature of this

AJMECS ~ 28 ~ Vol. 3(4): Oct. 2018

 Kabanda

research demands a qualitative methodology as underpinned by the interpretivist

philosophy.
RESEARCH DESIGN OR METHODS:
A research design symbolises advance planning or a research master plan (Kothari,
2004). This planning caters for the research methods to be used, techniques to analyse
the data whilst addressing the objectives of the research and taking into account the
resources available. Research design is required because it helps the smooth flow of the
several research processes, thereby making research efficient in getting more information
with less investment in time, effort and money (Kothari, 2004). In this research a
descriptive research design of focus group discussions was used to answer the research
questions. A total of 8 participants attended a Cybersecurity Workshop facilitated by the
researcher at the Harare International Conference Centre (HICC), on Thursday 7th and
Friday 8th March, 2019.
DATA COLLECTION/GENERATION THROUGH FOCUS GROUPS:
A focus group is a qualitative data collection method in which a researcher or researchers
and respondents assemble to discuss a certain research topic (Freitas et al, 1998).
According to Hancock, et al., (2007), focus groups look a lot like interviews but focus
group records can be analysed so as to discover the ways in which the participants
interact with each other and influence each other’s voiced ideas which does not happen in
a one on one interview. Topic guides are normally used so as to avoid loss of focus on the
topic under study. According to Kitzinger (1995) as cited by Dilshad and Latif (2013),
focus groups are mostly favourable when a researcher wants to find out the people‘s
understanding and experiences about the problem and reasons behind their particular
pattern of thinking. Focus groups give a chance to the marginalized groups of the society
to divulge their feelings about their needs and problems. In this research, focus groups
were used and the researcher led the discussion and respondents responded to open
ended questions. A sample size is the number of respondents from which the researcher
gets the required information (Kumar, 2011). The sample size is 8.

RESULTS AND DISCUSSION

The Focus Group discussion gave the following responses to the research questions
raised.
PROBLEMS WITH CYBERSECURITY IN ZIMBABWE:
The Focus Group gave the following as the problems with Cybersecurity in Zimbabwe:
1. There is a problem on the clarity on responsibilities or wwnership of who deals with
what with regards to Cybersecurity. Some regard it as an ICT problem or technical
problem and yet it is more social than technical.
2. The Ubiquitous nature of technology and advances in the Internet of Things (IoT)
presents serious challenges, where many smaller devices are now accessing the
internet and yet present a high risk on cybersecurity. Telecommuting has become
more common worldwide and so one cannot tell whether the device scanning your
organisation is from home, down the street or from any part of the world.
3. Security is being regarded as an after thought, i.e. Cybersecurity strategy is not part
of the Business Strategy of the organizations.
4. Over dependence on one service provider is not safe, e.g. Ecocash. In the unlikely
event of a breakdown, the whole nation cannot do financial transactions. A national
payment system is required and should be provided by the Government or national
system to guarantee assurance of services for services of national signficance.
5. The African culture in Zimbabwe is still weak and has had very little exposure on the
cyber space, and has not matured on the use of plastic money. Cyber criminals often
take advantage of such a situation.

AJMECS ~ 29 ~ Vol. 3(4): Oct. 2018

 Kabanda

6. We must demand redundance from the service providers and so Service Level
Agreements (SLAs) must be enforced and followed through.
7. Affordability and availability of electricity to only 3% of the population and internet
access to only 47% of the population in Zimbabwe gives room to manipulation by all
kinds of criminals.
8. There is need for technical measures and clear Cybersecurity Visions that are
implementable in our environment.
9. The awareness training programmes need to be conducted more frequently even up
to the grassroots level to raise awareness in Zimbabwe.
10. There is need for a national skills audit on Cybersecurity so that we swiftly address
the skills gaps and delinquency in the competence levels. Furthermore, the few
Zimbabweans well exposed to Cybersecurity are suffering from Brain Drain as they
are targeted for employment in other countries.
11. The national ICT Policies and Cybersecurity policies are not simplified enough for
ordinary citizens and people at grassroots levels to understand and implement.
12. Our own education system is too weak on Cybersecurity skills. There is need to
introduce mandatory Cybersecurity courses at certificate, diploma and degree levels.
For non-graduates, the courses can be introduced somehow.
13. The awareness on cybersecurity laws and legal frameworks is almost zero, and so the
nation needs to be equipped to handle cybercrime.

CYBERSECURITY FRAMEWORK:
From the Focus Group discussions, the following were agreed as the key components of a
Cybersecurity Framework with the supportive strategies, as shown on Table 3:

Table 2: The Cybersecurity Framework elements

Cybersecurity Framework Identify I Protect I Detect I Respond I Recover is a series of

Governance, Risk & Compliance
Incident Response & Governance
Operations & Administration
Communication Strategy & Planning
Strategy
documented processes that are used to define policies and procedures
around the implementation and ongoing management of information
security controls in an enterprise environment.
The umbrella covering the organization's approach across these three
areas: Governance, risk management, and compliance.
An organized approach to addressing and managing the aftermath of a
security breach or cyberattack.
The task of identifying an organization's information assets and the
documentation needed for policy implementation, standards,
procedures, and guidelines to ensure confidentiality, integrity, and
availability.
A detailed process that involves initial assessment, planning,
implementation and constant monitoring.
The definition of the need for an action, the impact of that particular
action and driving forces behind the action

A Cybersecurity Framework provides a logical structure for the creation of strategy, lays
out a sequence of activities required to implement the plan and provides meaningful
target measures against which the strategy and key efforts are assessed.
The clearer understanding of the difference between Information Security and
Cybersecurity is that:
 Information Security is the protection of information and information systems from
unauthorized access, use, disclosure, disruption, modification, or destruction in order
to provide confidentiality, integrity, and availability.

AJMECS ~ 30 ~ Vol. 3(4): Oct. 2018

 Kabanda

 Cybersecurity is the ability to protect or defend the use of cyberspace from cyber
attacks.

CYBERSECURITY VISION:
Today’s cyber attacks are becoming more numerous, more frequent and existentially
more threatening than ever before.The new generation of attackers are no longer always
motivated simply by stealing funds and holding companies’ information hostage. Instead,
their aim can be to infiltrate and manipulate not just an individual company but the entire
ecosystem to which it belongs. Cyber risks are heightened as institutions transform their
operations via new digital channels, automation and other advanced technologies.
Companies need to devote significant investments in securing gaps in their internal,
online and digital frameworks, as those who want to exploit the weaknesses are getting
smarter, bolder and more destructive. In response, regulators are heavily focused on
managing systemic cyber risk and potential contagion (spread) across organizations and
third parties. Contemporary cybersecurity extends beyond protecting sensitive
information and systems from malicious external attack, into guarding identities, data
privacy and vulnerability management on a vast scale. For individual businesses, a new
strategy for addressing cybersecurity is clearly needed.

Fig. 5: Cybersecurity Vision

AJMECS ~ 31 ~ Vol. 3(4): Oct. 2018

 Kabanda

The Cybersecurity Vision consists of the following five elements, and which are shown by
the schema on Figure 5 below:
1. Talent centricity: Build a culture that makes cybersecurity part of everyone’s job
and create a Chief Information Security Officer (CISO) role that is fit for the purpose
of your organization.
2. Strategy and innovation: Put cybersecurity at the heart of business strategy and
ensure that new digital innovation includes cybersecurity at the outset.
3. Risk focus - Understand broad trends and new regulations that will impact how cyber
risk governance needs to evolve. Implement a three-lines-of-defense (3LoD)
approach with clearly defined roles and responsibilities to manage cyber risk
effectively.
4. Intelligence and agility: Develop internal knowledge capabilities to use
contemporary insights and information to assess the greatest cybersecurity threats.
Deliver timely threat identification with a sharp focus on protecting the critical assets
of the organization.
5. Resilience and scalability: Be prepared to recover rapidly from a cyber breach
while holding your ecosystem to the same cybersecurity standards that you follow as
an organization.

CONCLUSION
The purpose of this research was to develop a cybersecurity culture framework and
evaluate its impact on Zimbabwean organisations. ‘Cyber Risk’ means any risk of financial
loss, disruption or damage to the reputation of an organization from some sort of failure
of its information technology systems. Cybersecurity consists of technologies, processes
and controls that are designed to protect systems, networks and data from cyber attacks.
Cyber security culture is defined as the beliefs, assumptions, attitudes, values, perceptions
and knowledge that people have pertaining to cyber security and how these manifest in
their interaction with ICTs (European Union Agency for Network and Information
Security, 2017). With no cybersecurity framework in place, dealing with cybersecurity
issues becomes problematic as there is no guidance and direction on how to prevent,
respond and reduce cybersecurity breaches and risk as well as improve personnel
awareness. A cybersecurity framework that will support a cybersecurity culture to
prevent cyber-attacks in Zimbabwe is therefore required under these circumstances. The
research question was “How can a cyber security culture framework are developed to
solve cybersecurity problems for grassroot users of cyberspace in Zimbabwe?” In that
regard, the contextual nature of the problem that this research sought to solve could only
be addressed from an Interpretivist position. A strong cyber security culture changes the
mindsets of people and their security behaviour (European Union Agency for Network
and Information Security, 2017) and will stand as a human firewall against threats
without coercion (Al Hogail, 2015). A cybersecurity framework that will support a
cybersecurity culture to prevent cyber-attacks in Zimbabwe is therefore required under
these circumstances. According to National Institute of Standards and Technology (2018),
the NIST Cybersecurity framework was crafted with the view of reducing cyber risk and
improve security to critical infrastructure. A cybersecurity culture addresses major
economic, legal and social issues relating to cyber security so as to help societies to get
prepared to face challenges related to the use and misuse of ICT technologies
(International Telecommunication Union, 2009).

REFERENCES
1. ACS (2016): Cybersecurity: Opportunities, Threats and Challenges.
2. Akaraz C. and Zeadally S. (2015): Critical Infrastructure Protection: Requirements and Challenges for the
21st Century. Journal of Critical Infrastructure Protection (IJCIP), volume 8, Elsevier Science, pp. 53-66,
01/2015.

AJMECS ~ 32 ~ Vol. 3(4): Oct. 2018

 Kabanda
3. Al Hogail M. (2015): How is the ministry fostering public-private partnerships (PPPs) with local private
developers?,https://oxfordbusinessgroup.com/interview/right-home-obg-talks-majed-al-hogail-minister-
housing.
4. Alanezi A.A. (2014): Development of an Orally Disintegrating Mini-Tablet (ODMTs) Containing
Metoclopramide HCl to Enhance Patient Compliance, Master of Science Thesis, University of Toledo, 2014,
http://rave.ohiolink.edu/etdc/view?acc_num=mco1417861431.
5. Angelini, et al., (2017): CRUMBS: a Cybersecurity Framework Browser.
6. Bada M. and Sasse A. (2014): Cyber Security Awareness Campaigns: Why do they fail to change behaviour?
Global Cyber Security Capacity Centre: Draft Working Paper.
7. Bande S. (2018): Legislating against Cyber Crime in Southern African Development Community: Balancing
International Standards with Country-Specific Specificities. International Journal of Cyber Criminology,
Vol. 12, Issue 1, January-June 2018.
8. Chukwudi L., Lopez R., Wager T.D., Silvers J.A. and Buhle J.T. (2014): Cognitive Reappraisal of Emotion: A
Meta-Analysis of Human Neuroimaging Studies, Cerebral Cortex, 24(11): 2981–2990.
9. Concierge (2018): Concierge Security Report. Cybersecurity: Trends from 2017 and Predictions for 2018.
10. Da Veiga A. (2016): Cybersecurity Culture Research Philosophy and Approach to Develop a Valid and
Reliable Measuring Instrument.
11. Dilshad M.R. and Latif I.M. (2013): Focus Group Interview as a Tool for Qualitative Research: An Analysis.
Pakistan Journal of Social Sciences (PJSS), 33(1): 191-198.
12. Elleithy K.M. (2000): Denial of Service Attack Techniques: Analysis, Implementation and Comparison.
3(1): 66–71.
13. Ernst and Young (2015): Cybersecurity and the Internet of Things.
14. Fehling C., Leymann F., Retter R., Schupeck W. and Arbitter P. (2014): Cloud Computing Patterns.
Fundamentals to Design, Build, and Manage Cloud Applications. Springer-Verlag Wien.
15. Freita A.L. (1998): Resilience: A Dynamic Perspective, Geraldine Downey, First Published June 1, 1998,
https://doi.org/10.1080/016502598384379.
16. Gcaza N., Solms R. Von and Vuuren J. Van. (2015): An Ontology for a National CyberSecurity Culture
Environment. In Proceedings of the Ninth International Symposium on Human Aspects of Information
Security & Assurance (HAISA 2015) (1-10).
17. Gercke M. (2012): Cybercrime Understanding Cybercrime. Understanding cybercrime: phenomena,
challenges and legal response.
18. Ghana National Cybersecurity Policy and Strategy (2014): https://www.sbs.ox.ac.uk/cybersecurity-
capacity/system/files/Ghana_Cyber-Security-Policy-Strategy_Final_0.pdf.
19. Government of Zimbabwe (2004): Criminal Law (Codification and Reform) Act. Zimbabwe.
20. Government of Zimbabwe (2013): Constitution of Zimbabwe. Zimbabwe.
21. Hamilton L. (2002): Early professional development in the Scottish context: pre-service high school
teachers and the management of behaviour in classrooms, Teacher Development, 19(3): 328.
22. Hancock B., Windridge K. and Ockleford E. (2007): An Introduction to Qualitative Research. The NIHR RDS
EM / YH, 2007. https://www.rds-yh.nihr.ac.uk/wp-content/uploads/2013/05/5_Introduction -to-
qualitative -research-2009.pdf.
23. Hossain N. (2011): Exports, Equity, and Empowerment: The Effects of Readymade Garments
Manufacturing Employment on Gender Equality in Bangladesh, World Bank Paper.
24. Imenda S. (2014): Is there a Conceptual difference between Conceptual and Theoretical Frameworks?
Journal of Social Science, 38(2):185-195.
25. International Telecommunication Union (2009 & 2012): Global Security Report.
26. Kivunja C. and Kuyini B. (2017): Understanding and Applying Research Paradigms in Educational
Contexts. International Journal of Higher Education, 6(5).
27. Kothari C. (2004): Research Methodology Methods and Techniques, 2nd Edition. New Age International
Publishers.
28. Kothari C.R. (2004): Research Methodology Methods and Techniques 2nd Revised Edition .New Age
International Publishers.
29. KPMG (2018): Clarity on Cybersecurity. Driving growth with confidence.
30. Krainovich-Miller B. (2010): Gathering and appraising the literature. In LoBiondo-Wood G, Haber J. (Eds)
Nursing research: methods and critical appraisal for evidence based practice. Seventh Edition, Mosby
Elsevier, Missouri, 56-84.
31. Kumar R. (2011). Research Methodology: A step by step guide for beginners 3rd ed. London: Sage
Publishers.
32. Mohajan H.K. (2018): Qualitative Research Methodology in Social Sciences and Related Subjects. Journal of
Economic Development, Environment and People, 7(1): 23-48.
33. Muller P.L. (2015): Cybersecurity Capacity Building in Developing Countries. Opportunities and
Challenges. Norwegian Institute of International Affairs.
34. Schia N.N. (2018): The cyber frontier and digital pitfalls in the Global South, Third World Quarterly,
39(5): 821-837.
35. Shah S.R. and Al-Bargi A. (2013): Research Paradigms: Researchers’ worldviews, Theoretical Frameworks
and study designs. Arab World English Journal, Vol. 4 No 4. 2013.

AJMECS ~ 33 ~ Vol. 3(4): Oct. 2018

 Kabanda
36. Sharma R. (2012): Study of Latest Emerging Trends on Cybersecurity and its Challenges to Society.
International Journal of Scientific and Engineering Research, Vol 3 Issue 6, June 2012.
37. Williams B.T. (2014): The joint force commander’s guide to cyberspace operations. Joint Force Quarterly,
73(2): 12–19.

AJMECS ~ 34 ~ Vol. 3(4): Oct. 2018

View publication stats