Gabriel Kabanda
Zimbabwe Academy of Sciences
All content following this page was uploaded by Gabriel Kabanda on 21 August 2019.
RESEARCH PAPER
Gabriel Kabanda
Atlantic International University, 900 Fort Street Mall 40, Honolulu, Hawaii 96813, USA
Email: gabrielkabanda@gmail.com, profgkabanda@hotmail.com
ABSTRACT
Cybersecurity is the protection of internet-connected systems, including hardware, software and
data, from cyberattacks. Cybersecurity culture is a set of the attitudes, assumptions, beliefs, values
and knowledge that people use in their interaction with the information assets. In Zimbabwe not
much has been done in terms of cultivating a culture of cyber security in organisations although
giant steps have been taken to adopt and use ICTs. The lack of a framework to provide direction,
focus, guidance and a standardised way of addressing cybersecurity issues in Zimbabwe is one of the
challenges being faced in the ICT industry. With no cybersecurity framework in place, dealing with
cybersecurity issues becomes problematic as there is no guidance and direction on how to prevent,
respond and reduce cybersecurity breaches and risk as well as improve personnel awareness. A
cybersecurity framework that will support a cybersecurity culture to prevent cyber-attacks in
Zimbabwe is therefore required under these circumstances. The research question is “How can a
cyber security culture framework be developed to solve cybersecurity problems for grassroot users
of cyberspace in Zimbabwe?” In that regard, the contextual nature of the problem that this research
seeks to solve can only be addressed from an Interpretivist position. In this research, an
Interpretivist or Constructivist paradigm was used. A qualitative research methodology was used
and Focus Group discussions were used as the research design in a workshop environment.
Key words: Cybersecurity, Compute, Security, Zimbabwean Organizations, internet-connected
systems
Received: 18th June 2018, Revised: 24th July 2018, Accepted: 30th July 2018
©2018 Council of Research & Sustainable Development, India
How to cite this article:
Kabanda G. (2018): A Cybersecurity Culture Framework and Its Impact on Zimbabwean
Organizations. AJMECS, Vol. 3[4]: Oct., 2018: 17-34.
INTRODUCTION
Cybersecurity is the protection of internet-connected systems, including hardware,
software and data, from cyberattacks. Cybersecurity protects the data and integrity of
computing assets belonging to or connecting to an organization’s network. Gercke (2012)
defined cybercrime as a computer related crime, and Oxford English Dictionary (2019)
defined it as criminal activities carried out by means of computers or the internet.
Governments, companies, organisations and individuals throughout the world are
struggling to deal with cybercrimes, and the most common forms of cyberattacks are ransomware,
email phishing, cyber bullying, online extortion, etc. (Yedaly and Wright, 2016; Norton
Symantec, 2017). Cyber security culture is defined as the beliefs, assumptions, attitudes,
values, perceptions and knowledge that people have pertaining to cyber security and how
these manifest in their interaction with ICTs (European Union Agency for Network and
Information Security, 2017). Technology alone cannot be a cushion against cyber-threats,
but instead humans should occupy a centre stage through cyber security culture (Gcaza,
et al, 2017). A strong cyber security culture changes the mindsets of people and their
security behaviour (European Union Agency for Network and Information Security, 2017)
and will stand as a human firewall against threats without coercion.
The emergence of information and communication technologies (ICTs) has precipitated a
dependent information society supportive of business management, information sharing
and provision of electronic services (Malyuk and Miloslavskaya, 2016). In Africa, most
organizations are not ready to respond to information security threats (Africa Cyber
Security Report, 2016). These range from online visa applications to e-government
platforms and this has made them prime targets for cyber-attacks (Africa Cyber Security
Report, 2017). New technologies and business process automation are being implemented without
ensuring that adequate security controls are put in place to safeguard these systems
(Africa Cyber Security Report, 2016). There is a dire need to nurture an information
society that exhibits a culture of respecting values, rights and freedoms in terms of
accessing information so as to build confidence and trust in the use of ICTs in Africa
(United Nations, 2014). In Africa, twenty-one countries have Data Protection Legislations
and 13 have both Data and Cyber Security Legislation.
Zimbabwe is one of the emerging countries that has embraced the use of technology in the
last two decades, which saw the internet penetration rate rising up to 55.4% in the last
quarter of year 2018 (Potraz, 2018). In Zimbabwe not much has been done in terms of
cultivating a culture of cyber security in organisations although giant steps have been
taken to adopt and use ICTs. Internet connectivity in Zimbabwe has been availed through
the undersea fibre optic network provided by WACS, EASSy and SEACOM (Zimbabwe
National Policy for ICT 2016-2020, 2016). On the other hand Community Information
Centres are being set up countrywide as a way of bridging the digital divide and spreading
ICT uptake (ICT Ministry, 2015). The Community Information Centers offer internet
access, printing, photocopying, scanning, faxing, laminating as well as gaming services
(http://zarnet.ac.zw/, 2017). The human factor remains the weakest link in relation to
cyber security (Da Veiga, A., 2016) and as such, certain secure ways of behaving and using
the cyberspace ought to be engraved in users of cyberspace (Bada and Sasse, 2014).
Meanwhile, the statistics according to the Postal and Telecommunications Regulatory
Authority of Zimbabwe (Potraz, 2017) indicate that the mobile penetration rate in the
third quarter of 2017 increased by 3.5% to reach 100.5% from 97% recorded in the
second quarter following a 3.7% increase in subscriptions. Accordingly, the active
internet penetration rate also increased by 0.9% in the third quarter of 2017, to reach
49.5% from 48.6% recorded in the second quarter following a 1.9% increase in active
subscriptions. On the other hand, mobile Internet data usage rose by 39.1% in the third
quarter of 2017 to record 4,129.4 Terabytes from 2,968.2 Terabytes recorded in the
second quarter of 2017. These statistics prove beyond any reasonable doubt that the
Zimbabwean economy is fast becoming an internet economy and any digital gap has to be
closed for the development of the economy. However, the internet is also a jungle where
cybercriminals fully exploit and take advantage of others.
The increase in internet penetration and electronic transactions means that computers
are fast becoming accessories for committing crime. In Zimbabwe’s National Risk
Assessment (NRA) Report of 2015, cybercrime is listed as one of the crimes contributing
to the estimated US$1,8 billion of illicit proceeds generated from criminal activity
annually in Zimbabwe (RBZ, 2015). The Reserve Bank of Zimbabwe highlighted that from
2011-2015, over 140 cases of cybercrimes were reported. These include phishing, credit
card fraud, identity theft, unauthorized access, hacking, and telecommunications piracy.
The Zimbabwe National Policy for ICT 2016-2020 (2016) also indicates that mobile
money transfer platforms, e-commerce platforms and social media platforms have also
been widely adopted in Zimbabwe. In Zimbabwe, the Cyber Protection Bill was drafted
and is now in its final stages of approval (ICT Ministry, 2015). This is a positive indication
of government’s efforts through the Ministry of Information Communication Technology
and Courier Services to secure Zimbabwean cyberspace against cyber-attacks (MISA,
2017). However, as for Zimbabwe a lot has to be done in order to come up with a
framework that suits its cybersecurity needs.
In its annual report on cyber security, one of the leading cyber security companies,
Norton Symantec (2017), revealed that 978 million people in 20 countries were affected
by cybercrime in 2017, and 44% of consumers were impacted by cybercrime in the last
12 months. As a result, consumers who were victims of cybercrime globally lost $172
billion, an average of $142 per victim. The most common cybercrimes experienced by
consumers or someone they know include:
1. Having a device infected by a virus or other security threat (53%)
2. Experiencing debit or credit card fraud (38%)
3. Having an account password compromised (34%)
4. Encountering unauthorized access to or hacking of an email or social media account
(34%)
5. Making a purchase online that turned out to be a scam (33%)
6. Clicking on a fraudulent email or providing sensitive (personal/financial) information
in response to a fraudulent email (32%)
At the time of this research, cybercrimes in Zimbabwe were being dealt with using the
country’s constitution and the Criminal Law (Codification and Reform) Act [Chapter 9:23].
The following Bills relating to cybercrimes were still to be gazetted into law by the
President:
1. Computer Crime and Cyber Crime Bill
2. Data Protection Bill
3. Electronic Transactions and Electronic Commerce Bill
4. National ICT Policy
5. Draft Child Online Protection Guidelines
PURPOSE OF STUDY
1. The purpose of this research is to develop a cybersecurity culture framework and
evaluate its impact on Zimbabwean organisations.
RESEARCH OBJECTIVES
The objectives of this research are to:
1. Ascertain the cybersecurity challenges being faced in Zimbabwe
2. Determine the common types of cybersecurity vulnerabilities, cyberattacks and
threats
3. Investigate cybersecurity needs of grassroot users of cyberspace in Zimbabwe
4. Find out the requirements of a cybersecurity culture framework
5. Assess existing cybersecurity frameworks that are being used to prevent cyber
attacks
6. Develop a cybersecurity culture framework and Cybersecurity strategies suitable for
Zimbabwean organizations.
RESEARCH QUESTIONS
The research questions are crafted with the view of guiding the research process so as to
achieve the objectives of this study.
MAIN RESEARCH QUESTION:
1. What Cybersecurity culture framework is required for Zimbabwean
organizations and the grassroot users?
To answer this there is need to answer the following sub research questions:
SUB RESEARCH QUESTIONS:
1. What are the cybersecurity challenges being faced in Zimbabwe?
2. What are the common types of cybersecurity vulnerabilities, cyberattacks and
threats?
3. What are the cybersecurity needs of grassroot users of cyberspace in Zimbabwe?
4. What are the requirements of a cyber security culture framework?
5. What are the existing cybersecurity frameworks that are currently in use for cyber
threat prevention?
6. How can a cybersecurity culture framework and Cybersecurity strategies be
developed for Zimbabwean organizations and the grassroot users?
CONCEPTS IN CYBERSPACE
According to Williams (2014), cyberspace is a human made information environment
created when computers and related telecommunication equipment and other
components that allow fast movement of large amounts of data are connected. The
Internet is the most notable network that resides in cyberspace. The cyberspace
landscape includes objects such as radio waves, cell phones, fiber optic cables, satellites,
laser beams, software, firmware and anything that can be linked together to form a
network (Magee, 2013). These objects can be in one physical location or different
locations. They can also be physically moved, reconfigured or changed logically. The use
of IP addresses exposes the nonphysical nature of cyberspace. In the physical domain,
addresses reference a physical location but IP addresses tell the user where to go, without
necessarily pointing to a physical location. Cyberspace also describes systems and
services connected directly or indirectly to the Internet, telecommunications and
computer networks (Wamala, 2011). All the interconnected devices and data that
comprise cyberspace are manmade, from the ICT infrastructure to the software, protocols
and resident data. Cyberspace is categorized into three layers namely the physical layer,
the logical layer and the social layer. The exponential rise of the Internet of Things (IoT)
supports the fact that cyberspace is growing at an exponential rate and will continue to
grow with no sign of slowing down.
CLOUD COMPUTING
According to Fehling, et al, (2014), the cloud symbol is usually used to symbolize the
internet. Cloud computing is now frequently used to describe the delivery of software,
middleware platforms, infrastructure, whole business processes and storage services
over the internet. These services are delivered when they are needed in the quantity
needed at a certain time. Put differently, cloud computing is very much similar to the rent-
a-car model. The cost effectiveness and efficiency of the cloud platforms is tempting most
organizations to migrate to the cloud and enjoy a wide range of benefits (Sharma, 2012)
which according to KPMG (2018) include:
free capital expenditure
accessibility from anywhere at anytime
no maintenance headaches
improved control over documents as files will be centrally managed
Fig. 1: Projection of growth of the Cloud Computing market. Source: KPMG (2018)
The cloud computing market is expected to grow 4 times between 2015 and 2020, from
US$73 billion to US$270 billion, as depicted in Figure 1 above (KPMG, 2018). Cybersecurity
is also a key challenge in this industry as cybercriminals use cloud services as warehouses
to store their malicious software and as targets that will be used as launchpads for Denial
of Service (DoS) attacks (MacAfee, 2018).
CYBERCRIME
Cybercrime has matured into a big market with several stakeholders and is unlikely to
stop as it is very rewarding. Online criminal marketplaces have gone to the extent of
selling ransomware services and products. End users of technology continue to fail to
adhere to basic security norms and this sustains the cybercrime market (MacAfee, 2018).
Cybercrime features among the top 10 global risks together with terrorist attacks, natural
disasters and extreme weather patterns (KPMG, 2018). According to MacAfee (2014) and
World Economic Forum (2017) as cited by KPMG (2018), cybercrime costs the world US$575
billion annually, which constitutes 0.5% of the world’s Gross Domestic Product. The
damage caused by cybercrime is also expected to reach US$6 trillion by 2021 (KPMG,
2018). Cybercrime is expected to grow taking advantage of poor security of the Internet
of Things (IoT) devices (MacAfee, 2018). Cybercriminals are also riding on Artificial
Intelligence (AI) to make and replicate malicious software as well as identifying weak
targets. Table 2 shows several forms of cybercrime and their associated estimated daily
activity.
Ransomware erupted in 2015 and is likely to remain very popular going forward
whilst improving in sophistication. It is anticipated that businesses are going to be facing
ransomware attacks every 14 seconds by 2019 and that attacks on healthcare systems are
expected to quadruple by 2020 (Concierge Security report, 2018).
CYBERSECURITY MARKET
According to KPMG (2018), the global cybersecurity market is expected to grow from
US$75 billion to US$203 billion by 2021. The major factors driving the industry (KPMG,
2018) include:
the increase in the number of people being connected to the internet
cybercrimes
the need to be cushioned against cybercrime,
rapid adoption of Internet of Things (IoT) as well as the cloud.
However, these digital trends have an effect of increasing vulnerability of systems and
risks and will therefore continue to boost the cybersecurity industry (KPMG, 2018).
availability and confidentiality (Reid and Van Niekerk, 2014). Information security culture
consists of perceptions, attitudes, assumptions, values and knowledge that guide the
interaction of people with organisational information assets with the mandate of securing
information (Al Hogail, 2015). On the other hand cyber security culture is defined as the
beliefs, assumptions, attitudes, values, perceptions and knowledge that people have
pertaining to cyber security and how these manifest in their interaction with Information
Communication Technologies (European Union Agency for Network and Information
Security, 2017).
Fig. 2: Differences between Information Security and Cybersecurity. Source: Center for
Cyber and Information Security (https://ccis.no/cyber-security-versus-information-
security/)
In order to come up with a cybersecurity culture framework, the researcher will take into
account the following factors:
Cybersecurity
Cybersecurity culture
Requirements of a cybersecurity framework
Cybersecurity challenges being faced by grassroot users of cyberspace
Cybersecurity needs of grassroot users of cyberspace
These factors will serve as input to the successful crafting of a cybersecurity culture
framework for the grassroot users of cyberspace. These factors are also part and parcel of
the objectives of this study and will also guide the researcher by way of depicting main
issues to look at in the research.
THEORETICAL FRAMEWORK
A theoretical framework is a guide for a research that is used by a researcher to come up
with his/her research inquiry and also serves as a foundation upon which research is
built (Grant and Osanloo, 2014). Krainovich-Miller (2010) views a theoretical framework
as similar to a map that guides a traveler towards a particular destination. According to
Imenda (2014) absence of a theoretical framework in a research deprives it of direction to
the search of appropriate literature and scholarly discussions that arise from research
findings. The theories that are going to guide this research are the National Institute of
Standards and Technology (NIST) Cybersecurity Framework, General Deterrence Theory
and Game Theory.
The framework core can also be viewed as a set of cybersecurity activities, desired
outcomes and references applicable and common across all sectors. Each function has
categories (total of 22) and subcategories (total of 98) (Angelini, et al, 2017).
Subcategories are basically practical activities that have to be done such as data collection
on the organization’s software and hardware or even documenting legal requirements for
Fig. 4: Elements of the General Deterrence Theory (GDT). Source: Alanezi et al (2014)
GAME THEORY
Game theory describes multi-person decision scenarios as games in which each player
chooses actions that result in the best possible rewards for self, while expecting the
logical actions from the other opponents. According to Chukwudi, et al., (2017), a game is
a narrative or an account of the strategic reciprocal actions between opponents including
payoffs of and constraints for actions that players can undertake but doesn’t specify the
exact actions taken. A player is the primary entity of a game responsible for making
decisions and then taking action and can represent a machine, a person, or a group of
persons within a game (Chukwudi, et al, 2017). In the field of cybersecurity, game theory
will take into account the wrangle between the cyber attackers and the cyber victims
where their decision strategies are closely related. An important element in this theory is
the capacity to analyze the possible large number of cyber threat scenarios in a cyber
system (Hamilton, 2002). In this research this theory will help in the provision of the
much needed direction in the allocation of resources and in putting in place measures
that take into consideration the dynamic nature of cybersecurity threats and cyberspace.
It will also provide a constant reminder that the cyber attackers and grassroot users of
cyberspace are the key players in the game and for the grassroot users of cyberspace to
emerge victorious, they have to be a step ahead of the cyber attackers.
RESEARCH METHODOLOGY
A research methodology can be viewed as a procedural or step by step outline or
framework within which research is done, according to Remenyi, et al., (1998) as cited by
Mohajan (2018). Research methodology can be quantitative, qualitative or mixed. In this
research, a qualitative research methodology was used in order to fulfill the objectives of
this study.
The choice of the qualitative research methodology in this research is guided by the
underlying Interpretivist paradigm that seeks to understand the thought process of
respondents in a certain context and generate new concepts or theories. According to
Willig (2001) as cited by Hossain (2011), qualitative research is mostly concerned about
contextual meaning which blends well with the world views of the Interpretivists that
there are multiple realities that exist and have to be studied in contexts. The purpose of
this study is to develop a cybersecurity culture framework to cushion grassroot users of
cyberspace against cyberattacks. The framework that this research seeks to come up with
has to be informed by grassroot users of cyberspace hence the contextual nature of this
6. We must demand redundancy from the service providers and so Service Level
Agreements (SLAs) must be enforced and followed through.
7. Affordability and availability of electricity to only 3% of the population and internet
access to only 47% of the population in Zimbabwe gives room to manipulation by all
kinds of criminals.
8. There is need for technical measures and clear Cybersecurity Visions that are
implementable in our environment.
9. The awareness training programmes need to be conducted more frequently even up
to the grassroots level to raise awareness in Zimbabwe.
10. There is need for a national skills audit on Cybersecurity so that we swiftly address
the skills gaps and delinquency in the competence levels. Furthermore, the few
Zimbabweans well exposed to Cybersecurity are suffering from Brain Drain as they
are targeted for employment in other countries.
11. The national ICT Policies and Cybersecurity policies are not simplified enough for
ordinary citizens and people at grassroots levels to understand and implement.
12. Our own education system is too weak on Cybersecurity skills. There is need to
introduce mandatory Cybersecurity courses at certificate, diploma and degree levels.
For non-graduates, the courses can be introduced somehow.
13. The awareness on cybersecurity laws and legal frameworks is almost zero, and so the
nation needs to be equipped to handle cybercrime.
CYBERSECURITY FRAMEWORK:
From the Focus Group discussions, the following were agreed as the key components of a
Cybersecurity Framework with the supportive strategies, as shown on Table 3:
A Cybersecurity Framework provides a logical structure for the creation of strategy, lays
out a sequence of activities required to implement the plan and provides meaningful
target measures against which the strategy and key efforts are assessed.
The clearer understanding of the difference between Information Security and
Cybersecurity is that:
Information Security is the protection of information and information systems from
unauthorized access, use, disclosure, disruption, modification, or destruction in order
to provide confidentiality, integrity, and availability.
Cybersecurity is the ability to protect or defend the use of cyberspace from cyber
attacks.
CYBERSECURITY VISION:
Today’s cyber attacks are becoming more numerous, more frequent and existentially
more threatening than ever before. The new generation of attackers are no longer always
motivated simply by stealing funds and holding companies’ information hostage. Instead,
their aim can be to infiltrate and manipulate not just an individual company but the entire
ecosystem to which it belongs. Cyber risks are heightened as institutions transform their
operations via new digital channels, automation and other advanced technologies.
Companies need to devote significant investments in securing gaps in their internal,
online and digital frameworks, as those who want to exploit the weaknesses are getting
smarter, bolder and more destructive. In response, regulators are heavily focused on
managing systemic cyber risk and potential contagion (spread) across organizations and
third parties. Contemporary cybersecurity extends beyond protecting sensitive
information and systems from malicious external attack, into guarding identities, data
privacy and vulnerability management on a vast scale. For individual businesses, a new
strategy for addressing cybersecurity is clearly needed.
The Cybersecurity Vision consists of the following five elements, which are shown in
the schema in Figure 5 below:
1. Talent centricity: Build a culture that makes cybersecurity part of everyone’s job
and create a Chief Information Security Officer (CISO) role that is fit for the purpose
of your organization.
2. Strategy and innovation: Put cybersecurity at the heart of business strategy and
ensure that new digital innovation includes cybersecurity at the outset.
3. Risk focus: Understand broad trends and new regulations that will impact how cyber
risk governance needs to evolve. Implement a three-lines-of-defense (3LoD)
approach with clearly defined roles and responsibilities to manage cyber risk
effectively.
4. Intelligence and agility: Develop internal knowledge capabilities to use
contemporary insights and information to assess the greatest cybersecurity threats.
Deliver timely threat identification with a sharp focus on protecting the critical assets
of the organization.
5. Resilience and scalability: Be prepared to recover rapidly from a cyber breach
while holding your ecosystem to the same cybersecurity standards that you follow as
an organization.
CONCLUSION
The purpose of this research was to develop a cybersecurity culture framework and
evaluate its impact on Zimbabwean organisations. ‘Cyber Risk’ means any risk of financial
loss, disruption or damage to the reputation of an organization from some sort of failure
of its information technology systems. Cybersecurity consists of technologies, processes
and controls that are designed to protect systems, networks and data from cyber attacks.
Cyber security culture is defined as the beliefs, assumptions, attitudes, values, perceptions
and knowledge that people have pertaining to cyber security and how these manifest in
their interaction with ICTs (European Union Agency for Network and Information
Security, 2017). With no cybersecurity framework in place, dealing with cybersecurity
issues becomes problematic as there is no guidance and direction on how to prevent,
respond and reduce cybersecurity breaches and risk as well as improve personnel
awareness. A cybersecurity framework that will support a cybersecurity culture to
prevent cyber-attacks in Zimbabwe is therefore required under these circumstances. The
research question was “How can a cyber security culture framework be developed to
solve cybersecurity problems for grassroot users of cyberspace in Zimbabwe?” In that
regard, the contextual nature of the problem that this research sought to solve could only
be addressed from an Interpretivist position. A strong cyber security culture changes the
mindsets of people and their security behaviour (European Union Agency for Network
and Information Security, 2017) and will stand as a human firewall against threats
without coercion (Al Hogail, 2015). A cybersecurity framework that will support a
cybersecurity culture to prevent cyber-attacks in Zimbabwe is therefore required under
these circumstances. According to National Institute of Standards and Technology (2018),
the NIST Cybersecurity framework was crafted with the view of reducing cyber risk and
improving the security of critical infrastructure. A cybersecurity culture addresses major
economic, legal and social issues relating to cyber security so as to help societies to get
prepared to face challenges related to the use and misuse of ICT technologies
(International Telecommunication Union, 2009).
REFERENCES
1. ACS (2016): Cybersecurity: Opportunities, Threats and Challenges.
2. Akaraz C. and Zeadally S. (2015): Critical Infrastructure Protection: Requirements and Challenges for the
21st Century. Journal of Critical Infrastructure Protection (IJCIP), volume 8, Elsevier Science, pp. 53-66,
01/2015.