Conference Paper · November 2021
DOI: 10.1109/ICT4DA53266.2021.9672221
Source: https://www.researchgate.net/publication/357889897

Maturity of information systems security in selected private Banks in Ethiopia

Tadele Shimels
School of Information Science, Addis Ababa University, Addis Ababa, Ethiopia
metikesht21@gmail.com

Lemma Lessa
School of Information Science, Addis Ababa University, Addis Ababa, Ethiopia
lemma.lessa@aau.edu.et

2021 International Conference on Information and Communication Technology for Development for Africa (ICT4DA) | 978-1-6654-3666-3/21/$31.00 ©2021 IEEE | DOI: 10.1109/ICT4DA53266.2021.9672221

Abstract — Information system security is more critical than ever because security threats are growing rapidly and the environment requires organizations to adapt continuously to change. Before putting information systems security measures in place, organizations need to determine the maturity level of their information security governance. The extant literature reveals no recent study of the information systems security maturity level of banks in Ethiopia. This study therefore measures the existing maturity level and examines the security gaps in order to propose changes to the Ethiopian private banking industry's information system security maturity indicators. Four private banks are selected as a representative sample. The SSE-CMM (Systems Security Engineering Capability Maturity Model) is used as the maturity measurement criterion, and the measurement is based on the ISO/IEC 27001 information security control areas. Data were gathered with a questionnaire: 93 valid questionnaires were returned by 110 participants. Against the SSE-CMM assessment criteria, the private banking industry's current maturity level is level 2 (repeatable but intuitive): institutions follow a repeated pattern when carrying out information security operations, but that pattern is not formally documented, and inconsistency between institutions remains. Recommendations are forwarded for management intervention to address the identified gaps.

Keywords — Information Systems Security, Information Systems threat, Information Systems Security maturity, Maturity level, Maturity Model.

I. INTRODUCTION
ICT (Information and Communication Technology) has become a major driving force for economic growth and development; technological change and innovation open up opportunities to increase social welfare and benefit societies. Financial organizations are becoming increasingly reliant on technology because of the dynamics of today's competitive finance sector [1]. Extensive use of ICT helps the financial sector meet client needs in a variety of ways, so banks increasingly implement technology solutions such as core banking, mobile banking, internet banking, cheque clearance, and foreign remittance.

Although these rapidly evolving technologies benefit financial institutions, they also pose a risk if the companies fail to protect their information assets from cyber-attacks [2]. This is mostly due to attackers' ongoing development of malicious programs or electrical signals that change, interrupt, degrade, or destroy all or part of a distributed network system [3]. Maintaining information system security is therefore one of the most difficult issues facing financial institutions.

A number of studies have been undertaken to better understand the problems and prospects of information technology adoption. Developed countries have made significant productivity gains from IT, whereas developing ones have not, despite the fact that developing nations are increasingly investing in it [4].

II. PROBLEM STATEMENT
Different security maturity measures are applied to security systems to attain a certain level of information security maturity. According to [5], the information security level is affected by four domains: organizational governance, information security culture, the architecture of the system, and service management. Numerous security breaches are caused by the users of technology and by human behaviour rather than by faults in the technology itself.

More secure information sharing in an organization is considered a good approach to increasing the organization's effectiveness, efficiency, performance and decision-making capability [6]. However, because the nature of information sharing is dynamic and changes over time, potential threats must be studied and analysed on a regular basis in order to preserve information system security maturity.

According to [8], measuring information systems security with consistent metrics improves the ability to understand and control it. Measuring the maturity level of information systems security allows an organization to regulate and protect against the threats it faces, and to improve its information security handling mechanisms. The 2017 annual cybercrime study reported that the number of cyber-attacks rises every year by 27%, from an average of 102 to 130 [18]. Ransomware attacks doubled, and incidents such as WannaCry and Petya affected thousands of targets and disrupted public services, financial institutions and large companies across the world [18]. Based on the reported figures, the high rate of increase in information systems security threats urges organizations to re-examine their information systems security maturity periodically.

According to [7], information security maturity is a critical priority for developing countries, but it is not well addressed. The Ethiopian banking sector's information security maturity is below the expected standard and its information security is insufficient [19]. Addressing the information security agenda therefore has to take higher priority.

According to [20], many security breaches are caused not by faults in the technology implemented but by its users and by human behaviour. Thus, many factors contribute to failure in information security.

Recent research on the information security of the financial sector in Ethiopia revealed that information security protection and governance culture are unsatisfactory [20]. Further local investigations have evaluated the insider threat in the Ethiopian banking sector, cybercrime governance, and policy towards implementing information security. Although this information security research was undertaken, its goal was not to assess the state of information security maturity.

More recent studies [19], [7] have attempted to address the security maturity level of Ethiopian public universities and of hospitals in Addis Ababa. They noted a lack of research on information security maturity levels and suggested that more research be done on a regular basis in different areas. This study therefore attempts to fill the research gap by identifying the information security maturity level of Ethiopian private banks and proposing potential solutions to help close the gap.

III. RESEARCH APPROACH
The data for measuring the private banking industry's information system security maturity level were collected using a quantitative research approach and analysed with descriptive statistics: frequencies, percentages, averages, and other statistical analyses used to assess the maturity level of information system security for the sampled private banks.

Descriptive statistics are used to describe a population, situation, or phenomenon [10]. Unlike other research designs, descriptive research design uses a wide variety of research methods to investigate variables; the researcher does not control or manipulate any of the variables, but can observe them, investigate them through different techniques, and measure them. When the goal of the research is to discover characteristics, frequencies, trends, and classifications, a descriptive research design is more suitable [10]. Descriptive research is used to gather information on the current state of a situation and to characterize what exists in terms of variables or conditions in a particular study area.

IV. ANALYSIS OF INFORMATION SECURITY MATURITY MODELS
Maturity models have been used extensively as a means of organizational development or measurement in the area of information security. Any framework for performance analysis and efficiency improvement can serve as the basis, and if it incorporates methods for quality assurance it is referred to as a maturity model [5]. The most common information security maturity models are taken from the literature and summarized below.

The National Institute of Standards and Technology (NIST) has released a framework that helps companies in critical infrastructures to minimize information security risk. It defines five security functions for institutions: data and asset identification, protection, detection, response, and recovery [11]. The NIST framework establishes rules for the activities of US enterprises. The model has five levels, namely: policies, procedures, implementation, testing, and integration. In addition, the model is driven by nine key areas that are divided into strategic and technical aspects. According to [12], a higher level of maturity can only be attained if the previous maturity level has been attained. Further, the model is oriented to the evaluation and documentation of IT systems and does not go into enough detail about non-technical security services.

ISM3 stands for Information Security Management Maturity Model; it classifies an organization's information security capability into the levels unavailable, ad hoc, repeatable, defined, managed, and optimized [11]. Each maturity level is defined by describing the security controls, techniques, and technologies needed to protect the organization.

Various information security standards are used around the world, the most widely applied including COBIT, ITIL, DNB, PCI DSS and BS7799. Among them, ISO 27001:2013 gives the most inclusive and widely accepted information security standard across countries and organizations. This research adopts the ISO 27001:2013 information security standard, whose management practices for the selection, implementation and monitoring of controls allow an organization to protect its information system and related assets from security risks.

The Systems Security Engineering Capability Maturity Model (SSE-CMM) was created to advance security engineering, since information security concerns the protection of data against a variety of threats in order to ensure business continuity, minimize risk, and maximize profitability and economic opportunity. The SSE-CMM method assigns each process area an assessment score between 0 and 5. The capability maturity levels that represent increasing process maturity are:

• Level 0 indicates that not all base practices are performed.
• Level 1 indicates that all base practices are performed, but informally: there is no documentation, no standards, and the work is done separately.
• Level 2 (planned and tracked) indicates commitment to planning process standards.
• Level 3 (well defined) means a standard process is run in accordance with its definition.
• Level 4 (quantitatively controlled) means quality is improved through monitoring of every process.
• Level 5 (continuously improving) indicates that the standard has been perfected and the focus is on adapting to change.

Levels of maturity for information security management and control therefore range from level 0 (none) to level 5 (optimized), based on the organization's assessment framework. The maturity model is used to identify whether a problem exists and how to prioritize improvements.

This research is primarily based on the ISO 27001:2013 standard and the SSE-CMM maturity level assessment model, because ISO itself provides no assessment tool [14]. The research mainly employs ISO 27001:2013 to define the variables, that is, the information security assessment areas.

Measuring the security maturity level of information systems with standardized metrics increases the ability to recognize and manage information security. As a result, organizations must regularly assess their information system security maturity level in order to safeguard data from various security risks. This research was carried out to address some of the issues raised in the survey.

TABLE I. MATURITY LEVEL CRITERIA ASSESSMENT INDEX. SOURCE: KURNIAWAN AND RIADI (2018).

Range        Level                  Description
0 - 0.50     Non-Existent           The company does not care about the importance of information security.
0.51 - 1.50  Initial                The company reactively performs the application and implementation of information security, without prior planning.
1.51 - 2.50  Repeatable/Intuitive   The company has a pattern that is repeatedly performed in conducting security governance activities, but its existence has not been well defined.
2.51 - 3.50  Defined                The company has formal, written standard procedures that have been communicated to employees to be obeyed and followed in daily activities.
3.51 - 4.50  Managed                The company has a number of indicators or quantitative measures that serve as objective performance measures of every application.
4.51 - 5.00  Optimized              The company has implemented information technology governance that follows "best practice".

TABLE II. DOMAINS, OBJECTIVES AND NUMBER OF CONTROLS IN ANNEX A OF ISO 27001:2013 / ISO/IEC 27002 [16]. SOURCE: [17]

Annex  Domain of ISO 27001:2013                                         Objectives  Controls
A.5    Information security policies                                     1           2
A.6    Organization of information security                              2           7
A.7    Human resource security                                           3           6
A.8    Asset management                                                  3          10
A.9    Access control                                                    4          14
A.10   Cryptography                                                      1           2
A.11   Physical and environmental security                               1          15
A.12   Operational security                                              7          14
A.13   Communication security                                            2           7
A.14   System acquisition, development and maintenance                   3          13
A.15   Supplier relationships                                            2           5
A.16   Information security incident management                          1           7
A.17   Information security aspects of business continuity management    2           4
A.18   Compliance                                                        2           8
       Total                                                            34         114

V. CASE SELECTION AND STUDY PARTICIPANTS
A sample is a part of the objects taken from a population that is considered representative of that population. For this study, the researcher employed stratified probability sampling to select four banks from the 17 private banks listed on the National Bank of Ethiopia website. The banks were grouped into four strata based on their profit in the 2019/2020 fiscal year, because as the number of customers and financial success grow, a bank becomes more exposed to security concerns and a prime target for attackers. One bank was selected from each stratum.

Research participants are essential for collecting data from the sample that will help answer the study's questions. Study members were chosen for their direct connection to information system security and for sufficient, relevant professional skills in the sector. Employees of the information security division serve as the study's sampling frame, and a simple random sampling method was used to distribute the questionnaire to respondents.

VI. SAMPLING DESIGN AND TECHNIQUE
A sampling design that represents the theoretical population is necessary in order to conduct a quantitative study and obtain participants' responses to the questionnaire survey. Because the private banking sector is wide and covers the whole country, while its information systems are managed centrally, participants for this survey are personnel of the information security division and the management information system department at the headquarters of each sampled private bank. For each of the chosen banks, the total population of employees working in information systems and information security is fewer than 30 staff on average. This study takes 110 participants from a total of around 120 information security experts and related personnel.

The four private banks selected by stratified probability sampling are labelled Bank A, Bank B, Bank C, and Bank D in order of highest to lowest profit. Within each bank, the 110 questionnaires were distributed to respondents by simple random sampling, in the ratio of 30 questionnaires to Bank A, 30 to Bank B, 25 to Bank C and 25 to Bank D.

VII. ANALYTIC TOOLS AND TECHNIQUES
The analytical tools used in this study were questionnaires to collect primary data from the information system security target group of each sampled private bank, and document analysis and literature review to obtain secondary data on the study area.

The questionnaire was developed to assess the existing security objectives using the 14 security areas of ISO/IEC 27001, which helps determine the level of information security maturity of the private banks. It is the primary data collection method and is derived from [13] and [7]. It consists of two parts: general personal information, and the current state of information systems security.

To measure the quality of the research, both reliability and validity were applied. Reliability measures the consistency of the survey, whereas validity measures the degree to which a scale or set of measures accurately represents the construct [21]. In this research, the following strategies were adopted to increase validity and reliability. Multiple methods (questionnaire, document analysis and literature review) were used to collect the data, which permits the researcher to cross-check actual working procedures. The questionnaires were adapted from ISO/IEC 27001:2013 and modified to the requirements of this research. Moreover, a pilot test was made by distributing the questionnaires to some IT and Network Security department managers, and modifications were made based on their feedback.

The information acquired through the primary data collection technique was assessed against the ISO/IEC 27001:2013 information security management control objectives, and the SSE-CMM was used to assess the maturity level. The main reason for using these tools is that ISO does not have its own security maturity measuring technique [15].

SSE-CMM identifies and targets the critical aspects of the information security engineering process that must exist in order to achieve a high level of information security maturity. It has two parts: the process category defines the security engineering processes that must be completed, and the maturity levels are designed to advance security engineering as a defined, mature, and measurable discipline.

The ISO/IEC 27001 information security control objectives are coupled with the SSE-CMM in this study and used as a combined information system security maturity assessment technique. The main reason for linking this model and assessment tool is that they were designed with the similar goal of information security management (ISM).

VIII. DATA ANALYSIS AND PRESENTATION
The questionnaire was developed as an online Google Form and distributed to respondents through email and Skype. Of the 110 questionnaires, 93 were completed and returned, a return rate of 84.5%, and all 93 are used in this analysis. The data were checked for missing or inconsistent answers. After validation of the questionnaires, the collected data were analysed using SPSS version 25 to investigate the results and make recommendations based on the findings.

Fig. 1. Maturity level score per bank (Bank A 2.50, Bank B 2.48, Bank C 2.39, Bank D 2.43; banks ordered from highest to lowest profit).

The maturity index is the outcome of determining the level of information security maturity on a scale ranging from 0 to 5. Because information security is tied to institutional confidentiality, the names of the sampled banks are not divulged in this study; the data obtained from the several private banks are pooled and analysed together. The mean value of the information security controls across the sampled four banks is 2.45, while the highest expected information security maturity level is 5 (Optimized). From this we can deduce that the private banking institutions' maturity level lies on the second level, i.e., repeatable but intuitive.

TABLE III. MATURITY LEVEL SUMMARY FOR EACH CONTROL OBJECTIVE

Clause  Control objective                                               Index  Level
5       Organization of information security                            2.47   2
6       Human resource security                                         2.45   2
7       Asset management                                                2.34   2
8       Information security policy                                     2.41   2
9       Access control                                                  2.57   3
10      Cryptography                                                    2.19   2
11      Physical and environmental security                             2.73   3
12      Operational security                                            2.48   2
13      Communication security                                          2.37   2
14      System acquisition, development and maintenance                 2.45   2
15      Supplier relationships                                          2.57   3
16      Compliance                                                      2.59   3
17      Information security incident management                        2.32   2
18      Information security aspects of business continuity management  2.29   2
        Average                                                         2.45   2

As can be seen from the table, for A.9 (Access control), A.11 (Physical and environmental security), A.15 (Supplier relationships) and A.16 (Compliance) the average score reaches maturity level 3 (Defined), while for the remaining control objectives the mean value indicates level 2 (Repeatable but intuitive). This follows the SSE-CMM criteria, which classify a score in the range 1.51 to 2.50 as 'Repeatable but intuitive' and a score in the range 2.51 to 3.50 as 'Defined'. Fig. 2 depicts the maturity level of information security for the private banks in each of the fourteen areas derived from ISO 27001:2013. The assessment scale shows that the organizations score less than three in all information security maturity metrics, as seen in Fig. 1.

The level of information system security maturity among the sampled private banks is also examined. Bank A, Bank B, Bank C and Bank D are ordered from highest to lowest profit. As can be seen in Fig. 1, the average maturity level of the highest-profit bank, Bank A, is 2.50; of the second, Bank B, 2.48; of the third, Bank C, 2.39; and of the final bank, Bank D, 2.43.

The quantitatively collected data thus show that Bank A, Bank B, Bank C and Bank D are all on maturity level 2: if the maturity metric lies between 1.51 and 2.50, the maturity level is two, Repeatable but Intuitive, according to the SSE-CMM maturity level assessment criteria. For all information security areas, the maturity level has been categorized by the ranges of the SSE-CMM maturity level assessment criteria stated above in Table I.
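The scoring procedure the paper applies in Sections VIII and IX (a per-area index from the 0-5 questionnaire answers, the Table I bands that turn an index into an SSE-CMM level, the mean index across the 14 areas, and the distance to the expected level 5) is reproduced below as an added example in Python. It is not code from the paper or its authors. The Table III indexes are copied from the paper and the band thresholds are those of Table I; the assumption that an area's index is the plain arithmetic mean of its 0-5 answers is ours, since the paper describes the computation only in words. Running it recovers the paper's figures: a mean index of 2.445 (level 2), a gap of 2.555 to level 5, i.e. 51.1%, four areas at level 3, and cryptography, business continuity and incident management as the three weakest areas.

```python
"""Added example: SSE-CMM index-to-level mapping and gap analysis as used in the paper.

Each ISO/IEC 27001:2013 Annex A area gets an index in [0, 5]; Table I
(Kurniawan and Riadi, 2018) maps the index to an SSE-CMM level; Section IX
measures every area against the expected level 5 (Optimized).
"""
from statistics import mean

# Table I: (upper bound of the range, SSE-CMM level, label). Ranges are inclusive
# at the upper bound, so an index of exactly 2.50 is still level 2.
MATURITY_BANDS = (
    (0.50, 0, "Non-Existent"),
    (1.50, 1, "Initial"),
    (2.50, 2, "Repeatable/Intuitive"),
    (3.50, 3, "Defined"),
    (4.50, 4, "Managed"),
    (5.00, 5, "Optimized"),
)
TARGET_LEVEL = 5.0  # the "expected" maturity level of the paper's gap analysis

# Table III of the paper: mean index per control area over the four sampled banks.
TABLE_III = {
    "A.5 Organization of information security": 2.47,
    "A.6 Human resource security": 2.45,
    "A.7 Asset management": 2.34,
    "A.8 Information security policy": 2.41,
    "A.9 Access control": 2.57,
    "A.10 Cryptography": 2.19,
    "A.11 Physical and environmental security": 2.73,
    "A.12 Operational security": 2.48,
    "A.13 Communication security": 2.37,
    "A.14 System acquisition, development and maintenance": 2.45,
    "A.15 Supplier relationships": 2.57,
    "A.16 Compliance": 2.59,
    "A.17 Information security incident management": 2.32,
    "A.18 Information security aspects of business continuity management": 2.29,
}


def area_index(responses):
    """Index of one control area: the mean of its 0-5 questionnaire answers.

    Assumption (not stated numerically in the paper): a plain arithmetic mean.
    Out-of-range or empty input is rejected rather than silently averaged, so a
    blank or mis-keyed answer sheet cannot move an area's score.
    """
    if not responses:
        raise ValueError("no responses for this area")
    for r in responses:
        if not (isinstance(r, (int, float)) and 0 <= r <= 5):
            raise ValueError(f"response {r!r} is outside the 0-5 scale")
    return mean(responses)


def maturity_level(index):
    """Map an index in [0, 5] to (level, label) using the Table I bands."""
    if not 0.0 <= index <= 5.0:
        raise ValueError(f"index {index} is outside [0, 5]")
    for upper, level, label in MATURITY_BANDS:
        if index <= upper + 1e-9:  # tolerate float noise from averaging
            return level, label
    raise AssertionError("unreachable: 5.0 is covered by the last band")


def gap_analysis(indexes, target=TARGET_LEVEL):
    """Per-area and overall distance to the target level (Section IX).

    The overall gap is the mean of the per-area differences, which equals
    target minus the mean index; gap_percent expresses it relative to target.
    """
    per_area = {area: round(target - idx, 2) for area, idx in indexes.items()}
    overall_index = mean(indexes.values())
    overall_gap = target - overall_index
    return {
        "per_area_gap": per_area,
        "overall_index": overall_index,
        "overall_level": maturity_level(overall_index),
        "overall_gap": overall_gap,
        "gap_percent": 100.0 * overall_gap / target,
    }


def areas_at_level(indexes, level):
    """Control areas whose index maps to the given SSE-CMM level."""
    return [a for a, idx in indexes.items() if maturity_level(idx)[0] == level]


def weakest_areas(indexes, n=3):
    """The n lowest-scoring areas, i.e. where remediation effort goes first."""
    return sorted(indexes, key=indexes.get)[:n]


if __name__ == "__main__":
    result = gap_analysis(TABLE_III)
    for area, idx in TABLE_III.items():
        lvl, label = maturity_level(idx)
        print(f"{area:<70} {idx:.2f}  level {lvl} ({label})")
    print(f"mean index {result['overall_index']:.3f} -> level {result['overall_level'][0]}, "
          f"gap {result['overall_gap']:.2f} ({result['gap_percent']:.1f}%)")
    print("level 3 areas:", areas_at_level(TABLE_III, 3))
    print("weakest areas:", weakest_areas(TABLE_III))
```

The band lookup is inclusive at the upper bound, which is why Bank A's score of exactly 2.50 in Fig. 1 is still level 2 and not level 3; a practitioner re-scoring a later survey should keep that convention, otherwise a bank can appear to gain a level on rounding alone.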

CMM maturity level assessment criteria which is stated above  Professional and certified information security
on the table I. specialists are in short supply.
IX. MATURITY LEVEL GAP ANALYSIS  For server environments that are in the same
location, disaster recovery is not adequately planned.
The expected maturity level for the System Security
Engineering Capability Maturity Model (SSECMM) used to  Inadequately updating and reviewing security
calculate the level of information security maturity is 5, which guidelines for information systems on a regular
is optimized. First, the value difference for each clause is basis.
calculated, and this is the maturity level distance. The total  There is no distinction or separation between the
value of the overall difference is calculated by adding all information security strategy and the IT governance
values and dividing them by the number of control objectives. system.
The magnitude of the difference between actual security
 There are no industry norms or best practices on a
working conditions and expected security conditions is 2.55,
financial system governor.
with a 51.1 % disparity in overall information security
 Employees are unaware of the security requirements
maturity.
for information systems.
 Information is needed to bridge the gap between
Index departments and to improve the detection of new
emerging risks.
3  Budget and manpower allocations are inadequate.
2.5
Maturity Levels

XI. RECOMMENDATIONS
2
1.5
There must be a well-organized and skilled incident
management response team, and this team must practice daily
1 to obtain experience. Focus solely on difficult areas such as
0.5 response time, user report process, and knowledge gap. All IT
0 staff managers, Incident management team members, and
A.5
A.6
A.7
A.8
A.9
A.10
A.11
A.12
A.13
A.14
A.15
A.16
A.17
A.18

other company employees with essential positions must


participate in the emergency preparedness practice.
Fig. 2. Maturity level score per each security area We recommend that Bank X execute the following system
security standards specified for each level to have regular
From among 14 security areas three control objectives are improvement and monitoring:
scored level 3 (defined) have been met: A.9 Access Control,
A.11 Physical and environmental protection, and A.15 Banks should undertake the following to reach level 3 from
Supplier Relationships. While the vast majority of security their current maturity level of 2:
control areas are at level 2, (Repeatable but Intuitive). In  Banks should be required to create a security standard
general, the private banking industry has not achieved level 4 methodology and follow it.
(Managed) or level 5 qualification (Optimized). The aggregate
outcome of the study to determine the mean value of  When both internal and external security-related
information security controls in Ethiopian private banks in incidents are noticed and tracked, coordinate practices
comparison to the sampled four banks is 2.44, and the last to resolve the issue.
expected information security maturity level is 5.  Organize security awareness, education, and training
(Optimized). Based on this illustration, we may deduce that a programs.
private banking institution's maturity level is on the second
level i.e., repeatable but intuitive.  Control and manage security services and mechanisms.

X. FINDINGS OF THE RESEARCH  Changes in the operational security posture should be


tracked and dealt with in accordance with security
The information security areas like: Access control, goals.
physical and environmental protection, supplier relationships,
and compliance are all information security measures that are  Implement, monitor, and update information security
rated at the highest maturity level, which is level 3 of maturity standards on a regular basis.
(Define) procedure. This research also aimed to evaluate the Banks should do the following to reach level 4 from their
security control objectives with the lowest maturity levels, current maturity level of 3:
which were shown to be extremely weak, those are:
cryptography, information security incident management, and  They should be required to set measurable information
information security aspects of business continuity security targets and manage threat protection
management. These security control zones, on the other hand, performance objectively.
need to be improved. The following are difficulties of  The job activities and processes clearly show that the
information system security maturity management found in customer's security requirements were met.
these private bank studies:
 Implement proper physical security controls to
 The information security manual lacks standardized guarantee that all facilities housing key systems /
risk analysis and security guidelines. equipment, as well as physical areas.
 There are no systems in place to track the level of
information security maturity.

188
Authorized licensed use limited to: IEEE Staff. Downloaded on February 10,2022 at 16:59:55 UTC from IEEE Xplore. Restrictions apply.
Banks should undertake the following to reach level 5 from their current maturity level of 4:
• Increasing organizational capability in terms of process efficiency by gathering, synthesizing, and monitoring vulnerabilities and their attributes using a threat risk analysis method.
• To the extent essential to accomplish their roles, all members of the project team are aware of and involved with security engineering efforts.
• Implement and administer a centralized system for detecting, removing, and protecting against harmful code in all forms.
• Banks should focus their improvement efforts on the required commitment at all levels in order to achieve all incremental maturity levels.

XII. CONCLUSION AND FUTURE WORKS
The goal of this study was to measure the current level of information system security maturity in private banks in Addis Ababa, Ethiopia, and to review the maturity results to make recommendations for potential improvements. Attempts were made in this analysis to review and compare the available international standards and guidelines and to use them as a reference against current practice, in order to evaluate information system security maturity management at the sampled four private banks. Thus, quantitative data collection and analysis were used.

According to the Systems Security Engineering Capability Maturity Model, which is an extensive systematic review system for evaluating the framework that has already been fulfilled and the maturity that has been acquired, the outcome of the security questionnaire analysis was an estimated value of 2.4 for all of the ISO 27001 controls.

Failure to conduct regular risk analysis and maturity level measurements exposes IT systems to various attacks caused by emerging technology and incidents. Software suppliers and device providers in the banking industry are not adequately tested for possible risks. As per the survey results, private banks do not have their systems evaluated by third parties that have the appropriate resources and experience for risk assessment, nor do they perform comprehensive risk assessments on their own.

To have regular information systems security maturity enhancement and to have the capability to protect the institution's information system from threats arising from technological advancement, we believe that conducting more detailed research will benefit financial institutions. The following are the researchers' recommendations for future work:
• This research considered a limited number of private banks; if future studies can be done in all of the private banks, the results of this study can be reinforced, which may provide additional insights.
• Assessing the security maturity level of an information system is not a one-time job. As a result, the maturity level should be evaluated over time and the results compared.
• Construct a framework that allows the financial sector to self-assess their information system security maturity level.
• Academic institutions' prospects and obstacles in reducing the scarcity of highly trained information security professionals.
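The future-work items above ask for a way to evaluate maturity level over time and compare the results, and for a framework that lets an institution self-assess. The following is an added example of the core of such a tracker; it is not the paper's survey instrument nor any bank's system. It scores each control on the six-level (0 to 5) capability scale used by SSE-CMM-style models, rolls the scores up per ISO 27001 control domain and overall, lists the gap to a target level, and compares two assessments taken at different times. The control identifiers are Annex A numbers from ISO/IEC 27001:2013; every score, and the two assessment snapshots, are constructed sample data.

```python
"""Information security maturity self-assessment tracker.

Added example, not code from the paper or the banks it studied. Scores are
constructed sample data on the 0-5 capability scale; control ids are
ISO/IEC 27001:2013 Annex A identifiers.
"""
from __future__ import annotations

from typing import Dict, List, Tuple

Assessment = Dict[str, Dict[str, int]]  # {domain: {control_id: score}}

# SSE-CMM capability level names for the 0-5 scale.
CAPABILITY_LEVELS = {
    0: "Not performed",
    1: "Performed informally",
    2: "Planned and tracked",
    3: "Well defined",
    4: "Quantitatively controlled",
    5: "Continuously improving",
}


def validate(assessment: Assessment) -> None:
    """Reject empty domains and scores outside the 0-5 scale."""
    for domain, controls in assessment.items():
        if not controls:
            raise ValueError(f"domain {domain!r} has no scored controls")
        for control_id, score in controls.items():
            if not isinstance(score, int) or not 0 <= score <= 5:
                raise ValueError(f"{domain}/{control_id}: score {score!r} not in 0..5")


def _raw_domain_means(assessment: Assessment) -> Dict[str, float]:
    validate(assessment)
    return {d: sum(c.values()) / len(c) for d, c in assessment.items()}


def domain_scores(assessment: Assessment) -> Dict[str, float]:
    """Mean control score per domain, rounded for reporting."""
    return {d: round(m, 2) for d, m in _raw_domain_means(assessment).items()}


def domain_levels(assessment: Assessment) -> Dict[str, int]:
    """Capability level per domain. Design choice of this example: a domain is
    credited only with the level its weakest control has reached, so one
    neglected control caps the whole domain."""
    validate(assessment)
    return {d: min(c.values()) for d, c in assessment.items()}


def overall_score(assessment: Assessment) -> float:
    """Overall maturity: mean of the raw domain means, each domain weighted equally."""
    means = _raw_domain_means(assessment)
    return round(sum(means.values()) / len(means), 2)


def gaps_to_target(assessment: Assessment, target: int = 5) -> List[Tuple[str, str, int, int]]:
    """Controls below the target as (domain, control, score, gap), largest gap first."""
    validate(assessment)
    gaps = [(d, cid, s, target - s)
            for d, c in assessment.items() for cid, s in c.items() if s < target]
    return sorted(gaps, key=lambda g: (-g[3], g[0], g[1]))


def compare(baseline: Assessment, followup: Assessment) -> Dict[str, Dict[str, float]]:
    """Per-domain change between two assessments; a negative delta is a regression."""
    before, after = domain_scores(baseline), domain_scores(followup)
    if before.keys() != after.keys():
        raise ValueError("assessments must cover the same domains to be comparable")
    return {d: {"before": before[d], "after": after[d],
                "delta": round(after[d] - before[d], 2)} for d in before}


def regressions(baseline: Assessment, followup: Assessment) -> List[str]:
    """Domains whose mean score fell between the two assessments."""
    return [d for d, r in compare(baseline, followup).items() if r["delta"] < 0]


# Constructed sample snapshots (not survey data): a first assessment and a
# follow-up one year later for the same four Annex A domains.
BASELINE: Assessment = {
    "A.5 Information security policies": {"A.5.1.1": 3, "A.5.1.2": 2},
    "A.9 Access control": {"A.9.1.1": 4, "A.9.2.3": 3, "A.9.4.2": 2},
    "A.11 Physical and environmental security": {"A.11.1.1": 2, "A.11.1.2": 1},
    "A.12 Operations security": {"A.12.2.1": 3, "A.12.6.1": 2},
}
FOLLOWUP: Assessment = {
    "A.5 Information security policies": {"A.5.1.1": 3, "A.5.1.2": 2},
    "A.9 Access control": {"A.9.1.1": 4, "A.9.2.3": 3, "A.9.4.2": 1},  # regressed
    "A.11 Physical and environmental security": {"A.11.1.1": 2, "A.11.1.2": 3},
    "A.12 Operations security": {"A.12.2.1": 4, "A.12.6.1": 2},
}

if __name__ == "__main__":
    for name, snap in (("baseline", BASELINE), ("follow-up", FOLLOWUP)):
        print(f"{name}: overall {overall_score(snap)}")
        for d, lvl in domain_levels(snap).items():
            print(f"  {d}: mean {domain_scores(snap)[d]}, level {lvl} ({CAPABILITY_LEVELS[lvl]})")
    for d, cid, score, gap in gaps_to_target(BASELINE, target=4):
        print(f"gap to level 4: {d} / {cid} scored {score} (gap {gap})")
    print("regressed domains:", regressions(BASELINE, FOLLOWUP))
```

Reporting both the mean and the weakest-control level per domain is deliberate: the mean is what a questionnaire average such as the one in this study produces, while the minimum makes a single neglected control (here physical entry controls in the baseline) visible instead of being averaged away.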
