See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/328604773

Cyber Security Challenges in Organisations: A Case Study in Malaysia

Conference Paper · August 2018

DOI: 10.1109/ICCOINS.2018.8510569

CITATIONS READS

6 4,099

3 authors, including:

Chooi Shi Teoh Ahmad Kamil Mahmood

Universiti Teknologi PETRONAS Universiti Teknologi PETRONAS
4 PUBLICATIONS 75 CITATIONS 187 PUBLICATIONS 1,432 CITATIONS

SEE PROFILE SEE PROFILE

All content following this page was uploaded by Chooi Shi Teoh on 27 September 2021.

The user has requested enhancement of the downloaded file.

 Cyber Security Challenges in Organisations : A Case
Study in Malaysia
Chooi Shi Teoh
Department of Computer and Information Sciences
Universiti Teknologi Petronas
Malaysia
cteoh1@gmail.com
Dr Suhazimah Dzazali
Government Chief Information Officer
Malaysian Administrative Modernisation and Management Planning Unit (MAMPU)
Prime Minister Department Malaysia
suhazimah@mampu.gov.my
Abstract—This paper presents the challenges in cyber security
implementation at organisational level. This research is based on
a case study of the government sector in Malaysia deploying
qualitative approach using semi-structured interviews with a
number of key officers of the organization. The findings clustered
under three pillars of success namely People, Process and
Technology. Under the pillar of People, the challenges are lack of
skills, cyber security is everyone’s responsibilities and human
error, whilst under Process, challenges identified are lack of
implementation plan, wrongly placed human resource and lack of
budget. The challenge in Technology is that it moves too fast. The
findings are useful for the cyber security policy makers and
implementers.
Keywords—component; cyber security, organisational
challenges, people process technology, case study,
I.   INTRODUCTION
In 2017, WannaCry left organisations crippled and
helpless in a global scale. British National Health
Systems(NHS) hospital network had 50,000 systems attacked
by the ransomeware [1]. The WannaCry spread to over 150
countries, disrupting banks, railway, automotive industries,
courier, natural gas providers and various industries. This
followed by another wave of cyber attacks known as “Petya”
which began in Ukrainian organisations [2]. Both the
ransomewares attacks attacked various types and sizes of
organisations, demanding ransoms in Bitcoin in exchange for
decryption key. A South Korean web hosting company even
paid USD 1 million ransom to retrieve its system and recover
customers’ sites back online [1]. These cyber attacks costs
organisations time, money and reputation.
It is crucial than ever that organisations need to be secured
against cyber attacks. At organisational level, cyber security
1
AP Dr Ahmad Kamil Mahmood
Department of Computer and Information Sciences
Universiti Teknologi Petronas
Malaysia
kamilmh@utp.edu.my
efforts encompasses guidelines, frameworks and certifications
such as ISO 27001 and COBIT 5. The efforts at organisational
level are often marred by issues and inhibitors [3, 4]. Success
and problems in information systems are often reflected into
three main pillars of People, Process and Technology [5-7].
In this paper, we present the list of challenges in cyber
security at organisational level. The findings are based on a case
study conducted in MAMPU, the Government Sector lead in
Malaysia.
II.   METHODOLOGY
This research is based on case study approach on
Government Sector in Malaysia. A qualitative approach using
semi-structured interviews were conducted.
The research is done in Malaysian Administration
Modernisation and Management Planning Unit (MAMPU), a
department under Prime Minister’s Department. MAMPU is
the CNII Government Sector Lead in Malaysia. The key roles
of MAMPU are to lead in developing ICT of the public service
sector, to consult in management organisation and ICT for the
public service sector and to research in administrative
modernisation and management planning for the public sector.
In government sector, the cybersecurity impacts national
security, and potentially leads to social discontent and unrest,
especially loss of public confidence [8]. In Malaysia
government, the threats to the assurance of confidentiality,
integrity and availability of the information impacts public
trust, national sovereignty, national security and also public
service delivery [9].
Semi-structured interviews were conducted to gather
insights in the organisations. Given the nature of the research,
the researcher is adopting a qualitative methodology. One of the
key reasons for qualitative research to understand a
phenomenon where there is not much written about the
phenomenon. This research is in line with the definition of
qualitative approach by [10], where it is a process of
understanding a social or human problem, based on a complex,
holistic picture, formed by words, and reporting in natural
context. For this qualitative research, the researcher listened
and captured the essence from the qualitative participants and
build an understanding based on their ideas [10]. The researcher
become the primary research tool [10]. Thus, to prevent bias,
the researcher need to have firm grasp on the topic and not to
have preconceived judgement [10]. One has to be open to
contradictory evidence or negative evidence.
The data analysis was based on interviews, documents
and observations. In qualitative research, the research is
focused on the meaning, and understanding the context.
III.   CYBER SECURITY CHALLENGES
Figure 1: Cyber Security Challenges
There are seven challenges in implementing cyber security
in organisations. The three elements of People, Process and
Technology are the pillars for success in organisations.
Challenges are grouped according to the three pillars of People,
Process and Technology, as they form the foundation for the
organisations.
A.   People
The category associated with people involved in or affected by
cyber security in organisations. The first challenge relates to the
lack of skills in the employees while the second challenge is
lack of responsibilities by everyone in terms of cyber security
in organisation. Lastly, human is the weakest link in cyber
security/
2
1. Lack of skills - Knowledge and skills are highly important
in order to manage incidents. The human resources need to be
trained and also be exposed to utilise the hands-on skillset. This
will help in terms of understanding the latest trends in cyber
threats and also the solutions and mitigations available.
Training and certifications is an ongoing process to train and
update the human resources with the latest skills. In security,
knowledge and skills have to be constantly updated, as cyber
threats are ever evolving.
Some comments from the participants emphasised this issue:
“In 5 years? My view, in terms of threat.. People knowledge” –
Participant 6
“And we have 2-3 people to manage this GSOC from
Government side. Before we have strength to do pentest and
these people have skills. But now GSOC is outsourced” –
Participant 4
“I feel like Government sector in Malaysia, we don’t have
enough people with the hands-on skillset.”- Participant 1
“Like people, the basic concept is education, ongoing. Even
though have good people. Cannot stop there. Threat changes,
new areas coming, they have to be train & retrain.” –
Participant 13
“The challenge is that they don’t have enough experience and
the knowledge or the how to. Yes…. And they lack of training,
awareness on security, skills.”- Participant 5
2. Security is everyone’s responsibilities – Cyber security “Challenges…first thing is ignorance of end users” –
involves everyone and it impacts everyone in the Participant 5
interconnected world. For cyber security, every level, every
organisation needs to do their part to mitigate risks. Some roles
and responsibilities can be centralised and consolidated, some B.   Process
roles and responsibilities still depends on the end point and The category associated with process involved in cyber security
agencies to do the protection and mitigation. Cyber security is at organizational level. The first challenge refers to the lack of
everyone’s responsibilities, not just the IT or Security implementation plan details ready for execution. The second
department. For cybersecurity to be effective, the effort should challenge in process involves human resource with trained
be collective. At the moment, many employees are not aware, skills in cyber security being wrongly placed and relocated. The
lack of responsibilities and accountability in terms of cyber final challenge is the lack of budget allocated for cyber security
security in their organisations. in organisation.
Some comments from the participants emphasised this issue:
1. Lack of implementation plans - Many previous documents
and guidelines are plagued by implementation issues. The lack
“In my opinion, we had done many consolidations. For the
of commitment from users, no time line given, lack of
security like network for example, all network use 1GovNet. So
enforcements and limited resources are some of the issues
on the level of security, we have parameter, the fence, we have
identified. Many of the documentations are strategic and high-
consolidated. At MAMPU level, MAMPU will take care, at the
level ideas, with no clear ways to implement. This caused the
endpoint, each agency do itself…Each agency still has its
lack of support and motivation from the employees.
role.”- Participant 14
Some comments from the participants emphasised this issue:
“Centralised and each stakeholder plays its own role.”-
Participant 15
“To me, framework is just a framework. If you want to
implement it, it’s another story. You can have a lot of
“We have policy, support from top management. It’s very
framework, good framework. But if you don’t have good
important. Firstly, support from our KP. But it’s not only that,
strategy on implementation, it will not work.”- Participant 10
as security should not be focus on security team only, other
departments need to know too. By right, not only the security
“But need to have the implementation strategy. What you have,
people, the security project people who must know ISMS, other
what you need to be implemented or can be implemented.” –
projects too. If the data is leaked, it could be from any other
Participant 5
systems too.”- Participant 9
“Lack of implementation, Dasar is there. So, I think in terms of
3. Human Error - In cyber security, everyone needs to be
implementation need timeline, guideline’s timeline.” –
aware on the happenings and trends in security. With increased
Participant 4
awareness, we can create the culture of security in the
organisation. Even with the latest technology, human is the
“The policy is being done nicely. But implementation, there’s
biggest threat and the weakest link in security. The threats in
no action taken. “- Participant 8
cyber security in human includes social engineering, negligence
and carelessness.
2. Wrongly-placed Human Resource - Human resource in the
Government Sector is transferred, promoted and relocated into
Some comments from the participants emphasised this issue:
different job functions and to different ministries, after a few
years. This caused the trained skills to be placed in the wrong
“Like in smart city, apart from all the technical matters,
job function. It also takes time to build expertise and skill sets
whoever who manage the smart city, they have to strengthen the
in cyber security. Any transferred human resource in cyber
ethics, culture of the user inside. Otherwise the technology
security field will be void for a period of time. At times, the
inside can be misused”- Participant 13
interest does not match the job function and job requirements.
“I think that the most critical as u know in security, human is
Some comments from the participants emphasised this issue:
the weakest link. That’s the area we that we have not been able
to address enough/successfully.”- Participant 2
“That means, dedicated person with knowledge and skills are
not many. And those with the required skillsets are not placed
“Ethics, integrity… You as a government servant, you should
or in position to perform that tasks” – Participant 1
know, you cannot leak information.” Participant 12
“From what I see, Government always appoint wrong people
“Sometimes human … when they know they can’t keep the
for the post/task. And one more thing he doesn’t know that it is
secret. The weakest link is people.” – Participant 7
his task. Even though we told him it’s in your TOR but because

3
it is not his background, he doesn’t even know that it is one of
his task (lack of interest).”- Participant 4
“Yes, not enough resources. And one more people keep
changing, getting promoted. And to train for the skills we need
time. If we get new people, we need to teach new skills”-
Participant 11
“Of course. Relocation, obviously caused expertise gone,
lacking. We build expertise, then get transferred.”- Participant
15
“Yeah and the right people in the team. For example, for a
project, the governance need to have project team. You need to
have enough strength, if with only 3 people to do all, they will
miss a lot of things. The resources assigned are not enough. And
for security, you must assign the right resources.” – Participant
4 issue, criminal always benefit from new technology. They
3. Lack of Budget - Budget is an issue where investing in cyber
security is a part of the total ICT project cost. Budget in cyber
security is difficult to be justified, as the security gotten is not
visible. In cyber security, the tools and services are expensive.
Budget is a challenge in implementation of framework and
guidelines. Tools, human resource and trainings in cyber
security need extra funding.
Some comments from the participants emphasised this issue:
“For Government, that is the main challenge. Its budget. When
u want to increase your strength, security not cheap. Then we
need a lot of budget. Now with all the advance threats, normal
firewall won’t do… “- Participant 14
“Like DLP, now we have stop the project. About DLP, we have
the technology. And to keep up with the technology, we need to
have the budget, maintenance, people, management support,
then there is budget. So, if the budget got cut, how to continue?
“– Participant 4
“Yes, sometimes we look at the agency, say KKM. Under them
are many hospitals, under the hospitals many clinics, under the
clinics many in interior kampongs. Just imagine if they want to
buy anti-virus, yes, they can buy and distribute. But they want
to distribute to the interior, in terms of budget, one of the
limitations. Especially for the big agencies with many branches.
Like Health, and Education.”- Participant 6
“All this while when we do framework, we don’t talk about
budget, only about, process, data, and people. But actually,
budget is important.,. no money no talk.” – Participant 14
C.   Technology
The category associated with technology lists the challenge as
advancement and update in technology moves too quickly.
4
Technology too fast - In the field of cyber security, the
advancement in technology is rapid. With the growth of new
platforms of connectivity, cyber threats increase accordingly.
The numbers of offenders and attacks online are also increasing
exponentially. In MAMPU, for them to update on technology,
it depends on technology updates by vendors and trainings. The
attackers have more resources and time to update and
strengthen their skills and knowledge on latest technology.
Some comments from the participants emphasised this issue:
“Potential future problems? Maybe because of technology. It
will keep on changing and there will be more hackers. All
those information, means we need to increase awareness.” –
Participant 11
“That will be on technology. Cybersecurity is related to tech
change the tools, the tech, to fight them we also need to use
the up to date/current technology, in order to keep up with the
challenge.”- Participant 13
“The threats and vulnerabilities. The hacker tools to hack and
many more. From the last year to this year, there are many
changes already. They mature very fast. So I think in 5 years
there are many more. We need to update our knowledge all
the time.” – Participant 6
“Time and technology changes very fast, with the condition
that our people changes fast too. With new threats we always
have to do strengthening. IOT is not a threat, it’s a good thing.
But many weaknesses in technology for us to handle.” –
Participant 7
“Let’s say you implement on IT, these information technology,
you cannot stop changes. Changes in terms of requirements,
changes from the tools to be used. It will change. That’s where
the challenges are, that I can see...” – Participant 10
IV.   CONCLUSION
There is pressing need for organisatons to be cyber secured.
With higher connectivity and dependencies on cyber space,
organsations are more vulnerable to cyber threats. The efforts
and initiatives in cyber security are often marred with challenges
in the organisations. The triangle of People, Process and
Technology are the pillars for success in organisations. Using
qualitative approach, the challenges are clustered into People,
Process and Technology accordingly. Under People, the
challenges are lack of skills, cyber security is everyone’s
responsibilities and human error. In Process, challenges
identified are lack of implementation plan, wrongly placed
human resource and lack of budget. The challenge in
Technology is technology is moving too fast. In order to increase
the level of cyber security in organisations, these are the initial
challenges which need to be resolved.
 ACKNOWLEDGMENT
This work was supported by International Information
Systems Security Certification Consortium Inc (ISC)2 under the
Graduate Scholarship.
REFERENCES
[1]   Scaife, N., P. Traynor, and K. Butler, Making sense of the ransomware
mess (and planning a sensible path forward). IEEE Potentials, 2017.
36(6).
[2]   Solon, O. and A. Hern, 'Petya' ransomware attack: what is it and how can
it be stopped?, in The Guardian. 2017.
[3]   Smith, S. and R. Jamieson, Determining Key Factors in E-Government
Information System Security. Information Systems Management, 2006.
23(2): p. 23-32.
[4]   Smith, S., et al., Circuits of Power: A Study of Mandated Compliance to
an Information Systems Security De Jure Standard in A Government
Organisation. MIS Quarterly, 2010. 34(3): p. 463-486.
View publication stats
[5]   Boughzala, I. and G.-J. de Vreede, Evaluating Team Collaboration
Quality: The Development and Field Application of a Collaboration
Maturity Model. Journal of Management Information Systems, 2015.
32(3): p. 129-157.
[6]   Prodan, M., A. Prodan, and A.A. Purcarea, Three New Dimensions to
People, Proces, Technology Improvement Model. Advances in Intelligent
Systems and Computing, 2015. 353.
[7]   Soja, E. and P. Soja, Exploring Root Problems in Enterprise System
Adoption From an Employee Age Perspective: A People-Process-
Technology Framework. Information Systems Management, 2017. 34(4):
p. 333-346.
[8]   Choo, K.-K.R., The cyber threat landscape: Challenges and future
research direction. Computer & Security, 2011. 30: p. 719-731.
[9]   Dzazali, S., A. Sulaiman, and A.H. Zolait, Information security landscape
and maturity level: Case study of Malaysian Public Service (MPS)
organizations. Government Information Quarterly, 2009. 26(4): p. 584-
593.
[10]   Creswell, J.W., Research Design : Qualitative, quantiative and mixed
methods approaches. 2009, Sage Publications: United States of America.