Cyber Security Practices and Challenges at Selected Critical Infrastructures in Ethiopia: Towards Tailoring Cyber Security Framework
No Thumbnail Available
Date
2018-06-02
Authors
Journal Title
Journal ISSN
Volume Title
Publisher
Addis Ababa University
Abstract
Cyber security is the activity of protecting information and information systems (networks, computers, data centers and applications) with appropriate procedural and technological security measures (Tonge, Kasture and Chaudhari, 2013, p.1). Cyber security threats and breaches are increasing from year to year. A Cyber security breach has the potential to disrupt the proper functioning of nation states. It affects the reputation of organization and erodes customers trust. Cyber security breaches at critical infrastructures can affect the existence of a nation and can disrupt the social, economic and political realm of governments. Critical infrastructures mean any infrastructure vulnerable to information communication network security threats having considerable impact to the social, economic, or political interest of the country.
The purpose of this study is to examine the practices and challenges of cyber security at three selected critical infrastructures in Ethiopia. These critical infrastructures are Ethiopian Electric Power, Ethiopian Electric Utility, and Ethio Telecom. In this study attempts were made to tailor cyber security framework based on the challenges of cyber security, INSA’s Critical Mass Cyber Security Requirement Standard Version 1.0 and NIST Framework to improve critical infrastructures cyber security version 1.1.
The study is based on International Telecommunication Union’s /ITU/ Cyber Security Agenda three pillars Legal, technical and Capability Building. The core processes of NIST framework, Identify, Detect, Prevent, Respond and Recover functions are used as technical sub pillars.
This research used both qualitative and quantitative research approaches. Questionnaires and Interviews are used as data collection instruments. The questionnaire is adopted and modified from International Telecommunication Union’s Global Cyber Security Index of 2017 and MIT Technology Review Customs Research of 2016.
The study subjects are the total population of IT/ICT security or cyber security unit of the selected critical infrastructures. The total of 75 questionnaires were distributed with a response rate of 84%. Interviews were conducted to grasp the processes, challenges and to evaluate the tailored cyber security framework.
Descriptive data analysis techniques are used in SPSS version 23 on the data collected using questionnaire. The survey indicated that the top rated cyber security challenges are lack of in-house expertise (66.7%), inadequate enabling technology and difficulty in locating the right security alert (with equal percentile of 61.9%), and evasion of existing preventive security controls (60.3%).The survey also indicated that attack via Email (74.4%), attacks via mobile computing (68.3%), and attacks via social media (63.5%) are on growing trend of cyber security.
Moreover this research indicated that the selected critical infrastructures are inadequately prepared to detect, prevent, and respond to cyber threats and breaches. It is not only the technical issues that show a grim picture but the executives or the top branch management are not adequately prepared to prevent and respond to cyber threats and breaches.
Based on the findings, attempts were made to propose a tailored cyber security framework based on INSA’s Critical Mass Cyber Security Requirement Standard Version 1.0 and NIST’s Framework for improving critical infrastructures cyber security version 1.1.
Furthermore, in order to tailor the cyber security framework, this research conducted extensive literature review on cyber security framework development. Additionally attempts were made to follow design science guidelines in the process of tailoring the cyber security framework. The tailored cyber security framework is further evaluated for its coverage, suitability, comprehensiveness, clarity, completeness and applicability by using questionnaire and interview.
Finally conclusions and recommendations were made based on the findings and analysis.
Description
Keywords
Cyber Security, Security, Cyber Security Challenges, Framework