• Enhancing the governance of information security in developing countries: the case of Zanzibar

      Shaaban, Hussein Khamis (University of BedfordshireUniversity of Bedfordshire, 2014-01)
      Organisations in the developing countries need to protect their information assets (IA) in an optimal way. This thesis is based upon the argument that in order to achieve fully effective information security management (ISM) strategy, it is essential to look at information security in a socio-technical context, i.e. the cultural, ethical, moral, legal dimensions, tools, devices and techniques. The motivation for this study originated from the concern of social chaos, which results from ineffective information security practices in organisations in the developing nations. The present strategies were developed for organisations in countries where culture is different to culture of the developing world. Culture has been pointed out as an important factor of human behaviour. This research is trying to enhance information security culture in the context of Zanzibar by integrating both social and technical issues. The theoretical foundation for this research is based on cultural theories and the theory of semiotics. In particular, the study utilised the GLOBE Project (House et al, 2004), Competing Values Framework (Quinn and Cameron; 1983) and Semiotic Framework (Liu, 2000). These studies guide the cultural study and the semiotics study. The research seeks to better understand how culture impact the governance of information security and develop a framework that enhances the governance of information security in non-profit organisations. ISO/IEC 27002 best practices in information security management provided technical guidance in this work. The major findings include lack of benchmarking in the governance of information security. Cultural issues impact the governance of information security. Drawing the evidence from the case study a framework for information security culture was proposed. In addition, a novel process model for information security analysis based on semiotics was developed. The process model and the framework integrated both social and technical issues and could be implemented in any non-profit organisation operating within a societal context with similar cultural feature as Zanzibar. The framework was evaluated using this process model developed in this research. The evaluated framework provides opportunities for future research in this area.