St. Mary's University Institutional Repository

Please use this identifier to cite or link to this item: http://hdl.handle.net/123456789/1687
Title: ASSESSMENT OF INFORMATION SECURITY CULTURE IN THE BANKING INDUSTRY: THE CASE STUDY OF DEVELOPMENT BANK OF ETHIOPIA
Authors: AYALEW, GIRUM
Keywords: INFORMATION SECURITY CULTURE; BANKING INDUSTRY; DEVELOPMENT BANK OF ETHIOPIA
Issue Date: 2016
Publisher: St. Mary's University
Abstract: Information security culture is mainly considered as a set of information security characteristics that the organization values. In this paper, an attempt has been made to assess the information security culture of Development Bank of Ethiopia. The study aimed at the assessment of information security in the Bank with an intention of identifying weak links in the existing information security culture of the Bank. To that end, an information security culture assessment model and instrument (a questionnaire) were adopted from previous studies. The instrument (customized for the current study) incorporates statements that assess the attitude of employees in the Bank in relation to information security components using a Likert scale. The study indicated that there is a serious problem of information security culture in the Bank (34.4% of respondents have an unfavorable attitude towards the information security culture of the Bank, in addition to the lack of a formal information security policy in the Bank). The study concluded that the overall information security culture of the Bank is not conducive to the protection of information assets. There is no appropriate foundation for defining how information security should be managed in the Bank, and the risk identification process and documentation as well as control mechanisms are unsystematic. The study recommended that the Bank should implement a comprehensive and adequate set of information security components that aid in addressing threats on the technical, process and people levels based on identified information security risks and the appropriate controls that are necessary to mitigate identified risks.
The Bank should adapt and implement international standards such as the Information Security Forum (ISF 2008), the Control Objectives for Information Technology (CobiT 2004), the Information Systems Audit and Control Association (ISACA 2008) and ISO/IEC 17799 (2005) to implement and manage information security components.
URI: http://hdl.handle.net/123456789/1687
Appears in Collections: Accounting and Finance

Files in This Item:
File: Girum Thesis Final.pdf
Size: 675.57 kB
Format: Adobe PDF

Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.