Strategic Framework for Cybersecurity Policy Compliance in Namibian Organizations

  • Iyaloo Waiganjo Namibia University of Science and Technology, Namibia
  • Jude Odiakaosa Osakwe Namibia University of Science and Technology, Namibia
  • Ambrose Azeta Namibia University of Science and Technology, Namibia
DOI: 10.51519/journalisi.v7i1.927
Keywords: Cybersecurity Policy, Policy, Compliance,, Organisational Framework

Abstract

The Internet and its transformative technologies have become essential to both emerging and established businesses. While organisations benefit from connectivity, they are also increasingly vulnerable to cyber-attacks, underscoring the need for robust monitoring systems and comprehensive cybersecurity policies. In Namibia, many organisations have cybersecurity policies, yet employees are often unaware of existence of such policies. This study aimed to examine the complexities of cybersecurity policies within Namibian organisations and provide a tailored roadmap for developing, implementing, and ensuring compliance with these policies to suit the unique landscape of Namibian businesses. Using a qualitative approach guided by design science research, data was collected from 21 participants, including Information Technology (IT) and security managers as well as employees from five organisations across various sectors in the country.  The findings indicated that Namibian organisations are commitment to cybersecurity through comprehensive policies aligned with international standards. However, organisations face impediments that underscore the need for targeted strategies to overcome barriers to policy enforcement. From these finding a framework was designed with strategies and action plans and evaluated by industry experts.  The CSPIC framework was considered Good (rating 2) in most areas by the experts. Gaps in existing frameworks such as usability, adoptability, and budget prioritization were addressed by the proposed CSPIC framework. The Cybersecurity Policy Implementation and Compliance (CSPIC) framework's uniqueness lies in its local adaptability, actionable strategies, and emphasis on leadership and employee engagement.

Downloads

Download data is not yet available.

References

M. Lezzi, M. Lazoi, and A. Corallo, "Cybersecurity for Industry 4.0 in the current literature: A reference framework," Comput. Ind., vol. 103, pp. 97–110, 2018.

M. Kiskis, "Entrepreneurship in cyberspace: what do we know?" Int. J. Entrepreneurial Behav. Res., vol. 17, no. 2, pp. 200–217, 2011.

A. Mishra, Y. I. Alzoubi, A. Q. Gill, and M. J. Anwar, "Cybersecurity enterprises policies: A comparative study," Sensors, vol. 22, no. 2, p. 538, 2022.

J. Ursillo and C. Arnold, "Cybersecurity is critical for all organisations – large and small," Cyber Secur. Rev., vol. 1, no. 4, pp. 12–18, 2019.

G. Grispos, "Cybersecurity: Practice," Encycl. Secur. Emerg. Manag., pp. 1–6, 2019.

N. S. Safa et al., "Information security conscious care behaviour formation in organisations," Comput. Secur., vol. 53, pp. 65–78, 2015.

L. Li et al., "Investigating the impact of cybersecurity policy awareness on employees’ cybersecurity behavior," Int. J. Inf. Manag., vol. 45, pp. 13–24, 2019.

M. S. Jalali et al., "Why employees (still) click on phishing links: Investigation in hospitals," J. Med. Internet Res., vol. 22, no. 1, p. e16775, 2020.

R. A. Alias, "Information security policy compliance: Systematic literature review," Procedia Comput. Sci., vol. 161, pp. 1216–1224, 2019.

D. Tjirare and F. Bhunu Shava, "Developing security metrics to evaluate employee awareness: A case of a Ministry in Namibia," Namibian J. Res. Sci. Technol., vol. 1, no. 1, pp. 11–18, 2018.

P. T. Shambabi, S. Musarurwa, and F. Bhunu Shava, "Assessing organisational information security culture among workforce in universities: A case of Namibia," in Proc. 2021 IST-Africa Conf., 2021, pp. 1–8.

A. Van der Merwe, A. Gerber, and H. Smuts, "Guidelines for conducting design science research in information systems," in Proc. Annu. Conf. South. Afr. Comput. Lect. Assoc., Cham, Switzerland: Springer, 2019, pp. 163–178.

L. S. Nowell et al., "Thematic analysis: Striving to meet the trustworthiness criteria," Int. J. Qual. Methods, vol. 16, no. 1, p. 1609406917733847, 2017.

M. Spruit, "Information security education based on job profiles and the e-CF," High. Educ. Skills Work-Based Learn., vol. 12, no. 2, pp. 294–308, 2022.

S. Cotton, "Experience and qualifications required for a Chief Information Security Officer: An e-Delphi study," Ph.D. dissertation, Univ. Phoenix, 2022.

H. Aldawood and G. Skinner, "Reviewing cyber security social engineering training and awareness programs—Pitfalls and ongoing issues," Future Internet, vol. 11, no. 3, p. 73, 2019, doi: 10.3390/fi11030073.

R. Sabillon, J. J. Cano, and J. Serra-Ruiz, "Cybercrime and cybercriminals: A comprehensive study," Int. J. Comput. Netw. Commun. Secur., vol. 4, no. 6, pp. 165–173, 2016.

J. R. C. Nurse, "Cybersecurity risk communication: Understanding information trust and security usability," IEEE Commun. Surv. Tutor., vol. 15, no. 4, pp. 1475–1490, 2013, doi: 10.1109/SURV.2013.013013.00142.

I. Corradini, "Shaping cybersecurity awareness programs: Lessons from behavioral sciences," Cyberpsychol. Behav. Soc. Netw., vol. 23, no. 5, pp. 333–341, 2020, doi: 10.1089/cyber.2019.0428.

National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, 2018.

European Union, General Data Protection Regulation (EU GDPR), 2016.

African Union, African Union Convention on Cybersecurity and Personal Data Protection, 2014.

Asia-Pacific Economic Cooperation, APEC Framework for Securing the Digital Economy, 2015.

International Organization for Standardization, ISO/IEC 27001:2022 Information Security Management Systems – Requirements, 2022.

M. Alqahtani and R. Braun, "Examining the impact of technical controls, accountability and monitoring towards cybersecurity compliance in e-government organisations," J. Cyber Secur. Technol., vol. 5, no. 3, pp. 203–221, 2021.

M. Alotaibi, S. Furnell, and N. Clarke, "Information security policies: A review of challenges and influencing factors," in Proc. 11th Int. Conf. Internet Technol. Secured Trans. (ICITST), 2016, pp. 352–358.

S. Kumari, A. Thompson, and S. Tiwari, "6G-Enabled Internet of Things-Artificial Intelligence-Based Digital Twins: Cybersecurity and resilience," in Emerg. Technol. Secur. Cloud Comput., IGI Global, 2024, pp. 363–394.

M. F. Safitra, M. Lubis, and H. Fakhrurroja, "Counterattacking cyber threats: A framework for the future of cybersecurity," Sustainability, vol. 15, no. 18, p. 13369, 2023, doi: 10.3390/su151813369.

M. Barad and M. Barad, "Definitions of strategies," in Strategies and Techniques for Quality and Flexibility, IGI Global, 2018, pp. 3–4.

D. Dalcher, "Taking responsibility for our actions: The return of stewardship," PM World J., vol. VIII, no. VII, 2019.

E. Van den Steen, "A formal theory of strategy," Manage. Sci., vol. 63, no. 8, pp. 2616–2636, 2017.

T. Fagade, K. Maraslis, and T. Tryfonas, "Towards effective cybersecurity resource allocation: The Monte Carlo predictive modeling approach," Int. J. Crit. Infrastruct., vol. 13, no. 2–3, pp. 152–167, 2017.

J. Lewis and C. E. Turbyfill, "The how and why of cybersecurity policy: Create behavioral and technical rules to mitigate risk," Cyber Secur. Peer-Rev. J., vol. 6, no. 2, pp. 132–140, 2022.

A. Malin and G. Van Heule, "Continuous monitoring and cybersecurity for high-performance computing," in Proc. 1st Workshop Changing Landscapes HPC Secur., 2013, pp. 9–14.

K. Dempsey et al., Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. NIST Spec. Publ. (SP) 800-137A (Withdrawn), Nat. Inst. Stand. Technol., 2020.

W. He and Z. Zhang, "Enterprise cybersecurity training and awareness programs: Recommendations for success," J. Organ. Comput. Electron. Commer., vol. 29, no. 4, pp. 249–257, 2019.

I. Hamburg and K. R. Grosch, "Aligning a cybersecurity strategy with communication management in organisations," in Digital Commun. Manage., IntechOpen, 2018, pp. 43–58.

B. O. Omoyiola and J. Mckeeby, "Strategies for implementing cybersecurity policies in organisations (A case study of West African organisations)," J. Cyber Secur. Res., vol. 8, no. 2, pp. 150–172, 2023.

J. R. C. Nurse, "Cybersecurity risk communication: Understanding information trust and security usability," IEEE Commun. Surv. Tutor., vol. 15, no. 4, pp. 1475–1490, 2013, doi: 10.1109/SURV.2013.013013.00142.

I. Corradini, "Shaping cybersecurity awareness programs: Lessons from behavioral sciences," Cyberpsychol. Behav. Soc. Netw., vol. 23, no. 5, pp. 333–341, 2020, doi: 10.1089/cyber.2019.0428.

Nat. Inst. Stand. Technol., Framework for Improving Critical Infrastructure Cybersecurity, 2018.

Eur. Union, General Data Protection Regulation (EU GDPR), 2016.

Afr. Union, African Union Convention on Cybersecurity and Personal Data Protection, 2014.

Asia-Pac. Econ. Coop. (APEC), APEC Framework for Securing the Digital Economy, 2015.

Int. Organ. Stand. (ISO), ISO/IEC 27001:2022 Information Security Management Systems – Requirements, 2022.

Published
2025-03-18
Abstract views: 244 times
Download PDF: 160 times
How to Cite
Waiganjo, I., Osakwe, J., & Azeta, A. (2025). Strategic Framework for Cybersecurity Policy Compliance in Namibian Organizations. Journal of Information Systems and Informatics, 7(1), 21-44. https://doi.org/10.51519/journalisi.v7i1.927
Issue
Vol 7 No 1 (2025): March
Section
Articles

Copyright (c) 2025 Journal of Information Systems and Informatics

Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.

  1. I certify that I have read, understand and agreed to the Journal of Information Systems and Informatics (Journal-ISI) submission guidelines, policies and submission declaration. Submission already using the provided template.
  2. I certify that all authors have approved the publication of this and there is no conflict of interest.
  3. I confirm that the manuscript is the authors' original work and the manuscript has not received prior publication and is not under consideration for publication elsewhere and has not been previously published.
  4. I confirm that all authors listed on the title page have contributed significantly to the work, have read the manuscript, attest to the validity and legitimacy of the data and its interpretation, and agree to its submission.
  5. I confirm that the paper now submitted is not copied or plagiarized version of some other published work.
  6. I declare that I shall not submit the paper for publication in any other Journal or Magazine till the decision is made by journal editors.
  7. If the paper is finally accepted by the journal for publication, I confirm that I will either publish the paper immediately or withdraw it according to withdrawal policies
  8. I Agree that the paper published by this journal, I transfer copyright or assign exclusive rights to the publisher (including commercial rights)