Strategic Framework for Cybersecurity Policy Compliance in Namibian Organizations
DOI: https://doi.org/10.51519/journalisi.v7i1.927
Keywords: Cybersecurity Policy, Policy, Compliance, Organisational Framework
Abstract
The Internet and its transformative technologies have become essential to both emerging and established businesses. While organisations benefit from connectivity, they are also increasingly vulnerable to cyber-attacks, underscoring the need for robust monitoring systems and comprehensive cybersecurity policies. In Namibia, many organisations have cybersecurity policies, yet employees are often unaware of the existence of such policies. This study aimed to examine the complexities of cybersecurity policies within Namibian organisations and provide a tailored roadmap for developing, implementing, and ensuring compliance with these policies to suit the unique landscape of Namibian businesses. Using a qualitative approach guided by design science research, data was collected from 21 participants, including Information Technology (IT) and security managers as well as employees from five organisations across various sectors in the country. The findings indicated that Namibian organisations are committed to cybersecurity through comprehensive policies aligned with international standards. However, organisations face impediments that underscore the need for targeted strategies to overcome barriers to policy enforcement. From these findings, a framework was designed with strategies and action plans and evaluated by industry experts. The CSPIC framework was considered Good (rating 2) in most areas by the experts. Gaps in existing frameworks such as usability, adoptability, and budget prioritization were addressed by the proposed CSPIC framework. The Cybersecurity Policy Implementation and Compliance (CSPIC) framework's uniqueness lies in its local adaptability, actionable strategies, and emphasis on leadership and employee engagement.
Authors Declaration
- The Authors certify that they have read, understood, and agreed to the Journal of Information Systems and Informatics (JournalISI) submission guidelines, policies, and submission declaration. The submission has been prepared using the provided template.
- The Authors certify that all authors have approved the publication of this manuscript and that there is no conflict of interest.
- The Authors confirm that the manuscript is their original work, has not received prior publication, is not under consideration for publication elsewhere, and has not been previously published.
- The Authors confirm that all authors listed on the title page have contributed significantly to the work, have read the manuscript, attest to the validity and legitimacy of the data and its interpretation, and agree to its submission.
- The Authors confirm that the manuscript is not copied from or plagiarized from any other published work.
- The Authors declare that the manuscript will not be submitted for publication in any other journal or magazine until a decision is made by the journal editors.
- If the manuscript is finally accepted for publication, the Authors confirm that they will either proceed with publication immediately or withdraw the manuscript in accordance with the journal’s withdrawal policies.
- The Authors agree that, upon publication of the manuscript in this journal, they transfer copyright or assign exclusive rights to the publisher, including commercial rights.














