A Holistic Approach for Managing ICT Security in Non-Commercial Organisations A Case Study in a Developing Country

The use and development of Information and Communication Technology (ICT) has improvedthe efficiency and flexibility in providing services. While computerisation is taking place at afast speed, the security of critical ICT assets is a growing concern for management. This isbecause the potential for financial damage is intensified and may result in the loss of strategicinformation and property, in service interruption and liability claims. If these risks are not takencare of, the objectives of organisations might be negatively affected as well. The research reported here is about improvement of the ICT security management process innon-commercial organisations in order to reduce possible financial damage, taking intoconsideration the realities found in developing countries. The research took place in adeveloping country—Tanzania, where five organisations were involved. The data gatheringinstruments employed were questionnaires with multiple choice questions, open-endedquestions, and face-to-face interviews with some selected respondents. Also, onsite observation(participatory) and documentary review was used. The respondents were mainly seniormanagement, Operational managers, IT Managers and system administrators, and general andtechnical staff.This thesis presents the empirical investigations and analyses carried out in the organisations.The study is organised into seven papers covering: the state of ICT security management in theorganisations; prerequisites when utilising the existing ICT security management approaches inattaining a solution for managing ICT security in the organisations; issues and challenges ofmanaging ICT security; important aspects to be taken into consideration in order to successfullymanage ICT security; and how the management of ICT security in non-commercialorganisations could be improved. Among others, the research was motivated by the observedneed for bridging the perception gap between the management and technicians when dealingwith the ICT security problem, and consequently extending to a common understanding by thestaff in the various departments and specialities within and between the departments.The thesis contributes to increased empirical knowledge on the importance of the holistic ICTsecurity management process. Particularly, our main contribution is the proposed holisticapproach for managing ICT security in non-commercial organisations, organised in the form ofguidelines with two main phases: the initialisation phase which involved the introduction of theICT security management process in the organisation; and the internalised and continuousphase. The research confirmed that the backing of general management and staff is important forthe success of the ICT security management process in the organisation. This implies that themanagement allows the organisation through its own acquired knowledge and confidence, tointernalise the ICT security management practices, thus enabling people to act confidently at alllevels. Knowing about the ICT risks and their consequences for the core service operations ofthe organisation, the management and staff at all levels and from all departments or specialitiesare more likely to offer their support to ICT security endeavours.