A Framework for Effective Information Security Risk Management: In Kenyan Public Universities

Abstract

With the universities increasingly depending on information and communication technology to execute their core operations and functionalities, their exposure to growing cyber threats is inevitable and hence unprecedented security risks. With the security risks reportedly growing day by day many universities are reported to be unable to effectively respond to or guard against them. The study objectively sought to determine the security requirements which were important for asset protection in the Kenyan public universities, establish currently implemented security practices, identify vulnerabilities and threats to assets, establish the risk control measures, and develop an effective information security risk management framework for Kenyan public universities. The target population was Kenyan public chartered universities, which were clustered into two, and simple random and purposive sampling techniques were employed for sample selection. The questionnaires were administered to the information and communication technology professionals in the universities. The results indicated that accountability and authenticity were established as strong and important security requirements to incorporate in universities security risk evaluations, with mean values of 4.62 and 4.85 respectively out of the possible value of 5 and they had high factor loading into the extracted component of 0.951 and 0.908 respectively. Further, the universities were aware of the risks they were facing, which should have informed their protection strategies and their risk mitigation plans. However, there was notable deficiency in implementation of controls, which would match the identified risks and therefore, the adoption of the proposed framework would assist universities address the deficiencies identified and reduce if not eliminate the susceptibility to the information security risks.