THE ELEMENTS FOR DEVELOPING INFORMATION TECHNOLOGY SECURITY METRICS MODEL FOR UNIVERSITIES IN KENYA
Abstract
There has been an increased frequency of information systems' security breaches within
universities. Studies indicate that information technology security management could be
improved if IT security management were used together with appropriate security metrics which
are based on major elements of information technology security. However, there is continued
application of inappropriate metrics within the universities. As such, estimating information
security status remains a challenge, making managing IT security difficult. The objectives of this
study were: to investigate the major elements in management of information security within
universities in Kenya, to investigate the relationship between the implementation of the major
elements and metrics in the universities in Kenya, and to develop and test the applicability of a suitable
information technology security implementation metrics model based on major information
technology security elements for universities in Kenya. A three-step methodological approach was
adopted, based on goal-question-metrics concepts and the theory of measurement. Step one was a
review of secondary publications to ascertain the major information technology security
elements and to seek the extent of application of the elements within the universities. Secondly, 91
respondents from the 70 universities in Kenya were sampled for data collection. Purposive
sampling was conducted for data collection using a questionnaire and an interview schedule. In
each sampled university, 13 operation areas related to information systems were considered,
giving a total of 91 respondents. Data was collected from the team leader of each operation
area, then analysed using SPSS, where the mean and a regression model were adopted. Results
showed that while security management is conducted with respect to IT security elements, their
levels of implementation remain inadequate. A significant relationship and dependence were found
between IT security elements and metrics. Regression coefficients of the IT security elements were
found and used to develop a reliable IT security metrics prototype aided by measurement scales
and color codes corresponding to different security situations. Applicability of the model was
tested at (http://41.89.203.228/oguk) and found feasible. In conclusion, there is a statistically
significant relationship between the metrics and implementation of the elements; while
the level of implementation of IT security elements was found to contribute to the metrics,
information security policy was found to contribute more. Therefore, it is recommended that the
developed IT security implementation metrics model be used together with the security policy
for better information systems security management. The model is recommended for policy
makers.