Simon Ngura
Jomo Kenyatta University of Agriculture and Technology

Dr. Michael Kimwele
Jomo Kenyatta University of Agriculture and Technology

Dr. Gladys Rotich
Jomo Kenyatta University of Agriculture and Technology

CITATION: Ngura, S., Kimwele, M. & Rotich, G. (2015). Determinants of Information Security among Small and Medium Enterprises in Kenya. European Journal of Business Management, 2 (1), 124-143.

ABSTRACT

Figures from Australia, USA and UK, reveals that employee misuse and abuse of Internet services comprise twenty - fifty per cent of all Internet incidents. Companies have identified information security as a key concern. A positive information security culture can aid in minimizing the people threat compromising information security while interacting with IT systems. Statistics from Kenya National Bureau of Statistics (KNBS) shows that SMEs contributes about 70% to the country’s GDP and therefore an important segment in the country. SMEs are ranked highest to risk exposure related to information security by PWC. SMEs in Kenya are increasingly reliant on automated and interconnected systems to perform functions essential to their customers’ welfare, in sale of goods and services and hence the increase in the information security due to the high dependence on technology. In relation to this, this study sought to establish the effect IT literacy, IT policies, top management commitment and organizational resources as determinants of information security in SMEs in Kenya. To achieve these objectives, this study employed descriptive survey. The population of interest of this study was employees in top 100 SMEs as identified during Kenya’s Top 100 SMEs Survey (‘Top 100 Survey’) conducted in the year 2011. This study used purposive sampling, targeting employees in the IT department in the top 100 SMEs, to get a study sample of 60 respondents. This study collected both primary and secondary data. While a semi-structured questionnaire was used to collect primary data, secondary data was collected from published books, journals, magazines and companies handbook. The study used drop and pick later method to collect data. Prior to the data collection, a pilot study was conducted to allow for pre-testing of the research instrument to increase validity and reliability. The study used both qualitative and quantitative methods of data collection. Further, the study further employed a multivariate regression model to study the relationship between independent variables and the dependent variable. The study found a significant positive relationship between information security and IT literacy, IT policies, top management commitment and organizational resources. The study therefore recommends information security awareness and training program to boost IT literacy. At the same time, the study recommended that the organizations should align their IT policies with organizational goals to make it everyone’s’ responsibility to achieve information security. Also, the study recommends that policies should be revised from time to time to take into account changes in organization’s mission, operational requirements, threats, environment, or deterioration in the degree of compliance. The top management should provides resources to ensure that information security managers attends industry-specific education and executive-level continuing training.

Full Text PDF Format