ICT Security Readiness Checklist for Developing Countries : A Social-Technical Approach

Abstract: The consequences of Information and Communication Technology (ICT) revolution on society are almost impossible to enumerate. New types of ICT products, services and capabilities are finding their way into our offices, schools and homes - almost on daily basis; impacting the way we work, learn and live. Following this revolution, governments around the world have recognised that the transformation from traditional government to electronic government is one of the most important public policy issues to embrace. Likewise, organisations and businesses around the world are transforming from traditional organisations and businesses to their electronic equivalent.However, to be a part in this revolution, it is important for the concerned governments and organisations to have an ability to differentiate between implementing a new IT/ICT system and a transformation to e-government, e-organisation, and e-business. E-government is not simply about implementing new ICT systems, but it is about changing business models and processes to do things differently and better. ICT offers the solutions, but e-government, eorganisation, and e-business are about changing the way they operate to achieve their mission objectives.Implicitly there are a number of key issues to be considered in this transformation. One such key issue is security, since many of the technical and social security control mechanisms that are in place today are rendered ineffective by the ICT revolution. As such, we can no longer rely entirely on our traditional security controls—e.g. physical access controls, security guards and locks—to ensure the security of an organisation’s assets, processes and communications. The multiplicity of new technical possibilities gives rise not only to new products, services and more efficient and effective ways of doing things, but also to the possibility of misuse of the technology. Consequently, new social and technical security controls are imperative in this revolution. However, research findings show that, in many cases, security issues come as an-after-thought in the ongoing transformations to ICT-enabled organisational or governmental contexts.In this thesis, the challenges of the process of computerisation and other changes due to ICT are investigated from a security point of view. An explorative study of both theoretical and practical aspects of addressing ICT security in organisations was performed. The findings from some organisations studied show that, organisations—as social-technical systems—are facing a myriad of problems in their effort to adequately and effectively implementing a sound ICT security program. As a result, the organisations, individuals, or nations as a whole; may fail in meeting the challenges of exploiting the benefits of ICT; due, in part, to their failure to manage the risks which ICT presents—not being ‘e-ready’ in ICT security matters.In view of the above, the following are the end products of the research: a Model of Security Knowledge, and a Social-Technical ICT Security Readiness Checklist. These end products draw from the available ICT-security knowledge-body and a practical experience from an empirical study conducted in Tanzania. We believe the model and checklist would serve as a starting point in assisting organisations having a similar security situation as those studied, to meet the security challenges of exploiting the benefits of ICT. By providing means for evaluation, formation and implementation of ICT security controls—both social and technical ones—the checklist can be helpful in managing the risks that ICT presents.