A framework for institutionalization of information security management practices in public organisations in Uganda
Abstract
This study developed a framework for the institutionalization of information security management practices in public organizations in Uganda. The aim was to address the urgent need for effective information security measures amid escalating cyber threats. The research focused on the elements that constitute a framework for integrating information security into the operations of public organizations. Using a mixed-methods approach, the research was conducted across various agencies, mostly public universities. The Principal Component Analysis technique was used to establish the most significant components and to create a composite index for each security practice. The findings indicate three key security practices: Information Security Governance Practice; Physical Security and Technical Measures; and Personnel Security Practices. Within these practices, significant components such as information security policies, information security vulnerabilities, risk management, business continuity, secure asset management, inventory taking, external controls, physical access controls, information access controls, information backups, internal data center access controls, personnel security roles and responsibilities, and security awareness, education and training were identified as requirements for developing the Information Security Management Practices framework. The research findings contribute significantly to the academic discourse on information security within developing countries, while furnishing practical recommendations for policymakers and stakeholders by offering systematic guidelines and strategies to address security threats. By providing the framework, this research enhances the overall cyber security posture and promotes sustainable governance in the digital age.
Furthermore, the study recommends the appointment of a Chief Information Security Officer and an Information Risk Owner in public organizations, designating them as the individuals accountable for securing organizational information assets. Future work should aim at validating the framework in multiple organizations, investigating how Artificial Intelligence and the Internet of Things affect cybersecurity, and testing the hypotheses to establish the relationships between constructs based on the theories adopted.
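The composite-index step described above, as an added example that is not part of the study: it standardizes survey items, takes the first principal component of their correlation matrix by power iteration, and scores each respondent on it. The four items are the governance components named in the abstract; the Likert responses, respondent count and item names are constructed assumptions, not the study's instrument or data.

```python
from math import sqrt

# Components of the Information Security Governance Practice named in the
# abstract, used as survey items (assumed instrument, not the study's own).
ITEMS = ["policies", "vulnerabilities", "risk_management", "business_continuity"]

# Constructed responses: 8 respondents x 4 items on a 1-5 Likert scale.
RESPONSES = [
    [5, 4, 5, 4], [4, 4, 4, 3], [2, 3, 2, 2], [1, 2, 1, 1],
    [3, 3, 3, 3], [5, 5, 4, 5], [2, 2, 3, 2], [4, 3, 4, 4],
]

def standardize(rows):
    """Z-score every item (column) using the sample standard deviation."""
    n, cols = len(rows), list(zip(*rows))
    means = [sum(c) / n for c in cols]
    stds = [sqrt(sum((v - m) ** 2 for v in c) / (n - 1)) for c, m in zip(cols, means)]
    return [[(v - m) / s for v, m, s in zip(r, means, stds)] for r in rows]

def correlation_matrix(z):
    """Correlation matrix of standardized data (its trace equals the item count)."""
    n, k = len(z), len(z[0])
    return [[sum(r[i] * r[j] for r in z) / (n - 1) for j in range(k)] for i in range(k)]

def leading_eigenvector(m, iters=500):
    """Power iteration: dominant eigenvector and eigenvalue of a symmetric matrix.
    An all-positive start keeps the loadings positive for positively correlated items."""
    k = len(m)
    v = [1.0] * k
    for _ in range(iters):
        w = [sum(m[i][j] * v[j] for j in range(k)) for i in range(k)]
        norm = sqrt(sum(x * x for x in w))
        v = [x / norm for x in w]
    eigval = sum(v[i] * sum(m[i][j] * v[j] for j in range(k)) for i in range(k))
    return v, eigval

def composite_index(rows):
    """Return (per-respondent PC1 scores, item loadings, share of variance explained)."""
    z = standardize(rows)
    loadings, eigval = leading_eigenvector(correlation_matrix(z))
    ratio = eigval / len(loadings)  # trace of a correlation matrix = number of items
    scores = [sum(l * x for l, x in zip(loadings, r)) for r in z]
    return scores, loadings, ratio

if __name__ == "__main__":
    scores, loadings, ratio = composite_index(RESPONSES)
    print("PC1 explains %.1f%% of item variance" % (100 * ratio))
    for item, l in zip(ITEMS, loadings):
        print("  loading %-20s %.3f" % (item, l))
    for i, s in enumerate(scores):
        print("respondent %d governance index %.3f" % (i, s))
```

Only a single practice is indexed here; the same routine applied per practice yields one composite index each, which is how the abstract describes the method.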