policy makers, ICT service providers, market analysts, SME's management and other stakeholders; given the potential impact ...
business and administrative operations of the ISP. At least half of the employees are technical staff in different areas of...
Opportunities: Expansion to other areas as the Company's reputation is marketable. Large an...
actual IS security is vital for most businesses as businesses have to maintain a certain level of security and be able to a...
entailed a substantial dependence on IT services where few business processes can be handled manually when IT services are ...
Determine the information systems security readiness of SMEs located in Arusha and its significance to the success ...
2. Is there awareness of cyber threats;
   a. Are there any measures being taken to deal with these threats? ...
Lastly it is hoped that this research will assist future researchers in the quest to carry further research.
1.4. Limitat...
Chapter Two: Literature Review
2.1. Introduction
Arusha region is found in northern Tanzania. Arusha shares its northern ...
and related business activities in the area can be said to be SMEs. These developments show that the Arusha municipality i...
Furthermore SMEs account for over 95% of organizations and 60-70% of employment and generate a large share of new jobs in O...
reducing cost of operations [Drew, 2003]. With the report produced by Prerost (1998), there are many various opportunities ...
examine market trends and opportunities, assess the activities of domestic and international competitors, and locate potent...
government) were soon coined (Turban et al., 2002). Other user friendly communication functions like electronic learning (e...
This notion of security includes protection from disruptions in confidentiality, integrity, availability, and often non-rep...
2.2. Relevance of Theories and Principles of the Study
Conceptual framework
The study's conceptual framework attempts to sho...
other related modifications). Improved decision support systems are needed to help in designing and interpreting more quant...
Figure 3: An Example of EIS score from assessment of two companies. Source: (Soderbom, 2007...
OCTAVE – The Operationally Critical Threat, Asset, and Vulnerability Evaluation method is released by CMU/SEI. OCTAVE uses ...
  • End-User Education
  • Identity Theft Legislation
  • System Certification and Accreditation
  • Law...
(including Zanzibar) as opposed to ZANTEL, which has the right to operate in Zanzibar only until February 2005; and the lic...
like text, data, image, voice and video over an existing infrastructure; the use of a single transmission technology to off...
Laws on consumer protection, sales and supply of goods in Tanzania were designed to protect consumers on off-line business ...
The organizations that heavily depend on the internet and computer network were now at risk from cyber-attacks which could ...
possess neither robust critical infrastructures that utilize digital control systems nor highly digitized militaries, and s...
Then re-examined and combined all the existing relevant literature on the two subjects small-medium enterprises (SME) and...
Chapter three: Research Design and Methodology
3.1. Research Design
Outline of the case study
The study started off with f...
evidence. Yin (2003) also highlights the importance of context adding that, within a case study the boundaries between the ...
tests and scans, surveys etc. This research is normally more costly as compared to the secondary research.
Secondary researc...
potential SMEs where the sampling could be carried out. Companies which fit the criteria were those that matched the descr...
research participants in four areas that represent part of the standard of competence to consent in many jurisdictions
iii) ...
instruction, design, method of distribution and return, wording of any accompanying letter, method of collecting and analys...
through telephone, post, group and individual email distribution. All the above factors were considered during the choice o...
An assessment of Cybersecurity challenge in Arusha
MBA thesis study

Published in: Technology

An Assessment of the Awareness of Cyber security challenges of Small and Medium Enterprises in Arusha

A Case study of Habari Node Ltd

This research paper is submitted in partial fulfillment of the requirements of the Award of a Masters of Business Administration in Information Technology.

Supervised by Mr. John Pima

September, 2011

In Collaboration with the Institute of Accountancy Arusha
Abstract

This study was prompted by the recent connectivity of Arusha town to the fibre cable in Dar es Salaam, namely the Seacom and EASSy fibre cables, in May, 2010. This enhanced connectivity significantly improved the download and upload speed of traffic to and from Arusha, consequently greatly improving the users' experience of Internet related services now traveling at lightning speeds. This opened up the possibility of effectively using internet related business services like online tax processing, banking and educational services that were previously too slow to run on satellite (VSAT) or dial-up links, and triggered a need or awareness for businesses in Arusha to start using as well as incorporating more Internet related business services in their daily operations to effectively compete.

Unfortunately this improved connectivity and subsequent increase in business opportunities could also have generated additional interest in the region by Cyber (Internet related) crime perpetrators as well as amplified exposure to Cyber threats, as connecting to machines in Arusha from anywhere in the world had become faster and easier. The consequences of these threats/attacks are well-known: violation of privacy, theft of information, the potential for a devastating large scale network failure, service interruption, or the total unavailability of service. This change therefore poses a question to small and medium enterprises/businesses (SMEs) in Arusha as to whether they are adequately prepared to meet this new challenge and, if not, what could these SMEs do about it?

This research therefore set out to assess the efforts of SMEs in Arusha in the realm of cyber security. Attention was directed to SMEs because SMEs are the engine of the national economy and account for over 95% of organizations and 60-70% of employment (OECD, 1997). When approaching this problem, the researcher noted that though, in the past, traditional definitions of cyber security have been to design strong cryptography into information security systems, only protecting confidential information as a motivation for cyber security may not be entirely appropriate for SMEs.

More so there had been increasing interest in other sectors of security, namely geo-political, economic and human, previously considered by many as non-traditional security issues. This implies that the location of such businesses, cost of preventive measures, security policies, appropriateness of the available tools, as well as the recovery or fail-over options in place could also serve as a strong motivator; for many SMEs possess neither full-bodied critical infrastructures that utilize digital control systems nor specifically staff information security specialists, indicating that thinking about cyber security issues strictly in relation to these systems and staff would not be complete. The research then sought to determine how to best investigate and implement cyber security in SMEs, if it is not an issue solely associated with protection of confidential data. As a result this research was carried out using a collection of methodologies requiring both secondary and primary data to be used for this purpose.

The study conducted shows that there was a relationship between the accessibility of internet, incidences of cyber-attacks, awareness of cyber threats and the organization size. The online survey revealed that while most Arusha SMEs do access the internet and rely heavily on the Internet, many lack the internal resources, formal policies, employee training, and technologies they need to protect this critical information. To further compound matters, most own websites that they use to attract customers to their business as well as routinely handle confidential and proprietary data. However, while the vulnerability scans showed some level of protection, the results from recorded intrusion attempts highlighted an almost aggressive assault on any device reachable via the Internet, implying it was quite possible that a substantial number of accessible online systems may have already been compromised. The major difficulty in affirming this was due to the absence of records illustrating these breaches, as little effort was being made to record these incidences due to the ensuing panic/crisis after a cyber-attack/breach.

Keywords

Awareness, Challenges, Cyber security, Information Security, Internet, SMEs.
Acknowledgement

The successful completion of any trying and extensive task would be incomplete without mentioning the names of persons who helped to make it possible. I would like to take this opportunity to express my gratitude in few words and respect to all those who helped me in the completion of this dissertation.

To begin with, I am extremely grateful to Allah for his generous blessing and abundant mercy for the opportunity to do this course and at all the stages therein culminating in the completion of this dissertation.

I convey my heartiest thanks to Mr Erik Rowberg, the managing director of Habari Node Limited, who generously supported and granted me the opportunity to do this study in the most established, respected and highly regarded ICT Company in Arusha.

I would also like to express my deep sense of gratitude to my supervisor Mr John Pima, for his support during this research study and guidance to enable me to successfully complete this dissertation.

Not forgetting my sincere thanks and heartfelt gratitude to my friends, colleagues, fellow students and comrades for giving me timely advice in all the ways and in all aspects that have enabled me to reach this far and for the success of this dissertation.

Finally to my family who may have felt my absence; it is my sincere prayer that this struggle was worth the time away from you.
Declaration

I declare that this dissertation was composed by myself and that the work contained therein is my own except where explicitly stated otherwise in the text, and that this work has not been submitted for any other degree or professional qualification except as specified.

Date: September 2011

Ismail M. Settenda
MBA-IT 0027/T.2010

Copyright Acknowledgement

I acknowledge that the copyright of this dissertation belongs to Coventry University.
Glossary of Terms

This part of the document is to provide acronyms and definitions of some of the keywords used in this dissertation.

Application - Software whose primary purpose is to perform a specific function for an end-user, such as Microsoft Word.
AICC - Arusha International Conference Centre
ALMC - Arusha Lutheran Medical Centre
AIXP - Arusha Internet Exchange Point
ATM - Automated Teller Machine
CEO - Chief Executive Officer
Cracker (a.k.a. hacker) - The correct name for an individual who hacks into a networked computer system with malicious intentions. The term hacker is used interchangeably (although incorrectly) because of media hype of the word hacker. A cracker explores and detects weak points in the security of a computer networked system and then exploits these weaknesses using specialized tools and techniques.
CRDB - Centenary Rural Development Bank
Cyber - Prefix commonly used to indicate some association with the internet.
Cybercrime - A criminal offense that involves the use of a computer network.
Cyberspace - Refers to the connections and locations (even virtual) created using computer networks. The term "Internet" has become synonymous with this word.
EISAM - Enterprise Information Security Assessment Method
Gateway (Router) - A network node connected to two or more networks. It is used to send data from one network (such as 137.13.45.0) to a second network (such as 43.24.56.0). The networks could both use Ethernet, or one could be Ethernet and the other could be ATM (or some other networking technology). As long as both speak common protocols (such as the TCP/IP protocol suite), they can communicate.
GDP - Gross Domestic Product
HMS - Hospital Management System
HNL - Habari Node Ltd
Host - Same as a node. This is a computer (or another type of network device) connected to a network.
IAA - Institute of Accountancy Arusha
ICT - Information and Communications Technology
IFMS - Integrated Financial Management System
Internet - A global computer network that links minor computer networks, allowing them to share information via standardized communication protocols.
Internet Service Provider or ISP - An organization that provides end-users with access to the Internet. Note: It is not necessary to go through an ISP to access the Internet, although this is the common way used by most people.
IP - Internet Protocol
IS - Information Systems
ISP - Internet Service Provider
IT - Information Technology
IXP - Internet Exchange Point
LAN - Local Area Network
MCT - Ministry of Communications and Transport
MD - Managing Director
NICTBB - National Information Communication and Technology Broadband Backbone
NECTA - National Examinations Council of Tanzania
NGO - Non-Governmental Organisation
NTP - National Telecommunications Policy
PCIS - Personnel Controls Information System
PoP - Points of Presence
PRSP - Poverty Reduction Strategy Paper
PSTN - Public Switched Telephone Network
R&D - Research and Development
Search Engine - An Internet resource that locates data based on keywords or phrases that the user provides. This is currently the main method used on the Internet to find information. Current search engines are Google, Yahoo, Bing, Ask, AOL search, etc.
SEDA - Small Enterprise Development Agency
SIDA - Swedish International Development Agency
SME - Small and Medium Enterprises
SWOT - Strengths, Weaknesses, Opportunities and Threats
TRA - Tanzania Revenue Authority
TCC - Tanzania Communications Regulatory Authority
TIC - Tanzania Investment Centre
TTCL - Tanzania Telecommunications Company Limited
VoIP - Voice over Internet Protocol
VPN - Virtual private network
VSAT - Very Small Aperture Terminal
WWW - World Wide Web; also shortened to Web. Although WWW is used by many as being synonymous to the Internet, the WWW is actually one of numerous services on the Internet. This service allows e-mail, images, sound, and newsgroups.
TOC

Abstract
Acknowledgement
Declaration
Glossary of Terms
TOC
List of Tables
List of Figures
List of Appendixes
Chapter One: Introduction
  1.1. Background
    1.1.1. Background to the problem
    1.1.2. Background on Habari Node Limited
  1.2. Purpose of the study
    Statement of the problem
    Research Objective
  1.3. Significance of the Research
  1.4. Limitations and De-limitations of the Research
  1.5. Chapter Summary
Chapter Two: Literature Review
  2.1. Introduction
    Defining Accessible Information Systems and Cyber security
  2.2. Relevance of Theories and Principles of the Study
  2.3. Empirical Review
  2.4. Chapter Summary
Chapter three: Research Design and Methodology
  3.1. Research Design
  3.2. Methodology
  3.3. Chapter Summary
4.0 Chapter Four: Data Analysis and Discussion
  4.1. Introduction
  4.2. Findings, Analysis and Discussion
    Findings
    Analysis of Findings
    Discussion
  4.3. Chapter summary
5.0 Chapter Five: Conclusion, Recommendations and Further Research
  5.1. Introduction
  5.2. Recommendations
  5.3. Critical review
Concluding remarks
References
Appendix
  Glossary
  Questionnaire
  Research Schedule
  Research Budget
  Respondents Comments A – Recent Attacks/Threat
  Respondents Comments B - Improvements
List of Tables

Table 1: Tanzania Internet Usage and Population Growth
Table 2: Categories of SMEs in Tanzania
Table 3: Sample List of SMEs in Arusha
Table 4: Vulnerabilities, Threats, and Attacks Categories Summary
Table 5: Perceived Trend of Cyber Attacks/Threats
Table 6: Top 15 Noted Cyber Attacks
Table 7: Random Vulnerability Scan Results

List of Figures

Figure 1: Tanzania Fibre and Microwave Network Coverage: 2005
Figure 2: The Cyber Attack Process
Figure 3: An Example of EIS score from assessment of two companies
Figure 4: Vulnerability Possibilities
Figure 5: Model of Security Relationships
Figure 6: Outline of the Case Study
Figure 7: Companies Employee Count
Figure 8: Internet Dependency of SMEs
Figure 9: Percentage Use on Internet by Employees
Figure 10: Internal Internet Use
Figure 11: Percentage Satisfaction of SMEs on Current Measures in place
Figure 12: Frequency of I.T Checks
Figure 13: Current Protection Measures
Figure 14: Sources of I.T Security information
Figure 15: Trend of Intrusion Attempts
Figure 16: Compromised networks
Figure 17: Use an Internet Policy
Figure 18: I.T Check-ups
Figure 19: Ease of Access to information

List of Appendixes

  i. Glossary
  ii. Questionnaire
  iii. Research Schedule
  iv. Research Budget
  v. Respondents Comments A – Recent Attacks/Threat
  vi. Respondents Comments B - Improvements
  13. 13. Chapter One; Introduction1.1. Background1.1.1. Background to the problemWe now live in an era known as the Information Society or Information Age as for almost half acentury the importance of computers for citizens, organisations, governments and society as awhole has been growing. At the same time, the importance of intellectual asset flows, such asinformation and knowledge, has also been growing at the expense of material asset flows(Sveiby, 1997), thus the frequently used term these days ―information is power‖ (Rogers,2010).Consequently in the drive to remain competitive; information systems have to a large extentbecome integrated in industry operations and business systems fostering the growth ofnetworking technologies that offer tools for making communication and sharing of informationmore efficient and faster than before i.e. emails, chat, and VoIP etc. This has culminated in theincorporation of the Internet into business operations as the Internet is quickly becoming themajor infrastructure for information in almost every level and arena in society, e.g. electronicbusiness and electronic government. Table 1: Tanzania Internet Usage and Population Growth Year Users Population % Penetration 2000 50,000 14,712,000 0.3 % 2002 500,000 13,874,610 3.6 % 2005 820,000 12,247,589 6.7 % 2009 520,000 41,048,532 1.3 % Source: (ITU, (2010))From the table above Internet usage statistics show 520,000 Internet users as of June, 2009,1.3% of the population (ITU, (2010)) more recently TCRA reported that as of June 2010 theywere 4.8 million Internet users in Tanzania (T.C.R.A, 2010). This huge jump in Internet usagewas the main drive for improved connectivity leading to the milestone landing of the submarinecables namely Seacom (Seacom, (2009)) and thereafter Essay fibre cable in Dar-e-salaam in 13
  14. 14. April, 2010,(WIOCC, 2010). Arusha soon followed in May, 2010 as NICTBB completed its firstphase (Security, 2010, Mutarubukwa, 2010). Figure 1: Tanzania Fibre and Microwave Network Coverage:2005 Source: (ITU, (2010))Consequently today in Tanzania many industrial sectors or functions of society namely; thetaxation authorities i.e. TRA (Mbonea, (2010)), the banking sectors has banks like CRDB,NBC, healthcare institutions like ALMC uses an HMS called Care2X, educational institutionslike NECTA, NGO‘s like SEDA and SIDA, Tour companies/operators as well as many othernational associations are now using or are planning to use the Internet as its majorcommunication infrastructure.However, the networking and interconnection of systems can significantly increase anorganisation‘s or an enterprise‘s exposure to information security risks (Weiss 2001) and can 14
  15. 15. result in an Internet leak; which occurs when a partys confidential information is released tothe public on the Internet. To best illustrate this ―In April 2010, WikiLeaks; a non-profit mediaorganization dedicated to bringing important news and information to the public(http://wikileaks.org/) caused an international uproar when they published gunsight footagefrom the 12 July 2007 Baghdad airstrike in which Iraqi journalists were among those killed byan Apache helicopter, as the Collateral Murder video in addition to other publications like theAfghan War Diary, (a compilation of more than 76,900 documents about the War inAfghanistan), Iraq War Logs, U.S. State department diplomatic cables that were previously notavailable to the public” leading to worldwide criticism and claims by several U.S. governmentofficials that WikiLeaks exposed classified information that harmed national security as well ascompromised international diplomacy.So it holds true for Arusha as well that in almost every level and arena in society, informationsecurity is becoming an important and crucial issue. It should be noted that in Arusha like therest of Africa, the Internet penetration is far behind that of the rest of the world. Thepenetration rates vary across the continent with northern Africa, South Africa and severalIslands being at the top, with a maximum penetration of just under 36%. (Kristina Cole et al.,2008). Another report by Internet World Statistic gave even lower figures as seen below: Source: (Internet-World-Statistics, (2011))Nevertheless many SMEs in Arusha also gain a competitive edge by using the Internet to domarket research, find information on competitors and track down leads for new customers, orprovide better customer support so they are likely the dominant force behind the Internet 15
usage in Arusha. If Tanzania had 676,000 Internet users as of Jun/10 (1.6% of the population), of which 319,440 were Facebook users on June 30/11 (0.7% penetration rate) as per ITU, then SMEs are likely the major users/drivers of this Internet usage.

In addition, Small and Medium Enterprises (SMEs) are the engine of the national economy and represent over half of all employees in the private sector. So it should be noted that SMEs significantly contribute to the economy and comprise the majority of the businesses and Internet users in the country (OECD, 1997). Their importance to the development of this nation therefore cannot be understated or ignored, nor discussed without consideration of the information systems and the measures that are in place to protect these systems.

The Cyber Security Challenge

Therefore potential network vulnerabilities, threats, and attacks in SMEs must be identified to minimize security concerns. In this study “cyber” is most times limited to Internet-related technology; its broadest meaning includes both aspects of information and telecommunications technology. System vulnerabilities refer to weaknesses in the system that can be attacked, while threats are the potential to cause damage to online networked resources. Attacks are the actual use of a system vulnerability to put threats into action. Cyber security broadly refers to the protection measures put in place to prevent system hacking. System hacking is a continuous process where hackers continue to discover system vulnerabilities to develop attacks, as depicted in the figure below:
Figure 2: The Cyber Attack Process. Source: (Promisec, 2010, Colonel Louis H. Jordan and Saadawi, 2011)

As the Arusha SMEs do have such systems, it is still vital that accessible information systems in Arusha are adequately protected from unauthorised access to information or cybercrime perpetrators. The latest global threat statistics indicate that:

• Approximately 6,000 new computer viruses are released every month.
• Hackers create 50,000 new websites each week exploiting approximately 375 high-profile brand names worldwide at any time.
• More than 140,000 new zombie computers are created per day and used as botnets for sending spam, etc.
• Today about 25% of malware is designed to be spread via USB storage devices that connect directly to PCs.
• More than 75% of new malware is designed to infect users through the web.

Source: (Tabadatze, 2011)

Keeping up with the above threats will require a two-pronged approach that on one scale will require coordination and vigilant continuous monitoring of ICT trends and developments by
policy makers, ICT service providers, market analysts, SMEs’ management and other stakeholders; given the potential impact of ICT use on social and economic development, it is crucial for SMEs and the country at large to strive towards making the benefits (and not the hazards) of ICTs available to all people. On the other scale, for I.T managers and I.T support staff, having an accurate awareness of what is happening on a network is critical to the success of an information security program, as the enemy is not sleeping. For SMEs to be able to collect all this timely information, it is important to do this with automation, allowing businesses to return their attention to their core operations. Let me end here with a quote: “We need timely, targeted, and prioritized information to drive security. Without it is to compare to us driving and using the rear-view mirror to guide us” (U.S. Department of State, 2011). So we should not be intimidated into not driving at all but should strive to drive correctly.

1.1.2. Background on Habari Node Limited

Habari Node Limited (HNL) is a dynamic Tanzanian company based in Arusha providing a range of ICT based business solutions to the Tanzanian market. HNL was formed by AFAM Limited together with Arusha Node Marie in 2010 to take over the Internet Services activities of Arusha Node Marie, a society that has been operational since 1994. Habari Node is now incorporated under Tanzania’s company act 2002 with Certificate of Incorporation number 75466.

HNL is a licensed data operator with a National Application Services License, providing high speed data and Internet connectivity with 99.5% service uptime. Last mile connectivity is through DSL and direct fibre connectivity in the Arusha CBD and Broadband Wireless in the surrounding areas.
Remote sites are served, and backup facilities offered, through the iDirect VSAT platform.

The scope of services at HNL includes standard ISP services including bandwidth, DNS, domain registration, domain, web, and email hosting services, as well as an international Voice over IP calling service.

Habari Node has a board of directors which oversees the operations of the company. The day to day activities are managed by a team of functional managers supervised by the Managing Director. Currently HNL employs over 50 staff who manage daily technical,
business and administrative operations of the ISP. At least half of the employees are technical staff in different areas of IT with over 6 years work experience (Habari, (2011)).

As they are expanding (ArushaTimes, 2011), it appears that the application of ICT services is at the threshold of a new era due to the international fibre cable reaching Arusha, consequently opening up new opportunities. They serve home users, government institutions, businesses, agencies, NGOs and other ISPs in Arusha, and their coverage extends all over Tanzania. They have the widest reach in Arusha as well as the leading market share of the Internet users in Arusha, and are therefore a suitable company to channel our cyber security initiatives.

SWOT Analysis of Habari Node Ltd.

Strengths
• Known presence in Arusha
• Broad subscribership and large Arusha user base
• Renowned for good technical support and service
• Have necessary equipment and infrastructure in place
• Centrally located in the city
• Host AIXP and encourage inter-cooperation between local ISPs
• Management advocates for diligence and encourages innovative ideas

Weaknesses
• Too focused on only Internet provision
• No cash for expansions and equipment purchases
• Poor or no marketing strategy
• Questionable technical competence of staff
• Only based in one location, Arusha
Opportunities
• Expansion to other areas, as the company’s reputation is marketable
• Large and under-utilised ICT market in Tanzania
• Provision of alternative ICT services, namely:
  ◦ Web design and Content Management Services
  ◦ Co-locating servers’ services
  ◦ Data entry and Call Centre services
  ◦ Underground cabling services
• Expansions into areas not necessarily in ICT but that complement ICT, i.e. teaching

Threats
• Competition from other similar service providers in the region
• Complacency or the feeling that we are good enough
• Damage to equipment by electrical surges, theft etc.
• Political influence-peddling, interference or sabotage

1.2. Purpose of the study

The main purpose of this project is to explore how the Small and Medium Enterprises (SMEs) in Arusha, in light of the recent fibre connectivity, were challenged by the new business opportunities via the Internet, as well as whether there was indeed a relationship between the accessibility of the Internet, an increase in the incidences of cyber-attacks, a general awareness of cyber threats and the organization size. This is in appreciation of the theory that as the Internet becomes the major information infrastructure in most sectors, the importance of Information Systems (IS) security steadily increases. As such, reaching a certain level of
actual IS security is vital for most businesses, as businesses have to maintain a certain level of security and be able to assess the level of other actors’ security. However, IS security is abstract, complex and difficult to estimate and measure (Oscarson, 2007).

I therefore then set out to assess the efforts of Habari Node Ltd and their clients in and around Arusha in the realm of cyber security. When approaching this problem, it is also my belief that national security as a motivation for cyber security may not be entirely appropriate for developing nations. As many developing nations possess neither robust critical infrastructures that utilize digital control systems nor highly digitized militaries, thinking about cyber security issues in relation to these systems therefore may not make sense. I therefore sought, like my predecessors, to determine how to implement cyber security in Arusha, Tanzania not as an issue solely associated with national security (Kristina Cole et al., 2008).

Statement of the problem

Arusha was recently connected to the worldwide fibre network via the fibre cable in Dar-es-salaam, namely the Seacom and EASSy fibre cable, in May, 2010. This enhanced connectivity significantly improved the download and upload speeds of traffic to and from Arusha, consequently greatly improving the users’ experience of Internet-related services, now travelling at lightning speeds.
This opened up the possibility of effectively using Internet-related business services like online tax, bank and educational services that were previously too slow to run on satellite (VSAT) or dial-up links, and triggered a need or awareness for businesses in Arusha to start using as well as incorporating more Internet-related business services in their daily operations to effectively compete.

Unfortunately, this improved connectivity could also have increased interest in the region and exposure to cyber threats, as connecting to machines in Arusha from anywhere in the world has now become faster and easier for cybercrime perpetrators. This change therefore begged the question: were businesses in Arusha adequately prepared to meet this new challenge and, if not, what could these SMEs do about it?

Worldwide, in just a few decades, the use of IT has formalized information management and streamlined the administration of organizations. On the other hand, this development has
entailed a substantial dependence on IT services where few business processes can be handled manually when IT services are out of order. Deficiencies in IS security can cause direct negative consequences for business processes (production, sales, business administration, etc.) due to incorrectness, delays and information leakage and, in the end, can affect the business as a whole.

Frequently nowadays we hear the term “Global Village”, which seems to imply the world is a much smaller place and that what happens in one corner of the globe is known in a matter of seconds at the other end of the globe. The same holds for the impact of actions that happen in one corner and have far-reaching reactions in other parts of the world. It would then be prudent to say that these days nothing is small enough to ignore or remote enough not to be considered a significant threat or risk.

Thus, IS security is a significant and important issue for SMEs and for society as a whole, which motivates research and practical developments in this area from a number of perspectives: technological as well as organisational and behavioural. The abstractness of IS security, however, seems to indicate that the IS security area calls for conceptual and philosophical approaches when analysing the theoretical fundamentals of IS security. Compared to, for example, the (general) concept of risk, the concepts of IS security and IS security risk have rarely been problematised in a research question.

Research Objective

The description of the problem area above posed the question:

Are SMEs in Arusha adequately prepared to meet this new challenge and if not what could these SMEs do about it?

The researcher therefore set out to establish if there is really an emergence of a threat and, if so, how it relates to the business operations of the SMEs in Arusha.
As already pointed out above, the Internet is or will become the major information infrastructure in most business sectors, and consequently the involvement of Information Systems (IS) security to protect this information structure becomes necessary. This relationship is now summarised into a comprehensive research question for this paper, which is to:
Determine the information systems security readiness of SMEs located in Arusha and its significance to the success of the business’s operations?

This comprehensive research question comprises the understanding of IS security as a whole. The first part is conceptual while the second – its significance to the success of the business’s operations – is more practical. The question might also be interesting from a philosophical point of view, but as emphasized earlier, it also has practical relevance for society.

This would follow by picking a suitable candidate to attempt to represent the majority of other SMEs in Arusha, namely Habari Node Ltd; the “leading ISP in Arusha” is an SME itself that is channelling Internet to many other SMEs in the region. The research objective can then be further broken down into 3 sub-objectives:

• To critically assess the relevant literature on cyber security, small firms, usage/importance of the Internet and information security measures that are currently being used.
  ◦ By assessing the current IS/IT security situation at Habari Node Ltd.
  ◦ By assessing the current IS/IT security situation of the clients of Habari Node Ltd.
• To identify the vulnerabilities and potential threats that could exist at Habari Node Ltd and their clients.
  ◦ By running non-intrusive but penetrative security scans and vulnerability tests on already accessible online points for selected SMEs in Arusha.
• To propose possible measures to meet, alleviate or mitigate these threats or vulnerabilities.

The comprehensive research question can then be divided into three sub-questions:

1. Is access to the Internet important for business operations?
   a. How dependent is a business operation on the Internet?
   b. Are there I.T usage policies in place for employees using the computers and by extension the Internet in the SMEs?
2. Is there awareness of cyber threats?
   a. Are there any measures being taken to deal with these threats?
   b. If not, how could the awareness of cyber threats get generated?
3. What implications or significance do breaches of cyber security have and how do they impact on business operations?
   a. What are the common vulnerabilities faced by SMEs in Arusha and how can these threats be mitigated?

These questions are mainly sequential; the investigation of cyber security measures takes place after evident and valid cyber security threats have been defined.

1.3. Significance of the Research

On top of being a requirement for the fulfilment of the masters in business degree, this study aimed to create awareness and to contribute to the general pool of knowledge out there on information systems security. It is more specifically targeted at Arusha-based Internet users, I.T technicians and IT managers, in both public and private institutions where ICT is a strategic tool in enabling core business operations. These categories of actors could be interested, and thus have an understanding of cyber security and that being online introduces vulnerability.

Since the significance of proper IS security for an organisation is proportional to the organisation’s dependence on information, an organization’s IS security affects not only the organisation itself, but also its external parties (Von Solms, 1999). Not only do shared information systems and infrastructures require an accepted level of security, but also the organizations themselves must be considered secure enough to act in these ‘e-arenas’. An analogy is traffic safety; it is not enough to build safe roads, we must also have shared traffic rules and safe cars (von Solms, 1999).

The study also aimed to point out to the policy makers the gaps in our legal ICT infrastructure and highlight areas that would be addressed to improve the nation’s ICT framework for the betterment of ICT service provisioning and usage.
It should be noted that ICT is already being used as a criterion to determine countries’ capabilities. For example, Tanzania is ranked 120 out of 133 economies on the networked readiness index in 2009–2010 in a global information technology report on ICT for sustainability (Dutta and Mia, 2010).
Lastly, it is hoped that this research will assist future researchers in the quest to carry out further research.

1.4. Limitations and De-limitations of the Research

The assessment was limited to Arusha town and the surrounding environs, though cyber threats by their nature were not geographically limited.

Accessibility to data was limited, and the collection and storage capabilities of Tanzania in general are poor, so correct and relevant data was difficult to find. Improvisation was needed, as assumptions were then based on fairly old data or related data.

Also, it did not aim to quantify the challenges or awareness in terms of figures; instead the relative values were assessed. Quantifying the scale of awareness to cyber challenges in terms of figures would have required a different approach and it would not have been possible to visualize the result in the same way.

1.5. Chapter Summary

Chapter one has given a brief introduction to the dissertation, including a brief on Internet growth in Arusha, Tanzania, and on Habari Node as a company, its activities and clientele. It has also elaborated in depth the aims and objectives of this dissertation.
Chapter Two: Literature Review

2.1. Introduction

Arusha region is found in northern Tanzania. Arusha shares its northern border with the Republic of Kenya. To the west is Shinyanga region and to the northwest Mara region; to the northeast Arusha region borders Kilimanjaro region; further east is Tanga region; and to the south is Dodoma region, where the capital city of Tanzania is situated. Arusha region combines both highland, which includes Mount Meru (4,566 m asl.), and lowland. Temperatures average 21 °C and lowland temperatures average 26 °C; rainfall ranges from 250 mm to 1200 mm per annum.

Arusha region covers a total of 86,999 sq. km, of which 3,571 sq. km (4.1%) is water. It is the largest region in Tanzania, occupying 9.2% of the mainland. The last census in 1988 recorded a population of 1,351,675 individuals and the current projections for 1998 indicate 1,963,200 individuals. In comparison, Tanzania’s total population is 42,746,620 as of 2011, with a country area of 945,087 sq. km.

The existing economic activities and industries are mining, tourism, forestry, dairy, milling, brewery and other agricultural sectors. The activity most associated with this study seems to be tourism, as the Arusha region is endowed with rich tourism potential due to the presence of the National Parks, which attract a lot of visitors from outside Arusha. Although it is claimed that the tourism industry is yet to be developed properly to meet the high quality of standards required by tourists, opportunities exist in all areas of safari tours, covering game viewing, professional hunting, photographic expeditions, trekking and mountain climbing, and camping safaris.
Hotel facilities of high quality are also still in demand, including small private lodges, luxury tented camps and hotels.

The Arusha Municipality is also host to a number of international organisations including the International Criminal Tribunal for Rwanda (ICTR), the regional secretariat of the World Health Organisation (WHO), the Pan African Postal Union, the Secretariat of the East African Cooperation (EAC) and the Eastern and Southern African Management Institute (ESAMI), to mention but a few. Recent developments, i.e. sprouting growth of small scale industries, local tour operators opening new offices or international tour operators setting up local branches
and related business activities in the area, can be said to be SMEs. These developments show that the Arusha municipality is gradually becoming an economic hub, is destined for growing businesses and is thus becoming a fast expanding city. Furthermore, due to the increase in economic and development activities, the demand for office space, residential accommodation and Internet access will definitely grow in the near future (SIDO, (2011)).

According to the SME policy 2003, the SMEs nomenclature is used to mean micro, small and medium enterprises. It is sometimes referred to as micro, small and medium enterprises (MSMEs). The SMEs cover non-farm economic activities, mainly manufacturing, mining, commerce and services. There is no universally accepted definition of SME. Small enterprises are mostly formalized undertakings engaging between 5 and 49 employees or with capital investment from Tshs.5 million to Tshs.200 million. Medium enterprises employ between 50 and 99 people or use capital investment from Tshs.200 million to Tshs.800 million. This is illustrated in the table below:

Table 2: Categories of SMEs in Tanzania

Category | Employees headcount | Capital Investment in Machinery (Tshs.)
Micro enterprise | 1 – 4 | Up to 5 million
Small enterprise | 5 – 49 | Above 5 million to 200 million
Medium enterprise | 50 – 99 | Above 200 million to 800 million
Large enterprise | 100 + | Above 800 million

N.B. In the event of an enterprise falling under more than one category, then the level of investment will be the deciding factor (M.O.T&I, 2002).

Barakat (2001) reported, with evidence, that Small and Medium Enterprises play a vital role in encouraging the national economic development of any country. SMEs produce much of the creativity and innovation that fuels economic progress and also create a lot of new jobs. In most countries, 90% of the total number of companies is comprised of small and medium enterprises, which provide an average 70% of job opportunities (OECD, 1997).
Furthermore, SMEs account for over 95% of organizations and 60-70% of employment and generate a large share of new jobs in OECD economies (OECD, 2000).

Table 3: Sample List of SMEs in Arusha

Sector | Company Name
Knitwear and Garments | AGAPE Women Group
Plastic And Rubber | Alfa Plast Mould
Knitwear and Garments | Antique Makonde Carving Co-op Society Ltd
HANDCRAFT | Antique Makonde Carving Co-Operative
ENGINEERING | Approtec
ENGINEERING | Arusha Galvanising Co. (AGACO)
Food Processing | Boogaloo Ltd
Food Processing | Darsh Industries
Food Processing | KANFRAN ENGINEERING WORKS LTD
ENGINEERING | Kilimanjaro Metal shapers (KEMESHA)
Mixed Products | Lucha Herbalist Group
ENGINEERING | Mdomewo
Food Processing | NYIREFAMI LTD.
Food Processing | Pestige Industries Ltd
Food Processing | President’s Food and Beverages Company
Food Processing | Rest Products
Food Processing | Roselyn Products
Food Processing | Rowen Natural Products
ENGINEERING | SIDO TDC Arusha
ENGINEERING | SUDERETA (ELCT)
Other | TEMDO

Opportunities and Threats faced by SMEs

There are major incentives or opportunities for new entrepreneurs and small-to-medium-sized businesses to use the Internet because it helps reduce transaction costs and level the playing field [Evans and Wurster, 1997]. Among these opportunities for SMEs are wider and richer communications, expanding scope of marketing, partnering with suppliers and
reducing cost of operations [Drew, 2003]. According to the report produced by Prerost (1998), there are many opportunities for SMEs, including productivity and efficiency for business processes and development of new market opportunities (B2C and B2B), likewise access to the global market. However, how to use the Internet as an opportunity for SMEs usually depends on firm and business factors [Drew 2003]. These influencing factors may include: Internet knowledge; smaller firms technical and the pace of innovation and change in the industry; the rate at which the market is growing; the structure of the industry in which the firm competes; the sources of competitive advantage for the smaller business; the strategic intent of the larger competitors; and the technical and Internet strengths of the larger competitors.

Creating awareness of the new opportunities generated by ICT is still necessary in some developing countries, as well as in many of their enterprises. In particular, small- and medium-sized enterprises (SMEs) are not yet familiar with these opportunities. Nevertheless, several developing countries have already started to benefit from ICT opportunities. Outsourcing using new technologies, such as IT outsourcing and BPO, is a business-driven phenomenon. The rapid growth of the Internet, albeit with a limited penetration ratio in the least developed countries (LDCs) including Tanzania, offers opportunities to SMEs in LDCs to compete in the global job market for outsourced products and services that combine the retail use of the telephone and computers.

Description of Internet Users

A survey conducted between April and June 2010 showed that there has been a significant growth in Internet usage as compared to other traditional means of communication such as the post office. The results of the survey showed that by June 2010 there were close to 5 million Internet users in Tanzania, translating to about 11% of all Tanzanians.
Those using cyber cafes were only 5%, 55% were from organisations/institutions and 40% from SOHO and households (T.C.R.A, 2010). It should be noted that Arusha has one of the highest per-region counts of Internet use.

On-line experiences and effective use of Internet capabilities, though, range greatly among SMEs and are closely linked to the educational background of users. University-educated users are more likely to use the Internet to obtain information on production technologies,
examine market trends and opportunities, assess the activities of domestic and international competitors, and locate potential suppliers. The survey shows that while a significant number of SMEs use the Internet for business operations like email and research, the degree and depth of research capability is limited. However, for the few companies which do use the research function extensively, there is a clear impact on sales.

Defining Accessible Information Systems and Cyber security

IT refers specifically to technology, essentially hardware, software and telecommunications networks. It is thus both tangible (e.g. with servers, PCs, routers and network cables) and intangible (e.g. with software of all types). IT facilitates the acquisition, processing, storing, delivery and sharing of information and other digital content. In the European Union, the term Information and Communication Technologies or ICT is generally used instead of IT to recognize the convergence of traditional information technology and telecommunications, which were once seen as distinct areas.

The UK Academy of Information Systems (UKAIS) defines information systems as the means by which people and organizations, utilizing technology, gather, process, store, use and disseminate information. It is thus concerned with the purposeful utilization of information technology. The domain of study of IS, as defined by the UKAIS, involves the study of theories and practices related to the social and technological phenomena which determine the development, use and effects of information systems in organizations and society.
Mingers notes that, although technology is the immediate enabler of IS, ‘IS actually is part of the much wider domain of human language and communication, that IS will remain in a state of continual development and change in response both to technological innovation and to its mutual interaction with human society as a whole.’ (Ward and Peppard, 2002)

Prior to the 1990s businesses mainly used private networks to communicate with other parties, but during the 1990s something happened that made us redefine our society or economy: the spread of Internet usage. The main reason for this was the invention and spreading of the World Wide Web (WWW), which made the Internet more accessible to people who were not technically-minded or experts. This made the Internet interesting as a professional channel and information flows began to relocate to the Internet, and so terms like the digital economy (Tapscott, 1996), electronic commerce (e-commerce) and electronic government (e-
government) were soon coined (Turban et al., 2002). Other user-friendly communication functions like electronic learning (e-learning), electronic booking/reservations (e-ticketing), digital calling (VoIP) and improved data transmission etc. began to emerge.

So while information systems are moving out of backroom low-level support positions to emerge as the nerve centres of organizations and competitive weapons at the front end of businesses (Galliers and Leidner, 2003), their use of the Internet presents a challenge to most businesses due to the amplified accessibility of sensitive or confidential information. The paradox is that the main reason for the Internet’s growth is that it is a public network that originally was designed for openness and flexibility, and not for security. Information security is one of the most crucial issues in the information age. WikiLeaks showed that securing sensitive data online can be more difficult than initially realized, between the ever-growing sophistication of hackers and human errors.

Cyber security is a relatively new field, as its study is directly related to the rise of digital technologies. This also means that cyber security has evolved apart from most other conceptions of security. Despite cyber security’s unique development, there is a continuing struggle to define it clearly and in such a way as to allow the definition to evolve along with digital technology (Kristina Cole et al., 2008).

The International Telecommunications Union developed a paper offering a common definition of cyber security for the World Summit on the Information Society in 2005. This paper offered three elements that cyber security often refers to:

1. Actions and measures, both technical and non-technical, with the express purpose of protecting computers, networks, software, data and other related digital technologies from all threats
2. “The degree of protection resulting from the adoption of these activities and measures”
3.
Professional activity of implementing the above-mentioned actions and measures, including research, analysis and policy development.
This notion of security includes protection from disruptions in confidentiality, integrity, availability, and often non-repudiation of the above-mentioned digital technologies and information. There are generally two types of security, passive and active. Passive security relates to processes such as system hardening, where the system defence is bolstered in such a way as to resist attack or minimize damage. Active security involves actually tracking attackers and retaliating in an effort to stop an existing attack or to prevent another. However, active security relies on the ability to verifiably identify the attacker, which is extremely difficult given the anonymous nature of communication technologies, and therefore cyber security in this context refers primarily to passive defence techniques. Such techniques do include more active measures such as early warning systems and legislation criminalizing cybercrime, as long as such measures stop short of active retaliation.

Like all basic security measures, cyber security is bound by the principle that one only protects something with effort proportional to its value. Poulsen’s Law (Poulsen being an internationally renowned hacker) touches on this: “Information is secure only when it costs more to get than its worth”. That is to say, a small business’s inventory database should not be secured with a multi-million dollar security program. Cyber security necessarily requires the presence of digital technology, or it does not apply. While one may create cyber security policy without actually possessing the associated technologies, there is little point, and unless acquisition of said technologies is imminent, such policy is a waste of time and effort (Kristina Cole et al., 2008). Below is a summary of the vulnerabilities, threats and attacks categories.

Table 4: Vulnerabilities, Threats, and Attacks Categories Summary

Vulnerabilities     Threats      Attacks
Poor Design         Intrusion    Denial of Service (DoS) and Distributed DoS (DDoS)
Technologies        Spam         Un-authorised Access
Applications        Worm         Information Tampering
Database            Virus        Cross-site Scripting
Networks            Malware      IP Spoofing
Monitoring tools    Spyware      Insider Malicious Activities

Source: (Colonel Louis H. Jordan and Saadawi, 2011)

2.2. Relevance of Theories and Principles of the Study

Conceptual framework

The study's conceptual framework attempts to show that a relationship exists between communication infrastructural modifications, business operations and cyber activity, and highlights the importance of their vulnerability to future scenarios of changed conditions. It also shows how awareness, policy and/or technical adaptations that cope with the added stresses of cyber-attacks/threats lead to adapted information systems, and that adaptation options will, in turn, feed back to business environmental conditions. The researcher started out assuming that "there is a relationship between the improved accessibility of internet to Arusha with the increase in the incidences of cyber-attacks".

Source: Author, 2011

Finally, it highlights the importance of awareness, coordination, policy and decision support in assisting with credible assessment of adaptation options, and especially in analyzing their trade-offs between business operational goals (e.g. generation of profit, minimizing damaging effects to business operational budgets, the loss of service and other components of the cyber-attacks) and developmental costs (e.g. maximizing traffic transmission, incorporating cyber security capability, increasing response capability, infrastructure modifications and other related modifications). Improved decision support systems are needed to help in designing and interpreting more quantitative analyses of trade-offs between access to information and developmental costs.

Model for Assessing Cyber Security Challenges in Arusha

The main idea of the research was to find out the effect of the recently connected fibre on their daily operations. Controls and tools were identified to determine whether this effect was significant or not, and to point out the vulnerabilities and the remedies to allay the effect. The researcher then gathered information primarily through a literature review and extensive research over the internet.

The proposed assessment method will be to use the Enterprise Information Security Assessment Method (EISAM), a comprehensive method for assessing the current state of the enterprise information security. The method is useful in helping guide top management's decision-making for the following reasons:
1) it is easy to understand,
2) it is prescriptive,
3) it is credible, and
4) it is efficient.

The single value from an assessment is presented in the form of an EIS score. For instance, the fulfilment of information security at an enterprise according to EISAM can be presented as a percentage; see the figure below.

Figure 3: An Example of EIS score from assessment of two companies
Source: (Soderbom, 2007)

EISAM is based on four standards on information security. Together, the requirements and questions from these standards form a database on enterprise information security, herein referred to as the EIS database. Brief descriptions of the four standards included in the database are as follows.

ISO/IEC – "17799, Information technology – Code of practice for information security management" is an international standard published by ISO/IEC. EISAM uses the first version of ISO/IEC, which consists of ten high-level groups.

NIST – The US National Institute of Standards and Technology (NIST) has published the SP 800-26 Security Self-Assessment Guide for Information Technology Systems. This special publication (SP) is, as the name states, a self-assessment guide consisting of an extensive questionnaire.

ISF – The Standard of Good Practice for Information Security (SOGP) is produced by the Information Security Forum (ISF), an international association of over 260 organizations. The Standard is based on a wealth of material, in-depth research and the extensive knowledge and practical experience of ISF members, and is updated at least every two years. ISF SOGP is grouped into five high-level "aspects".

OCTAVE – The Operationally Critical Threat, Asset, and Vulnerability Evaluation method is released by CMU/SEI. OCTAVE uses three "catalogues" of information to maintain modularity and keep the method separate from specific technologies. One of these catalogues is the Catalogue of Practices version 2.0, which is used in EISAM. It provides the means to measure an organization's current security practices and to build a strategy for improving its practices to protect its critical assets.

The EIS database contains a total of 1365 entries, i.e. all questions and criteria from the four standards. Three independent dimensions of information security were identified from the theory in the EIS database. These three dimensions, which constitute EISAM, are Scope, Purpose and Time. With a foundation consisting of four well established standards on information security, EISAM makes information security comprehensible, and thus renders straightforward assessments that give easily comprehensible results (Soderbom, 2007).

However, to be able to perform an assessment, the EIS categories have to be expressed in assessable terms. Research methods are limited by practical challenges in gathering information in Arusha and in Tanzania in general. So, primarily, independent tests were run; secondarily, an anonymous survey was carried out in Arusha targeting small and medium enterprises (SMEs) (M.O.T&I, 2002), and a number of government entities and NGOs in and around Arusha were visited and asked if and how they were affected by network and computer crime in the prior year and what steps they had taken to secure their organizations.

Based on the previous models of cyber security assessment, the researcher developed a list of initiatives that were expected to be assessed from comprehensive cyber security assessment programs. The initiatives had to be high level enough so as to avoid technical specifics, as the technology is constantly evolving.
With that in mind, the initiatives were expected to span all three security fields, drawing specific initiatives from international conventions on cyber security that applied to my framework, i.e.:
• Standards and Policies for System Security Measures
• Cybercrime Legislation
• Computer Emergency Response Team (CERT/CSIRTs)
• Higher Education Programs
• End-User Education
• Identity Theft Legislation
• System Certification and Accreditation
• Law Enforcement for Cybercrime.

Once the policies are fully approved, they should be made available to all users who are affected. Finally, all policies should be updated annually to reflect changes in organization or culture.

Basic Policy Requirements

Policies must:
• Be implementable and enforceable
• Be concise and easy to understand
• Balance protection with productivity

Policies should:
• State reasons why policy is needed
• Describe what is covered by the policies
• Define contacts and responsibilities
• Discuss how violations will be handled

Source: (ECA, 2009)

2.3. Empirical Review

ICT Infrastructure

In his 2005 country report on cyber security in Tanzania, Robert Ulanga hinted that ICT health was important for the economy: he pointed out that the ICT sector had seen significant growth and matched this growth to the similar growth in the economy in that same period. Below are some statistics from the report on the status of the ICT infrastructure in 2005. By then only two operators were licensed to provide basic telecommunication services, namely Tanzania Telecommunications Company Limited (TTCL), the incumbent national operator, and Zanzibar Telecom Limited (ZANTEL). TTCL had a nationwide licence (including Zanzibar) as opposed to ZANTEL, which had the right to operate in Zanzibar only until February 2005; the licence of Zantel was then extended to cover the whole United Republic of Tanzania. The total number of subscribers was about 150,000 (network capacity is about 250,000 connections). The market structure then was dominated by four (4) mobile operators, namely Vodacom (T) Limited (1,100,000 customers), Celtel (now Airtel) (T) Ltd (550,000 customers), Mobitel (now Tigo) (320,000 customers) and Zantel (85,000 customers), then operating in Zanzibar. The total subscriber base was just over 2 million as of April 2005.

Regarding data communication services, there were eleven (11) public data communications network operators with the right to install their own international gateway for routing the international traffic. The provision of data communication services was fully competitive. Internet service provision was under a full competition mode of licensing. There were 23 Internet service providers operating mainly in Dar es Salaam, with a few in major cities and towns countrywide like Arusha. To improve service provision, the National Internet Exchange Point (NIXP) was installed, and another in Arusha (AIXP) by 2006, but these two operated and still operate independently and are not connected. At that time there were only four ISPs connected to their respective IXP. In Arusha the four ISPs were Benson Online Ltd (BOL), Cybernet, Arusha Node Marie and Nexus Digital (AIXP, 2006).

Regarding the legal regulatory framework, the new licensing framework had been in effect since February 2005, when the board of the TCRA, at its 9th special meeting held in Dar-es-salaam, approved the implementation of the converged licensing framework. The board also directed that consultations with existing operators and other stakeholders should continue to ensure its smooth implementation.
The approval was granted to facilitate the implementation of the government's full liberalization policy following the end of the exclusivity policy, and to effectively respond to the challenges raised by convergence in the Information Communication Technology (ICT) sector.

The New Converged Licensing framework was technology and service neutral: a licensee had the freedom to choose the technology which is most efficient and cost effective, and was free to take signals from the market as to which services are most in demand. A licensee was also authorized to provide different services under a single license. The possibilities brought about by the convergence phenomena include provision of various communication services like text, data, image, voice and video over an existing infrastructure; the use of a single transmission technology to offer various services; the provision of the same or substitutable service by a variety of different types of providers (e.g. data over cable TV, telephone, or even electrical power networks); substitution of mobile service for fixed service; and integration of customer terminal equipment or access devices such as the telephone, television and personal computers. In essence this meant that the formerly mobile telephony providers would offer Internet services, i.e. mobile internet, and vice versa the Internet service providers could provide telephony services, i.e. VoIP.

It was envisaged that Internet access at high bandwidth would create new possibilities to develop multimedia content for information, entertainment, and data processing. It was important to note that in several countries broadband growth had by this time already outpaced mobile telephony. The boom was mainly fuelled by software downloads, online gaming, and e-commerce. In the Tanzanian context, affordable high-speed networks could facilitate deployment of Information and Communications Technology for development. The converged licensing framework was meant to facilitate the above possibilities.

It is important to note that the above development of the licensing framework focused on the deployment of more ICT infrastructure and had no focus on correct use and/or protecting users from illegal activities. This could be attributed to the fact that there was a very limited deployment of ICT services, with less than 150,000 people using computers and related services at the time (Ulanga, 2005).
So efforts toward cyber security and related issues by the government of Tanzania were made through the Law Reform Commission, which circulated a discussion paper on the introduction of a legal framework for electronic commerce in Tanzania. The discussion paper came as a result of a study that highlighted the lack of relevant legislation for electronic transactions. Two areas have been highlighted in the discussion paper, namely contracts and consumer protection. Generally the legal system in Tanzania was mainly based on common law. Regulatory steps to secure electronic transactions, such as digital signatures, electronic evidence, reforms to contract law, dispute settlement and others, have not yet been promulgated. In terms of contracts, the Tanzanian laws did not even recognize electronic contracts.

Laws on consumer protection, sales and supply of goods in Tanzania were designed to protect consumers in off-line business only, and hardly applied to online business when it came to the matter of distance contracts. The laws did not protect consumers against any risks involved in distance selling and buying, because when these laws were passed online or distance contracts were not in practice in Tanzania. It was further noted that Tanzanian laws neither covered on-line contracts nor recognized cyber space; the laws in place then provided that a contract must be in writing and duly signed or authenticated before a witness, a requirement that was hardly applicable in cyber space.

Cyber Crimes

The discussion paper also noted that while cyber-crimes posed a significant threat to the development of electronic transactions, Tanzanian laws did not recognize criminal activities on the internet. For example, illegal intrusion into a computer system could not be prosecuted with the legislation current at the time, which required the perpetrator's physical presence. The same went for computer fraud, which in its most simplistic form can be described as stealing something of value by means of computers, and could be extended as far as fraudulently giving instructions to a computer to transfer funds into a bank account or using a forged bank card to obtain money from a cash dispenser.

Another was data protection, where a threat was defined as the use of data processing techniques that could pose a danger to the rights and freedoms of those individuals whose personal data is subjected to some form of automated processing. There was no law in Tanzania which protected data or databases. The main concern here was the right to privacy, data protection and the danger of information misuse. Spam in its most simplistic form is the act of sending a large number of unsolicited mails with an intention to market a product or to deceive the users.
This aspect has not been covered in the discussion paper; however, spam is currently one of the most visible unwanted activities for computer users in Tanzania.

Cyber-attacks: Tanzania was embarking on deployment of e-government, and more and more organizations were adopting the internet as a medium of transmission for their core business functions. E-mail was replacing the fax as the main medium of transmission.
The organizations that heavily depend on the internet and computer networks were now at risk from cyber-attacks, which could be deliberate attempts to disrupt services (Denial of Service attacks) or even more sophisticated attacks. The information document did not address these aspects of cyber security, while there was no legislation which covered these aspects (Ulanga, 2005).

Enumerating all possible Internet vulnerabilities, threats, and attacks in an exact list is not feasible, yet they can be categorized as the table below shows.

Figure 4: Vulnerability Possibilities
Vulnerability scan of randomly selected SMEs using Nessus/OpenVAS

SME.1     High Severity problem(s) found
SME.16    Medium Severity problem(s) found
SME.17    High Severity problem(s) found
SME.18    Medium Severity problem(s) found
SME.19    Medium Severity problem(s) found
SME.2     High Severity problem(s) found
SME.20    Medium Severity problem(s) found
SME.21    Medium Severity problem(s) found
SME.22    Medium Severity problem(s) found
SME.24    Medium Severity problem(s) found
SME.25    Medium Severity problem(s) found
SME.26    Medium Severity problem(s) found
SME.27    Medium Severity problem(s) found
SME.28    Medium Severity problem(s) found
SME.29    Medium Severity problem(s) found
SME.30    Medium Severity problem(s) found
SME.31    Medium Severity problem(s) found

Source: Author

Another study was carried out in 2008 by Kristina Cole et al. to assess the efforts of African nations in the realm of cyber security. They approached cyber security as a national security concern due to an increase in the use of digital technology for critical infrastructure, for military operations, and for intelligence gathering/management, mandating the creation of comprehensive national cyber security plans. In their case, however, this approach was not entirely appropriate for developing nations: many African countries are developing nations and possess neither robust critical infrastructures that utilize digital control systems nor highly digitized militaries, so thinking about cyber security issues in relation to these systems may not make sense. They therefore sought to determine how to implement cyber security in less developed countries as an issue not solely associated with national security, and instead assessed cyber security by focusing on initiatives that were motivated by more than just traditional national security. In order to develop these assessment criteria, the definitions of national, economic, and human security needed to be clarified in the context of their common usage and traditional meanings. To see where cyber security fits into the equation, they introduced the concept and model of security relationships.

Figure 5: Model of Security Relationships

In this way, cyber security is a function of the various institutions to implement the various security measures, and thus floats between the branches of security.

2.4. Chapter Summary

This chapter has attempted to give a brief description of Arusha and the business activities therein. It then went on to show the extent to which SMEs are important to the economies of the countries and to spell out all the potentials of the small-medium enterprises; this was followed by classifying the cyber security challenges which are faced by SMEs.
It then re-examined and combined all the existing relevant literature on the two subjects, small-medium enterprises (SMEs) and information security, namely cyber security. Finally the chapter highlighted the opportunities and the threats which mainly affect the SMEs, as well as the benefits of securing information to the SMEs.

Chapter three: Research Design and Methodology

3.1. Research Design

Outline of the case study

The study started off with formulating and deciding on the hypothesis for the study, i.e. the purpose, the goals and the question at issue. Next followed literature studies for collection of information on the background to the project and the framework. The creation of the framework was a major part of the project, and was performed in two steps: creation of the category definitions and a validation of the definitions; see Figure 3 for an overview. The next step was the data collection, followed by the analysis of the collected data.

Figure 6: Outline of the Case Study
Source: (Soderbom, 2007)

A good design has a general plan for the researchers, detailing how they will go about answering the research questions and how they will consider and determine the sources for data collection. In addition it will also consider the constraints they may face, i.e. location, financial resources, time, ethical issues, access to data etc. The methodology should then reflect the fact that the researcher has thought carefully about why a particular strategy has been applied.

Case Studies

Saunders (2009) defines a case study as a strategy for doing research which involves empirical investigation of a particular phenomenon within its real life context using multiple sources of evidence. Yin (2003) also highlights the importance of context, adding that, within a case study, the boundaries between the phenomenon being studied and the context within which it is being studied are not clearly evident. Mortis and Wood (1991) also point out that the case study will be necessary if we wish to gain a rich understanding of the context of our research and the process being enacted. The motives for adopting a case study were the following merits, as outlined by Kothari (2001):
1) It is a fairly exhaustive method, which enabled the researcher to study deeply and thoroughly different aspects of the phenomenon.
2) Its flexibility in respect to data collection; this study was carried out using a collection of methodologies and both secondary and primary data.
3) It saves both time and cost.

The rationale for choosing Habari Node Ltd as a case is that it is a leading ISP serving the majority of the Arusha Internet users. HNL was identified as a vantage point to investigate cyber security awareness, as well as a focal point for carrying out the vulnerability tests, as most of the other SMEs to be sampled got their internet from HNL. Additionally, HNL was justified on the grounds that they keep some records of the traffic statistics, and as the ISP handles the majority of the Internet traffic, collection of data was simplified. Furthermore, the independent tests and vulnerability scans were best run from the ISP, as it was a gateway, to ease consolidation and matching of data. So HNL was chosen to enable the research to identify vulnerabilities, facilitate arriving at solutions for dealing with these risks and possibly disseminate these findings widely.

Primary research is original research which gives first-hand information on a topic. This research (such as a journal, a person, or an event) informs you directly about the topic, rather than through another person's explanation or interpretation.
The most common forms of primary research are observations, interviews, surveys, experiments, and analyses of original documents and artefacts. Primary research is conducted by the researcher herself/himself and is not based on other people's work. There are a few approaches to primary research, and these are: interviews, focus groups, experiments, structured penetration tests and scans, surveys etc. This research is normally more costly compared to secondary research.

Secondary research is second-hand information on your topic, information at least once removed from the original. This information has been compiled, summarized, analysed, synthesized, interpreted, and evaluated by someone studying primary research. Journal articles, libraries, web, publications, magazines, newspapers, encyclopaedia entries, documentaries, and non-fiction books are typical examples of such secondary sources. Secondary research is cheaper than primary research, but it is not as useful, accurate or specific as primary research (Saunders, 2009).

Area of the study

The research was done at the HNL offices located at the Arusha International Conference Centre (AICC) in Arusha. The selection of the study area was based on various reasons. First, almost all data concerning Internet traffic were available. Secondly, continuous availability of power and Internet connectivity was guaranteed. Also, AICC was the ideal area for the research due to financial, work and time constraints.

The first phase of the research consisted of collecting secondary data from the literature review. According to Saunders et al (1996), there are two main reasons for looking back into the literature: first, the preliminary search assists in generating and refining the research ideas; and secondly, a critical review is an integral part of the research process. As in most research projects, the literature review was an early activity in this research; after the first literature search, the researcher was able to redefine the parameters more exactly and undertook further searches, keeping in mind the research goals and objectives.
The literature review helped in coming up with good insight into, and an understanding of, the previous research done on this topic and the trends which have emerged.

Sample and sampling procedures

The next phase of the research consisted of determining the population for the study, which was SMEs based in Arusha city, and determining the sample size by shortlisting the potential SMEs where the sampling could be carried out. Companies which fit the criteria were those that matched the description in Tanzania's SME policy. This phase also determined the best tools to use to carry out the various vulnerability tests. It was convenient to pick a sample out of the entire population, and in this study just one SME (HNL) and its clientele was chosen for the purpose of generating the required information. The respondents were information system professionals, managers, directors, support IT staff and HNL's vast cross-section of clients.

The purposive or judgemental sampling technique was used to select representatives from the directors and managers. Stratified sampling, where respondents were grouped into their respective skill sets, was used to increase the level of representativeness, i.e. I.T. trained staff were not considered in the same category as an accountant using the Internet to check emails. The simple random sampling technique helped the researcher to select members from each subgroup.

The next phase of the research was primary data collection using these data collection instruments, following the two-stage triangulation research method. It started with the interviewing of small groups or units of inquiry (unstructured interviews); this was followed by a detailed questionnaire, testing quantitatively a much larger sample of employees and consumers.
This method was recommended by Grove and Burns (1997); it is a relatively new approach and is often called the triangulation method.

Interviews will be used to gather reliable and valid data relevant to the research objectives and may be categorized into three categories [Saunders et al, 2003].

i) Structured interviews - These involve the use of questionnaires which are based on a predetermined and identical set of questions.

ii) Semi-structured interviews - Here the researcher has a list of themes and topics to cover, though these may vary from interview to interview depending upon the organizational context. The order of questions may also be varied depending upon the flow of the conversation. Some new questions may also be raised based on the discussions. This type also involves tailoring to specific research protocols, and is also used to assess and rate the abilities of potential research participants in four areas that represent part of the standard of competence to consent in many jurisdictions.

iii) Unstructured interviews - Here there is no predetermined list of questions, hence this is an informal interview. With this form of interview the interviewee is free to talk about behaviour, events and beliefs in relation to the research subject. Because this type of interview is mainly based on the interviewee's perceptual experience, it is known as an informant interview; it is also known as an in-depth interview because it is used to explore in depth the general area in which the researcher is interested.

In this research both semi-structured and unstructured interviews were integrated, which assisted in ensuring a friendly and smooth atmosphere while taking the interviews. After the analysis, the interviews were coded and again analysed to produce a questionnaire with a reduction of categories. This questionnaire can then be used for the larger sample population size.

In triangulation the main emphasis is on the combination of methods, for instance a survey questionnaire with in-depth interviews. The main idea of taking two kinds of data collection methods is that if they differ in the kinds of data support, and yet are the same in conclusion, then confidence in the conclusions is increased.

The overriding advantage of the interview is its adaptability. An adept interviewer can follow up ideas, probe responses and investigate motives and feelings, which the questionnaire can never do. The way in which a reply is made can reveal valuable information. There are a few disadvantages as well.
Interviews are expensive, only a small number of people can be interviewed within a range of time, and they are also time consuming (Hussey, 1997).

Questionnaires, Survey and case studies

Questionnaires, on the other hand, are the less expensive and most popular method of collecting data; they are less time consuming than conducting interviews, and very large samples can be obtained. Hussey and Hussey (1997) identified some important factors to be considered while using a questionnaire, and these are: types of questions, sample size, wordings, including instruction, design, method of distribution and return, wording of any accompanying letter, method of collecting and analysing, and actions to be taken if the questionnaire is not returned.

Other advantages of using questionnaires are:
1) Respondents feel free to explain their opinions, especially if anonymity is an option.
2) They avoid interviewer bias, as the interviewer is not in a position to induce the respondent.
3) Uniformity of responses is achieved, particularly when a closed-ended question is employed.
4) Respondents can answer the questions in their own time.
5) Compared to interviews, it may be a better store of information.
6) Confidentiality may draw out even more answers.
7) Distant respondents can be used.
8) Can be accomplished with minimum staff and facilities.

Disadvantages include:
1) It is only for literate people.
2) Questionnaires have a low rate of return.
3) Does not allow the respondent to seek clarification.
4) With mailed questionnaires one does not have the opportunity to supplement the information in the responses.
5) A closed questionnaire limits alternatives.

Source: (Adam, 2007)

Different distribution techniques were also described by Hussey and Hussey (1997). For some techniques the questionnaires were circulated to the employees and consumers through telephone, post, group and individual email distribution. All the above factors were considered during the choice of method of distribution and the preparation of the final set of questionnaires to be used in the survey.

Bell (1993) says that surveys can provide answers to questions like What, Where, When, and How. The survey tries to address the problems of representativeness found in other approaches like case studies or most of the qualitative approaches. This approach can be termed a fact-finding mission and may contribute little towards the development of a shaping theory or hypotheses. The results from the survey can then be used to test a theory or hypotheses. The data here is primarily quantitative but may also be qualitative in nature, as it represents people's views about an issue.

The Web Based Survey Tool

Taking into consideration the above points, the survey was completely web based when carried out, and a set of questionnaires was also designed to collect the primary data. Making it web based made it easier to reach the respondents, to make adjustments and to gather the data.

Reliability

The reliability of a study is how well it will produce the same results on separate occasions under the same circumstances. For instance, if a study is well controlled and documented, the reliability will be high, and another researcher who follows the same procedure should get the same, or similar, results.

Validity

Validity deals with how well the study measures what is supposed to be measured. High validity means that the results accurately reflect the concept being measured. Both the research method and the way the study is performed are covered.
