Maturity of information systems' security in Ethiopian banks: case of selected private banks

2.1 The research gap in information security models

These day's financial institutions are in high competition and thus are implementing different technologies to perform better. Since the financial sector is considered as a backbone to the economy, its information systems' security has to be well designed, implemented and measured periodically. A more secured information sharing in an organization is considered to be good approach in increasing the organizations effectiveness, efficiency, performance and decision-making capability (Olusegun and Ithnin, 2013). However, the behavior of information sharing is very complex and grows dynamically, so it is mandatory to investigate and analyze the potential risks to ensure maturity of information systems' security regularly.

Information security measures are designed and implemented in an organization to demonstrate and elaborate the organization's approach to ensure information security. The information security mechanism consists of people, policies and infrastructure (Ejerssa, 2018) designed to address the challenges of security breaches revolving around the secured and valuable asset of an organization. According to Ejerssa (2018), information security maturity level in higher educations in Ethiopia is found unsatisfactory. In fact, organizations are different on their structure, the kind of information they have and the capacity to handle information securely.

According to Houngbo and Hounsou (2015), conducting the measurement on information systems' security using consistent metrics improves the ability to understand it and control it. Measuring the information systems' maturity level leads to control and protect the threats and eventually helps to make improvement in information security handling mechanisms. This is well said by Lord Kelvin's adage, “If you can't measure something, you can't understand it. If you can't understand it, you can't control it. If you can't control it, you can't improve it [1].”

Recent research conducted on information security of financial sectors in Ethiopia revealed that the information security protection and governance culture is unsatisfactory (Yohannes et al., 2019). Other local studies focus on different issues, such as an evaluation of the insider threat in the Ethiopian banking sector (Amare, 2015), cybercrime governance (Hailu, 2015), the policy toward implementing information security (Negussie, 2015), designing framework for information security implementation (Tebkew, 2016), designing framework for information security awareness creation (Kebede, 2019), cyber hygiene practice for employees (Deferew, 2020), information security incident response management (Yohannes et al., 2019) and designing framework to manage human factor toward information systems' security (Abebe, 2020). Other related works by Ejerssa (2018), Gera (2019) tried to address the maturity level of information systems' security on Ethiopian public universities and hospitals in Addis Ababa. Even though those studies contribute to address different information security problems, their intention was not to measure the current maturity level of information security. These authors mentioned that there is a dearth of studies in the area of information security maturity level and recommend conducting the same on a regular basis. Hence, this study attempts to fill this research gap by assessing the information security maturity level in the private banks in Ethiopia and propose possible solutions to fill the gaps. This will help the banks to know their security maturity level and take corrective actions so that they can withstand potential cyber-attacks.

2.2 Information security maturity models

Maturity models are extensively being used as a means of organizational development or measurement in the area of information security. Any framework for performance analysis and improving efficiency can be considered as the basis, and if it incorporates methods for quality assurance, it is referred to as a maturity model (Saleh, 2012). To identify the strengths and weaknesses of an organization's information security maturity level, a variety of frameworks or models may be used to assess and identify the discrepancy between the security criteria standard and the actual working environment layout. The common information security maturity models are summarized below.

The National Institute of Standards and Technology (NIST) has released a framework that will help companies in critical infrastructures to minimize the risk of information security risks. It implements five security measures for institutions. These controls include data and asset identification, detection, security, response and recovery (Osamah and Al-Matari, 2021). The NIST framework establishes rules for the activity of US enterprises. It helps to assess and develop the capability of investigating, preventing and responding to cyber-attacks. The model has five levels, namely: policies, procedures, implementation, testing and integration. In addition, the model is driven by nine key areas that are divided into strategic and technical aspects. According to Nieles et al. (2017), higher level of maturity can only be attained if and only if the previous maturity level is attained. Further, the NIST model is oriented to evaluation and documentation of IT systems, and it does not address adequately aspects of nontechnical security services.

ISM maturity model enables an organization's information security maturity level to be divided into five categories of information security capability (namely; unavailable, ad hoc, repeatable, defined, managed or optimized) (Osamah and Al-Matari, 2021). The level of classification is determined by the form of controls and the type of technology enabled by the organization. The maturity level Defined starts by describing the security controls, techniques and technologies needed to protect the organization. The managed maturity level is responsible for developing the technologies required to automate security measures. The optimized maturity level employs access control measures in order to protect the enterprise against both internal and external threats.

De Nederlandsche Bank (DNB) is a maturity assessment framework designed to safeguard financial stability and thus contributes to sustainable prosperity in the Netherlands (Pijpers, 2015). This information system security maturity model is an assessment framework with which financial organizations can perform an assessment to evaluate the maturity of their information systems' security. The DNB information security assessment framework is developed based on COBIT v.4.1 and it includes 21 control objectives which are divided into six areas, i.e. strategy, policies, organization, people, process and technology (Pijpers, 2015; De Haes et al., 2020).

The systems security engineering capability maturity model (SSE-CMM) was created with the goal of advancing security engineering because information security relates to the protection of data against a variety of threats in order to ensure business continuity, minimize risk and maximize profitability and economic opportunities (Kurniawan and Riadi, 2018). Its associated assessment approach are currently available tools for assessing the capability of software vendors of security building materials, programs and services, as well as directing organizations in identifying and developing their security project management (Ferraiolo, 1998).

Levels of maturity for ISM and control in the process ranging from level 0 (none) to level 5 (optimistic), based on the organization's assessment framework. The maturity model is used to identify whether a problem exists and how to prioritize improvements. The five capability maturity levels that represent the process maturity are:

1. Level 0 indicates that not all base practices are performed.

2. Level 1 indicates that all the base practices are performed but informally, meaning that there is no documentation, no standards and is done separately.

3. Level 2 means that the processes are planned and tracked, which indicates commitment to planning process standards.

4. Level 3 for well defined, meaning standard processing has been run in accordance with the definition.

5. Level 4 is controlled quantitatively, which means improved quality through monitoring of every process.

6. Level 5 is improved constantly indicating the standard has been perfect and their focus to adapt to changes.

There are various information security standards in use around the world, which includes mostly utilized standards like COBIT, ITIL, DNB, PCIDSS, BS7799, etc. Among those standards, ISO27001:2013 serves as an inclusive and most acceptable information security standard around the globe. Yemane (2018), for instance, conducted a study on the ISM system for Ethio Telecom using ISO 27001:2013. This research also adopts the ISO 27001:2013 information security standard with its management practices of selection, implementation, and monitoring of controls (see Table 1). Besides, the SSE-CMM is used to achieve this target. This is because ISO 27001:2013 does not have assessment tools (Rosmiati et al., 2016). So, this research mainly employs ISO 27001:2013 to identify variables that are in the information security assessment areas.

Measuring the security maturity level of information systems with standardized metrics increases the ability to recognize and manage information security safety. Therefore, in order to protect information from various security threats, organizations need to understand their information system security maturity level requirements on a regular basis.

4.1 Maturity level gap analysis

The expected maturity level for the SSE-CMM used to calculate the level of information security maturity is 5, which is optimized. First, the value difference for each clause is calculated, and this is the maturity level distance. The total value of the overall difference is calculated by adding all values and dividing them by the number of control objectives. The magnitude of the difference between actual security working conditions and expected security conditions is 2.55, with a 51.1% disparity in overall information security maturity.

From the 14 security areas, three control objectives have scored level 3 (Defined): A.9 – Access Control, A.11 – Physical and environmental protection and A.15 – Supplier relationships, while the vast majority of security control areas are at level 2 (Repeatable but intuitive). In general, the private banking industry has not achieved level 4 (Managed) or level 5 qualification (Optimized). The aggregate outcome of the study to determine the mean value of information security controls in Ethiopian private banks in comparison with the four sampled banks is 2.44, and the last expected information security maturity level is 5 (Optimized). Accordingly, we may deduce that a private banking institution's maturity level is on the second level, i.e. repeatable but intuitive. Table 5 shows gap between the current and expected level of information security maturity.

4.2 Document analysis

As per the document analysis, the sampled private banks do have information security policy and protocol in place to protect the company from both external and internal threats. However, only two of the four sampled private banks have agreed to share their information security guidelines. This method of record analysis assisted the researchers in cross-checking the validity of questionnaire responses. The following is a summary of the results for various security control areas:

Access control policy and identity management: This approach applies to all of the institution's current facilities and services. The policy amendment and revision guidelines state that: “Unless there is special enforcement to update the information protection and access policy in the meantime, it should be updated every three years, subject to prior approval of the Board of Directors”. The researchers deduce from this declaration that there is a significant gap to revise and review the information security policy.

Security incident management: Information systems that are suspected to be compromised are disconnected from the bank's network before the incident has been reviewed, resolved and the risk has been minimized sufficiently. All information security incidents are reported for later study and evaluation in order to identify areas where policies, processes and information security measures can be improved. If the incident is not adequately resolved, the issue should be escalated to the chief information officer.

Physical and environmental security: Classified information and IT infrastructure, such as the data center, disaster recovery center, server rooms, head office organs switches and all word stations connected to Bank X networks, must be physically secured to reduce business and organizational impacts. For demilitarized zone system, device and network management, equipment and software within the scope of this policy must be administered by support groups authorized by the IT security team. For data security, the data have been divided into four classes.

1. High risk: information assets for which there are legal requirements for preventing disclosure or financial penalties for disclosure, i.e. customers' account information, payroll, personnel and financial information.

2. Confidential: Data that should be protected to prevent unauthorized disclosure. The user access to such data is limited to what he/she needs to do their job and can only be given to staff by role and responsibility.

3. Internal use: this category is for internal business information but if disclosed to external entities, could result in some level of harm or disadvantage for the company, its employees and customers.

4. Public: information that may be freely disseminated without causing any harm to the bank, its customers or shareholders.

Human resource security (During employment and termination): It should be ensured that employees, contractors and third-party users are aware of information security threats and concerns. In the course of their usual employment, their obligations and responsibilities are built to handle organizational security policy. To reduce potential security threats, all employees, contractors and third-party users should get enough safety measures, awareness and orientation in security processes and the proper use of information processing facilities. Management in each division should also ensure that personnel under their supervision are appropriately trained on their information security duties before being provided access to sensitive data or information systems. Employees, contractors and third-party users shall exit the banks in an orderly manner. All equipment and access rights associated to their user role should have to be returned and revoked, and whenever an employee changes role with in the bank, the user's access right also should have to be reviewed. The review includes canceling access rights that are no longer needed, unless it has been explicitly authorized by the information system owner or authorized delegates.

Compliance: Management must ensure that security policies are implemented and that regular checks are conducted to ensure compliance with security policy and standards. Critical information systems should be reviewed at least every two years and the IT auditors shall perform compliance reviews or audit of the implementation of recommendations from information incident reports, when necessary. The researchers recognized from the document analysis that the data collected through the questionnaire are included in the institution's information security policy. However, there is a gap when the strategy is implemented on the ground. Despite the fact that these information security regulations exist, their content is limited in contrast to industry standards, in this case ISO 27001, and they are either not communicated or workers lack sufficient awareness. This in turn shows that the organizations did not revise their security policy in the last two or three years, since higher management has waited for managers to submit proposals on revising the security policy.

4.3 Discussion

This study was carried out to reduce and gradually resolve information security-related difficulties and disasters that arise in a variety of ways by evaluating the existing information security maturity level and identifying security gaps in the Ethiopian private banking industry. Although banking is a key financial organization in the economic sector, it is formally vulnerable to fraud and attacks both internally and externally.

The total number of private banks in Ethiopia is 16, according to data acquired from the National Bank of Ethiopia (NBE), and the researchers divided them into four groups based on their high-profit achievement in the 2019/2020 fiscal economic year. Theoretically, the banks with the highest economic achievement are more vulnerable to security attacks, whereas those with the lowest economic achievement are less important to attackers. As a result, when the bank makes a large profit, it becomes a more attractive target for attackers. As a result, Bank A, Bank B, Bank C and Bank D have been arranged in order from highest to lowest profit attainment, from A to D.

The information security maturity level is not a one-time task; institutions founded on information systems must evaluate their security maturity level on a regular basis, as several researchers suggest. This research aimed at answering two research questions, which are discussed below.

The assessment of information security maturity levels helps in determining the organizations' relevant security processes that must be enforced in order to achieve information and information security system. Maturity level values scale from zero to five are used to measure the level of maturity in line with the Maturity Level Performance Objectives.

According to the study's results, the average value of the information security maturity level on the Ethiopian private banking industry in terms of the selected banks is 2.45, and the maximum result on information security maturity level is five (Optimized). This level of significance suggests that information security maturity is at the second level, and that is repeatable but intuitive. And, according to the SSE-CMM assessment criteria, level 2 means that information security controls exist and are carried out in an ordered and controlled way, but in an unstructured manner.

The value of the difference between the actual information security maturity level and expected information security requirements is 2.55. There is a legitimately significant disparity in terms of value in relation to current maturity level as the expected maturity level's worth. There is an action cycle that is repeated when doing duties connected to information security governance management, but its presence has not been explicitly proven or properly defined, and formal inconsistency exists. As stated in the prior section, private banks must be more secure and knowledgeable on the subject because they handle financial information and must address security.

According to Beshah, (2017), the Ethiopian banking industry's maturity level of ISM is lower than what is predicted, with weak information security control and management. According to the study, there is also no information security system or standard used by banks as well as no legislative framework enforced by the banking regulatory body. According to the report, the majority of the banks surveyed lack a structured information security standard, 83.3% lack an ISM standard and 16.7% have implemented COBIT, ISO and PCI DSS independently. The analysis did not calculate maturity and did not define it with a number, and it was carried out using the DNB maturity level evaluation system. Finally, based on the research findings, the researcher suggests that the maturity level gap should be filled by performing an assessment of information security maturity level on a regular basis. Furthermore, banks should offer security awareness training to employees as well as enforce security policies and procedures. In our research, however, majority of the respondents (more than 70%) agreed that their bank has adopted an information security policy, even though there are no institutional framework criteria imposed by regulatory body NBE. The information security division is organized at a department level and has security staff, which was not the case couple of years ago. There is a noticeable difference between the two studies. However, the information security maturity level must be assessed on a regular basis in order to compare the research results and close the gap.

Although not in financial sector, related local research studies were conducted to assess the maturity level of Ethiopian public universities (Ejerssa, 2018). The ISO27001:2013 information security control priorities were used by the researcher, and the study was carried out using the SSE-CMM maturity model evaluation criteria. According to the findings of the study, the majority of the security domain has a maturity level of 2 (Repeatable but intuitive). Another study conducted by Gera, (2019) on assessing the information security maturity level of hospitals in Addis Ababa using the ISO27002, shows the outcome of maturity level 2 based on the SSE-CMM maturity assessment model.

The sensitive nature of the data handled by financial institutions distinguishes them from hospitals and educational institutions. Hence, in this research, the financial sector's maturity level is nearly identical to that of the other sectors. In recent years, the banking industry has shown an increase in the implementation of electronic e-banking services, and the market is now focused on providing superior customer service. In order to provide high-quality service, banks must safeguard the confidentiality, integrity, and availability of their information systems. Financial services have become one of the most common targets for electronic criminals as technology has advanced.

The maturity levels are assessed in order to decide the necessary security changes that a company can implement in order to create a better information and information security framework. Using the results of the questionnaire data, the average value of information security maturity level in Ethiopian private banks was measured. The four sampled banks' average maturity level is 2.45, which is level 2, and the estimated maturity level is 5. Knowing an organization's information security maturity level gives you more trust that its data assets are adequately protected against persistent attacks. It also provides a standardized and systematic mechanism for identifying and assessing information security threats, designing and enforcing appropriate controls and monitoring and improving the effectiveness of the major security areas specified in ISO 27001 information security control criteria.

Several international standards have also emphasized the importance of an organization's information security strategy. According to ITIL, ISO and SAN, information security standards should be implemented within the organization, and employees should be familiar with the policy. Bank X has put in place an information security policy, but it does not seem to be well applied across the whole branches. Some employees are unsure of what they are and are not supposed to do. According to quantitative statistics, 30% of employees are unaware that their company has an information security standard.

According to the study results, the banking industry is facing both internal and external information security threats. A total of 40.7% of respondents reported internal attacks, 22% reported external attacks and 37.3% say all types of attacks. To defend against such attacks, private bank top management must understand the value of information security and pay careful attention to information security maturity on a regular basis. They must focus on creating and coordinating information security teams, as well as allocating an appropriate budget to meet the department's technological requirements. Furthermore, any employee should follow the ISM system protocol and lock his or her computer whenever he or she leaves the workplace, during lunch or break time, or even when he or she goes to another office and there should be a policy in place to protect his or her data from desktop change, including the use of strong passwords and frequent changes, which must be implemented by policy.

According to the study's findings, critical infrastructures such as financial institutions, Internet service providers and national security institutions face challenges, such as a lack of in-house expertise, difficulty identifying the correct security warning sign, a lack of enabling technologies and violation of existing security controls. For information security, expertise or trained professionals are required. According to recent studies, technologies do not work independently. Technological solutions make use of people, procedures and job practices. Trained professionals should use information security software as part of a larger security activity. Besides, based on the interview responses, the following are challenges in relation to information system security maturity in the case private banks:

1. The information security manual lacks standardized risk analysis and security guidelines.

2. There are no systems in place to track the level of information security maturity.

3. Professional and certified information security specialists are in short supply.

4. Disaster recovery is not adequately planned for server environments that are in the same location.

5. Security guidelines for information systems are not adequately updated and reviewed on a regular basis.

6. There is no distinction or separation between the information security strategy and the IT governance system.

7. There are no industry norms or best practices on a financial system governor.

8. Employees are not aware of the security requirements for information systems.

9. Information is needed to bridge the gap between departments and to improve the detection of emerging risks.

10. Budget and manpower allocations are inadequate.

The information security areas such as access control, physical and environmental protection, supplier relationships and compliance are all information security measures that are rated at a higher maturity level, which is level 3 of maturity (Define) procedure. This research also aimed to evaluate the security control objectives with the lowest maturity levels, which were shown to be extremely weak, and these are: cryptography, information security incident management and information security aspects of business continuity management. These security control zones, on the other hand, need to be improved.

5.1 Conclusion

According to the SSE-CMM, the average result is 2.4 for all of the ISO 27001 controls. Hence, we conclude that the banks do not have a predefined and distinct information protection disaster recovery strategy or risk reduction techniques. However, they are partly consistent with international requirements and guidelines such as ITIL, COBIT and ISO. Some processes, such as data classification and incident escalation to the chief information officer, are well executed, whereas some other processes and practices are not well-established, such as awareness and training programs, operational risk prevention systems, teamwork, risk assessment processes and post-incident practices such as sharing of experience are examples of factors that limit maturity.

Human resources, especially technical workers, are not well-versed in technological innovations. This increases the company's exposure to information system security threats. Besides, failure to conduct regular risk analysis and maturity level measurements exposes IT systems to various attacks caused by emerging technology and incidents. Security solutions from different software suppliers and device providers in the banking industry are not adequately tested for possible risks. As per the survey results, private banks do not get their systems evaluated by third parties that have the appropriate resources and experience for risk assessment. Besides, they do not perform comprehensive risk assessments on their own.

5.2 Recommendations for practice

Maturity of information systems' security indicates the degree of development and strength of an organization's security measures to mitigate risks threatening its assets. This study, thus, can help banks to visualize their current information protection capacity and identify security gaps that need to be addressed. Other banks and related financial institutions can also evaluate their information systems' security level using the assessment tool and technique used in this study.

Although the private banks have an information security policy in place, security guidelines and procedures are not well documented and security-related activities are exercised on an ad hoc basis. The information security policy should also be reviewed periodically for its adequacy and completeness. Besides, the user access rules and rights for each user should be expressly stated in a policy guideline. In the event of a transition or promotion, each employee's access privileges must be changed. Employees' information security awareness should also be assessed during the hiring process and on the job periodically. Rules governing information security requirements should also be included in the contract of employment. When an employee, contractor or third-party leaves the organization, he or she must return all of the institution's assets that were used for work under the terms of the contract.

A growing number of information security threats have been reported in recent years. Malware, virus and power outage as well as minor errors with serious consequences are all common occurrences. Financial institutions are highly vulnerable to threats that can damage their operations in various ways and jeopardize their survival. Any kind of attack in the financial sector cannot be tolerated. This study revealed that information security incident management in private banking is found inadequate (i.e. 2.3) and classified at level 2 (repeatable but intuitive). To avoid asset loss and disruption of institute operations, information systems should be monitored and physically well secured. Thus, there must be a well-organized and skilled incident management response team, and this team must practice daily to obtain experience. The banks should focus mainly on difficult areas such as response time, user report process and knowledge gap. All IT staff, managers, incident management team members and other company employees with essential positions must participate in the emergency preparedness practice.

The researchers also recommend that banks should execute the following system security standards specified for each level to have regular improvement and monitoring:

Banks should undertake the following to reach level 3 from their current maturity level of 2:

1. Create a security standard methodology and follow it.

2. When both internal and external security-related incidents are noticed and tracked, coordinate practices to resolve the issue.

3. Organize security awareness, education and training programs.

4. Control and manage security services and mechanisms.

5. Changes in the operational security posture should be tracked and dealt in accordance with security goals.

6. Implement, monitor and update information security standards on a regular basis.

Banks should do the following to reach level 4 from their current maturity level of 3:

1. They should set measurable information security targets and manage threat protection performance objectively.

2. The activities and processes clearly show that the customer's security requirements were met.

3. Implement proper physical security controls to guarantee that all facilities housing key systems/equipment, as well as physical areas.

Banks should undertake the following to reach level 5 from their current maturity level of 4:

1. Increasing organizational capability in terms of process efficiency by gathering, synthesize and monitor vulnerabilities and their attributes using a threat risk analysis method.

2. To the extent essential to accomplish their roles, all members of a security project team are aware of and involved with security engineering efforts.

3. Implement and administer a centralized system for detecting, removing and protecting against harmful code in all forms.

4. Banks should focus their improvement efforts on the required commitment at all levels in order to achieve all incremental maturity levels.

5.3 Suggestions for future research

To have a regular enhancement of the maturity of information systems' security and to have a capability to protect the institution's information system from technological advancement threat, the researchers believe that conducting a more detailed research studies can better benefit financial institutions. Accordingly, this research considered limited private banks. If a future study considers all private banks, the results of this study can be improved which again can provide additional insights. Assessing the security maturity level of an information system is not a one-time activity. As a result, evaluating maturity level over time and comparing the result with this study can help management to trace the progress and find areas of focus. Construct a framework that allows the financial sector to self-assess the maturity level of information systems' security.