This paper presents an innovative Soft Design Science Methodology for improving information systems security using multi-layered security approach. The study applied Soft Design Science Methodology to address the problematic situation on how information systems security can be improved. In addition, Soft Design Science Methodology was compounded with mixed research methodology. This holistic approach helped for research methodology triangulation. The study assessed security requirements and developed a framework for improving information systems security. The study carried out maturity level assessment to determine security status quo in the education sector in Tanzania. The study identified security requirements gap (IT security controls, IT security measures) using ISO/IEC 21827: Systems Security Engineering-Capability Maturity Model (SSE-CMM) with a rating scale of 0 - 5. The results of this study show that maturity level across security domain is 0.44 out of 5. The finding shows that the implementation of IT security controls and security measures for ensuring security goals are lacking or conducted in ad-hoc. Thus, for improving the security of information systems, organisations should implement security controls and security measures in each security domain (multi-layer security). This research provides a framework for enhancing information systems security during capturing, processing, storage and transmission of information. This research has several practical contributions. Firstly, it contributes to the body of knowledge of information systems security by providing a set of security requirements for ensuring information systems security. Secondly, it contributes empirical evidence on how information systems security can be improved. Thirdly, it contributes on the applicability of Soft Design Science Methodology on addressing the problematic situation in information systems security. The research findings can be used by decision makers and lawmakers to improve existing cyber security laws, and enact laws for data privacy and sharing of open data.
References
[1]
Nfuka, E.N., Sanga, C. and Mshangi, M. (2014) The Rapid Growth of Cybercrimes Affecting Information Systems in the Global: Is this a Myth or Reality in Tanzania? International Journal of Information Security Science, 3, 182-199.
http://www.ijiss.org/ijiss/index.php/ijiss/article/view/72
[2]
Mshangi, M., Nfuka, E.N. and Sanga, C. (2015) Using Soft Systems Methodology and Activity Theory to Exploit Security of Web Applications against Heartbleed Vulnerability. International Journal of Computing and ICT Research, 8, 32-52.
http://ijcir.mak.ac.ug/volume8-number2/article4.pdf
[3]
Mshangi, M., Nfuka, E.N. and Sanga, C. (2016) Designing Secure Web and Mobile-Based Information System for Dissemination of Students’ Examination Results: The Suitability of Soft Design Science Methodology. International Journal of Computing and ICT Research, 10, 10-40.
http://ijcir.mak.ac.ug/volume10-issue2/article2.pdf
[4]
Sherwood, J., Clark, A. and Lynas, D. (2009) Enterprise Security Architecture. SABSA White Paper, 6, 43-54.
[5]
Wihitmen, M. and Mattord, H. (2012) Principles of Information Security. 4th Edition, Cengage Learning, Boston.
http://www.cengage.com/resource_uploads/downloads/1111138214_259146.pdf
[6]
Krutz, R.L. and Vines, R. (2007) The CISSP and CAP Prep Guide (Platinum E). Wiley Publishing Inc., New Delhi.
[7]
Lacey, D. (2009) Managing the Human Factor in Information Security: How to Win Over Staff and Influence Business Managers. John Wiley & Sons Ltd., Chichester.
https://www.amazon.com/Managing-Human-Factor-Information-Security/dp/0470721995
[8]
Nachtigal, S. (2009) E-Business Information Systems Security Design Paradigm and Model. The University of London, London.
http://digirep.rhul.ac.uk/items/bf2711d5-4654-40ee-b1c6-4b4f0f83ac97/1/
[9]
Rupere, T., Mary, M. and Zanamwe, N. (2012) Towards Minimizing Human Factors in End-User Information Security. International Journal of Computer Science and Network Security, 12, 159-167.
[10]
Soltanmohammadi, S., Asadi, S., Ithnin, N. and Science, C. (2013) Main Human Factors Affecting Information System Security Seed. Interdisciplinary Journal of Contemporary Research in Business, 5, 329-354. http://ijcrb.webs.com/
[11]
Symantec (2016) Internet Security Threat Report. Network Security.
[12]
Bakari, J.K. (2007) A Holistic Approach for Managing ICT Security in Non-Commercial Organisations: A Case Study in a Developing Country. PhD Thesis. Stockholm University.
http://www.diva-portal.org/smash/get/diva2:197030/FULLTEXT01.pdf
[13]
ISO/IEC 27001:2013 (2013) ISO/IEC 27001:2013 Information Technology Security Techniques Information Security Management Systems Requirements.
http://www.iso.org/iso/catalogue_detail?csnumber=54534
[14]
ISO/IEC 27002:2013 (2013) ISO/IEC 27002:2013 Information Technology Security Techniques Code of Practice for Information Security Controls.
http://www.iso.org/iso/catalogue_detail?csnumber=54533
[15]
Mbowe, J.E., Msanjila, S.S., Oreku, G.S. and Kalegele, K. (2016) On Development of Platform for Organization Security Threat Analytics and Management (POSTAM) Using Rule-Based Approach. Journal of Software Engineering and Applications, 9, 601-623. https://doi.org/10.4236/jsea.2016.912041
[16]
McCumber, C.J.R. (1991) Information Systems Security: A Comprehensive Model. The 14th National Computer Security Conference, Washington DC, 1-4 October 1991, 328-337.
http://csrc.nist.gov/publications/history/nissc/1991-14th-NCSC-proceedings-vol-1.pdf
[17]
Microsoft (2002) The STRIDE Threat Model.
https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20)aspx
[18]
Microsoft (2015) Microsoft Advanced Threat Analytics.
https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics
[19]
PCI-DSS (2013) Payment Application Data Security Standard Requirements and Security Assessment Procedures.
https://www.pcisecuritystandards.org/minisite/en/docs/PA-DSS_v3.pdf
[20]
PCI-DSS (2016) Data Security Standard. Security.
https://pcicompliance.stanford.edu/sites/default/files/pci_dss_v3-2.pdf
[21]
Roessing, R.M. (2010) The Business Model for Information Security. ISACA Journal, 1-27.
https://www.isaca.org/Knowledge-Center/BMIS/Documents/IntrotoBMIS.pdf
[22]
SAN (2013) Interested in learning SANS Institute InfoSec Reading Room Layered Security: Why It Works Layered Security: Why It Works. SAN Institute, 1-13.
https://www.sans.org/reading-room/whitepapers/analyst/layered-security-works-34805
[23]
Al-Azazi, S. (2008) A Multi-Layer Model for E-Government Information Security Assessment. http://hdl.handle.net/1826/3182
[24]
Shaaban, H.K. (2014) Enhancing the Governance of Information Security in Developing Countries: The Case of Zanzibar. PhD Thesis, Bedfordshire.
http://uobrep.openrepository.com/uobrep/bitstream/10547/315359/1/Hussein-Shaaban-PhD-Thesis.pdf
[25]
Arcidiacono, G. (2014) Feature Challenges and Benefits of Migrating to COBIT 5 in the Strongly Regulated Environment of EU Agricultural Paying Agencies. ISACA Journal, 1, 1-3.
https://www.isaca.org/Journal/archives/2014/Volume-1/Documents/Challenges-and-Benefits-of-Migrating-to-COBIT-5_joa_Eng_0114.pdf
[26]
ISACA (2012) COBIT 5 for Information Security. ISACA Journal, 1,
http://www.isaca.org/cobit/pages/info-sec.aspx
Baskerville, R., Pries-Heje, J. and Venable, J. (2009) Soft Design Science Methodology. Proceedings of the 4th International Conference on Design Science Research in Information Systems and Technology, 1-11.
[29]
Peffers, K.E.N., Rothenberger, M. and Kuechler, B. (2012) Design Science Research in Information Systems Advances in Theory and Practice. 7th International Conference, Las Vegas, May 2012. https://doi.org/10.1007/978-3-642-29863-9
[30]
Peffers, K.E.N., Tuunanen, T., Rothenberger, M. and Chatterjee, S. (2007) A Design Science Research Methodology for Information Systems Research. Journal of Management Information Systems, 24, 45-77.
https://doi.org/10.2753/MIS0742-1222240302
[31]
Sanga, C. (2010) A Technique for the Evaluation of Free and Open Sources E-Learning Systems. PhD Thesis, The University of the Western Cape.
http://etd.uwc.ac.za/xmlui/bitstream/handle/11394/2564/Sanga_PHD_2010.pdf?sequence=1
[32]
Farrell, R. and Hooker, C. (2013) Design, Science, and Wicked Problems. Design Studies, 34, 681-705.
[33]
Gregor, S. and Hevner, A.R. (2013) Positioning and Presenting Design Science Research for Maximum Impact. MIS Quarterly, 37, 337-355.
http://www.misq.org/skin/frontend/default/misq/pdf/appendices /2013/V37I2_Appendices/GregorHevnerAppendices.pdf
[34]
Hevner, A.R. and Chatterjee, S. (2012) Design Research in Information Systems: Theory and Practice. Vol. 28, Springer, Berlin.
[35]
Mahundu, F.G. (2016) E-Governance: A Sociological Case Study of the Central Admission System in Tanzania. The Electronic Journal of Information Systems in Developing Countries, 79, 1-11.
http://www.ejisdc.org/ojs2./index.php/ejisdc/article/viewFile/1742/655
[36]
Hevner, A.R., March, S., Park, J. and Ram, S. (2004) Design Science Research in Information Systems. Management Information Systems Quarterly, 28, 75-105.
[37]
Mahundu, F.G. (2015) E-Governance in the Public Sector: A Case Study of the Central Admission System in Tanzania. PhD Thesis. Rhodes University.
http://contentpro.seals.ac.za/iii/cpro/DigitalItemViewPage.external?lang=eng&sp=1020845&sp=T&suite=def
[38]
Basden, A. (2003) Reflections on CATWOE, a Soft Systems Methodology Technique for Systems Designs. Information Systems Journal, 17, 55-73.
[39]
Checkland, P.B. and Scholes, J. (1990) Soft Systems Methodology in Action. John Wiley & Sons, Inc., New York. http://dl.acm.org/citation.cfm?id=130360
[40]
Novani, S., Putro, U.S. and Hermawan, P. (2014) An Application of Soft System Methodology in Batik Industrial Cluster Solo by Using Service System Science Perspective. Procedia—Social and Behavioral Sciences, 115, 324-331.
[41]
Checkland, P.B. (1998) Systems Thinking, Systems Practice. John Wiley & Sons Ltd., Hoboken.
[42]
Salner, M. and Ph, D. (1999) Beyond Checkland & Scholes: Improving SSM. I Can, 11, 20. http://www.systemdynamics.org/conferences/1999/PAPERS/PLEN3.PDF
[43]
Graham, W. (1989) Action and Research: A Soft Systems approach to Organisational Development Evaluating Soft Systems & Organisational Development.
[44]
Williams, B. and Hof, S. (2014) Wicked Solutions: A Systems Approach to Complex Problems. Bob! Williams. http://www.bobwilliams.co.nz/wicked.pdf
[45]
Maconachy, S. and Ragsdale, W. (2001) A Model for Information Assurance: An Integrated Approach. Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, West Point, 308-310.
[46]
Kimble, C. (2008) Holistic Methodologies.
http://www.chris-kimble.com/Courses/sdm/Presentations/SDM7.pdf
[47]
Ashford, W. (2014) The Human Factor a Key Challenge to Information Security.
http://www.computerweekly.com/news/2240236390/The-human-factor-a-key-challenge-to-information-security-say-experts
[48]
Futcher, L. (2011) An Integrated Risk-Based Approach to Support IT Undergraduate Students in Secure Software Development.
http://dspace.nmmu.ac.za:8080/jspui/handle/10948/1673
[49]
Ismail, Z., Masrom, M., Sidek, Z. and Hamzah, D. (2010) Framework to Manage Information Security for Malaysian Academic Environment. Journal of Information Assurance & Cybersecurity, 2010, Article ID: 305412.
https://doi.org/10.5171/2010.305412
[50]
Kapis, K. (2011) Security and Privacy of Electronic Patient Records. PhD Thesis, the Open University of Tanzania.
[51]
Kasita, C. and Laizer, L.S. (2013) Security Architecture for Tanzania Higher Learning Institutions’ Data Warehouse. Journal of Information & Knowledge Management, 3, 25-32.
[52]
Davey, J.W., Gugiu, P.C. and Coryn, C.L.S. (2010) Quantitative Methods for Estimating the Reliability of Qualitative Data. Journal of Multi Disciplinary Evaluation, 6, 140-162.
[53]
Jick, T.D. (1979) Mixing Qualitative and Quantitative Methods: Triangulation in Action Mixing Qualitative and Quantitative Methods: Triangulation in Action. Administrative Science Quarterly, 24, 602-611. https://doi.org/10.2307/2392366
Cohen, L., Manion, L. and Morrison, K. (2007) Research Methods in Education. Professional Development in Education, 6th Edition, Vol. 38, Routledge, New York.
[56]
Saunders, M.N.K., Lewis, P., Thornbill, A. and Jenkins, M. (2009) Research Methods for Business Students. 5th Edition, Pearson Education Limited.
[57]
PMO-RALG (2016) The Prime Minister’s Office, Regional Administration and Local Government (PMO-RALG). http://www.tamisemi.go.tz/
[58]
WEST (2016) Ministry of Education, Science, and Technology (WEST): Institutions. http://moe.go.tz/index.php/sw/
[59]
ISO/IEC 21827:2008 (2008) ISO/IEC 21827:2008 Information Technology Security Techniques—Systems Security Engineering Capability Maturity Model (SSE-CMM).
http://www.iso.org/iso/catalogue_detail.htm?csnumber=44716
[60]
Lacey (2013) Factor Analysis Using R. Practical Assessment, Research, and Evaluation, 18, 1-11. http://pareonline.net/pdf/v18n4.pdf
[61]
R Development Core Team (2005) What Is R?
https://www.r-project.org/about.html
[62]
Tavakol, M. and Dennick, R. (2011) Making Sense of Cronbach’s Alpha. International Journal of Medical Education, 2, 53-55.
https://doi.org/10.5116/ijme.4dfb.8dfd
[63]
Cronbach, L.J. (1951) Coefficient Alpha and the Internal Structure of Tests. Psychometrika, 16, 297-334. https://doi.org/10.1007/bf02310555
[64]
Smyth, D.S. and Checkland, P.B. (1976) Using a Systems Approach: The Structure of Root Definitions. Journal of Applied Systems Analysis, 5, 75-83.
[65]
Maqood, T., Finegan, A.D. and Walker, D.H. (2001) Five Case Studies Applying Soft Systems Methodology to Knowledge Management. QUT Digital Repository.
http://eprints.qut.edu.au/27456/
[66]
Cundill, G., Cumming, G.S., Biggs, D. and Fabricius, C. (2012) Soft Systems Thinking and Social Learning for Adaptive Management. US National Library of Medicine National Institutes of Health, 1, 13-20.
http://www.ncbi.nlm.nih.gov/pubmed/22060320
[67]
Timurtas, D. (2011) Can an Integration of Soft Systems Methodology & the Ethics Framework Enhance Socio-Technical Systems Design in Large and Complex Organizations? An Action Research Study on Two NHS Pathways and Their Design Strategies.
https://www.ucl.ac.uk/silva/uclic/studying/taught-courses/distinction-projects/2010_theses/TimurtasD.pdf
[68]
Razali, S., Noor, N.L.M. and Adnan, W.A.W. (2010) Applying Soft System Methodology (SSM) into the Design Science: Conceptual Modeling of Community Based E-Museum (ComE) Framework. IEEE International Conference on Systems, Man and Cybernetics, 2701-2707.
