Security threats and vulnerabilities mitigation in information systems security for public universities in Kenya

Abstract

The last few years has witnessed increased emergent security threats and vulnerabilities in Universities Information Systems security which include students presenting fake bank slips to be receipted at university accounts, modification of student exams grades in databases using SQL injection, use of memory sticks to propagate viruses, remote login through buffer overflow, phishing attacks among others. There is no well defined framework to mitigate both the insider and outsider threats and vulnerabilities to information systems security for universities. The purpose of this study was to develop a framework for combating security threats and vulnerabilities in information systems security for public universities in Kenya. The objectives of this study were to identify the existing and emerging security threats to information systems in universities, establish existing information system security controls for universities, explore frameworks associated with information system security and develop a secure information system framework for universities. The theory guiding this study was Actor Network Theory which constructs associations within the network and aligns a series of events as a timeline. Survey research design was employed and used stratified and purposive sampling techniques. The target population of this study consisted of System Administrators, Computer Technicians and 4th year Bachelor of Science in Computer Science Students from public universities in Kenya. A total of 306 respondents were used in the study. The tools for data collection consisted of interviews and questionnaires. Data analysis was through use of both descriptive statistics and inferential statistics in which the Pearson product-moment correlation coefficient (r) and t-test was used to establish the relationship between vulnerabilities and threats to information systems and establish existing information systems security controls and frameworks associated with information system security respectively. The key findings from the research study comprised of emergent threats including ransomware, unpatched client software and poor systems configurations. Vulnerabilities identified encompassed inadequate monitoring and analysis of security logs, poor account monitoring and control and missing patches for applications. The results on existing information systems security controls for universities included transaction authorization, duty segregation and logical access controls. The findings on secure information systems frameworks, and standards comprised of security policies and procedures. The significance of the study was a new conceptual framework for developing secure information systems for universities.