A conceptual framework for assessing information security management practices in selected universities in Uganda

Benjamin Ahimbisibwe, Peter Nabende

Makerere University, Kampala, Uganda

Cite: Ahimbisibwe B., Nabende P. A conceptual framework for assessing information security management practices in selected universities in Uganda. J. Digit. Sci. 4(1), 21–29 (2022). https://doi.org/10.33847/2686-8296.4.1_2

Abstract. The purpose of this paper is to present a conceptual framework for assessing managerial-level information security practices, governance, and activities in selected university institutions in Uganda. Extant literature was drawn from existing information security management practices in different organizations. The proposed conceptual framework consists of four manageable areas, namely, information security governance practices, information security practices, personnel management practices, and physical security practices. These areas are further subdivided into 25 categories that provide a formal checklist for assessing existing information security management practices in university institutions in Uganda.

Keywords: Conceptual framework, information security management practices, university institutions in Uganda.



Published online 12.06.2022