
Chapter 8 – Conclusion and Future Work

8.1. Research Objectives

This debate specifically focused on the concerns within university environments, where the institutional culture promotes open sharing of information instead of protecting it. For geographical reasons, it was felt that the research would be better carried out with South African institutions, for ease of data collection. A number of goals were discussed in Chapter 1 with the idea of deliberating on the information security concerns brought about by the use of personally-owned mobile devices in work-related environments. These original research objectives are summarized below:

• To contribute to academic literature with regard to the security concerns around enterprise BYOD adoption and thereby incite further research.

• To provide guidance with regard to the security considerations when implementing a BYOD strategy within universities and similar organizations.

To achieve these objectives, a primary research question was proposed:

Are South African universities adopting BYOD, and are they aware of the information security concerns introduced into their organizations by allowing this practice? If so, which strategies, if any, are being used to minimize these concerns?

This primary research question was further expanded into five research sub-questions in order to aid in achieving the research objectives.

The findings of sub-questions one to three implicitly address the first part of the primary research question, “Are South African universities adopting BYOD and are they aware of the information security concerns introduced into their organizations by allowing this practice?…”, and similarly, sub-questions four and five address the second part, “…which strategies if any, are being used to minimize these concerns?”. As such, addressing these sub-questions implies that the primary question is also addressed. For this reason, the sub-questions and how they were dealt with are reflected on below.

1. “Do universities have sensitive data that is worth protecting and what risks are universities faced with?” was addressed in the literature review in Chapter 2 (Section 2.1), where the various data loss concerns were discussed using real-world examples of data breaches and their resulting impact on the affected institutions. Thereafter, an online targeted questionnaire provided insight into the second part, “do personally-owned mobile devices increase this risk?”

2. “What is BYOD? Define the concept and explore the sudden interest of employees using personal mobile devices for work related purposes?” was addressed in Chapter 2 (Section 2.2) of the literature review, where a synthesis of literature from various sources was used to define the concept of BYOD and discover the reasons for the current trend. This delivered a crucial understanding of the history of the change in the computing landscape toward the current mobile computing environment. It also gives an understanding of the productivity advantages that organizations gain by allowing BYOD.

3. The sub-question “What are the current acceptance levels of BYOD within organizations and does this compare to the acceptance levels within South African higher education institutions?” was addressed in two parts. First, in Chapter 2 (Section 2.3), current practices within organizations were discovered through literature which references real-world examples and reports. It was discovered that many organizations are both directly and indirectly accepting BYOD into their environments due to the push from users. Similar results were then found in the practices of South African universities through the evidence discovered in the questionnaire. High acceptance levels of BYOD were noticeable, along with recognition by questionnaire participants of the related security threats.

4. “What security threats to organizational data are introduced by these personally-owned mobile devices?” was addressed in Chapter 3 (Section 3.1 and Section 3.2) and primarily drew upon existing literature to discuss the increasing levels of mobile malware and mobile device related threats respectively. How these issues may perpetuate information security risks for organizations was also reflected on.

5. The final sub-question, “What does the related research inform us about organizational mobile device adoption in relation to BYOD and which strategies are organizations using to mitigate any associated threats?”, was addressed by reflecting upon similar studies in Chapter 4, which suggest that BYOD is inevitable for most organizations because of the many advantages it offers both the institution and the employees. However, BYOD has many disadvantages, such as data loss concerns, and ultimately increases the attack surface for any organization. The survey was then composed, and it found that the pervasiveness of mobile device adoption in South African universities was comparable to that in other organizations.

Additionally, because related academic research was not found in the literature, the survey sought to determine which mitigation strategies South African universities were using. The results suggest that many of the common controls have not been implemented. For this reason, recommendations for the implementation of a secure BYOD policy were suggested in Chapter 7. A threat modelling procedure was also suggested to aid in creating the policy.

Finally, examples of mitigation strategies such as technical controls and user awareness were discussed.

By addressing the five sub-questions, the primary research question was thus addressed and in so doing, the original research objectives were achieved.