QUT Digital Repository:
http://eprints.qut.edu.au/
Alfawaz, Salahuddin and May, Lauren J. and Mohanak, Kavoos (2008) E-government
security in developing countries : a managerial conceptual framework. In:
International Research Society for Public Management Conference, 26-28 March 2008., Queensland University of Technology, Brisbane.
E-government security in developing countries:
A managerial conceptual framework
Salahuddin Alfawaz¹, Lauren May¹, Kavoos Mohanak² ¹Information Institute of Security, ²School of management
Queensland University of Technology, Brisbane, Australia
- Track 12 - eGovernment and Institutional Change-
Abstract
E-government security is considered one of the crucial factors for achieving an advanced stage of e-government. As the number of e-government services introduced to the user increases, a higher level of e-government security is required. This paper firstly presents a review of ICT management in the public sector, information security management and e-government in recent literature by focusing on issues and trends in developing countries. The paper then proposes a conceptual framework for e-government security management within the context of developing countries.. The framework addresses relevant variables from security, cultural, managerial and organizational perspectives. This paper contributes to the e-government literature by establishing an analytical framework for understanding, clarification and investigation of the management issues involved in improving e-government security in technologically-developing countries. This is an issue which has not yet been widely addressed in the open literature.
Keywords: E-government, security policy, management framework, developing
economies, ICT management 1 Introduction
Public and private organizations are facing a wide range of information threats. Information security is a crucial component in their information systems. With their increasing reliance on technologies connected over open data networks, effective management of information security has become one of the most crucial success factors for public and private organizations alike. Requirements and guidelines for effective information security management practices are a prerequisite of e-government in order to promote the necessary steps to ensure successful outcomes. Globally information security best practices and trends are similar. When it comes to applying these best practice approaches to specific applications, however, localized variables and limitations need to be emphasized. This is the case when we consider the application of generic best practices to a specific country, particularly a country which may be considered as still developing technologically.
Studies have shown that there is a link between security issues, e-government and management (Dhillon and Backhouse, 2001; Dhillon and Torkzadeh, 2006; Heeks, 2003; 2006; Siponen and Oinas-Kukkonen, 2007; von Solms, 1999). Studies have also shown that non-technical issues are as important as technical issues in safeguarding an organization’s sensitive information (Dhillon and Torkzadeh, 2006;
Siponen and Oinas-Kukkonen, 2007). The importance of non-technical issues related to security management, however, is de-emphasized in many studies which tend to be quantitative by nature (Siponen and Oinas-Kukkonen, 2007). Particularly, with respect to developing countries, there is a resulting lack of attention in the open literature on factors such as the national and organizational culture, environment and level of awareness and how these factors relate to generic attitudes towards information security and its management.
This paper reviews the existing e-government literature and issues. These issues are introduced and analyzed in terms of how they relate to e-government security by describing them in an information security management framework.
2 E-government concept
The concept of an e-government system is to provide access to government services anywhere at anytime over open networks. This leads to issues of security and privacy in the management of the information systems. Managing such issues in the public sector has different emphases than in the private sector. The broader e-government approach is socio-technical by nature, involving people and processes as well as technologies; hence, particularly in transitional countries, the social culture and characteristics of the country are factors in successful e-government development. In the open literature there are four distinct aspects to e-government. The remainder of this section gives an overview of this literature.
E-government systems
E-government can be defined as government use of information technologies in order to communicate externally in the public sector (with citizens and businesses) and internally (with other government departments) (Ebrahim and Irani, 2005; Gilbert et al., 2004; Heeks, 2006; WorldBank). Accenture (2001) and Ebrahim (2005) give measures for the level of e-government development.
Articles on e-government in some leading countries have been published (Lam, 2005; Norris and Moon, 2005; Pina et al., 2005). A relationship model of e-government integration has been proposed arguing that the development of effective relationships between central government, individual government agencies and users of e-government services are critical to successful e-e-government integration. Those barriers show that both technical and non-technical issues should be considered when implementing e-government integration.
A barrier frequently cited is the need to ensure adequate security and privacy in e-government (Conklin, 2007; Ebrahim and Irani, 2005). Because of the specifics of process in public administration, security models and process models have to correlate (Wimmer and von Bredow, 2001). Norris and Moon (2005), Ebrahim and Irani (2005) and Wimmer and Bredow (2001) have all published articles concerning security and privacy issues in e-government. It is noted that, in fact, e-government itself has become a major contributor to these issues due to its basic concepts of openness and availability.
Information management in the public sector
Information management in the public sector is relevant because relationships with external clients of e-government systems need to be carefully managed. Public organization researchers argue that governments operate in a different environment to
private organizations and, hence, require different approaches. Much has been published in the literature on this topic (Caudle, 1991; Fryer, 2007; Joia, 2003; Moon, 2000). Several characteristics have been identified. The public sector is characterized by the absence of economic markets for final product outputs. The sector relies on government appropriations for financial resources. This reliance produces another constraint, political influence.
Specialized forms of accountability may be required that are not typically faced by private sector firms (Bozeman and Bretschneider, 1986; Bretschneider, 1990; Rainey and Steinbauer, 1999). The Public Management Information System (PMIS) framework differs from conventional Management Information Systems (MIS) frameworks by emphasizing environmental factors rather than internal characteristics of the organization (Bozeman, 1987). This indicates that both public and private sectors are affected by the external factors such as the economic and political authority. However, the public sector seems to be more influenced by those factors than the private sector. Conklin (2007) argues that the differences in these environments play a significant role in the diffusion of technology in e-government settings. It is for this reason that the private sector model can be viewed as inadequate as a basis for management (Stewart and Walsh, 1992).
Hutton (1996) argues that public sector organisations have a number of specific characteristics, which may have an impact on any change management exercise. Some of these include: rigid hierarchies; culture; changes in policy direction can be sudden and dramatic; overlap of initiatives; wide scope of activities; and staff are a crucial part of public sector organisations. These unique characteristics shape transactions between public organizations and citizens, as well as organizational roles, structures and processes. Another critical point is that the public sector is highly sensitive to any information security incident. Although such incidents might be not related to e-government, they can have a negative impact on the adoption and implementation of e-government applications.
Information systems management
From an historical perspective von Solms (2000; 2006) discusses the evolution of information security management systems (ISMS) approaches over the last forty to fifty years by dividing its development into four waves. Although this evolution concept was developed from the perspective of the technologically-developed countries, it is a very useful timeline tool for describing ICT in currently transitioning countries. Each wave describes the general approach to information technology and its management for the given time periods. This concept of a path of ICT evolution can play a significant role in our understanding of the differentiators in ICT technology and the maturity of the information security management system settings in countries which are still in a state of transition somewhere along this path.
Security is traditionally concerned with information properties of confidentiality, integrity and availability. These properties underpin services such as user authentication, authorization, accountability and reliability. Much has been published on the changing role of information security (Dhillon and Torkzadeh, 2006; ISO/IEC, 2005; von Solms, 2000; 2005; 2006) as its general perception has transformed from the purely technical in the 1970s to its current mainstream role in organizations. In the broader sense information security involves people as well as technologies. A small number of publications in the literature address the social acceptance of security
technologies, known as the organizational security culture (Dhillon, 1999; May and Lane, 2006; Ruighaver et al., 2007; Siponen and Oinas-Kukkonen, 2007). Information security standards are well represented in the open literature (Hone and Eloff, 2002; Saint-Germain, 2005; von Solms, 1999; 2005). These standards attempt to describe the various processes and controls needed for successfully implementing an information security policy, rather than advising what the policy should look like (Hone and Eloff, 2002). In general these standards have been developed through the experiences of leading technological countries.
Country context
A key aspect is the country's context where the phenomenon is deployed and operates. A developing country is generally defined as one that has a per capita gross national product less than USD$ 2,000 (Ball, 1990). Nearly 80% of the world's population is living in developing countries. The developing terminology doesn't imply that all developing countries are experiencing similar development. Each country has its unique setting and constraints such as political and economic ones. Ultimately, those constraints will impose different issues relevant to e-government security management. It has been suggested that in an environment of low level of democratization initiatives and low level of e-government readiness, there would be less emphasis on privacy, security, and confidentiality issues (Nour, 2007). It is, therefore, necessary to gain an understanding of cultural dimensions that cover both organizational and national culture (Mendonca, 1996; Molla, 2005; Ciganek, 2004; Hofstede, 2001) by taking into account the overall context in which e-government operates.
According to Heeks (2002; 2003) most ICT programs such as e-government in developing countries fail with 35% being classified as total failures and 50% partial failures. The author attributes these figures to the gap between the current reality (physical, cultural, economic and other contexts) and the design of the ICT program - the greater the gap, the greater the chances of failure. Security has always been identified as one of an information system's important components. Contemporary information assurance management recognizes the imperative to include people and processes, as well as the more traditional technology security issues, in ensuring the quality of information in all modern organizations. To a large extent technological solutions for the majority of security issues have been previously developed. There are however still many application challenges, the people and processes components of information assurance management. This leads to the need for the socio-technical approach to focusing on these issues in the required context for technologically-developing countries.
ICT in developing countries is generally under-represented in the open literature. A few publications fleetingly concede that there can be major issues with transitional countries developing their systems, but the subject is not treated in any depth or breadth. Given the widespread prescription of IT, particularly e-government for developing countries, the urgency of their needs, and the often paucity of their economic resources, it would be useful to understand in depth the factors and issues that underpin them. Yet there are very few published empirical studies directly addressing the issue.
3 The analytical framework
The four aspects or themes mentioned in Section 2 define an e-government security framework within which we explore e-government security management in developing countries. Such aspects situate the e-government security concept within the broader framework of social and organizational theory. Goldkuhl and Lyytinen (1982) described information systems as “technical systems with social implications”. The concept of the socio-technical approach is built on the assumption that information system development involves the design of a work organization where its information system has to be compatible with the surrounding social system, that is, the user and the organizational environments (Lyytinen, 1987). This means that a socio-technical model should combine the features of the information system, the user and the organizational environments. It is recognized that technical and organizational systems are equally important and that the lack of fit between social and technical systems is the primary cause of information systems problems (Iivari and Hirschheim, 1996).
There are several models of information security in the literature that are based on the concept of the socio-technical approach. The Security By Consensus (SBC) model has been suggested by Kowalski (1994). Dhillon (2000) discusses how socio-technical system approaches can be combined with usability engineering in the design of information systems. Eloff and Eloff (2003) argue that an information security management system (ISMS) consists of many aspects such as policies, standards, guidelines, codes of practice, technology, human issues, legal and ethical issues. The Ives et al (1980) model of information systems (IS) research is widely known and discussed in the information system management literature. The model distinguishes between three information system environments (user, IS development, and IS operations environments) and three information system processes (use, development, and operations processes). The environments component defines the resources and constraints that dictate the scope and form of information systems and IS processes. We have chosen the Ives et al (1980) model to appropriately identify the differentiators and requirements needed to be considered by nations for effectively maintaining their information security systems. This choice was made for a number of reasons. First, information security management is considered as a main component of information management systems. Second, the model is well established and several researchers have used this model to tackle different information system issues. Third, its credibility is established for understanding more practical aspects of information systems (Lyytinen, 1987). Finally, due to its comprehensiveness the model will enable us to view the information security issues in the context under study.
In order to identify the key factors of information security in the public contexts, a conceptual framework that helps us to categorize such factors and understand their environment is needed. The literature on the four aspects (e-government, information security management, IT management in the public sector, and the country context) has suggested several factors that may influence the success of e-government security management. Based on the Ives et al. (1980) model we have identified four major components that are widely believed in the open literature to have the potential to significantly impact on the protection of organizations' information assets. The four components are: security culture, managerial, information security infrastructures and change management.
The conceptual framework theorizes a strong relationship between the effectiveness of e-government security management in terms of the basic security criteria (availability, integrity, confidentiality and accountability) and the conceptual framework components which are security culture, managerial and information security infrastructure. We have formulated these as propositions to be investigated in the developing countries’ context. Figure 1 depicts the conceptual framework showing its components and placing the related propositions. These key components are reviewed in the remainder of this section from the recent literature.
Figure 1: Framework of information security management factors
Security Culture
Security culture represents the prevailing attitude towards approaches to a secure organizational environment. Regulatory intervention is particularly important in formulating rules for using and protecting information assets. These factors are affected by legislative and regulatory frameworks, and national and organizational cultures.
Organizational and National culture
In some studies the security culture was observed as part of national culture (Chaula, 2006) whilst in others there was a specific focus on the culture of the organization (Chang and Ho, 2006; Chang, 2007; Ruighaver et al., 2007; Vroom, 2004). Vroom and von Solms (2004) argue that including security practices in the organizational culture proactively and spontaneously for day-to-day operations has a positive affect on the success of the organization.
At this stage our focus is on the national culture. The differences in national culture may explain differences in the effectiveness of information security management at the organizational level. Hofstede (2001) identified five dimensions of national culture: power distance, uncertainty avoidance, individualism, masculinity, and time orientation. Raman and Wei (1992) concluded that culture had a significant impact on how technology meeting systems were perceived, used, and adapted. The cultures of developed countries such as Australia, the United States and the United Kingdom are
similar, and differences in information security issues between these countries and developing countries such as the Gulf Cooperative Council (GCC) (Saudi Arabia, Bahrain, Kuwait, Qatar UAE and Oman) might be explained by cultural differences (Watson et al., 1997). Developing countries encounter cultural and social obstacles when attempting to transfer technology, created abroad, into practice at home (Yavas, 1992).
It is not conclusive that cultural traits such as masculinity, power distance, traditional values and conservatism can affect decision making and employee involvement in developing countries and hinder the effectiveness of information security programs there. Kanungo and Jaeger (1990) argued that the socio-cultural environment of the developing countries, when compared to the developed countries, is relatively high on uncertainty avoidance and power distance, and relatively low on individualism and masculinity. These factors may tend to reinforce resistance to ICT among developing countries and, consequently, contribute to a lack of compliance to relevant measures or controls that would be implemented to safeguard an organization's information assets.
Proposition (1): A public organization’s culture may have an impact on e-government security effectiveness.
Proposition (2): National culture may have an impact on e-government security effectiveness.
Legislation on security and privacy
Legislation and laws should provide the basis for ensuring an adequate level of compliance to international regulations and laws as well as giving internal direction. Recent regulatory developments on the liability of enterprises and management, such as the USA Sarbanes-Oxley Act (2002), the Australian equivalent, the Corporate Law Economic Reform Program (CLERP9) (CLERP9, 2004) and the requirements stated in Basel II, 2005 (Pinder, 2006) have made senior executives more accountable for ensuring the quality of organizational information, which is achieved through effective information assurance management. The increased demand from society for the protection of privacy and personal data has led several countries to develop their own privacy laws, for example the Australian Privacy Act (1988) (AU, 1988) and the European data protection directive (EUDP, 1995).
Many developing countries have yet to consider adopting adequate legislation related to information security management, laws that criminalize cyber attacks and enable police to adequately investigate and prosecute such activities (UN, 2005). In addition, many do not have privacy or network security laws or regulations which could be used to take action against the misuse of ICT resources (Aljifri et al., 2003; Bakari et al., 2005; Shalhoub, 2006).
This implies that many developing countries are not only limited in taking action against intruders targeting their information assets but also against intruders who might use their country’s information network as a base to perform illegal activities globally. This type of activity is a major issue in the information age. This presents another potential fundamental difference between developing countries and developed countries in terms of the existence and absence of the necessary regulations and laws to ensure a higher level of compliance.
Proposition (3): The existence of relevant regulations and laws has an impact on the effectiveness of e-government security management.
Management
Information assurance also depends on the management rules, responsibility, awareness and commitment of senior management and users, and relevant policies. These factors are affected by a variety of issues such as available budget, information security management standards and skilled staff.
Management commitment
Organizations can avoid losses related to computer breaches if more commitment and deterrence is given (Dhillon, 1999). The organizational commitment is affected by organizational culture, individual factors, sector and managerial level as key determinants of organizational commitment (Moon, 2000). Key to the success of the commitment planning process is that commitments are defined and measured in objective terms (Singleton et al., 1988). The effective development of the information security program is carried out on the basis of the contractual attitudes between the organisation stakeholders (senior management, technical staff, users, third parties). In order to determine effective information security management implementation practices it is important that all stakeholders contribute to the information security program. An adequate policy clearly identifies goals, procedures, processes, responsibilities and provides direction to all stakeholders (Fulford and Doherty, 2003; Ruighaver et al., 2007; Saint-Germain, 2005). In this way, inconsistent or conflicting behaviour can be avoided.
In many developing countries there is still a need for more effort regarding developing ICT policies (UN, 2005). For example the absence of ICT security policy and its enforcement has been viewed as a major cause of fragmentation in the rules, procedures and practices leading to inadequate information security programs (Bakari et al., 2005; Tarimo, 2006). This allows us to propose that the likelihood may be greater in developing countries, where in general policies are not in place, that a lower level of organizational commitment prevails than in developed countries.
Proposition (4): The success of e-government security requires a strong and continuous management commitment.
Skills and training
Skilled staff and adequate continuous training programs have been recognized as an important factor for the success of information security programs (Ho, 2002; Norris and Moon, 2005). Hinnant and Welch (2003) argue that increasing the level of computer self-efficacy through training or ICT specific education may serve to influence managerial perceptions of broader ICT initiatives within public organizations.
Generally in developing countries, even when the need for security is recognized, management decisions are limited by scarcity of budget and technical personnel (Rao, 2002; Tarimo, 2006; Timo Wiander et al., 2006). This is a significant problem for transitioning countries. The issue has been attributed to the fact that developing countries generally lag behind in a modern education system that could build robust human capital (Salman, 2004). Insufficient training can lead to misuse of the
electronic processes hindering the potential benefits that might be attained by this new model.
Proposition (5): Insufficient skills and training can lead to misuse of the electronic processes hindering the potential benefits that might be attained by e-government. Awareness
In order to minimize end-user errors, Siponen (2000) introduced a conceptual foundation for organizational information security awareness programs. Siponen concluded that in order to achieve an effective awareness program, such a program should satisfy the behavioural theory requirements and explain to the end-user why they should follow security guidelines. User awareness is always viewed as a focal component and challenge in any ICT system but in the context of developing countries this is a significant issue. Abu-Musa (2007) gives an example of the result of lack of security awareness and other reasons, where organization employees conducted activities such as: deliberate and accidental entry of bad data; sharing of passwords; introduction of computer viruses; suppression and destruction of output; unauthorized document visibility; directing prints and distributed information to people who are not entitled to receive them.
Another focal point is that senior managers and users may not be aware of the security challenges. Each one of them holds certain assumptions, attitudes and values towards the information system implementation and use processes. This can lead to a mismatch of priorities between the organisation and its staff as end users. As a consequence the lack of senior managers' awareness might hinder their willingness to commit sufficient resources. On the other hand, there are the users who might misuse the system due to the absence of a proper awareness program.
This issue has been identified in developing countries where there is a major gap in understanding between ICT staff and senior managers (Bakiri, 2007). This implies a cultural gap between the organization's stakeholders which is significant enough to affect the information security program effectiveness.
Proposition (6): Senior managers and user awareness are focal components to e-government security management effectiveness.
Information Systems structure
According to Heeks (1999) there are three possible approaches to information systems responsibilities: Centralized decisions are taken at the most senior or central level; Decentralized decisions are taken at some level lower than the most senior; typically by individual work units within the organization or even by individual staff; and Core-periphery decisions are taken at both senior and lower levels, either separately or in an integrated manner. Heeks suggests that Core-periphery is most effective for ICT usage and information systems development (Heeks, 1999).
In developing countries governments often exert more influence over industries and organizations, for example controlling access to key resources and setting costs. In developing countries a heavily-centralized management approach is most likely to be favoured over a decentralized one. This centralized approach usually forces organizations to accept limited information security solutions that might not fit their real needs (Atiyyah, 1999).
Proposition (7): The information systems structure has an impact on the success of e-government security management.
Integration
Integration is the extent to which there are coordination and control procedures across different functions of the organization and other organizations (Scholl, 2003; Currie, 1996; Lam, 2005; Ebrahim and Irani, 2005). Issues such as different security models, data ownership and government policy evolution have a negative impact on e-government security. Another factor that influences the success of e-e-government security is the culture of the public agency in which it is developed. New processes of e-government, at different levels within the public organization, demand full coordination between stakeholders.
In developing countries the lack of procedural standards is even more relevant when two different public agencies are working together, concurrently. Procedures standardization is required in order to integrate different internal processes which demand very clear prior definition of leadership and respective function. Hence, the success of the use of a new process depends on the development of relationships between stakeholders within the organisations involved.
Proposition (8): The development of effective relationships between stakeholders is critical to successful e-government security management.
Information security infrastructures
Information security systems are mostly defined as systems that protect information assets from harm or misuse. Traditionally the main information security services are the preservation of confidentiality, integrity and availability of information. Other properties such as authenticity, accountability, non-repudiation and reliability are also involved [ISO/IEC 17799:2005]. Security mechanisms are the technologies that provide the security services; for example digital signatures and firewalls. Technical infrastructure that is capable of handling the required volume and type of transactions in a secure manner is a necessity in achieving the information assurance objectives. Historically information security service goals are the preservation of confidentiality, integrity and availability of information. Other characteristics that have evolved from these basics include authenticity, accountability, non-repudiation and reliability [ISO/IEC 17799:2005]. The concepts and principles of information security services and mechanisms remain the same no matter where, geographically, ICT is applied. Given the same degree of foundational preparedness, it is intuitive that there should be no real difference between developing and developed countries. There is the question however of the state of a nation’s ICT infrastructure which, for developing countries, may present different challenges and priorities that are worthy of mention. In terms of information security infrastructure, developing countries in general lack the necessary security technology structures (Aljifri et al, 2003), such as Public-Key Infrastructures (PKI) and adequate encryption systems, to enable a high quality of electronic information. These types of technologies can ensure confidentiality and provide access control, integrity, authentication and non-repudiation services for organizations moving into the information age. This issue is of major concern to many developing countries as it underlies efforts to establish access to the information age through effective ICTs (UN, 2005).
Proposition (9): Adequate of security infrastructure has an impact on the effectiveness of e-government security management.
Change Management
By implication, change management in the public sector is also topical as systems go through development phases (Ostroff, 2006; Ward and Elvin, 1999). Grover et al. (1995) identified the key elements of change management as breaking the organizational status quo and introducing new practices, new values and new structures. In our context change management can be defined as managing change in public sector organizations to produce an improvement in the information security management. However, public organizations have been characterized by applying an incremental, slow and only partly top-down change approach, instead of a rapid and top-down manner (Fryer, 2007; Hazlett and Hill, 2003). While this might be true the introduction of e-government imposes a strong call for rethinking and reengineering most of the management process in the public sector; for example, stressing the importance of having a senior IT Director/Manager in charge of IT and security programs (Currire, 1996).
In developing countries many organisations often face acute internal resistance when implementing new information and communications technology systems as employees may view this as a threat to their jobs. Besides individual resistance, organizations themselves are conservative inherently and oppose change (Salman, 2004).
Proposition (10): Change management is the vehicle of process evolution for an effective e-government security management.
4 Conclusion
The majority of ICT management standards and best-practice guidelines have been developed by technologically-leading countries. The management of e-government security assurance is a relatively recent focus with which even technologically-leading countries have unresolved issues. For countries which are still developing technologically e-government security management has added issues, mostly to do with environmental factors which differentiate them from the implicit assumptions of leading countries. Our research question is whether or not the management of e-government security for developing countries is fundamentally different from that in technologically-leading countries. Initial indications are that, although the technology itself is essentially the same globally, environment factors influence its application and, hence, impact on the resulting degrees of success of e-government implementations.
Potential key factors are security culture, security and privacy legislation, management commitment, management style, senior management and user awareness, skills and training, management change and information security infrastructure. A framework is proposed for detailed investigation involving a multi-methodological approach to determining the feasibility of the existence of fundamental differences between the two groups. Clearly, the proposed framework is required further testing for thorough empirical validation. It is the position of the authors that a multi-methodological approach will be carried out to capture the richness of the implementation processes of e-government security program in developing countries.
This paper contributes to the open literature in general and to ICT policy developers in transitioning environments in particular. In today's Information Age this is a very topical issue which is yet to be widely addressed.
References
Abu-Musa, A. A. (2007). Evaluating the security controls of CAIS in developing countries: An
examination of current research. Information Management & Computer Security, 15 (1), 46 -
63.
Aljifri, H. A., Pons, A. and Collins, D. (2003). Global e-commerce: a framework for understanding and
overcoming the trust barrier. information Management & Computer Security, 11 (3), 130-138.
Atiyyah, H. S. (1999). Public Organisations’ Effectiveness and Its Determinants in a Developing
Country. Cross Cultural Management, 6 (2).
AU.1988. Australia.Privacy Act 1988. www.privacy.gov.au/act/index.html. (Accessed July 2007)
Bakari, J. K., Tarimo, C. N., Yngstrom, L. and Magnisson, C. (2005) State of ICT Security
Management in the Institutions of Higher Learning in Developing Countries: Tanzania Case
Study. Computers & Security Proceedings of the Fifth IEEE Intrnational Conference on
Advanced Learning Technologies (ICALT 05).
Ball, D. A., McCulloh, W. H. (1990). International Business (4th ed.). Homewood, IL: Irwin.
Bozeman, B. and Bretschneider, S. (1986). Public Management Information Systems: Theory and
Prescription. Public Administration Review, 46, 475-487.
Bozeman, B. (1987). All Organizations are Public. San Francisco, CA: Jossey Bass.
Bretschneider, S. (1990). Management Information Systems in Public and Private Organizations: An
Empirical Test. Public Administration Review, 50 (5), 536.
Caudle, K. E. N. S. L. (1991). Evaluating Public Sector Information Systems: More Than Meets the
Eye. Public Administration Review., 51 (5), 377-384.
Chang, S. E. and Ho, C. B. (2006). Organizational factors to the effectiveness of implementing
information security management. Industrial Management & Data Systems, 106 (3), 345-361.
Chang, S. E. a. L., Chin-Shien. (2007). Exploring organizational culture for information security
management. Industrial Management \& Data Systems, 107 (3), 438-458.
Chaula, J. A. a. Y., Louise and Kowalski, Stewart. (2006). Technology as a Tool for Fighting Poverty: How Culture in the Developing World Affect the Security of Information Systems.
Proceedings of the 4th IEEE International Workshop on Technology for Education in Developing Countries (TEDC’06).
CLERP9.2004. The Corporate Law Economic Reform Program (CLERP 9).
http://www.asic.gov.au/asic/asic.nsf/byheadline/CLERP+9?openDocument (Accessed 2007 July)
Conklin, W. A. (2007) Barriers to Adoption of e-Government. System Sciences, 2007. HICSS 2007.
40th Annual Hawaii International Conference on system sciences. IEEE.
Currire, W. L. (1996). Organizational Structure and the Use of Information Technology: Preliminary
Findings of a Survey in the Private and Public Sector. International Journal of Information
Management, 16 (1), 51-64.
Dhillon, G. (1999). Managing and controlling computer misuse. Information Management & Computer
Security, 7 (4), 171-175.
Dhillon, G. and Backhouse, J. (2001). Current directions in IS security research: towards
socio-organizational perspectives. Information Systems Journal, 11 (2), 127-153.
Dhillon, G. and Torkzadeh. (2006). Value-focused assessment of information system security in
organizations. Information Systems Journal, 16, 293-314.
Ebrahim, Z. and Irani, Z. (2005). E-government adoption: architecture and barriers. Business Process
Management Journal, 11 (5), 589-611.
EUDP. (1995). Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free
movement of such data. Official Journal L 281, 31-50.
Fryer, K. J. A., J. Douglas, A. (2007). Critical success factors of continuous improvement in the public
sector: A literature review and some key findings. TQM MAGAZINE, 19 (5), 497-517.
Fulford, H. and Doherty, N. F. (2003). The application of information security policies in large
UK-based organizations: An exploratory investigation. information Management & Computer
Gilbert, D., Balestrini, P. and Littleboy, D. (2004). Barriers and benefits in the adoption of
e-government. The International Journal of Public Sector Management, 17 (4/5), 286.
Grover, V., Jeong, S. R., Kettinger, W. J. and Teng, J. T. C. (1995). The implementation of business
process reengineering. Journal of Management Information Systems, 12 (1), 109-144.
Hazlett, S.-A. and Hill, F. (2003). E-government: the realities of using IT to transform the public sector.
Managing Service Quality, 13 (6), 445-452.
Heeks, R.1999. Centralised vs. Decentralised Management of Public Information Systems: A
Core-Periphery Solution. (Accessed
Heeks, R. (2003). Most eGovernment-for-Development Projects Fail: How Can Risks be Reduced?
iGovernemnt Working Paper Series, Paper no. 14.
Heeks, R. (2006). Implementing and Managing eGovernemnt.
Hinnant, C. C. and Welch, E. W. (2003) Managerial capacity and digital government in the States: examining the link between self-efficacy and perceived impacts of IT in public organizations.
System Sciences, 2003. Proceedings of the 36th Annual Hawaii International Conference on Seystem Sciences.IEEE.
Ho, A. T.-K. (2002). Reinventing local governments and the e-government initiative. Public
Administration Review, 62 (4), 434-444.
Hofstede, G. (2001). Culture's Consequences, Comparing Values, Behaviors, Institutions, and
Organizations Across Nations. Thousand Oaks CA: Sage Publications, Second edition. Hone, K. and Eloff, J. H. P. (2002). Information security policy - what do international information
security standards say? Computers & Security, 21 (5), 402-409.
Iivari, J. and Hirschheim, R. (1996). Analyzing Information Systems Development: A Comparison and
Analysis of Eight IS Development. Information Systems Journal, 21 (7), 551-575.
ISO/IEC.2005. The international standards ISO/IEC. http://www.saiglobal.com. (Accessed March
2007)
Ives, B. a. H., Scott and Davis, Gordon B. (1980). A Framework for Research in Computer-Based
Management Information Systems. Management Science, 26, 910-934.
Joia, L. A. 2003 In Knowledge Management in Electronic Government: 4th IFIP International
Working Conference, KMGov 2003, Rhodes, Greece, May 26-28, 2003. Proceedings, pp. 76-81.
Kanungo, R. N. and Jaeger, A. M. (1990). Management in Developing Countries. Routledge, New
York.
Lam, W. (2005). Barriers to e-government integration. Journal of Enterprise Information Management,
18 (5/6), 511-530.
Lyytinen, K. (1987). Different Perspectives on Information Systems: Problems and Solutions. ACM
Computing Surveys, 19 (1).
May, L. and Lane, T. (2006). A Model for improving e-Security in Australian Universities. Journal of
Theoretical and applied Electronic Commerce Research, 1 (2), 90-96.
Moon, M. J. (2000). Organizational Commitment Revisited in New Public Management: Motivation,
Organizational Culture, Sector, and Managerial Level. Public Performance & Management
Review, 24 (2), 177-194.
Nour, M. A., e. a. (2007). A context-based integrative framework for e-government initiatives. Government Information Quarterly.
Norris, D. F. and Moon, M. J. (2005). Advancing E-Government at the Grassroots: Tortoise or Hare?
Public Administration Review, 65-75 (1), 64.
Ostroff, F. (2006). Change Management in Government. Harvard Business Review, 84 (5), 141-147.
Pina, V., Torres, L. and Acerete, B. (2005). Are ICTs promoting government accountability?: A
comparative analysis of e-governance developments in 19 OECD countries. Critical
Perspectives on Accounting, In Press, Corrected Proof.
Pinder, P. (2006). Preparing Information Security for legal and regulatory compliance (Sarbanes-Oxley
and Basel II). Information Security Technical Report, 11 (1), 32-38.
Rainey, H. G. and Steinbauer, P. (1999). Galloping Elephants: Developing Elements of a Theory of
Effective Government Organizations. Journal of Public Administration Research and Theory:
J-PART, 9 (1), 1-32.
Raman, K. S. and Wei, K. K. (1992). The GDSS research project. In R.P. Bostrom, R.T. Watson & S.T.
Kinney (Eds.). . New York, NY: Van Nostrand Reinhold.
Rao, M.2002. How real is the internet market on developing countries?
www.isoc.org/oti/articles/0401/rao.html (Accessed July 2007)
Ruighaver, A. B., Maynard, S. B. and Chang, S. (2007). Organizational security culture: Extending the
Saint-Germain, R. (2005). Information Security Management Best Practice Based on ISO/IEC 17799.
Information Management Journal, 39 (4), 60-66.
Salman, A. (2004). Elusive challenges of e-change management in developing countries. Business
Process Management Journal, 10 (2), 140-157.
Shalhoub, Z. K. (2006). Trust, privacy, and security in electronic business: the case of the GCC
countries. information Management & Computer Security, 14 (3), 270-283.
Singleton, J. P., McLean, E. R. and Altman, E. N. (1988). Measuring Information Systems
Performance: Experience with the Management by Results System at Security Pacific Bank.
MIS Quarterly, 12 (2), 325-337.
Siponen, M. T. (2000). A conceptual foundation for organizational information security awareness.
Information Management & Computer Security, 8 (1), 31-41.
Siponen, M. T. and Oinas-Kukkonen, H. (2007). A review of information security issues and respective
research contributions. SIGMIS Database, 38 (1), 60-80.
Stewart, J. and Walsh, K. (1992). Change in the Management of public services. Public Administration,
70 (4), 499-518.
Tarimo, C. (2006): ICT Security Readiness Checklist for Developing countries: A Social-Technical Approach.Ph.D. thesis. Stockholm University, Royal Institute of Technology.
Timo Wiander, Reijo Savola, Kaarina Karppinen and Rapeli, M. (2006) Holistic Information Security
Management in Multi Organization Environment. IEEE ISIE 2006,. IEEE.
UN. 2005. Information Economy Report 2005. http://www.unctad.org/ecommerce/
von Solms, B. (1999). Information security management: why standards are important. Information
Management & Computer Security, 7 (1), 50-57.
von Solms, B. (2000). Information security - The third wave? Computers & Security, 19 (7), 615-620.
von Solms, B. (2005). Information Security governance: COBIT or ISO 17799 or both? Computers &
Security, 24 (2), 99-104.
von Solms, B. (2006). Information Security - The Fourth Wave. Computers & Security, 25 (3), 165-168.
Vroom, C. a. v. S., R. (2004). Towards information security behavioral compliance. Computers &
Security, 23 (191-198).
Ward, J. and Elvin, R. (1999). A new framework for managing IT-enabled business change.
Information Systems Journal, 9 (3), 197-221.
Watson, R. T., Kelly, G. G., Galliers, R. D. and Brancheau, J. C. (1997). Key issues in information
systems management: An international perspective. Journal of Management Information
Systems, 13, 91-115.
Wimmer, M. and von Bredow, B. (2001) E-government: aspects of security on different layers.
Database and Expert Systems Applications, 2001. Proceedings. 12th International Workshop on Database and Expert Systems Applications. 350-355
WorldBank.Definition of E-Government. Viewed from: http://go.worldbank.org/M1JHE0Z280
(Accessed Jan 2008)
Yavas, U. (1992). Constraints on the application of management know-how in the Third World.