An Assesment of Cyber Security Challenge in Arusha

8/3/2019 An Assesment of Cyber Security Challenge in Arusha

1/98

An Assessment of the Awareness of Cyber security challengesof Small and Medium Enterprises in Arusha

A C a s e s t u d y o f H a b a r i N o d e L t d

This research paper is submitted in partial fulfillment of the

requirements of the Award of a Masters of Business

Administration in Information Technology.

Supervised by

Mr. John Pima

September, 2011

I n C o l l a b o r a t i o n w i t h t h e I n s t i t u t e o f

A c c o u n t a n c y A r u s h a


2/98

2

Abstract

This study was prompted by the recent connectivity of Arusha town to the fibre cable

in Dar-es-salaam namely the Seacom and Essay fibre cable in May, 2010. This

enhanced connectivity significantly improved the downloads and uploads speed of

traffic to and from Arusha consequently greatly improving the users experience of

Internet related services now traveling at lightening speeds. This opened up the

possibility of effectively using internet related business services like online tax

processing, banking and educational services that were previously to slow too run on

satellite (VSAT) or dial-up links and triggered a need or awareness for businesses in

Arusha to start using as well incorporating more Internet related business services in

their daily operations to effectively compete.

Unfortunately with this improved connectivity and subsequent increase in business

opportunities could also have generated additional interest in the region by Cyber

(Internet related) crime perpetuators as well as amplified exposure to Cyber threats

as connecting to machines in Arusha from anywhere in the world had become faster

and easier. The consequences of these threats/attacks are well-known: violation of

privacy, theft of information, the potential for a devastating large scale network

failure, service interruption, or the total unavailability of service. This changetherefore passes a question to small and medium enterprises/businesses (SMEs) in

Arusha; as to whether they are adequately prepared to meet this new challenge and

if not what couldthese SMEs do about it?

This research therefore set out to assess the efforts of SMEs in Arusha in the realm

of cyber security. Attention was directed to SMEs because SMEs the engine of the

national economy and account for over 95% of organizations and 60-70% of

employment (OECD, 1997). When approaching this problem, the researcher noted

that though in the past; traditional definitions of cyber security have been to design

strong cryptography into information security systems. Only protecting confidential

information as a motivation for cyber security may not be entirely appropriate for

SMEs.

More so there had been increasing interest in other sectors of security, namely geo-

political, economic and human previously considered by many as non-traditional


3/98

3

security issues. Implying the location of such businesses, cost of preventive

measures, security policies, appropriateness of the available tools, as well as the

recovery or fail-over options in place could also serve as a strong motivator; for

many SMEs possess neither full-bodied critical infrastructures that utilize digital

control systems nor specifically staff information security specialists. Indicating that

thinking about cyber security issues strictly in relation to these systems and staff

would not be complete. The research then sought to determine how to best

investigate and implement cyber security in SMEs, if it is not an issue solely

associated with protection of confidential data. As a result this research was then

carried out using a collection of methodologies requiring both the secondary and the

primary data to be used for this purpose.

The study conducted shows that there was a relationship between the accessibility

of internet, incidences of cyber-attacks, awareness of cyber threats and the

organization size. So although the online survey revealed that while most Arusha

SMEs do access the internet and rely heavily on the Internet many lack the internal

resources, formal policies, employee training, and technologies they need to protect

this critical information. To further compound matters most own websites that they

use to attract customers to their business as well as routinely handle confidential andproprietary data. However the vulnerability scans showed some level of protection;

the results from recorded intrusion attempts highlighted an almost aggressive assault

on any device reachable via the Internet.

Implying it was quite possible that a substantial number of accessible online systems

may have already been compromised. The major difficulty in affirming this was due

to the absence of records illustrating these breaches as little effort was being made

to record these incidences due to the ensuing panic/crisis after a cyber-

attack/breach.

Keywords

Awareness, Challenges, Cyber security, Information Security, Internet, SMEs.


4/98

4

Acknowledgement

The successful completion of any trying and extensive task would be incomplete

without mentioning the names of persons who helped to make it possible. I wouldlike to take this opportunity to express my gratitude in few words and respect to all

those who helped me in the completion of this dissertation.

To begin with, I am extremely grateful to Allah for his generous blessing and

abundant mercy for the opportunity to do this course and at all the stages therein

culminating in the completion of this dissertation.

I convey my heartiest thanks to Mr Erik Rowberg, the managing director of HabariNode Limited, who generously supported and granted me the opportunity to do this

study in the most established, respected and highly regarded ICT Company in

Arusha.

I would also like to express my deep sense of gratitude to my supervisor Mr John

Pima, for his support during this research study and guidance to enable me

successfully complete this dissertation.

Not forgetting my sincere thanks and heartfelt gratitude to my friends, colleagues,

fellow students and comrades for giving me timely advice in all the ways and in all

aspects that have enabled me to reach this far and for the success of this

dissertation.

Finally to my family who have may have felt my absence; it is my sincere prayer that

this struggle was worth the time away from you.


5/98

5

Declaration

I declare that this dissertation was composed by myself and that the work contained

therein is my own except where explicitly stated otherwise in the text, and that this

work has not been submitted for any other degree or professional qualificationexcept as specified.

Date: September 2011

Ismail M. Settenda

MBA-IT 0027/T.2010

Copyright Acknowledgement

I acknowledge that the copyright of this dissertation belongs to Coventry University.


6/98

6

Glossary of Terms

This part of the document is to provide acronyms and definitions of some of the key

words used in this dissertation.

Application -Software whose primary purpose is to perform a specific function foran end-user, such as Microsoft Word.

AICC Arusha International Conference Centre

ALMC - Arusha Lutheran Medical Centre

AIXP - Arusha Internet Exchange Point

ATM - Automated Teller Machine

CEO - Chief Executive Officer

Cracker (a.k.a hacker) - The correct name for an individual who hacks into a

networked computer system with malicious intentions. The term hacker is used

interchangeably (although incorrectly) because of media hype of the word hacker. A

cracker explores and detects weak points in the security of a computer networked

system and then exploits these weaknesses using specialized tools and techniques.

CRDB - Centenary Rural Development Bank

Cyber - Prefix commonly used to indicate some association with the internet.

Cybercrime - A criminal offense that involves the use of a computer network.

Cyberspace - Refers to the connections and locations (even virtual) created using

computer networks. The term Internet has become synonymous with this word.

EISAM - Enterprise Information Security Assessment Method

Gateway (Router) - A network node connected to two or more networks. It is used

to send data from one network (such as 137.13.45.0) to a second network (such as

43.24.56.0). The networks could both use Ethernet, or one could be Ethernet and the

other could be ATM (or some other networking technology). As long as both speak

common protocols (such as the TCP/IP protocol suite), they can communicate.

GDP - Gross Domestic Product

HMS Hospital Management System
http://www.investorwords.com/10019/indicate.htmlhttp://www.businessdictionary.com/definition/association.htmlhttp://www.businessdictionary.com/definition/internet.htmlhttp://www.businessdictionary.com/definition/internet.htmlhttp://www.businessdictionary.com/definition/association.htmlhttp://www.investorwords.com/10019/indicate.html


7/98

7

HNL - Habari Node Ltd

Host: Same as a node. This is a computer (or another type of network device)

connected to a network.

IAA - Institute of Accountancy Arusha

ICT - Information and Communications Technology

IFMS - Integrated Financial Management System

Internet: A global computer network that links minor computer networks, allowing

them to share information via standardized communication protocols.

Internet Service Provider or ISP: An organization that provides end-users withaccess to the Internet. Note: It is not necessary to go through an ISP to access the

Internet, although this is the common way used by most people.

IP - Internet Protocol

IS - Information Systems

ISP - Internet Service Provider

IT - Information Technology

IXP - Internet Exchange Point

LAN - Local Area Network

MCT - Ministry of Communications and Transport

MD Managing Director

NICTBB - National Information Communication and Technology Broadband

Backbone

NECTA National Examinations Council of Tanzania

NGO - Non-Governmental Organisation

NTP - National Telecommunications Policy

PCIS - Personnel Controls Information System

PoP - Points of Presence


8/98

8

PRSP - Poverty Reduction Strategy Paper

PSTN - Public Switched Telephone Network

R&D - Research and Development

Search Engine - An Internet resource that locates data based on keywords or

phrases that the user provides. This is currently the main method used on the

Internet to find information. Current search engines are Google, Yahoo, Bing, Ask,

AOL search, etc.

SEDA -Small Enterprise Development Agency

SIDA -Swedish International Development Agency

SME - Small and Medium Enterprises

SWOT - Strengths, Weaknesses, Opportunities and Threats

TRA - Tanzania Revenue Authority

TCC - Tanzania Communications Regulatory Authority

TIC - Tanzania Investment Centre

TTCL - Tanzania Telecommunications Company Limited

VoIP - Voice over Internet Protocol

VPN - Virtual private network

VSAT - Very Small Aperture Terminal

WWW - World Wide Web; also shortened to Web. Although WWW is used by many

as being synonymous to the Internet, the WWW is actually one of numerous services

on the Internet. This service allows e-mail, images, sound, and newsgroups.


9/98

9

TOC

Abstract................................................................................................................................. 1

Acknowledgement ................................................................................................................. 4

Declaration ............................................................................................................................ 5

Glossary of Terms ................................................................................................................. 6

TOC ...................................................................................................................................... 9

List of Tables ...................................................................................................................... 11

List of Figures ..................................................................................................................... 11

List of Appendixes ............................................................................................................... 12

Chapter One; Introduction ................................................................................................... 13

1.1. Background........................................................................................................... 13

1.1.1. Background to the problem ............................................................................ 13

1.1.2. Background on Habari Node Limited ............................................................. 18

1.2. Purpose of the study ............................................................................................. 20

Statement of the problem ............................................................................................. 21

Research Objective ...................................................................................................... 22

1.3. Significance of the Research ................................................................................ 24

1.4. Limitations and De-limitations of the Research ..................................................... 25

1.5. Chapter Summary ................................................................................................. 25

Chapter Two: Literature Review .......................................................................................... 26

2.1. Introduction ........................................................................................................... 26

Defining Accessible Information Systems and Cyber security ...................................... 30

2.2. Relevance of Theories and Principles of the Study ............................................... 33

2.3. Empirical Review .................................................................................................. 37

2.4. Chapter Summary ................................................................................................. 42

Chapter three: Research Design and Methodology ............................................................. 44

3.1. Research Design .................................................................................................. 44

3.2. Methodology ......................................................................................................... 51


10/98

10

3.3. Chapter Summary ................................................................................................. 55

4.0 Chapter Four: Data Analysis and Discussion ............................................................ 56

4.1. Introduction ........................................................................................................... 56

4.2. Findings, Analysis and Discussion ........................................................................ 56

Findings ....................................................................................................................... 56

Analysis of Findings ..................................................................................................... 65

Discussion ................................................................................................................... 71

4.3. Chapter summary ................................................................................................. 74

5.0 Chapter Five: Conclusion, Recommendations and Further Research ....................... 75

5.1. Introduction ........................................................................................................... 75

5.2. Recommendations ................................................................................................ 76

5.3. Critical review ....................................................................................................... 78

Concluding remarks ............................................................................................................ 79

References ......................................................................................................................... 80

Appendix ............................................................................................................................. 84

Glossary .......................................................................................................................... 84

Questionnaire .................................................................................................................. 86

Research Schedule ......................................................................................................... 94

Research Budget ............................................................................................................. 95

Respondents Comments A Recent Attacks/Threat ....................................................... 96

Respondents Comments B- Improvements ..................................................................... 97


11/98

11

List of Tables

Table 1: Tanzania Internet Usage and Population Growth .................................................. 13

Table 2: Categories of SMEs in Tanzania ........................................................................... 27

Table 3: Sample List of SMEs in Arusha ............................................................................ 28

Table 4: Vulnerabilities, Threats, and Attacks Categories Summary ................................... 32

Table 5: Perceived Trend of Cyber Attacks/Threats ............................................................ 61

Table 6: Top 15 Noted Cyber Attacks ................................................................................. 62

Table 7: Random Vulnerability Scan Results ...................................................................... 63

List of Figures

Figure 1: Tanzania Fibre and Microwave Network Coverage:2005 ..................................... 14

Figure 2: The Cyber Attack Process .................................................................................... 17

Figure 3: An Example of EIS score from assessment of two companies ............................. 35

Figure 4: Vulnerability Possibilities ...................................................................................... 41

Figure 5: Model of Security Relationships ........................................................................... 42

Figure 6: Outline of the Case Study .................................................................................... 44

Figure 7: Companies Employee Count ................................................................................ 66

Figure 8: Internet Dependency of SME's ............................................................................. 66

Figure 9: Percentage Use on Internet by Employees .......................................................... 67

Figure 10: Internal Internet Use ........................................................................................... 67

Figure 11: Percentage Satisfaction of SME's on Current Measures in place ....................... 68

Figure 12: Frequency of I.T Checks .................................................................................... 69

Figure 13: Current Protection Measures.............................................................................. 69

Figure 14: Sources of I.T Security information .................................................................... 70

Figure 15: Trend of Intrusion Attempts ................................................................................ 71

Figure 16: Compromised networks ...................................................................................... 72

Figure 17: Use an Internet Policy ........................................................................................ 72

Figure 18: I.T Check-ups ..................................................................................................... 73


12/98

12

Figure 19: Ease of Access to information ............................................................................ 74

List of Appendixes

i. Glossary

ii. Questionnaire

iii. Research Schedule

iv. Research Budget

v. Respondents Comments A Recent Attacks/Threat

vi. Respondents Comments B- Improvements


13/98

13

Chapter One; Introduction

1.1. Background

1.1.1. Background to the problem

We now live in an era known as the Information Society or Information Age as for almost half a

century the importance of computers for citizens, organisations, governments and society as a

whole has been growing. At the same time, the importance of intellectual asset flows, such as

information and knowledge, has also been growing at the expense of material asset flows

(Sveiby, 1997), thus the frequently used term these days information is power (Rogers,

2010).

Consequently in the drive to remain competitive; information systems have to a large extent

become integrated in industry operations and business systems fostering the growth of

networking technologies that offer tools for making communication and sharing of information

more efficient and faster than before i.e. emails, chat, and VoIP etc. This has culminated in the

incorporation of the Internet into business operations as the Internet is quickly becoming the

major infrastructure for information in almost every level and arena in society, e.g. electronic

business and electronic government.

Table 1: Tanzania Internet Usage and Population Growth

Year Users Population % Penetration

2000 50,000 14,712,000 0.3 %

2002 500,000 13,874,610 3.6 %

2005 820,000 12,247,589 6.7 %

2009 520,000 41,048,532 1.3 %

Source: (ITU, (2010))

From the table above Internet usage statistics show 520,000 Internet users as of June, 2009,

1.3% of the population (ITU, (2010)) more recently TCRA reported that as of June 2010 they

were 4.8 million Internet users in Tanzania (T.C.R.A, 2010). This huge jump in Internet usage

was the main drive for improved connectivity leading to the milestone landing of the submarine

cables namely Seacom (Seacom, (2009)) and thereafter Essay fibre cable in Dar-e-salaam in


14/98

14

April, 2010,(WIOCC, 2010). Arusha soon followed in May, 2010 as NICTBB completed its first

phase (Security, 2010, Mutarubukwa, 2010).

Figure 1: Tanzania Fibre and Microwave Network Coverage:2005

Source: (ITU, (2010))

Consequently today in Tanzania many industrial sectors or functions of society namely; the

taxation authorities i.e. TRA (Mbonea, (2010)), the banking sectors has banks like CRDB,

NBC, healthcare institutions like ALMC uses an HMS called Care2X, educational institutions

like NECTA, NGOs like SEDA and SIDA, Tour companies/operators as well as many other

national associations are now using or are planning to use the Internet as its major

communication infrastructure.

However, the networking and interconnection of systems can significantly increase an

organisations or an enterprises exposure to information security risks (Weiss 2001) and can


15/98

15

result in an Internet leak; which occurs when a party's confidential information is released to

the public on the Internet. To best illustrate this In April 2010, WikiLeaks; a non-profit media

organization dedicated to bringing important news and information to the public

(http://wikileaks.org/) caused an international uproar when they published gunsight footage

from the 12 July 2007 Baghdad airstrike in which Iraqi journalists were among those killed byan Apache helicopter, as the Collateral Murder video in addition to other publications like the

Afghan War Diary, (a compilation of more than 76,900 documents about the War in

Afghanistan), Iraq War Logs, U.S. State department diplomatic cables that were previously not

available to thepublic leading to worldwide criticism and claims by several U.S. government

officials that WikiLeaks exposed classified information that harmed national security as well as

compromised international diplomacy.

So it holds true for Arusha as well that in almost every level and arena in society, informationsecurity is becoming an important and crucial issue. It should be noted that in Arusha like the

rest of Africa, the Internet penetration is far behind that of the rest of the world. The

penetration rates vary across the continent with northern Africa, South Africa and several

Islands being at the top, with a maximum penetration of just under 36%. (Kristina Cole et al.,

2008). Another report by Internet World Statistic gave even lower figures as seen below:

Source: (Internet-World-Statistics, (2011))

Nevertheless many SMEs in Arusha also gain a competitive edge by using the Internet to do

market research, find information on competitors and track down leads for new customers, or

provide better customer support so they are likely the dominant force behind the Internet


16/98

16

usage in Arusha. If Tanzania had 676,000 Internet users as of Jun/10, 1.6% of the

population, of which 319,440 Facebook users on June 30/11, 0.7% penetration rate as per

ITU. Then SMEs are likely the major users/drivers of this internet usage.

In addition Small and Medium Enterprises (SMEs) are the engine of the national economy

and represent over half of all employees in the private sector So it should be noted that

SMEs as significantly contribute to the economy and comprise the majority of the businesses

and internet users in the country. (OECD, 1997). Then their importance to the development of

this nation cannot be understated or ignored nor discussed without consideration of the

information systems and measures that are in place to protect these systems.

The Cyber Security Challenge

Therefore potential network vulnerabilities, threats, and attacks in SMEs must be identified tominimize security concerns. In this study Cyber is most times limited to Internet related

technology its broadest meaning includes both aspects of information and telecommunications

technology. System vulnerabilities refer to weaknesses in the system that can be attacked,

while threatsare the potential to cause damage to online networked resources. Attacksare

the actual use of system vulnerabilityto put threatsinto action. Cyber security broadly refers to

the protection measures put in place to prevent system hacking. System hacking is a

continuous process where hackers continue to discover system vulnerabilities to develop

attacks as depicted in the figure below;


17/98

17

Figure 2: The Cyber Attack Process

Source: (Promisec, 2010, Colonel Louis H. Jordan and Saadawi", 2011)

As the Arusha SMEs do have such systems it therefore is still vital that accessible information

systems in Arusha are adequately protected from unauthorised access to information or

Cybercrime perpetuators. As the latest global threat statistics indicate that:

Approximately 6,000 new computer viruses are released every month.

Hackers create 50,000 new websites each week exploiting approximately 375 high-profile brand names worldwide at any time.

More than 140,000 new zombie computers are created per day and used as botnets for

sending spam, etc.

Today about 25% of malware is designed to be spread via USB storage devices that

connect directly to PCs.

More than 75% of new malware is designed to infect users through the web

Source:(Tabadatze, 2011)

To be able to keep up with the above threats will a two pronged approach that on one scale

will require coordination and vigilant continuous monitoring of ICT trends and developments by


18/98

18

policy makers, ICT service providers, market analysts, SMEs management and other

stakeholders; given the potential impact of ICT use on social and economic development it is

crucial for SMEs and the country at large to strive towards making the benefits (and not the

hazards) of ICTs available to all people. One the other scale for I.T mangers and I.T support

staff to have an accurate awareness of what is happening on a network is critical to thesuccess of an information security program as the enemy is not sleeping. For SMEs to be

able to collect all this timely information it is then important to do this with automation to allow

businesses to return their attention to the core operations of their businesses. Let me end here

with a quote We need timely, targeted, and prioritized information to drive security. Without it

is to compare to us driving and using the rear-view mirror to guide us (U.S. Department of

State, 2011). So we should not be intimidated into not driving at all but should strive to drive

correctly.

1.1.2. Background on Habari Node Limited

Habari Node Limited (HNL) is a dynamic Tanzanian company based in Arusha providing a

range of ICT based business solutions to the Tanzanian market. HNL was formed by AFAM

Limited together with Arusha Node Marie in 2010 to take over the Internet Services activities

of Arusha Node Marie, a society that has been operational since 1994. Habari Node is now

incorporated under the Tanzanias company act 2002 with Certificate of Incorporation number

75466.

HNL is a licensed data operator with National Application Services License providing high

speed data and internet connectivity with 99.5% service uptime. Last mile connectivity is

through DSL and direct fibre connectivity in the Arusha CDB and Broadband Wireless in the

surrounding areas. In remote sites and offer backup facilities through iDirect VSAT platform.

Their scope of services at HNL include standard ISP services including bandwidth, DNS,

domain registration, domain, web, and email hosting services, as well International Voice

over IP calling service.

Habari Node has a board of directors which oversees the operations of the company. The

day to day activities are managed by a team of functional managers supervised by the

Managing Director. Currently HNL employs over 50 staff who manage daily technical,


19/98

19

business and administrative operations of the ISP. At least half of the employees are

technical staff in different areas of IT with over 6 years work experience (Habari, (2011)).

As they are expanding (ArushaTimes, 2011) it appears that the application of ICT services is

at the threshold of a new era due to the international fibre cable reaching Arusha, and

consequently opening up new opportunities. They serve home users, government institutions,

businesses, agencies, NGOs and other ISPs in Arusha and their coverage extends all over

Tanzania and they have the widest reach in Arusha as well as leading market share of the

Internet users in Arusha and are therefore a suitable company to channel our cyber security

initiatives.

SWOT Analysis of Habari Node Ltd.

Strengths;

Known presence in Arusha

Broad subscriber ship and large Arusha user base.

Renowned for good technical support and service.

Have necessary equipment and infrastructure in place

Centrally located in the city

Host AIXP and encourage inter-cooperation between local ISP's

Management advocates for diligence and encourages innovative ideas

Weakness

Too focused on only Internet provision.

No cash for expansions and equipment purchases

Poor or no marketing strategy

Questionable technical competence of staff

Only based in one location - Arusha


20/98

20

Opportunities

Expansion to other areas as the Companies reputation is marketable.

Large and under-utilised ICT market in Tanzania.

Provision of alternative ICT services namely;

Web design and Content Management Services

Co-locating servers services

Data entry and Call Centre services

Underground cabling services.

Expansions into areas not necessarily in ICT but complement ICT. i.e.

teaching

Threats

Competition from other similar service providers in the region.

Complacency or the feeling that we good enough.

Damage to equipment by electrical surges, theft etc.

Political influence-peddling, interference or sabotage

1.2. Purpose of the study

The main purpose of this project is to explore how the Small and Medium Enterprises (SME)

in Arusha in light of the recent fibre connectivity were challenged by the new business

opportunities via the Internet. As well as if there was indeed a relationship between theaccessibility of internet, an increase in the incidences of cyber-attacks, a general awareness

of cyber threats and the organization size. This is in appreciation of the theory that as the

Internet becomes the major information infrastructure in most sectors; the importance of

Information Systems (IS) security steadily increases. As such reaching a certain level of


21/98

21

actual IS security is vital for most businesses as businesses have to maintain a certain level

of security and be able to assess the level of other actors security. However IS security is

abstract and complex and difficult to estimate and measure.(Oscarson, 2007)

I therefore then set out to assess the efforts of Habari Node Ltd and their clients in and

around Arusha in the realm of cyber security. When approaching this problem, it is also my

belief that national security as a motivation for cyber security may not be entirely appropriate

for developing nations. As many developing nations possess neither robust critical

infrastructures that utilize digital control systems nor highly digitized militaries, and thinking

about cyber security issues in relation to these systems therefore may not make sense. I

therefore sought like my predecessors to determine how to implement cyber security in

Arusha, Tanzania not as an issue solely associated with national security. (Kristina Cole et

al., 2008).

Statement of the problem

Arusha was recently connected to the worldwide fibre network via the fibre cable in Dar-es-

salaam namely the Seacom and Essay fibre cable in May, 2010. This enhanced connectivity

significantly improved the downloads and uploads speed of traffic to and from Arusha

consequently greatly improving the users experience of Internet related services now

traveling at lightening speeds. This opened up the possibility of effectively using internet

related business services like online tax, bank and educational services that were previouslyto slow to run on satellite (VSAT) or dial-up links and triggered a need or awareness for

businesses in Arusha to start using as well incorporating more Internet related business

services in their daily operations to effectively compete.

Unfortunately with this improved connectivity could also have increased interest in the region

and exposure to Cyber threats as now connecting to machines in Arusha from anywhere in

the world become faster and easier for Cybercrime perpetuators. This change therefore

begged the question; where businesses in Arusha adequately prepared to meet this new

challenge and if not what could these SMEs do about it?

Worldwide in just a few decades, the use of IT has formalized information management and

streamlined the administration of organizations. On the other hand, this development has


22/98

22

entailed a substantial dependence on IT services where few business processes can be

handled manually when IT services are out of order. Deficiencies in IS security can cause

direct negative consequences for business processes; production, sales, business

administration, etc. due to incorrectness, delays and information leakage and in the end, can

affect the business as a whole.

Frequently nowadays we hear the term Global Village which seems to infer the world is a

much smaller place nowadays and what happen in one corner of the globe is known in a

matter of seconds at the other end of the globe. So true does this hold for the impact of say;

actions that happen in one corner and have far-reaching reactions in other parts of the world.

It would then be prudent to say that these days nothing is too small to ignore or too remote to

not be considered a significant threat or risk these days.

Thus, IS security is a significant and an important issue for SMEs and for society as a whole

motivates research and practical developments in this area from a number of perspectives;

technological as well as organisational and behavioural. The abstractness of IS security

however, seems to indicate that the IS security area calls for conceptual and philosophical

approaches when analysing the theoretical fundamentals of IS security. Compared to for

example the (general) concept of risk, the concepts of IS security and IS security risk have

rarely been problemised in a research question.

Research Objective

The description of the problem area above posed the question;

Are SMEs in Arusha adequately prepared to meet this new challenge and if not what

could these SMEs do about it?

The researcher therefore set out to establish if there is really an emergence of a threat and if

so; how it relates to the business operations of the SMEs in Arusha. As already pointed out

above the internet is or will become the major information infrastructure in most business

sectors and consequently involvement of Information Systems (IS) security to protect this

information structure becomes necessary. This relationship is now then summarised into a

comprehensive research question for this paper: Which is to:


23/98

23

Determine the information systems securityreadiness of SMEs located in Arusha and

its significance to the success of the businesss operations?

This comprehensive research question comprises the understanding of IS security as a

whole. The first part is conceptual while the second its significance to the success of the

businesss operations is more practical. The question might also be interesting from aphilosophical point of view, but as emphasized earlier, it also has practical relevance for

society.

This would follow by picking a suitable candidate to attempt represent the majority of other

SMEs in Arusha namely Habari Node Ltd; the leading ISP in Arusha is an SME itself that is

channelling Internet to many other SMEs in the region. The research objective can then be

further broken down into 3 sub-objectives;

To critically assess the relevant literature on cyber security, small firms,usage/importance of the internet and information security measures that are

currently being used.

By assessing the current IS/IT security situation at Habari Node Ltd.

By assessing the current IS/IT security situation of the clients of Habari

Node Ltd

To identify the vulnerabilities and potential threats that could exist at Habari Node

Ltd and their clients.

By running non-intrusive but penetrative security scans and vulnerability

tests on already accessible online points for selected SMEs in Arusha.

To propose possible measures to meet alleviate or mitigate these threats or

vulnerabilities.

The comprehensive research question can then be divided into three sub-questions:

1. Is access to the Internet important for business operations?

a. How dependent a business operation on the internet.

b. Are there I.T usage policies in place for employees using the computers and

by extension the Internet in the SMEs.


24/98

24

2. Is there awareness of cyber threats;

a. Are there any measures being taken to deal with these threats?

b. If not how could the awareness of cyber threats get generated?

3. What implications or significance do breaches of cyber security have and how do

they impact on business operations?a. What are the common vulnerabilities faced by SMEs in Arusha and how can

these threats be mitigated?

These questions are mainly sequential; the investigation of cyber security measures takes

place after evident and valid cyber security threats have been defined.

1.3. Significance of the Research

On top of being a requirement for the fulfillment of the masters in business degree; this studyaimed to create awareness and to contribute to the general pool of knowledge out there on

information systems security. Though more specifically targeted the the Arusha based

Internet users, I.T technicians and IT managers, in both public and private institutions where

ICT is a strategic tool in enabling core business operations. These categories of actors could

be interested, and thus have an understanding of cyber security and that being online

introduces vulnerability.

Since the significance of proper IS security for an organisation is proportional to the

organisations dependence on information. An organizations IS security affects not only the

organisation itself, but also its external parties (Von Solms, 1999). Not only do shared

information systems and infrastructures require an accepted level of security, but also the

organizations themselves must be considered secure enough to act in these e-arenas. An

analogy is traffic safety; it is not enough to build safe roads, we must also have shared traffic

rules and safe cars (von Solms, 1999).

As well as point out to the policy makers the gaps in our legal ICT infrastructure and highlight

areas that would be addressed to improve the nations ICT framework for the betterment ofICT service provisioning and usage. It should be noted the ICT is already being used as a

criteria to determine countries capabilities. For example; Tanzania is ranked 120 on the

networked readiness index in 20092010 in a global information technology report on ICT for

sustainability out of 133 economies (Dutta and Mia, 2010).


25/98

25

Lastly it is hoped that this research will assist future researchers in the quest to carry further

research.

1.4. Limitations and De-limitations of the Research

The assessment was limited to Arusha town and the surrounding environ, though cyber

threats by their nature where not geographically limited.

Accessibility to data and the poor collection and storage capabilities of Tanzania in general

were limited and therefore correct and relevant data was difficult to find. Improvising was

made as assumptions were then based on fairly old data or related data.

Also it did not aim to quantify the challenges or awareness in terms of figures; instead the

relative values were assessed. Quantifying the scale of awareness to cyber challenges in

terms of figures would have required a different approach and it would not have been

possible to visualize the result in the same way.

1.5. Chapter Summary

Chapter one has given a brief introduction on the dissertation, this has also given a brief on

the internet growth in Arusha, Tanzania, Habari Node as a company, its activities and

clientele. It has also gone in depth to elaborate the aims and objectives of this dissertation.


26/98

26

Chapter Two: Literature Review

2.1. Introduction

Arusha region is found in northern Tanzania. Arusha shares its northern border with the

Republic of Kenya. To the west Shinyanga region is found and to the northwest Mara region,

to the northeast Arusha region borders to Kilimanjaro region, further east is Tanga region, to

the south Dodoma region; where the capital city of Tanzania is situated. Arusha region

combines both highland which include Mount Meru (4,566 mm. asl.) and low land.

Temperatures average 21 C and lowlands temperatures average 26 C; rainfall ranges from

250 mm to 1200 mm per annum.

Arusha region covers total of 86,999 sq. km. of which 3,571 sq. km (4.1%) is water. It is the

largest region in Tanzania occupying 9.2% of the mainland. The last census in 1988 recorded

a population of 1,351,675 individuals and the current projections for 1998 indicate 1,963,200

individuals. In comparison Tanzania total population is at 42,746,620 as of 2011 and a

country area of 945,087 sq. km.

The existing economic activities and industries are mining, tourism, forestry, diary, milling,

brewery and other agricultural sectors. Though the activity most associated with this study

seems to be tourism as the Arusha region is endowed with rich tourism potentials due to the

presence of the National parks attracts a lot of visitors for outside Arusha. Although it is

claimed that the tourism industry is yet to be developed properly to meet the high quality of

standards required by tourists; opportunities exist in all areas of safari tours to cover game

viewing, professional hunting, photographic expeditions, trekking and mountain climbing,

camping safaris. As well as hotel facilities of high quality are still in demand from small private

lodges, luxury tented camps, hotels.

The Arusha Municipality is also a host to a number of International organisations including

the International Crime Tribunal for Rwanda (ICTR), the regional secretarial of the World

Health Organisation (WHO), Pan African Postal Union, the Secretariat of the East African

Cooperation (EAC) and the Eastern and Southern African Management Institute (ESAMI) to

mention but a few. Recent developments i.e. sprouting growth of small scale industries, local

tour operators opening new offices or international tour operators setting up local branches


27/98

27

and related business activities in the area can be said to be SMEs. These developments

show that the Arusha municipality is gradually becoming an economic hub and it is destined

for growing businesses and is thus becoming a fast expanding city. Furthermore due to the

increase in the economic and development activities the demand for office space, residential

accommodation and Internet demand will definitely grow in near future. (SIDO, (2011)).

According to the SME policy 2003; the SMEs nomenclature is used to mean micro, small and

medium enterprises. It is sometimes referred to as micro, small and medium enterprises

(MSMEs). The SMEs cover non-farm economic activities mainly manufacturing, mining,

commerce and services. There is no universally accepted definition of SME. Small

enterprises are mostly formalized undertakings engaging between 5 and 49 employees or

with capital investment from Tshs.5 million to Tshs.200 million. Medium enterprises employ

between 50 and 99 people or use capital investment from Tshs.200 million to Tshs.800million. This is illustrated in the table below:

Table 2: Categories of SMEs in Tanzania

CategoryEmployees

headcountCapital Investment in Machinery (Tshs.)

Micro enterprise 1 4 Up to 5 million

Small enterprise 5 49 Above 5 million to 200 million

Mediumenterprise 50 99 Above 200millionto 800 million

Large enterprise 100 + Above 800 million

N.BIn the event of an enterprise falling under more than one category, then the level ofinvestment will be the deciding factor, (M.O.T&I, 2002).

According to Barakat (2001), he reported that with evidence Small Medium Enterprises play a

vital role in encouraging the national economic development of any country. SME produce

much of the creativity and innovation that fuels economic progress and also create a lot of

new jobs. 90 % of the total number of companies is comprised of Small medium enterprises

in most countries, which provides an average 70% of job opportunities (OECD, 1997).


28/98

28

Furthermore SMEs account for over 95% of organizations and 60-70% of employment and

generate a large share of new jobs in OECD economies (OECD, 2000).

Table 3: Sample List of SMEs in Arusha

Sector Company Name

Knitwear and Garments AGAPE Women Group

Plastic And Rubber Alfa Plast Mould

Knitwear and GarmentsAntique Makonde Carving Co-op

Society Ltd

HANDCRAFTAntique Makonde Carving Co-

Operative

ENGINEERING Approtec

ENGINEERING Arusha Galvanising Co. (AGACO)

Food Processing Boogaloo Ltd

Food Processing Darsh Industries

Food ProcessingKANFRAN ENGINEERING WORKS

LTD

ENGINEERINGKilimanjaro Metal shapers

(KEMESHA)

Mixed Products Lucha Herbalist Group

ENGINEERING Mdomewo

Food Processing NYIREFAMI LTD.

Food Processing Pestige Industries Ltd

Food ProcessingPresidents Food and Beverages

CompanyFood Processing Rest Products

Food Processing Roselyn Products

Food Processing Rowen Natural Products

ENGINEERING SIDO TDC Arusha

ENGINEERING SUDERETA (ELCT)

Other TEMDO

Sample List of SME's in Arusha

Opportunities and Threats faced by SMEs

There are major incentives or opportunities for new entrepreneurs and small-to- medium-

sized businesses to use the Internet because it helps reduce transaction costs and level the

playing field [Evans and Wurster, 1997]. Among these opportunities for SMEs, are the wider

and richer communications, expanding scope of marketing, partnering with suppliers and


29/98

29

reducing cost of operations [Drew, 2003]. With the report produced by Prerost (1998), there

are many various opportunities added to SMEs, including productivity and efficiency for

business process and development of new market opportunities (B2C and B2B) likewise

access to global market. However, how to use the Internet as an opportunity to SMEs usually

depends on the firm and business factors [Drew 2003]. These influenced factors may include;Internet knowledge; smaller firm's technical and the pace of innovation and change in the

industry; the rate at which the market is growing; the structure of the industry in which the firm

competes; the sources of competitive advantage for the smaller business; the strategic intent

of the larger competitors; and the technical and Internet strengths of the larger competitors.

Creating awareness of the new opportunities generated by ICT is still necessary in some

developing countries, as well as in many of their enterprises. In particular, small- and

medium-sized enterprises (SMEs) are not yet familiar with these opportunities. Nevertheless,several developing countries have already started to benefit from ICT opportunities.

Outsourcing using new technologies such as IT outsourcing and BPO is a business-driven

phenomenon. The rapid growth of the internet, albeit limited penetration ratio in the least

developing countries including Tanzania, offers opportunities to SMEs in LDCs to compete in

the global job market for outsourced products and services that combine the retail use of the

telephone and computers.

Description of Internet Users

A survey conducted between April and June 2010 showed that there has been a significant

growth in Internet usage as compared to other traditional means of communication such as

the post office. The results of the survey showed that by June 2010 they were close to 5

million Internet users in Tanzania translating to about 11% of all Tanzanians. Those using

Cyber cafes were only 5%, 55% were from organisations/institutions and 40% from SOHO

and households (T.C.R.A, 2010). It should be noted that Arusha is one of the highest per

region count on Internet use.

Though on-line experiences and effective use of the Internet capabilities range greatly among

SMEs and are closely linked to the educational background of users. University-educated

users are more likely to use the Internet to obtain information on production technologies,


30/98

30

examine market trends and opportunities, assess the activities of domestic and international

competitors, and locate potential suppliers. The survey shows that while a significant number

of SMEs use the Internet for their business operations like email, research, the degree and

depth of research capability is limited. However, for the few companies which do use the

research function extensively, there is a clear impact on sales.

Defining Accessible Information Systems and Cyber security

IT refers specifically to technology, essentially hardware, software and telecommunications

networks. It is thus both tangible (e.g. with servers, PCs, routers and network cables) and

intangible (e.g. with software of all types). IT facilitates the acquisition, processing, storing,

delivery and sharing of information and other digital content. In the European Union, the term

Information and Communication Technologies or ICT is generally used instead of IT to

recognize the convergence of traditional information technology and telecommunications,which were once seen as distinct areas.

The UK Academy of Information Systems (UKAIS) defines information systems as the means

by which people and organizations, utilizing technology, gather, process, store, use and

disseminate information. It is thus concerned with the purposeful utilization of information

technology. The domain of study of IS, as defined by the UKAIS, involves the study of theories

and practices related to the social and technological phenomena, which determine the

development, use and effects of information systems in organizations and society. Mingers

notes that, although technology is the immediate enabler of IS, IS actually is part of the much

wider domain of human language and communication, that IS will remain in a state of

continual development and change in response both to technological innovation and to its

mutual interaction with human society as a whole.(Ward and Peppard, 2002)

Prior to the 1990s businesses mainly used private networks to communicate to other parties

but during the 1990s, something happened that made us redefine our society or economy; the

spread of Internet usage. The main reason for this was the invention and spreading of the

World Wide Web (WWW), which made the Internet more accessible to people who were not

technically-minded or experts. This made the Internet interesting as a professional channel

and information flows began to dislocate to the Internet, and so terms like the digital economy

(Tapscott, 1996), electronic commerce (e-commerce) and electronic government (e-


31/98

31

government) were soon coined (Turban et al., 2002). Other user friendly communication

functions like electronic learning (e-learning), electronic booking/reservations (e-ticketing),

digital calling (VoIP) and improved data transmission etc. begun to emerge.

So while Information systems are moving out of the backroom low-level support position(s), to

emerge as the nerve centres of organizations and competitive weapons at the front end of

businesses (Galliers and Leidner, 2003). Their use of the Internet presents a challenge to

most businesses due to the amplified accessibility to sensitive or confidential information. The

paradox is that the main reason for the Internet growth is that it is a public network that

originally was designed for openness and flexibility, and not for security making. Information

security is one of the most crucial issues in the information age. WikiLeaks showed that

securing sensitive data online can be more difficult than initially realized, between the ever-

growing sophistication of hackers and human errors.

Cyber security is a relatively new field, as its study is directly related to the rise of digital

technologies. This also means that cyber security has evolved apart from most other

conceptions of security. Despite cyber securitys unique development, there is a continuing

struggle to define it clearly and in such a way as to allow the definition to evolve along with

digital technology.(Kristina Cole et al., 2008).

The International Telecommunications Union developed a paper offering a common definition

of cyber security for the World Summit on the Information Society in 2005.

This paper offered three elements that cyber security often refers to:

1. Actions and measures, both technical and non-technical, with the express purpose of

protecting computers, networks, software, data and other related digital technologies from

all threats

2. The degree of protection resulting from the adoption of these activities and measures

3. Professional activity of implementing the above mentioned actions and measures,

including research, analysis and policy development.


32/98

32

This notion of security includes protection from disruptions in confidentiality, integrity,

availability, and often non-repudiation of the above mentioned digital technologies and

information. There are generally two types of security, passive and active. Passive security

relates to processes such as system hardening where the system defence is bolstered in

such a way as to resist attack or minimize damage. Active security involves actually trackingattackers and retaliating in an effort to stop an existing attack or to prevent another. However,

active security relies on the ability to verifiably identify the attacker, which is extremely difficult

given the anonymous nature of communication technologies, and therefore cyber security in

this context refers primarily to passive defence techniques. Such techniques do include more

active measures such as early warning systems and legislation criminalizing cybercrime, as

long as such measures stop short of active retaliation.

Like all basic security measures, cyber security is bound by the principle that one onlyprotects something with effort proportional to its value. Poulsen's (an international renowed

hacker) Law touches on this when he said Information is secure only when it costs more to

get than its worth. That is to say, a small businesss inventory database should not be

secured with a multi-million dollar security program. Cyber security necessarily requires the

presence of digital technology, or it does not apply. While one may create cyber security

policy without actually possessing the associated technologies, there is little point, and unless

acquisition of said technologies is imminent, such policy is a waste of time and effort.(Kristina

Cole et al., 2008). Below is a summary of the Vulnerabilities, threats and Attacks categories.

Table 4: Vulnerabilities, Threats, and Attacks Categories Summary

Vulnerabilities Threats Attacks

Poor Design Intrusion Denial of Service (DoS) and Distributed DoS (DDoS)

Technologies Spam Un-authorised Access

Applications Worm Information Tampering

Database Virus Cross-site ScriptingNetworks Malware IP Spoofing

Monitoring tools Spyware Insider Malicious Activities

Source: (Colonel Louis H. Jordan and Saadawi", 2011)


33/98

33

2.2. Relevance of Theories and Principles of the Study

Conceptual framework

The studys conceptual framework attempts to shows that a relationship exists between

communication infrastructural modifications and business operationsand Cyber activity and

highlights the importance of their vulnerability to future scenarios of changed conditions. It

also shows how awareness, policy and/or technical adaptations cope with the added stresses

of cyber-attacks/threats leads to adapted Information systems; and that adaptation options

will, in turn, feedback to business environmental conditions. The researcher started out

assuming that; there is a relationship between the improved accessibility of internet to

Arusha with the increase in the incidences of cyber-attacks.

Source: Author, 2011

Finally it highlights the importance of awareness, coordination, policy and decision support in

assisting with credible assessment of adaptation options, and especially in analyzing their

trade-offs between business operational goals (e.g. generation of profit, minimizing damaging

effects to business operational budgets, the loss of service and other components of the

cyber-attacks) and developmental costs (e.g. maximizing traffic transmission, incorporating

cyber security capability, increasing response capability, infrastructure modifications and


34/98

34

other related modifications). Improved decision support systems are needed to help in

designing and interpreting more quantitative analyses of trade-offs between access to

information and developmental costs.

Model for Assessing Cyber Security Challenges in Arusha

The main idea of the research was to find out the effect of the recently connected fibre to

their daily operations. Controls and tools to determine if this effect was significant or not and

point out the vulnerabilities and remedies to allay the effect were identified. The researcher

then gathered information primarily through a literature review and extensive research over

the internet.

The proposed assessment method will be to use the Enterprise Information Security

Assessment Method (EISAM), a comprehensive method for assessing the current state of theenterprise information security. The method is useful in helping guide top managements

decision-making because of the following reasons:

1) it is easy to understand,

2) it is prescriptive,

3) it is credible, and

4) It is efficient.

The single value from an assessment is presented in the form of an EIS score. For instance,

the fulfilment of information security at an enterprise according to EISAM can be presented

as a percentage, see figure below;


35/98

35

Figure 3: An Example of EIS score from assessment of two companies

Source: (Soderbom, 2007)

EISAM is based on four standards on information security. Together, the requirements and

questions from these standards form a database on enterprise information security, herein

referred to as the EIS database. Brief descriptions of the four standards included in the

database are as follows.

ISO/IEC 17799, Information technology Code of practice for information security

management is an international standard published by ISO/IEC. EISAM uses the first

version of ISO/IEC, which consists of ten high-level groups.

NIST The US National Institute of Standards and Technology (NIST) has published the SP

800-26 Security Self-Assessment Guide for Information Technology Systems. This special

publication (SP) is, as the name states, a self-assessment guide consisting of an extensive

questionnaire.

ISF The Standard of Good Practice for Information Security (SOGP) is produced by the

Information Security Forum (ISF), an international association of over 260 organizations. The

Standard is based on a wealth of material, in-depth research and the extensive knowledge

and practical experience of ISF members, and is updated at least every two years. ISF

SOGP is grouped into five high level aspects.


36/98

36

OCTAVE The Operationally Critical Threat, Asset, and Vulnerability Evaluationmethod is

released by CMU/SEI. OCTAVE uses three catalogues of information to maintain

modularity and keep the method separate from specific technologies. One of these

catalogues is the Catalogue of Practicesversion 2.0 which is used in EISAM. It provides the

means to measure an organizations current security practices and to build a strategy forimproving its practices to protect its critical assets.

The EIS database contains a total of 1365 entries, i.e. all questions and criteria from the four

standards. Three independent dimensions of information security were identified from the

theory in the EIS database. These three dimensions, which constitute EISAM, are Scope,

Purpose and Time. With a foundation consisting of four well established standards on

information security, EISAM makes information security comprehensible, and thus renders

straightforward assessments that give easily comprehensible results(Soderbom, 2007).

However, to be able to perform an assessment the EIS categories have to be expressed in

assessable terms. As research methods are limited by practical challenges on gathering

information in Arusha and Tanzania in general. So primarily independent tests were run then

secondarily an anonymous survey was carried out in Arusha targeting small and medium

enterprises (SME) (M.O.T&I, 2002) and visit a number of government entities and NGOs in

and around Arusha and ask if and how they were affected by network and computer crime in

the prior year and what steps theyve taken to secure the ir organizations.

Based on the previous models of cyber security assessment the researcher developed a list

of initiatives that were expected to be assessed from comprehensive cyber security

assessment programs. The initiatives had to be high level enough so as to avoid technical

specifics, as the technology is constantly evolving. With that in mind, the initiatives were

expect to span all three security fields. By drawing specific initiatives from international

conventions on cyber security that applied to my framework. i.e.;

Standards and Policies for System Security Measures

Cybercrime Legislation

Computer Emergency Response Team (CERT/CSIRTs)

Higher Education Programs


37/98

37

End-User Education

Identity Theft Legislation

System Certification and Accreditation

Law Enforcement for Cybercrime.

Once the policies are fully approved, they should be made available to all users who are

affected. Finally, all policies should be updated annually to reflect changes in organization or

culture.

Basic Policy Requirements

Policies must:

Be implementable and enforceable

Be concise and easy to understand

Balance protection with productivity

Policies should:

State reasons why policy is needed

Describe what is covered by the policies

Define contacts and responsibilities

Discuss how violations will be handled

Source: (ECA, 2009)

2.3. Empirical Review

ICT Infrastructure

According to Robert Ulangas 2005 country report on Cyber security in Tanzania he hinted

that ICT health was important for the economy as he pointed out that the ICT sector had seen

a significant growth and matched this growth to the similar growth in the economy in that

same period. Below are some statistics of the reports on the status of the ICT Infrastructure

in 2005. By then only two operators were licensed to provide basic telecommunication

services, namely Tanzania Telecommunications Company Limited (TTCL) the incumbent

national operator and Zanzibar Telecom Limited (ZANTEL). TTCL had a national wide licence


38/98

38

(including Zanzibar) as opposed to ZANTEL, which has the right to operate in Zanzibar only

until February 2005; and the licence of Zantel was then extended to cover whole United

Republic of Tanzania. The total number of subscribers was about 150,000 (network capacity

is about 250,000 connections). The market structure then was dominated by four (4) mobile

operators namely Vodacom (T) Limited (1,100,000 customers), Celtel (now Airtel) (T) Ltd(550,000 customers), Mobitel (now Tigo) (320,000 customers) and Zantel (85,000 customers)

then operating in Zanzibar. The total subscriber base was just over 2 million as of April 2005.

Regarding data communication services, there were eleven (11) public data communications

network operators with the right to install their own international gateway for routing the

international traffic. The provision of data communication services was fully competitive. The

Internet service provision was under full competition mode of licensing. There were 23

Internet service providers operating mainly in Dar es Salaam and few in major cities andtowns countrywide like Arusha. To improve service provision the National Internet Exchange

Point (NIXP) was installed and another in Arusha (AIXP) by 2006 but these two operated and

still operate independently and are not connected. Then they were only four ISPs connected

to their respective IXP. In Arusha the four ISPs were Benson Online Ltd (BOL), Cybernet,

Arusha Node Marie and Nexus Digital. (AIXP, (2006))

Regarding the legal regulatory framework the new licensing framework had been in effect

since February 2005, when the board of the TCRA at its 9th special meeting held in Dar-es-salaam approved the implementation of the converged licensing framework. The board also

directed that consultations with existing operators and other stakeholders should continue to

ensure its smooth implementation. The approval was granted to facilitate the implementation

of the governments full liberalization policy following end of the exclusivity policy and to

effectively respond to the challenges raised by convergence in the Information

Communication Technology (ICT) Sector.

The New Converged Licensing framework was technological and service neutral where a

licensee had freedom to choose technology which is most efficient and cost effective was

free to take signals from the market as to which services are most in demand. A licensee was

also authorized to provide different services under a single license. The possibilities brought

about by the convergence phenomena include provision of various communication services


39/98

39

like text, data, image, voice and video over an existing infrastructure; the use of a single

transmission technology to offer various services, the provision of the same or substitutable

service by a variety of different types of providers (e.g. data over cable TV, telephone, or

even electrical power networks), substitution of mobile service for fixed service, and

integration of customer terminal equipment or access devices such as the telephone,television and personal computers. In essence this meant that the formerly mobile telephony

providers would offer Internet services i.e. mobile internet and vice versa the Internet Service

providers could provide telephony services i.e. VoIP.

Internet access at high bandwidth was envisaged that would create new possibilities to

develop multimedia content for information, entertainment, and data processing. It was

important to note that in several countries broadband growth had by this time already

outpaced mobile telephony. The boom was mainly fuelled by software downloads, onlinegaming, and e-commerce. In Tanzanian context, affordable high-speed networks could

facilitate deployment of Information and Communications Technology for development. The

converged licensing framework was meant to facilitate the above possibilities.

It is important to note that the above development of the licensing framework focused on the

deployment of more ICT infrastructure and had no focus on the correct use and/or protecting

users from illegal activities. This could be attributed to the fact that there was a very limited

deployment of ICT services with less that 150,000 people using computers and relatedservices at the time(Ulanga, 2005). So efforts toward cyber security and related Issues by the

government of Tanzania were done through the Law Reform Commission that circulated a

discussion paper on the introduction of legal framework for electronic commerce in Tanzania.

The discussion paper came as a result of a study that highlighted lack of relevant legislations

for electronic transactions. Two areas have been highlighted in the discussion paper namely

contracts and consumer protection. Generally the legal system in Tanzania was mainly based

on Common law. Regulatory steps to secure electronic transactions such as digital

signatures, electronic evidence, reforms to contract law, dispute settlement and others have

not yet been promulgated. In terms of contracts, the Tanzanian laws did not even recognize

electronic contracts.


40/98

40

Laws on consumer protection, sales and supply of goods in Tanzania were designed to

protect consumers on off-line business only which hardly applied to the online business when

it came to the matter of distance contracts. The laws did not protect consumers against any

risks involved in distance selling and buying business because when these laws were passed

the online or distance contracts were not in practice in Tanzania. It was further noted thatTanzanian laws neither covered on-line contracts nor did they recognize cyber space; the

laws in place then provided that, the contract must be in writing and duly signed or

authenticated before a witness a requirement that was hardly applicable in cyber space.

Cyber Crimes

The discussion paper also noted that while cyber-crimes posed a significant threat to the

development of electronic transactions Tanzanian Laws did not recognize criminal activities

on the internet. For example illegal intrusion into a computer system could not be prosecuted

with the current legislations at the time which required the perpetuators physical presence.

So also went for computer fraud which in the most simplistic form can be described as

stealing something of value by means of computers and could be extended to as far as

fraudulently giving instructions to a computer to transfer funds into a bank account or using a

forged bank card to obtain money from a cash dispenser.

Another was data protection, where a threat was defined as the use of data processing

techniques that could pose a danger to the rights and freedoms of those individuals whose

personal data is subjected to some form of automated processing. There was no law in

Tanzania which protected data or databases in Tanzania. The main concern here was the

right to privacy, data protection and danger of information misuse. Spam in its most simplistic

form is the act of sending large number of unsolicited mails with an intention to market a

product or to deceive the users. This aspect has not been covered in the discussion paper,

however currently spam is one of the most visible unwanted activities by the computer users

in Tanzania.

Cyber-attacks: as Tanzania was embarking on deployment of e-government and more and

more organizations were adopting the internet as a medium of transmission for their core

business functions. The e-mail was replacing the fax as the main medium of transmission.


41/98

41

The organizations that heavily depend of the internet and computer network were now at risk

from cyber-attacks which could be deliberate attempts to disrupt services (Denial of Service

Attacks) or even more sophisticated attacks. The information document did not address these

aspects of cyber security while there was no legislation which covered these aspects.

(Ulanga, 2005).

Enumerating all possible Internet vulnerabilities, threats, and attacks in an exact list is not

feasible, yet they can be categorized as the table below shows.

Figure 4: Vulnerability Possibilities

SME.1 High Severity problem(s) found

SME.16 Medium Severity problem(s) found
















Vulenerabilty scan of randomly selected SME's using

Nessus/OpenVAS

Source: Author

Another study was carried out in 2008 by Kristina Cole et al to assess the efforts of African

nations in the realm of cyber security. They approached cyber security as a national securityconcern due to an increase in the use of digital technology for critical infrastructure, for

military operations, and for intelligence gathering/management, mandating the creation of

comprehensive national cyber security plans. Although in their case it was not entirely

appropriate for developing nations as many African countries are developing nations and they


42/98

42

possess neither robust critical infrastructures that utilize digital control systems nor highly

digitized militaries, and so thinking about cyber security issues in relation to these systems

therefore may not make sense. They therefore sought to determine how to implement cyber

security in less developed countries, as an issue not solely associated with national security

and instead assessed cyber security by focusing on initiatives that were motivated by morethan just traditional national security. In order to develop these assessment criteria, the

definitions of national, economic, and human security needed to be clarified in context of their

common usage and traditional meanings. To see where cyber security fits into the equation

they introduced the concept and model of security relationships.

Figure 5: Model of Security Relationships

In this way, cyber security is a function of the various institutions to implement the various

security measures and thus floats between the branches of security.

2.4. Chapter Summary

This chapter has attempted to give a brief description of Arusha and the businesses activities

therein. Then went ahead to show the extent to which SMEs are important to the economies

of the countries and spell out all the potentials of the small-medium enterprises, this was

followed by the classifying the cyber security challenges which are faced by SMEs.


43/98

43

Then re-examined and combined all the existing relevant literature on the two subjects small-

medium enterprises (SME) and information security namely cyber security. Finally the

chapter highlighted the opportunities and the threats which mainly affect the SMEs as well as

the benefits of securing information to the SMEs.


44/98

44

Chapter three: Research Design and Methodology

3.1. Research Design

Outline of the case study

The study started off with formulating and deciding on the hypothesis for the study, i.e. the

purpose, the goals and the question at issue. Next followed literature studies for collection of

information on the background to the project and the framework. The creation of the

framework was a major part of the project, and was performed in two steps; creation of the

category definitions and a validation of the definitions, see Figure 3 for an overview. The next

step was the data collection, followed by the analysis of the collected data.

Figure 6: Outline of the Case Study

Source: (Soderbom, 2007)

A good design is when it has a general plan for the researchers; detailing how they will go

about answering the research questions and how they will consider and determine the

sources for data collection. In addition it will also consider the constraints they may face i.e.

location, financial resources, time, ethical issues, access to data etc. The methodology

should then ponder the fact that the researcher has idealized carefully about why a particular

strategy has been applied.

Case Studies

Saunders (2009) defines a case study a strategy for doing research which involves empirical

investigation of a particular phenomenon within its real life context using multiple sources of


45/98

45

evidence. Yin (2003) also highlights the importance of context adding that, within a case

study the boundaries between the phenomenon being studied and the context within which it

is being studied are not clearly evident. Mortis and Wood (1991) also point out that the case

study will be necessary if we wish to gain a rich understanding of the context of our research

and the process being enacted. The motives for adopting a case study were due to thefollowing merits as outlined by Kothari (2001).

1) It is fairly exhaustive method which enabled the researcher to study deeply and

thoroughly different aspects of the phenomenon.

2) Its flexibility in respect to data collection; this study was carried out using a collection

of methodologies and both secondary and the primary data.

3) It saves both time and cost.

The rationale of choosing Habari Node Ltd as a case is that it is a leading ISP serving the

majority of the Arusha Internet users. HNL was identified as vantage point to investigate

Cyber security awareness as well as a focal point for the carrying out the vulnerability tests

as most of the other SMEs to be sampled got their internet from HNL. Additionally HNL was

justified on the grounds that they keep some records of the traffic statistic and as the ISP

handles the majority of the Internet traffic collection of data was simplified. Furthermore the

independent test and vulnerability scans were best run form the ISP as in was a gateway toease consolidation and matching of data. So HNL was chosen to enable the research identify

vulnerabilities, facilitate arriving at solutions for dealing with these risks and possibly

disseminating these findings widely.

Primary research is an original research which gives first-hand information on a topic. This

research (such as a journal, a person, or an event) informs you directly about the topic, rather

than through another persons explanation or interpretation. The most common forms of

primary research are observations, interviews, surveys, experiments, and analyses of original

documents and artefacts. The primary research is conducted by the researcher

Documents

An Assesment of Cyber Security Challenge in Arusha