A framework for enhancing information systems security among small enterprises in Uganda
Abstract
Over the past decade, there has been a sharp increase in the number of small enterprises adopting
digital technologies in the quest for improving efficiency and competitiveness. This is largely
attributed to the expansion of IT infrastructure, mobile money, and the COVID-19 pandemic.
However, this dependence on digital technologies exposes small businesses to a vast array of
cyber threats such as phishing, ransomware, and fraud, against which they remain highly
vulnerable. A major challenge is the lack of a tailored information systems security framework
addressing the unique needs and constraints of small enterprises. Existing national frameworks
(like the NITA-U National Information Security Framework) are geared toward larger
organizations, leaving small enterprises with guidelines that are too generic, complex, and costly
for them to implement. Resource limitations and minimal in-house expertise further exacerbate the
security gaps for small enterprises.
This research applies a Design Science Research (DSR) methodology to address the problem by
designing and validating an artifact, a customized Information Systems Security (ISS) framework
for Ugandan small enterprises. Following the DSR paradigm, the study first identifies and clarifies
the practical problem and motivates the need for a solution. It then defines the objectives for a
feasible security solution tailored to small businesses. Guided by these objectives and informed by
a review of existing frameworks and empirical data, a security framework artifact was designed.
The artifact was iteratively refined through demonstration and evaluation: an initial version of the
framework was presented to practitioners for feedback, and a formal evaluation was conducted via
expert reviews to assess its effectiveness in improving security for small enterprises. The final
stage involved communication of the results and artifact, as captured in this thesis.
The resulting framework is a practical, four-phased security management model that aligns with
industry best practices (drawing on NISTIR 7621 and ISO 27001 standards) while remaining
lightweight and affordable for small businesses. It emphasizes a cycle of continuous improvement
through phases of assessment, planning, implementation, and monitoring, each with specific
actionable measures attuned to the resource constraints of Ugandan small enterprises. Evaluation
findings show that the framework is well-aligned with the needs of small enterprises as it addresses
identified security gaps, is cost-conscious by leveraging existing tools and guidelines, and is
adaptable to the local context. The expert validation confirmed the artifact’s relevance and
effectiveness, providing confidence that adopting the framework can significantly bolster the
information security posture of small enterprises.
In summary, this study contributes in two main ways: (1) it provides a validated security
framework that small businesses can easily use to improve their information systems security, and
(2) it offers insights from design science on creating security solutions tailored to specific contexts.
This shows how design science research can connect general best practices with the needs of local
organizations. This work not only provides a valuable solution for practitioners in Uganda's small
business sector but also enhances academic understanding by showing how global security
frameworks can be adapted to fit the needs of local small enterprises through a detailed design
science approach.


