European Journal of Business and Management

In 2013, Communication Authority of Kenya (CAK) recorded cyber-attacks amounting to Sh5.4 million loses. In April 2016, Bandari Savings and Credit Cooperative Society lost Sh5 million through fraudulent ATM withdrawals (Nation Newspapers, April 8, 2016). These examples demonstrate weaknesses that may exist from security breaches and incidents caused by people, processes, and technology. Ministry of ICT and CAK are lacking specific Information Security Models tailored towards SACCOS in Kenya. The study therefore sought to assess the current status of information security policies among SACCOS in Kenya. The study adopted descriptive research design. The unit of observation was 135 SACCOS registered with SACCO Societies Regulatory Authority (SASRA) while the unit of analysis was 270 ICT personnel working in the 135 targeted SACCOS. The study targeted the SACCOS heads of IT department. The study used Nassiuma (2000) formula to get a sample of 85 respondents. Purposive sampling was further used in selecting study participants in every SACCOS who were considered to be knowledgeable of the variables under study. The study utilized questionnaire as the survey instrument to collect both quantitative and qualitative data. The study adopted descriptive statistics. Descriptive data was presented by use of frequency tables. The study established that in all the SACCOS studied, information security policy is used. However, there are still challenges on how information security breaches and incidents can be contained based on the results of the study and therefore calls for further research in academic research. The findings of the study indicate that SACCOS were able to validate that the enhanced information security model using an integrated approach worked as planned and reported to auditors, managers and executives that incident response programs are robust and reliable. If security controls didn’t work as planned, they will need to fix them. The actions and resources needed should be included in in the report to executives in the SACCOS sector in Kenya

Keywords: SACCOS, Management controls, Information Security Policies, Risk assessment

DOI: 10.7176/EJBM/11-27-09 Publication date:September 30th 2019