Maturity of information systems security in selected private Banks in Ethiopia

Information system security is more critical than ever before because security threats are rapidly growing and the environment requires organizations to continuously adapt to changes. Before putting in place information systems security measures, organizations are required to determine the maturity level of their information security governance. Extant literature reveals that there is no recent study on information systems security maturity level of banks in Ethiopia. This study, thus, seeks to measure the existing maturity level and examine the security gaps in order to propose possible changes in Ethiopian private banking industry's information system security maturity indicators. Four private banks are selected as a representative sample. SSE-CMM (System Security Engineering Capability Maturity Model) is used as the maturity measurement criteria and the measurement was based on ISO/IEC 27001 information security control areas. The data for the study was gathered using a questionnaire. A total of 93 valid questionnaires were gathered from 110 participants in the study. Based on the SSE-CMM maturity model assessment criteria, the private banking industry's current maturity level is level 2 (repeatable but intuitive). Institutions have a pattern that is repeated when completing information security operations, but its existence was not thoroughly proven, and institutional inconsistency still exists. Recommendations are forwarded for management intervention in order to address the identified gaps.