Abstract:
Information technology plays a pivotal role in today's businesses, and while it brings benefits to the business it also introduces many risks that need to be addressed. Because organisations depend on information systems, organisations of every size should have an information security program in place to deal with the risks that arise from the use of technology. The aim of this study was to evaluate the adequacy of the information security programs of small to medium enterprises in Zimbabwe, using key performance indicators (KPIs) for security governance as the basis for measurement. A case study was conducted using a qualitative research approach. A non-random purposive convenience sampling technique produced a sample of 5 small to medium enterprises in Gweru, which was used for data gathering. Interviews were conducted with 5 top management members, and questionnaires were administered to 5 employees involved in security administration or IT. Literature data was also used. The study found that, measured against information security governance KPIs, the security programs of the small to medium enterprises are inadequate and loaded with poor practices. Organisations are recommended to examine the constructs of the four generic KPIs (strategy, risk, posture and compliance) in order to build a sound security program, since these strategic indicators are a prerequisite for presenting the state of, and changes in, the security program. The findings of this study contribute to the information security governance area of study by presenting simple and practical methods for evaluating information security programs, allowing management to make plans and strides towards managing cyber risks in a world where information technology has become both a tool and a target. This research can also be used to develop an information security governance measurement framework for small and medium enterprises. Such a framework would provide a roadmap for decision making and help small and medium enterprises give due attention to security activities so that a secure computing environment can be attained.