A proposed framework that enhances the quality of cyber security audits

Master Thesis


Permanent link to this Item
Journal Title
Link to Journal
Journal ISSN
Volume Title
The need to protect information systems or assets remains crucial today. Innovations in technology have led to rapid developments and as technology continues to advance, so is the need to protect information systems. Amongst numerous effects of cyber-attacks on organizations, huge financial losses which in turn affect the economy have since been reported. Cyber security audits need to be strengthened to tighten the protection of information systems. The importance of cybersecurity audits is widely endorsed in literature. Nonetheless, frameworks used to audit cybersecurity are viewed as‘sometimes' weak links to cybersecurity due to their drawbacks in auditing cyber security. A review of literature indicated that cyber-attacks are more rampant in the African continent with the financial sector being the most targeted. Literature also highlighted that the use of relevant frameworks for auditing cyber security improves the quality and effectiveness of audits thereby enhancing cyber security. Studies in information systems have mostly looked at the adoption of frameworks, types of cyber threats and tools needed to audit. Nonetheless, it is important to note that few scholars have examined the applicability and effectiveness of the existing frameworks in auditing cyber security. Furthermore, previous studies emphasize on enhancing cyber security without a particular focus on auditing cyber security including assessing the role of the auditor during the process. As a result, this study looked at cyber security from an auditing perspective with a particular focus on the strengths and weaknesses of the current frameworks that are being used to audit cyber security including. The study also looked at the factors that enhance the effectiveness of cyber security audits. The study draws from different theories, literature and from the strengths and drawbacks of existing frameworks to create an explanatory model. To statistically test and evaluate the model, a quantitative research approach was employed to collect, analyze, and interpret data from South Africa. Data was collected using a questionnaire which was distributed to IT auditors and cyber security professionals from the Information Systems Audit and Control Association (ISACA) South African chapter members. The National Institute of Standards and Technology (NIST) cyber security framework was found to be the widely adopted framework followed by the International Organization for Standardization (ISO) standards, with the Control Objectives for Information Technologies (COBIT) being the least employed framework. The COBIT framework was found to be more aligned to Information Technology governance rather than cyber security. Furthermore, results of this study indicate that effectiveness of cyber security audits is dependent upon competencies of auditors including their ethics and integrity. Results further indicate that frameworks used for auditing are effective to some extent if properly implemented. A proper alignment of an auditor's competencies which include ethics and integrity, and an adoption of a relevant framework will result in effective cyber security audits that reduce the risks of cyber-attacks. Concerning the contribution to practice, results from this study can help organizations to determine and review focus areas of cyber security auditing that they need to emphasize and develop on. Furthermore, the developed model can be used by auditors to develop an audit plan and conduct audits that are effective in identifying, protecting, detecting, preventing, and recovering information systems or assets. The methodological, theoretical, and practical contributions are further discussed in this thesis along with limitations, recommendations, and areas for future research.