BYOD: Risk considerations in a South African organisation
Master Thesis
2018
Permanent link to this Item
Authors
Supervisors
Journal Title
Link to Journal
Journal ISSN
Volume Title
Publisher
Publisher
University of Cape Town
Department
Faculty
License
Series
Abstract
In recent times, while numerous organisations have difficulty keeping abreast with the frequent year-on-year technology changes, their employees on the other hand, continue to bring their personal devices to work to more readily access organisational data. This concept is known as Bring Your Own Device (BYOD). Studies have demonstrated that the introduction of BYOD commonly has a positive effect on both organisation and employees: increased optimism, job satisfaction and productivity are some of the perceived positive effects. Furthermore, BYOD can improve employees’ opportunities for mobile working and assist with the work flexibility they seek. This phenomenon, however, is still not well understood. In the South African context, this refers particularly to an inadequate understanding of risks associated with the introduction of BYOD into organisations. Some of the risks associated with this phenomenon are, for instance, related to information security, legislation and privacy issues. Hence, the intention of this research was to investigate, determine and assess BYOD risk considerations in a South African organisation. Using the available literature on this subject and an interpretative exploratory case study approach, this research explored various facets of BYOD-related risks (e.g. implementational, technological, legislation, regulation and privacy risks, human aspects and organisational concerns) as well as the impact these risks may have on both employees and an organisation. The organisation under investigation – from this point onward referred to as “Organisation A” – is a South African based information technology (IT) security consulting and service management organisation, which has seen increased expansion in its business and thus an increase in the number of its employees utilising their personal devices at the workplace. Even so, Organisation A was uncertain regarding possible risks that might hinder benefits of BYOD. Hence, this researcher defined the main research question as “What are the risks of introducing the BYOD in the South African organisation and what is an effective approach to address identified risks?”. The main objective was to identify and describe BYOD-related risks and to propose an appropriate model for addressing these risks. To answer the main research question, this researcher reviewed the applicable literature on the BYOD, including the limited South African literature pertaining to the subject. The review elicited the most common BYOD-related risks but also some models, frameworks and standards that may be applied for addressing these risks. Based on these revelations, an applicable BYOD risk management model was created and proposed. The literature review findings were subsequently tested in the empirical setting (in Organisation A) by conducting comprehensive interviews with research participants. This research adopted a qualitative approach in general and a case study methodology in particular. The collected data were analysed using the interpretative phenomenological analysis (IPA), which aided in providing a comprehensive understanding of the interviewees’ responses regarding the BYOD risks. The interviewees were selected based on a purposeful (pre-defined) sampling. The results of this interpretative research suggest that the interviewees’ responses are closely aligned with the information on BYOD risks collected from the pertinent literature. The results show that successful introduction and usage of BYOD in the studied organisation requires the implementation of mixed risk management measures: technological (e.g. mobile device management and its additional components), non-technological (e.g. IT or BYOD security policies), the usage of general risk management frameworks (e.g. ISO 27001), the development of an organisational security culture and skilling of the human factor (e.g. employee awareness, training and education, for example). Additionally, it was found that participation of employees in the development of BYOD policies is an essential and effective tactic for transforming a fragile BYOD risk link (i.e. employees) into a strong risk prevention mechanism. Furthermore, this research also revealed that in the South African context, it is important that an organisation’s BYOD security policies are sound, preferably meeting the POPI Act requirements and thereby avoiding legislation risks. The contribution of this research is twofold: first academic, and second, practical. The academic contribution is realised by adding to the body of knowledge on the BYOD risks – most particularly in terms of understanding potential risks when introducing BYOD in the South African context. The practical contribution manifests through the provision of detailed risk considerations and mitigation guidelines for organisations wishing to introduce BYOD practices or considering ways to improve their current BYOD risk management strategy. It is acknowledged that this research has some limitations, particularly in regard to the limited generalisation of the findings due to the limited sample provided by only one organisation. Although the results are not necessarily applicable to other South African organisations, these limitations did not impact the relevance and validity of this research.
Description
Keywords
Reference:
Veljkovic, I. 2018. BYOD: Risk considerations in a South African organisation. University of Cape Town.