An Innovative Soft Design Science Methodology for Improving Development of a Secure Information System in Tanzania Using Multi-Layered Approach

This paper presents an innovative Soft Design Science Methodology for improving information systems security using a multi-layered security approach. The study applied Soft Design Science Methodology to address the problematic situation of how information systems security can be improved. In addition, Soft Design Science Methodology was combined with a mixed research methodology. This holistic approach supported research methodology triangulation. The study assessed security requirements and developed a framework for improving information systems security. The study carried out a maturity level assessment to determine the security status quo in the education sector in Tanzania. The study identified the security requirements gap (IT security controls, IT security measures) using ISO/IEC 21827: Systems Security Engineering-Capability Maturity Model (SSE-CMM) with a rating scale of 0-5. The results of this study show that the maturity level across security domains is 0.44 out of 5. The finding shows that the implementation of IT security controls and security measures for ensuring security goals is lacking or conducted ad hoc. Thus, to improve the security of information systems, organisations should implement security controls and security measures in each security domain (multi-layer security). This research provides a framework for enhancing information systems security during capturing, processing, storage and transmission of information. This research has several practical contributions. Firstly, it contributes to the body of knowledge of information systems security by providing a set of security requirements for ensuring information systems security. Secondly, it contributes empirical evidence on how information systems security can be improved. Thirdly, it contributes on the applica

How to cite this paper: Mshangi, M., Nfuka, E.N. and Sanga, C. (2017) An Innovative Soft Design Science Methodology for Improving Development of a Secure Information System in Tanzania Using Multi-Layered Approach. Journal of Information Security, 8, 141-165. https://doi.org/10.4236/jis.2017.83010

Received: May 5, 2017
Accepted: July 3, 2017
Published: July 6, 2017

Copyright © 2017 by authors and Scientific Research Publishing Inc. This work is licensed under the Creative Commons Attribution International License (CC BY 4.0). http://creativecommons.org/licenses/by/4.0/


Introduction
The advancement of information communication technologies (ICT) enabled the integration of information systems in cyberspace, which is accessible through the Internet and mobile-based platforms. Recently, researchers have shown an increased number of cybercrimes affecting information systems in cyberspace. A study by [1] revealed that 12.8% of users in the education sector in Tanzania experience cyber-attacks due to visiting unhealthy websites; 63.29% of e-mails received by users are spam. Thus, the security of information in information systems during capturing, processing, storage, and transmission is questionable. This is evidenced by past studies; for example, [2] argued that the number of security incidents exploiting security holes in the information systems in cyberspace is increasing. One of the notable security holes is the Heartbleed attack. A study by [2] found that 89% of the universities' information systems in cyberspace were vulnerable to the Heartbleed attack. Heartbleed is a vulnerability in the OpenSSL cryptographic software that allows stealing of protected information such as usernames, passwords, and private certificates from the memory of the computer.
Further, [3] argued that many systems security problems are contributed by a lack of integration of systematic research methodology, standard security guidelines and principles, security awareness training, and secure coding practices in the systems development life cycle. A study by [3] revealed that security awareness training is lacking or conducted ad hoc, with a mean of 0.59 and standard deviation of 0.499 on the 0-5 rating scale of the System Security Engineering Capability Maturity Model (SSE-CMM). The same study revealed that secure coding is non-existent or practiced ad hoc, with a mean of 0.33 and standard deviation of 0.516 on the 0-5 rating scale of SSE-CMM. These contribute to the problem of insecure systems, which require security improvement to ensure that security goals (confidentiality, integrity, and availability) are guaranteed. These security problems are contributed by human factor involvement in security. The study by [3] came up with the integration of Soft System Methodology and Design Science Research for solving problematic situations in information systems security. The result of this integration is termed Soft Design Science Methodology; it has been employed in this study to tackle the problematic situation of how information systems security (ISS) can be improved.
Different approaches have been employed in tackling this wicked problematic situation of how ISS can be improved. These approaches lack multi-layered security integration with Soft Design Science Methodology. Many people make the mistake of believing that building security into information systems (ISs) is simply a matter of referring to a checklist [4] of technical and procedural controls and applying the appropriate security measures on the list. The checklist approach also fails [4], because many people focus on checking that the links in the chain exist but do not test that the links actually fit together to form a secure chain system. Thus, various studies have tried to address the problem of how to improve the security of information in information systems, but these approaches lack multi-layered security integration with Soft Design Science Methodology. The current study therefore addresses the messy problematic situation of how ISS can be improved, using multi-layered security integration with Soft Design Science Methodology. This is a methodology for tackling real-world messy problematic situations involving the human factor, such as how to improve information systems security. This research has several practical contributions. Firstly, it contributes to the body of knowledge of information systems security by providing a set of security requirements for ensuring information systems security. Secondly, it contributes empirical evidence on how information systems security can be improved. Thirdly, it contributes on the applicability of Soft Design Science Methodology in addressing the problematic situation in information systems security. Fourthly, this research provides a framework for enhancing information systems security during capturing, processing, storage and transmission of information.
The paper is organized as follows: Section 1 presents an introduction, problem statement, main research objective and research question. Section 2 presents the related works, the theoretical foundations of the research methodology (Soft Design Science Methodology), and the research gap. Section 3 presents the materials and methods employed in this study. Section 4 presents the root definition of the problem and requirements analysis using CATWOE analysis. Section 5 presents the findings and discussion. Section 6 describes the proposed framework for tackling the real-world problematic situation and filling the identified research gap. Section 7 presents the research contributions of this study. Finally, Section 8 presents the conclusion and recommendations.

Problem Statement
Information systems security (ISS) is the protection of information and information systems (ISs) from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability [5] [6]. Information security management incorporates the identification of information resources used by organisations, and the development and implementation of policies, standards, guidelines, and procedures to protect those resources (assets) [5]. Ensuring ISS, by ensuring the security goals (confidentiality, integrity, and availability) of information manipulated by computing systems, is a long-standing yet increasingly wicked, messy, ill-defined problematic situation facing information systems in cyberspace. The numerous technical advances in ICT do not always produce more secure environments for information systems in cyberspace. Therefore, the information systems security problem in cyberspace cannot be understood or described as solely a technical problem. Information systems are operated by people, and this means that information systems security is also a human factor issue [7] [8] [9] [10]. Human factors influence how individuals interact with information systems security technology; it is this interaction that is often detrimental to the security of information systems in cyberspace [10]. The threats/risks resulting from human factors include cybercrimes such as hacking, phishing attacks, SMiShing attacks, social engineering attacks, insider attacks (employee sabotage, consultants, contractors, vendors), data theft and leakages [5] [10] [11].
The existing models, frameworks, and standards for addressing the security of information systems in cyberspace are inadequate [4] [5] [12]-[22]; practical techniques for enforcing them are unsatisfactory. Within an information system, at any given moment, information is found in one or more of four states: capturing, processing, storage, and transmission. The security requirements for ensuring the security of information in information systems should be defined for each information state. Ensuring the security of information during capturing, processing, storage, and transmission in information systems is debatable due to failure to ensure security goals (confidentiality, integrity, and availability) in information systems. The solution for tackling a problematic situation involving the human factor needs a multi-layer security approach integrated with Soft Design Science Methodology. The main research problem is to tackle the real-world messy, wicked problematic situation involving the human factor: how information systems security can be improved, in the case of the education sector in Tanzania. The study adopted Soft Design Science Methodology to guide the research process.

Objective of Study
The main objective of this study was to tackle the messy, wicked, complex problematic situation of how information systems security can be improved. The study assessed security requirements and developed a framework for improving the security of information during capturing, processing, storage and transmission in information systems, using a multi-layered security approach integrated with Soft Design Science Methodology.

Related Works and Theoretical Foundations of Research Methodology
This section presents the related works to this study and the methodology employed to guide the research work.

Related Works
Various studies have tried to address the problem of how information systems security can be improved, using different approaches. For example, a study by [12] focused on improvement of the ICT security management process in non-commercial organisations. A study by [15] proposed a framework using a rule-based approach. A study by [23] proposed a multi-layer model for e-government information security assessment. A study by [24] focused on enhancing the governance of information security in developing countries (the case of Zanzibar). All these studies lacked the soft system thinking multi-layer security integration approach. This approach is effective for tackling wicked, messy problematic situations involving the human factor. Any security system, no matter how well designed and implemented, will have to rely on people [10].
Human factors play a crucial part in the majority of security incidents affecting information systems in cyberspace. Implementing appropriate technical solutions alone still fails to handle the human factor, which results in insecure systems [10] [11].
The existing models, frameworks, and standards have limitations. For example, SABSA [4], ISO27001/2 [13] [14], McCumber [16] and COBIT 5 [25] [26] for information security have limitations. These standards, frameworks or models are too general, need customization, and are based on the general environment rather than the targeted environment (the education sector in Tanzania). Thus, some have limitations with respect to the research problem and research objective. Today's sophisticated attackers strike across multiple layers. That means that our security must also be layered. Layered security refers to security systems that use multiple components to protect operations on multiple levels or layers [27]. A multi-layered security approach without integration with the soft system thinking approach is ineffective for addressing wicked, complex problematic situations involving the human factor. Thus, to address the wicked, complex problematic situation involving the human factor, such as how information systems security can be improved, the study adopted a multi-layered security approach integrated with Soft Design Science Methodology.

Theoretical Foundations of Research Methodology: Soft Design Science Methodology
The Soft Design Science Methodology [3] [28] merges the common Design Science Research (DSR) process (design, build-artifact, evaluation) [29] [30] together with the iterative Soft Systems Methodology (SSM). The design-build artifact evaluation process was iterated until the specific requirements were met [31] (Figure 1 and Figure 2).

Design Science Research
Design Science Research (DSR) is the research methodology used for the creation and evaluation of artifacts for information models (abstractions, architects, frameworks, conceptual systems) intended to solve an identified fuzzy organisational problem [32] [33] [34] using behavioural and design science paradigms [33] [35]. Information systems artifacts are broadly defined as constructs (vocabulary and symbols) [36], models, representations, methods (algorithms and practices), and instantiations (implementation of systems, and prototype systems) [36]. Design is a wicked problem by itself based on the following criteria: requirements and constraints are unstable; there are complex interactions among subcomponents of the problem and resulting subcomponents of the solution; there is inherent flexibility to change artifacts and processes; and it depends on human cognitive abilities and human social abilities. DSR has gained significant acceptance within design work on technology solutions, but it lacks the socio-technical concern [35] [37], which is a vital component in the conceptualization of artifact development. In this study, the weakness of DSR was addressed by the strength of Soft Systems Methodology and vice versa (Figure 1 and Figure 2).

Soft Systems Methodology
Soft Systems Methodology (SSM) is the methodology which assists people in solving a complex, messy problem in the organisation by using systems rules and principles that allow structuring of system thinking about the real world [38] [39]. The real-world problematic situation in this study is how to improve the security of information during capturing, processing, storage, and transmission in information systems. At the heart of SSM is a comparison between the world as it is, and some models of the world as it might be [40]. Out of this comparison arise a better understanding of the world ("research") and some ideas for improvement ("action") [39] [40]. The SSM has seven stages; some of them address the real world, and some of them, perhaps the most important parts, address a conceptual world (Figure 1).
SSM is a process of seven stages of analysis which uses the concept of a system of human activity as a means to get from the "finding" of the problematic situation (wicked/complex problem) to "taking action" to improve the situation [31] [42].
The SSM has strengths and weaknesses. One of the strengths of SSM is in solving complex, messy problematic situations. One of the weaknesses of SSM is that it does not deal with implementation issues [44] [45]. The SSM was integrated with DSR methodology (this integration formed Soft Design Science Methodology) [3]; the weaknesses of one were complemented by the strengths of the other. In this study, Soft Design Science Methodology was employed in the design and development of a framework for enhancing information systems security. Soft Design Science Methodology was employed in the creation of this artifact. The developed artifact was compared with the real world in a circular fashion (Figure 1 and Figure 2) until an optimal framework for enhancing ISS was obtained.

Research Gap
The application of information security technologies does not always result in improved security for information systems in cyberspace. Technology is an essential part of securing information resources (assets), but people are responsible for the design, implementation, and operation of these technological tools for enhancing information systems security during capturing, processing, storage, and transmission. The solution for tackling a problematic situation involving the human factor needs a multi-layer security approach integrated with Soft Design Science Methodology. There have been a number of valuable studies related to improving the security of information systems, such as studies by [12] [15] [16] [24] [35] [37] [46]-[51] and others. However, none of these studies were carried out for improving information systems security using a multi-layered security approach integrated with Soft Design Science Methodology.
These past studies have not addressed the identified research gap; for example, a study by [50] focused on ensuring security and privacy of electronic patient records (case of the hospital). A study by [15] proposed a framework based on the Microsoft advanced analytics model [17] [18] (STRIDE threat model). This lacks a soft systems thinking approach, and it is a vendor-based model, which implies that extension to other environments is not guaranteed to give the desired results. A study by [24] proposed a framework for information security culture in the case of Zanzibar; this may not work in the education sector in Tanzania, as culture differs from one sector to another. This creates a research gap for this study on how the security of information systems in the education sector in Tanzania can be improved.

Materials and Methods
The study employed qualitative and quantitative research methods for data collection [52] [53]. The quantitative methods employed were survey questionnaires (management staff, end users, and IT staff). The qualitative research methods employed were semi-structured interviews using electronic assessment tools [54] for focus groups/individuals, participant observation and documentary review [55] [56]. The data collection was conducted in seven organisations under study in the education sector in Tanzania [57] [58]. The seven organisations selected are those which are mainly involved in education assessment and management of education in Tanzania, because of their high impact on the whole sector. In this study, the names of the seven selected organisations, referred to as K, L, M, N, O, P and Q [57] [58], were not disclosed for confidentiality purposes. In this case, the level of analysis is organisational.
The research involved collection of quantitative and qualitative data from seven organisations (  sampling frame was divided into 7 strata (strata K, L, M, N, O, P, and Q) comprising end users of information systems from 7 organisations. The respondents from each stratum were selected using random sampling [55] [56].
Due to the nature of the research problem, SSM (Figure 2) was adopted to manage the analysis of data in a systematic way and circular fashion. Collected data were first cleaned and coded before being analysed. In cycles i = 1, 2, 3 in Figure 2, the survey data were analysed to determine security requirements (IT security controls; security measures to ensure security goals of information security are guaranteed). The analysis was done in cycle i = 1 for management staff (Sj, j = 1); cycle i = 2 for ICT staff (Sj, j = 2); cycle i = 3 for end users of information systems (Sj, j = 3). Out of these comparisons come relevant systems of purpose which require improvement. The validity and reliability of data were determined. The analysis of the collected data in each cycle (Figure 2) was done using the "R statistical computing package" based on SSE-CMM [59]. R is a software language for carrying out complicated (and simple) statistical analyses [60] [61].
The SSE-CMM, with a rating scale of 0-5 (minimum 0 and maximum 5), was used: 0-not performed (non-existent); 1-performed informally (unplanned/ad-hoc); 2-partially implemented (planned); 3-implementation is in progress (planned and tracked); 4-fully implemented (well defined and auditable); 5-fully implemented and regularly updated (monitored and audited for compliance). Validity and reliability of data were controlled. Cronbach alpha [62] [63] was used to test the reliability of survey questionnaires. The Cronbach alpha in this study was found to be 0.901, which is above 0.7. Thus, survey questionnaires in this study were reliable. The analysis was repeated for semi-structured interview data, participant observation, and documentation review. The data were coded and analysed using R, managed by SSM (Figure 2) in a circular fashion for cycles i = 1, 2, 3, ... and Sj, j = 1, 2, 3, ... The findings from this study were described and presented in the form of charts, figures, and graphs.
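The scoring and reliability check described above, as an added example in Python (the study itself used R; this is not the authors' code). The respondent ratings are constructed, the function names are hypothetical, and mapping a mean score to a level label by rounding down is an assumption.

```python
"""Added example: SSE-CMM domain maturity scoring with a Cronbach's alpha check."""
import math
from statistics import variance

# Rating labels as the paper lists them for the 0-5 SSE-CMM scale.
SSE_CMM_LEVELS = {
    0: "not performed (non-existent)",
    1: "performed informally (unplanned/ad-hoc)",
    2: "partially implemented (planned)",
    3: "implementation is in progress (planned and tracked)",
    4: "fully implemented (well defined and auditable)",
    5: "fully implemented and regularly updated "
       "(monitored and audited for compliance)",
}

# Constructed sample: 4 hypothetical respondents rating 3 of the paper's
# security domains (one questionnaire item per domain, for brevity).
DOMAINS = ["ISO4 risk management", "ISO11 access control", "ISO15 compliance"]
SAMPLE_ROWS = [
    [1, 0, 0],
    [2, 1, 0],
    [2, 1, 1],
    [3, 2, 1],
]

RELIABILITY_THRESHOLD = 0.7  # the paper treats alpha above 0.7 as reliable


def validate(rows):
    """Check shape and the 0-5 range; return the number of items k."""
    if len(rows) < 2:
        raise ValueError("need at least two respondents")
    k = len(rows[0])
    if k < 2:
        raise ValueError("need at least two items")
    for row in rows:
        if len(row) != k:
            raise ValueError("every respondent must rate every item")
        for rating in row:
            if not isinstance(rating, int) or not 0 <= rating <= 5:
                raise ValueError(f"rating {rating!r} is outside the 0-5 scale")
    return k


def cronbach_alpha(rows):
    """alpha = k/(k-1) * (1 - sum(item variances) / variance(total scores))."""
    k = validate(rows)
    item_vars = [variance([row[i] for row in rows]) for i in range(k)]
    total_var = variance([sum(row) for row in rows])
    if total_var == 0:
        raise ValueError("total scores do not vary; alpha is undefined")
    return k / (k - 1) * (1 - sum(item_vars) / total_var)


def maturity_report(rows, domains, target=5):
    """Mean rating per domain, its level label, and the gap to the target."""
    k = validate(rows)
    if len(domains) != k:
        raise ValueError("one domain name is required per item")
    per_domain = []
    for i, name in enumerate(domains):
        score = sum(row[i] for row in rows) / len(rows)
        level = math.floor(score)  # assumption: highest level fully reached
        per_domain.append({
            "domain": name,
            "maturity": score,
            "level": SSE_CMM_LEVELS[level],
            "gap": target - score,
        })
    alpha = cronbach_alpha(rows)
    return {
        "alpha": alpha,
        "reliable": alpha > RELIABILITY_THRESHOLD,
        "domains": per_domain,
        "overall": sum(d["maturity"] for d in per_domain) / len(per_domain),
        "weakest": min(per_domain, key=lambda d: d["maturity"])["domain"],
    }


if __name__ == "__main__":
    report = maturity_report(SAMPLE_ROWS, DOMAINS)
    print(f"alpha={report['alpha']:.3f} reliable={report['reliable']}")
    for d in report["domains"]:
        print(f"{d['domain']}: {d['maturity']:.2f} -> {d['level']}")
    print(f"overall={report['overall']:.2f} weakest={report['weakest']}")
```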

Root Definition of the Problem and Requirements Analysis
The problem root definition and requirements analysis were determined using CATWOE analysis. The CATWOE analysis was employed to determine the root definition [42] of the complex, real-world problematic situation of how to improve information systems security. CATWOE [64] [65] is a mnemonic with 6 elements denoting Customer/Client, Actors, Transformation, Weltanschauung, Owner and Environmental Constraints.
The study applied the CATWOE analysis to tackle the problematic situation of how to improve ISS by asking at least three questions. The questions asked include: what is the study trying to achieve (W)? How (T)? What constrains it (E)? [66] [67]. In answering what the study is trying to achieve, CATWOE analysis was used to explore the security requirements for ensuring that security goals (CIA) are guaranteed for information during capturing, processing, storage, and transmission in information systems. In answering the how (T) question of CATWOE analysis, the inputs were security requirements (IT security measures and security controls) [67]. The results of CATWOE analysis in this study are summarized in Figure 3.

Results and Discussions
The findings from the analysed data address the research question on "how the information systems security can be improved?" To address this research question, the study carried out an assessment of the institution information security The data analysis was managed by SSM (Figure 2) in a circular fashion by executing every cycle i for a given iteration cycle (i = 1, 2, 3, … n) for each security domain (j = 1, 2, 3, … n, which correspond to ISO4, ISO5, ..., ISO13, ISO14, ISO15). The findings depict that the maturity level across security domains is 0.44 (19%) out of 5 on the SSE-CMM rating scale of 0-5 (Table 2). The finding shows that implementation of security controls/countermeasures for most information security domains is lacking. Thus, in order to improve the security of information systems, organisations should implement security controls/countermeasures in each security domain.
The collected data were analysed and visualised using a time line series graph to portray the maturity level of the seven organisations under study. From the graph (Figure 4), the study portrays that the maturity level across domains is below 1 out of 5 on the SSE-CMM rating scale of 0-5. The highest maturity level is 0.93 for risk management (ISO4) and the lowest security domain maturity level is 0.18 for compliance (ISO15). The study found that the maturity level across security domains is a time series graph with a curve having an average maturity between 0 and 1 out of the optimal maturity level of 5 on the SSE-CMM rating scale of 0-5. Thus, ensuring the security of information systems in the Tanzania education sector is questionable.
For improving the security of information systems, organisations should implement security controls/countermeasures in each security requirement domain.
Further analysis was done using the radar/spider chart analytical tool. The choice of the radar analytical tool was based on the nature of the research question, which involved multivariate observations sharing similar characteristics (security maturity levels on the SSE-CMM rating scale of 0-5). The radar chart was used to tackle the research question on how information systems security can be improved.
The radar chart was used to visualize multivariate observations for institutional maturity level across security requirements domains. Figure 5 depicts a radar chart for institutional security maturity across security requirement domains.
The radar shows that the institutional security maturity is similar across security requirement domains, centred within radii of less than 1 on the SSE-CMM rating scale of 0-5. Further, the study found that the highest radius is 3.0 for risk management (ISO4) in organisation O, followed by the radius of 2.5 in organisation M. The rest of the organisations under study have radii below 1.0 out of 5 on the SSE-CMM rating scale of 0-5. For improving ISS, organisations should view security as a system with multiple layers composed of different security requirements domains interrelated to each other (Figure 5).
The study revealed that maturity level across security domain is 0.44 out of 5  These findings are similar to earlier studies by [1], which found that information systems in cyberspace are affected by cybercrimes. Similarly, studies by [2] [3] found that the number of security incidents exploiting security holes in web applications is increasing (e.g. the Heartbleed bug). Thus, the results of the current study indicate that there is a lack or ad-hoc implementation of IT security controls and countermeasures (for ensuring CIA) in information systems during capturing, processing, storage and transmission of information. Thus, implementation of IT security controls and security measures is lacking or practiced ad hoc in most of the security domains. These security domains include risk management; security policy; organisation of information security; asset management security; human resources security; physical and environmental security; communications and operations management security; access control security; information systems acquisition, development, and maintenance; information security incident management; business continuity management; and compliance. Thus, the study proposed a framework for enhancing information systems security (ISS).

Proposed Framework for Enhancing Information Systems Security
The Soft Design Science Methodology was employed to produce the desired artefact. The study employed the root problem definition (CATWOE analysis) (Figure 3). The results from the research findings were applied in designing and creating the innovative artefact for a proposed framework for enhancing information systems security. The process was iterated by comparing the real world and the conceptual world until the specific requirements were met in the transformation process of developing a framework for enhancing information systems security during capturing, processing, storage, and transmission. Figure 6

Research Study Contributions
The main objective of this study was to tackle the wicked, complex problematic situation on how information systems security can be improved. The contributions towards this research goal are in line with the results presented in this pa-
maturity level to determine security requirements for improvement based on domain security maturity level. The security domains for improving ISS include risk management (ISO4); security policy (ISO5); organisation of information security (ISO6); asset management (ISO7); human resources security (ISO8); physical and environmental security (ISO9); communications and operations management (ISO10); access control (ISO11); information systems acquisition, development, and maintenance (ISO12); information security incident management (ISO13); business continuity management (ISO14); and compliance (ISO15).

Figure 6. Proposed framework for enhancing information systems security.

√
sufficiently segregated in a given organization to ensure the detection of unintentional or unauthorized modification of information. √ √ √ √ √
xix. Backup strategies: Implement backup strategies based on required point objective (RPO): loss acceptable; and required time objective (RTO): time required to restore ISs to operation after disaster or emergency. √ √ √ √ √

Table 1 )
to answer the research question, how can information systems security (ISS) be improved? The sample size for this study was 154 respondents from seven organisations in the education sector. The distributions of these respondents are presented in Table 1. This sample was selected using purposive and stratified random sampling techniques. Purposive sampling relies on the judgment of the researcher when it comes to selecting the units (people, cases/organisations, events, pieces of data) that are to be studied [55] [56]. The selected respondents in this study were those involved in the managing of ICT and security of information systems; procurement decisions of ICT equipment/accessories; and ICT use and compliance. The respondents were selected based on the organisation structure. Taking into account these aspects, the purposive sampling technique was the optimal choice for sampling design. The respondents (Table 1) comprised top management (Permanent Secretary, Commissioners, and Chief Executive Officers), senior management (Directors, Chief Financial Officers, Divisions/Heads of Departments), operations management (Heads of Units/Sections), ICT experts (Network/Systems Administrators, IT Security Specialists and other ICT staff), and end users (operations staff who interact with information systems and know the business processes) from the 7 organisations under study. Stratified random sampling was used to select respondents for end users of information systems from the sampling frame (list of all end users of information systems for the 7 organisations under study) based on the research question. The
Availability works and systems. The availability is the timely, reliable access to data and information services for authorized users. Availability is about information being accessible as needed and where needed. Availability ensures that connectivity is accessible when needed, allowing authorized users to access the network or sys-
Corruption of data is a failure to maintain data integrity.
c) f) IT security controls
IT security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. Controls help to reduce the risk of damage or loss by stopping, deterring, or slowing down an attack against an asset. The IT security controls can be grouped according to nature or relative to time. When grouped according to nature, these controls are: administrative controls, physical controls, technical controls, and compliance controls. When grouped relative to time, these controls are: deterrent controls, detective controls, preventive controls and corrective controls. Some of these IT security controls for ensuring security goals (CIA) are summarized in Table 4.

Table 3. Security measures for ensuring security goals (CIA).