Assessing Challenges Facing Implementation of Information Security Critical Success Factors: A Case of National Examination Council, Tanzania

: Aim of this study was to assess challenges facing implementation of information security critical success factors. The study employed quantitative research approach and survey research design where case study design was used. A sample of 79 respondents derived from the population sample of 372 were used by using Slovin’s formula sampling technique, 86% of respondents questionnaire filled effectively were used. Descriptive data analysis was used to analyze variables based on research questions while, statistical tables and figures were used in data presentation. Results of this study indicate that, there are challenges in implementation of information security critical success factors such as security training program, security policy, risk assessment, regular system update, system auditing and committed of top management. The study found reasons for challenges of implementation from respondent views as availability of limited resources, weak financial support from top management, lack of understanding of needed technology from information technology professionals; poor security awareness program for top management who may think that information security is the issue of information technology department only and not the whole organization. It is therefore concluded that organization should identify their specific information security critical success factors to enhance useful of organization limited resource, without investing in generalization and give solutions based on risk priority, in order to make organization secure also utilization of information security critical success factors holds significant importance in ensuring security of an organization's data. It is crucial to address and eliminate any challenges that are within the scope of affordability or manageability.


Introduction
Data security success is a critical issue in organizations recently and make competitive among them.Studies found areas which when are satisfied will assure success in organization data security, these factors differ organizations wide, hence there is a need of identification of these factors organization wide (Gashgari et al., 2017;Klimoski, 2016).Significant agreement on information security critical success factors assist 884 the creation of information security culture, which is associated with factors such as training and education, risk analysis and assessment, compliance, ethical conduct, top management support, security policy, information security awareness, information security policies and implementation of security procedure (Alnatheer, 2015;Zammani & Razali, 2016;Arbanas, 2019).Weakness in security practice reveal that there is an increase in threat in many organizations in Tanzania which imply to data vulnerability, apart from organizations measured to protect their data it is due to poor understanding of critical success factors (Gashgari et al., 2017;Anslow & Drechsler, 2019;TCRA, 2019).When organizational information security critical success factors are identified and satisfied they may qualify their data security (Zammani & Razali, 2016).There are numbers of known information security critical success but their effectiveness differ in different studies and different organization as well due to culture, rule, regulations (Alghamdi et al., 2020).

Suggested Citation
Despite of success in collection of income through system from government there is possibility of attack since new threats are inevitable, vulnerability are discovered while organization aim at increasing profit and reduce security budget (Bada et al., 2016).Much concentrates is given to technical, vast research found that it is not just a technical issues but it is cross cutting issue and address on necessity of identification of information security success factors in totality in order to ensure data safety (Zammani & Razali, 2016) Organization seek data security but face challenge in identification and implementation of critical areas of concentration, that is information security critical success factors identification which others found that is based on three aspects and these are organization issues that is policy and procedures, process issues such as resource planning, training and awareness, risk management, business continuity management and information system audit but also many studies focus on just internal environment of the organization rather than technology-focused which need more study (Alghamdi et al., 2020) Study from Saudi Arabia on identification and implementation of information security critical security factors such as top management active involvement, proper risk management, accountability and compliance, and propose COBIT and ISO/IEC 27014 frameworks which found suitable locally due to local laws and regulations, research need more investigation in the field by using social variables, different organization with different culture to create a best-practice system (Gashgari et al., 2017) Information security critical success factors assist the creation of information security culture, these factors are; training and education, risk analysis and assessment, compliance, ethical conduct, top management support, security policy, information security awareness and information security policies.Literature not agreed on principle and information security critical success factors that can create security culture and recommend further study to be done qualitatively and in large-scale survey and analysis on challenges of implementation (Alnatheer, 2015;Zammani & Razali, 2016).
According to the study from private Bank in Tehran, information security key factors when implemented properly and practiced frequently results into data security success, expert views identify factors as top management support, awareness, training programs, policy, job responsibilities, and motivation compliance with information security international standards.Similar study conducted in Finland depicted, top management support, security policy, awareness, training and job responsibilities as key factors when properly implemented provide data protection but recommend further study on large sample and different environment (Sadeghi, 2016) Despite similarities in identified information security key success factors, their effectiveness differ due to sample, political environment but some of them resemble such as information system audit which is the most effective, for the case of similarities further studies is needed to challenges related to modern technology such as Web of Things, cognitive computing, savvy cars, smart cities and other which bring modern threats (Arbanas, 2019) Information security success factors guarantee organization data security, but before information security implementation the organization should identify its information security critical success factors in order to focus its limited resources in that area rather than focus on totality.Proper understanding of organization information security success factors, can help organizations to manage on how to focus limited resources on critical areas, therefore saving time and money and creating added value and further enabling operational business when are implemented properly (Tu, 2014;Gashgari et al., 2017;Klimoski, 2016;Arbanas, 2019) Organizations face challenges in implementation of information security critical success factor due to human behavior such as resistance to change and expose of security risks, lack of top management support in finding project or delay activities as results to outdated security policy to be able to address modern security concerns (Lubua, 2022;Wallin, 2023) Therefore, the study assesses challenges of information security critical success factors implementation to enhance data security at National Examination Council of Tanzania.

Literature Review
The study on critical success factors as reviewed by Abraham, (2019) identify many critical success factors and the author choose to study the top most effective and these were awareness, top management support and information security policy implementation.Identification of the key success factors principles differ in different organizations due to organization culture and information system practice, some literature agreed in principles and others differ in this study on identification of key information system security factors, some found security risk analysis, ethical conduct policies as key success factors (Alnatheer, 2015) Review on security-awareness campaigns depict security awareness as among the information system key security factors which stimulate willing to change.Training and continuous feedback is necessary when creating cyber security awareness campaigns (Bada et al., 2016).Establishment of effective information security policy, awareness, training and education, risk analysis, risk assessment, information security compliance, ethical conduct policies, organization culture were identified as keys information system security success factors even though threats are inevitable, as long as new vulnerability are discovered every now and then (Alnatheer, 2015;Klimoski, 2016) Cyber Security Awareness Campaigns recommend security awareness as the information system security factors, and aims to identify key factors regarding security, they found human as most cited factor and suggest the change of people's behavior through security awareness campaigns as this results correlate with others (Bada et al., 2016;Havlí, 2019).Critical success factors identified based on three aspects, these are organization issues that is policy and procedures, process issues such as resource planning, training and awareness, risk management, business continuity management and information system audit and these were found in seven domains which consists of 27 critical success factors that must be considered during developing effective information security governance framework through systematic literature review and literature analysis (Alghamdi et al., 2020) Tu et al, (2014) proposed the theoretical model to investigate factors contribute to success in organization information security and propose six critical success factors such as business alignment, organization support, competences, awareness of security risk and control and information security control these factors were identical with other but have a few new factors which were not identified.According to Gashgari et al., (2017) who develop the framework which include information security key factors in government while compared with other successful frameworks in previous research and test his framework which reveal positive effect at government organization in Saudi Arabia, based on major concertation areas; strategic alignment, performance measurement, value delivery, risk management and resource management Other information security key factors such as top management support, information security policy, training and education, assessment and risk analysis, information security compliance, ethical conduct policies and organization culture where found as identical to the previous research through literature analysis (Alnatheer, 2015).Surveys of organizations through systematic empirical, find factors recognizable as a performance of ISMS certification indicators to enhance the overall security level (Kong et al., 2016).It is recommended to organization to follow international security standards as key success factor in information system to ensure robust security standards otherwise system compromise is inevitable (Muhati, 2018) Few studies have examined the effective factors in successful implementation of information security systems but lacked a coherent framework of effective factors; some did not examine the priorities and specific relationship between factors.Some adopted a quantitative approach in addition to identifying and implementation of factors and identify the relative priorities.Other studies found key performance indicators and recommend identified factors to be kept up to date in further studies.Motivation and awareness are among the widely highlighted factors.Training, positive attitude, security stability; clear understanding of security requirements, participation in information security are well supported variables in implementation of information security systems (Kazemi et al., 2012;Waly et al., 2012;Kazemi et al., 2018) According to study focused on finding success factors for self-implementation from qualitative standpoint, implementer commitment, management commitment and implementer competency were found and the finding were beneficial in providing guidance towards the self-implementation and maneuver of ISMS at the Plan Phase in government sector (Maarop et al., 2015).Research found that clear information security policy and support the training programs for workers will eliminate the obstacles that limit the development of management information systems in the River Nile State, recommendation and support of the scientific research in this area to reach the best results.Our results coincide with the literature on skills and competencies needed for successful cybersecurity professionals and reinforced the idea that communication skills are critical and this is a key factor (Wang, 2014;Mishra, 2019) Based on our review more research into information security key success factors is needed due to security challenges associated with new technologies that bring along new threats.Identification of the factors within the organization will ultimately enable the organization to use its limited resources effectively through investing on security factors which matters most (Arbanas, 2019).There are factors that can be extremely helpful such as security awareness; security education, training and continuous feedback and more recommendation on more cyber security awareness campaigns around the world, especially in North America and Asia, to examine the extent to which they have implemented the factors mentioned above and their levels of campaign success (Bada et al., 2016) The theoretical model is developed through literature review and has never been tested.The model's reliability and validity need support from empirical studies.Little empirical study has been done on information security management from organizational level and its operation need validation for further studies.Hence, stronger theory base is needed to further support this research model (Tu, 2014).The findings of the present study indicate that among the factors influencing successful implementation of information security are existence of regular and appropriate processes that lead operator's specific responsibility, accountability and possibility of monitoring performance regularly, and recommend decision-makers make trade rules for importing the hardware needed for providing information security in businesses and future studies on evaluation of impact variables identified in this study on the performance indicators of the success of information security project (Sadeghi, 2016) Surveys of organizations that required ISMS certification recognize that there is a need of consideration of information security factors through experiment and recommend future research in ISMS certified company in accordance with the satisfaction and effectiveness through systematic empirical approach (Kong et al., 2016).According to Mrakovic (2018) it is discovered that cyber attach may have bring harmful impact on people, marine environment and properties, through his structured survey questionnaire he discovered that there is insufficient level of awareness in and knowledge in cyber security, Research studied the risk of cyber security in submarine Lastly, using the quantitative risk assessment method, the authors propose the best practices for maritime cyber security in the form of implementation of mandatory training course (Kundy & Lyimo, 2019).
To ensure effective resources management in information systems organization should identified and implements its critical information key success factors in order to concentrate with, according to studies there are effective information security governance recommended framework such as COBIT and ISO/IEC 27014, there is a need of reviewed of proposed framework application to another organization to confirm its suitability when subjected to another law and regulations (Gashgari et al., 2017).The current existing literature analyses have not clearly identified factors that have significant influence on information security which can fit for all organizations, many researches reveal weakness of organization security measures and increase in number of information security threat, among other factors human error contribution in cyber-attacks mostly.Most of studies in critical success factors have been done theoretically and not subjected to empirical for verification (Tu, 2014;Sadeghi, 2016).
Organizations losses a lot of money through cyberattack, South Africa loses $157 million annually, in 2017 it costed Africa economies $3.5, countries like Nigeria and Kenya losses estimated to be at $649 million and $210 million respectively (Serianu, 2017).TZ-CERT of Jan 2021, reported an increase in cyber security attack from 993,222 to 979,863 within a week and in 2013, financial sector in Tanzania losses almost 1 billion through cybercrime.This poses a huge problem to financial sector and the government at large (Kaimba et al., 2016, World Bank, 2014;TZ-CERT, 2020).There is a problem with identification of information security success key factors and known factors need validation to make a proof with empirical approach since their effectiveness are limited when subjected to another law and regulations (Zammani & Razali, 2016;Bada et al., 2016;Sadeghi, 2016;Kong et al., 2016) Organizations count their success in collection of income through systems, but there is possibility of attack which may bring down organization operation when cybersecurity investment is not done appropriately.Organization invest in technical aspect, but data security is not just a technical issues but it cut across all organization, and problem is not just investment but is about what make difference between success and failure, hence is necessary to identify the key success factors (Zammani & Razali, 2016;Bada et al., 2016) Many researches which have been done in identification of information security critical success factor were categorizing its factors in three aspects; these are organization issues, process issues and information system audit.By using literature analyses, study found significant agreement on critical factors that assist the creation of information security culture, these factors are; training and education, risk analysis and assessment, compliance, ethical conduct, top management support, security policy, information security awareness, policies, and organization culture, and suggest confirming of these factors to be done quantitatively through a large-scale survey (Alnatheer, 2015;Zammani & Razali, 2016).Another study found identical results on positive impact on identified key success through expert views as top management support, awareness, training programs, policy, job responsibilities, and motivation compliance with information security international standards.Finland study found identical results as top management support, information security policy, awareness and training programs and job responsibilities and other three hypotheses have been rejected so large sample space and different environment may show different output (Sadeghi, 2016) Studies conducted on successful implementation of information security systems lacked a coherent framework of effective factors; some did not examine the priorities and specific relationship between factors.Some adopted a quantitative approach in addition to identifying and implementation of factors and identify the relative priorities.Other studies found key performance indicators and recommend identified factors to be kept up to date in further studies.Motivation and awareness are among the widely highlighted factors in implementation of information security systems.Many proposed models are still not subjected to empirical for verification, hence more grounded hypothesis base is required (Gashgari et al., 2017;Tu, 2014;Klimoski, 2016;Kazemi et al., 2012).
Conceptual framework describes important elements or variables and the postulated relationship among them, in studying the assessment challenges facing implementation of information security critical success factor from participant experience may have concern in enhancement of data security at the National Examination Council of Tanzania.

Methodology
This paper chooses a survey research design as it seems to provide easy way to answer questions and the purposes of the study.The design studied by collecting and analyzing data from a few people as the representative of the entire group public opinion are characterized by using questionnaire and sampling method (Atac & Akleylek, 2019;Avedian, 2014) Quantitative research approach was used due to the fact that the study needs empirical proof (Johnson & Christensen, 2020;Mertens, 2013).Targeted population was 372 respondents, by using purposive sampling which target respondents who have reliable information concerning the subject matter.Slovin's formula was used because of population behavior (Lono, 2018) and deduce 79 required respondents from the population which was provided with questionnaires Study questionnaires was adopted from Centre for Internet Security and National Institute of Standards and Technology and customized to meet study requirements Jr et al (2019).Items content validity was done through Lawshe's method of 1975, pre-test was done to check if it will provide the output which will answer the study question appropriately Jr et al ( 2019) also Cronbach's Alpha was used as it was introduced by Lee J. Cronbach back in 1951 to check questionnaire internal consistency and reliability.
Prior to analysis, the acquired data were processed and confirmed.Before being coded into numerals to make them compatible for analysis, the data were edited, compiled, classified, tabulated, and summarized to detect errors and omissions.SPSS and Microsoft Excel were used for descriptive analysis to analyze variables based on research questions.Descriptive statistics such as frequencies, percentages and cross-tabulations were used in data analysis.Statistical figures were used in data presentation.

Results and Discussions
Based on respondents' views, there is depiction of challenges facing implementation of identified information security critical success factors, specifically information security training.Thus data collected through questionnaires are presented in the figure below.

Information security training implementation
Findings from figure 1 indicate that majority (41%) of the respondents agreed facing challenge on implementation of information security training (23%) strongly agreed, (7%) of the respondents strongly disagreed and (25%) of the respondents disagreed.The remaining (5%) of the respondents were neutral of facing implementation challenge.

Figure 1. Challenge Facing Information Security Training Implementation
From that point of view it can be argued that, majority of the respondent face challenge the findings collaborate that of Tidwell (2011) who found that challenge and argued organizations to increase employee training and awareness to avoid accidental and careless also Haukilehto ( 2019) coincide with our study as he found availability of insufficient staff training due to lack of budget and time hence results into organizations cyber security problems and inefficient operation Andra (2019).

Information system auditing
Findings in figure 2 indicate that (36%) of the respondent which is majority strongly agreed facing challenges on implementation of information system auditing, (28%) agreed and (11%) of the respondents strongly disagreed.(15%) of the respondents disagreed and (10%) which is the minority of the respondents were neutral.
As majority of respondent face challenge this study collaborate that of Ceausu et al ( 2018) who found that challenge in information system auditing due to incompetency in audit personnel and recommend training in order to attain efficient information system audit also Zaslavskiy et al (2018) found, effectiveness of the security measures must include internal audits and recommend best audit option through combine the audit on process with the checklist not to skip specific security issues Zaslavskiy et al ( 2018) and Zammani et al ( 2019) findings coincide with this study on challenges facing implementation information system audit since third party audit feedback take much time and recommend to be done regularly so that identified security problem may be fixed timely and recommend team to possess the necessary auditing skills and applying appropriate auditing techniques.

Implementation of information security policy
Findings in figure 3 indicate that there is a challenge in implementation of information security policy as majority of respondents (43%) agreed with that, (30%) strongly agreed, (13%)
The findings from this study collaborate that of Kabanda et al (2018) who found that there is no personal security commitment agreement which make employees, third parties and stakeholders to be committed to follow information security policy, also collaborate that of Alotaibi & Almagwashi (2018) and Tawalbeh et al (2020) who found lack of BYOD security policy to manage and control its use which is needed to maintain security policy for their devices.

Figure 3. Challenge Facing Implementation of Information Security Policy
Information system risk assessment Findings in figure 4 above indicate that (16%) of the respondents strongly agreed facing challenge in implementation of information security critical success factors, (41%) of the respondents agreed and (8%) of the respondents strongly disagreed.Also (28%) of the respondents disagreed and (7%) of the respondents were neutral that information system risk assessment was challenges in implementation of information security critical success factors.
From that point of view, it can be argued that, majority of the respondent (41%) agreed that they face challenges in implementation of information system risk assessment as information security critical success factors in sustainability of information systems security needs.The findings from this study collaborate that of Pham (2019) who found challenge on lack of people with better security skills and risk awareness who comply with the standard, hence violate security policies also risk assessment is a challenging task, tedious and repetitive, and argue organization may seek to build better infrastructure and efficient software which can reduce task complexity and motivate task performance.

Figure 4. Challenge Facing Information System Risk Assessment
Mura (2019) and Sauerwein et al (2018) findings collate with the study on lack of education so recommend education to participant in order to reduce uncertainties and resource investment to reduce time and software solution to analyze more complex cyber threat intelligence task and also some small organization do not perform security risk assessment and insist all enterprises need to adopt risk management in order to assess and treat risks accordingly and obtain the success of information security management.

Information system security management support
Findings in figure 5 indicate that (25%) of the respondents strongly agreed that they face challenge from management during implementation of information system security as information security critical success factors, (3%) of the respondents agreed and (3%) of the respondents strongly disagreed.Also (46%) of the respondents disagreed and (23%) of the respondents were neutral, respondents were asked whether there were facing challenges in implementation of information system security from top management.

Figure 5. Challenge Facing Management Supports Implementation
From that point of view, it can be argued that, majority of the respondent (46%) disagreed that there are challenges of implementation of information security system from top management as information security critical success factors in sustainability of information systems security needs.The findings from this study collaborate that of Twizeyimana et al (2018) who found many e-government projects failure is due to poor management supports as the key challenge, some institutions want effective information security solution without preparation during working with partners and expect to everything from partner hick is due to lack of awareness about the nature of the problem and solution coverage.
Findings of Somepalli et al (2020) coincide our study as he found some organization consider that information security management is the IT department issue only and not of the whole organization, hence the process of finding solution become the issue of the department with limited authority and the organization issue with full of management supports, hence recommend management to ensure that everyone now is aware of information system security needs and importance and COBIT was designed for management to bridge the gap, also Ionescu et al (2018).

Information system security awareness
The respondents were asked whether there were challenges in implementation of information system security awareness programs.Findings in figure 6 indicate that (26%) of the respondents strongly agreed that they face challenge in implementation of information system security awareness as information security critical success factors at the Organization, (49%) of the respondents agreed and (8%) of the respondents strongly disagreed.Also (13%) of the respondents disagreed and (3%) of the respondents were neutral about facing challenges in implementation of information system security awareness program information security critical success factors.From that point of view, it can be argued that, majority of the respondent (49%) agreed that there are challenges of implementation of security awareness as an identified information security critical success factors in sustainability of information systems security needs.

Figure 6. Challenge Facing Information System Security Awareness Implementation
The finding of the study coincide that of Alotaibi & Almagwashi (2018) who found that in order to implement information system security awareness there are cost need to be incurred that is material and technology cost needs money, the study collaborate that of Alghamdi et al (2020) who found cost in changing organization culture, because after awareness program the organization culture should change to become with security change as is found in ISG framework.Zammani et al (2019) argued that there is no motivation towards awareness of latest security policy, threats and issues that occur in the organization hence cost of awareness programs is to ensure the employees, third parties and stakeholders are aware of IS policy, IS issues and IS threats as well as their responsibilities in protecting the organization's information is needed.Zaslavskiy et al (2018) found challenge that some stakeholders are not aware of specific threats to the cloud infrastructure, hence there is a need to take measures to detect threats and avoid them before they occur, Also according to Alotaibi et al (2018) there is a challenge in both information security technology and human factor awareness and many organization concentrate mainly on technology awareness and weaken human factor awareness which is considered as the weakest link in line of defense.

Regular system update
The findings presented in Figure 7 highlight respondents' views on the challenges associated with regular system updates as a critical factor in information security implementation.A significant portion, 34%, strongly agreed that such updates posed challenges, while 26% agreed, and 11% strongly disagreed.Additionally, 18% disagreed, and 10% were neutral on this issue.This suggests that a majority (34%) of respondents acknowledged the difficulties in implementing regular system updates, which aligns with the research of Kabanda et al (2018).Their work found that keeping systems up-todate, including operating systems and antivirus software, is challenging and costly, especially in regions with poor security practices.Similarly, Gyunka & Christiana (2015) pointed out that investing resource in maintaining workers' security knowledge can reduce cyber breaches but is often challenging due to budget constraints and a lack of awareness about the importance of information system security.
Furthermore, the study coincides with Waithaka (2016) findings, emphasizing the weak information infrastructure and unpatched systems due to budget limitations and a lack of understanding of information system security's necessity.Sen (2018) also noted the complexity and potential negative impacts of software patches, causing concerns about business continuity.

Conclusions
The study's findings indicate significant challenges in implementing various aspects of security measures, including security training programs, information security policies, routine risk assessments, regular system updates, information system audits, and receiving support from dedicated top management.These findings are valuable for future research as they contribute to the existing body of knowledge in the field of security implementation.

Recommendations
It is worth to conclude that in order to strengthen information system security at the National Examination Council of Tanzania, challenges faced during implementation of information security critical success factors challenges should be removed, since their effective implementations enable the organization data to be secure.This study makes the following recommendations; First, Priority should be given to information security training program in order to equip them to be able to handle organization data threat and protect organization data that will improve capability of new knowledge and their effective application in the context of globalization to cope information security threat due to lack of its expertise and provision of regular risk assessment task.Second, Organization should implement information security policy effectively per international security standards to avoid threat due to failure to comply with information security policies.Thirdly, provision of management supports through funding information system security projects, provide proper security hygiene through performing systems regularly update such updating operating system currently released systems patches, anti-virus software and infrastructure systems to reduce organization's cyber security breaches.Fourthly, Organization should enhance motivation towards awareness of latest security threats and policy implementation for in-house, third parties and stakeholders as human factor considered as the weakest link in line of defense, through awareness behavior should change and security culture establishment.The study was limited to the case study; hence similar study including additional organization of the same nature with bigger sample size is required for generalization purposes as well as qualitative study.