LEGON CENTRE FOR INTERNATIONAL AFFAIRS AND DIPLOMACY (LECIAD)
UNIVERSITY OF GHANA

CYBER RISK POSTURE OF GHANAIAN TELECOMMUNICATION COMPANIES: A CASE STUDY OF VODAFONE GHANA

BY

NAA ADAWULEDE ANDREWS (10390977)

THIS DISSERTATION IS SUBMITTED TO THE UNIVERSITY OF GHANA, LEGON, IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE AWARD OF THE MA IN INTERNATIONAL AFFAIRS & DIPLOMACY DEGREE

LEGON
JULY 2021

University of Ghana http://ugspace.ug.edu.gh

DECLARATION

I, NAA ADAWULEDE ANDREWS, do hereby declare that this dissertation is the result of original research conducted by me under the supervision of Dr. Nene-Lomotey Kuditchar, and that, apart from other works which have been duly acknowledged, no part of it has been submitted anywhere for any purpose.

NAA ADAWULEDE ANDREWS (CANDIDATE)          DATE: 06/08/2022
DR. NENE-LOMOTEY KUDITCHAR (SUPERVISOR)    DATE: 06/08/2022

DEDICATION

This work is first dedicated to God Almighty for the strength, wisdom, grace and discipline He instilled in me to complete this work. I also dedicate this work to my parents for their support throughout my academic life. I dedicate this work as well to My Love for his endless support and encouragement throughout my study and the writing of this dissertation. May God richly bless you all.

ACKNOWLEDGEMENTS

After what seemed to be an endless period of despair, I would like to thank the Almighty God for giving me strength to complete this work. Thank you for hearing me when I was down. All praise and glory unto You. Secondly, I cannot begin to thank My Love, Mr. Henry Olletey, for his endless support and encouragement. His words, pragmatism and positivity helped me move forward when I felt like I could not any longer. I am truly grateful. I would also like to thank two special classmates, Ms Nina Ohenewaa Kwarteng and Mr. Ato Enninful, for always finding time to encourage me despite struggles with their own work. My gratitude also goes to all organizations and resource persons who, irrespective of their busy schedules, made it possible to answer all my questions. Your input is invaluable. Finally, my sincere appreciation goes to my supervisor, Dr. Nene-Lomotey Kuditchar, who provided astute advice and suggestions throughout all review sessions. His feedback always pushed me to amplify and evaluate my ideas.

LIST OF ABBREVIATIONS

IoT - Internet of Things
ITU - International Telecommunications Union
USB - Universal Serial Bus
NCA - National Communications Authority
MNO - Mobile Network Operator
ERM - Enterprise Risk Management
DoS - Denial-of-Service
DDoS - Distributed Denial-of-Service
CoE - Council of Europe
AU - African Union
MoU - Memorandum of Understanding
ECOWAS - Economic Community of West African States
CIRT - Computer Incident Response Team
CERT - Computer Emergency Response Team
CIIP - Critical Information Infrastructure Protection
PPP - Public-Private Partnerships
ADP - Accelerated Development Program
SAT-3 - South Atlantic Telecommunications cable no.3
WASC - West African Submarine Cable
VSAT - Very Small Aperture Terminal
ISP - Internet Service Provider
PCSRC - Postal and Courier Services Regulatory Commission
GMet - Ghana Meteorological Agency
AITI-KACE - Ghana-India Kofi Annan Centre of Excellence in ICT
NITA - National Information Technology Agency
DPC - Data Protection Commission
GIFEC - Ghana Investment Fund for Electronic Communications
GPCL - Ghana Post Company Limited
NCSPS - National Cyber Policy and Strategy
CNII - Critical National Information Infrastructure
NCSC - National Cyber Security Centre
COP - Child Online Protection
NCSTWG - National Cyber Security Technical Working Group
UAM - User Access Management
CISO - Chief Information Security Officer
CTO - Chief Technology Officer

TABLE OF CONTENTS

DECLARATION
DEDICATION
ACKNOWLEDGEMENTS
LIST OF ABBREVIATIONS
TABLE OF CONTENTS
ABSTRACT
CHAPTER 1
1.0 Introduction
1.1 Statement of Research Problem
1.2 Research Questions
1.3 Research Objectives
1.4 Scope of study
1.5 Rationale of study
1.6 Sources of data
1.7 Method
1.8 Literature review: Cyber Security and Risk Management
1.8.1 What is cyber security?
1.8.2 Theoretical Framework: Enterprise Risk Management Theory
1.8.2.1 Cyber security risk management
1.8.3 Cyber Security: The Fourth Industrial Revolution in Perspective
1.8.4 The Politics of Cyber Security
1.8.5 Cyber Security Conventions and Treaties: The African Union Convention on Cyber Security and Personal Data Protection and the Budapest Convention in Perspective
1.9 Arrangement of chapters
CHAPTER 2
2.0 The evolutionary history of Vodafone in Ghana
2.1 Telecommunications Policy in Ghana
2.1.1 International telecommunications Segment
2.1.2 Domestic public telephone services
2.1.3 Dedicated transmission networks
2.1.4 Internet Services
2.1.5 Roles of Government Institutions
2.2 Ghana Cyber Security Policy
CHAPTER 3
3.0 Introduction
3.1 Approach to Study
3.2 Research Strategy
3.3 Data Collection Techniques
3.4 Data Analysis and Discussion
3.4.1 Cyber risks in telecommunications companies
3.4.2 Risk management approach
3.4.3 Risk management innovations
3.4.4 Cyber risk policy evolution
CHAPTER 4
4.0 Summary of findings
4.1 Conclusion
4.2 Recommendations
4.3 Further areas of research
BIBLIOGRAPHY
APPENDIX

ABSTRACT

This study sought to explore the cyber risk posture of Ghanaian telecommunication companies using Vodafone Ghana as a case study. The study used Enterprise Risk Management (ERM) as its theoretical backbone, and data were collected and analyzed qualitatively. Scholars define ERM as a holistic, systematic and integrated approach to the management of the total risks that a company faces; it challenges the norm of siloed, department-specific risk management. The findings show that the risk management structure and approach of the organization largely follow the tenets of ERM and outline how cyber risks are identified, mitigated and monitored at different levels.
The findings further indicated that telecommunication companies in Ghana experience unique cyber risks because of the sensitive information they store and handle in their operations. There also appears to be no cross-firm collaboration or experience sharing on the application of the ERM strategy; organizations seem to operate in isolation when it comes to protection against cyber risks. In addition, although the evolution and current state of Ghana's national cyber policy are adequate relative to regional and global standards, the enforcement and enactment of its provisions are lax and lacking at best. Recommendations from this study are based on ways to enhance the cyber security posture of the telecommunications industry and the country. These include collaboration between industry players, public sector collaboration, regional/international cooperation, and awareness campaigns to develop a public culture of cyber security.

CHAPTER 1
Cyber Security and Risk Management

1.0 Introduction

Advances in technology have brought the world to a new age: the fourth industrial revolution, or Industry 4.0. This shift heralds a cyber-connected world with increased smart machinery and manufacturing, tailored products and services, smart autonomous technologies, artificial intelligence, the Internet of Things (IoT) and cloud computing, among others (Deloitte, 2017). As of July 2020, there were 4.57 billion active internet users worldwide (Clement, 2020). The interconnectedness of Industry 4.0-driven operations, coupled with the speed of digital transformation, proliferates increasingly complex cyber risks and cyber security challenges (Deloitte, 2019). These cyber risks force people, organizations, institutions and governments to alter their manner and culture of operations in order to achieve strategy and business objectives.
Organizations of all types and sizes are susceptible to cyber-attacks, with valuable data, systems and assets at the mercy of cyber attackers' motives. Increasing cyber threat activity prevents organizations from achieving strategy and business objectives and can result in the destruction and deterioration of trust, brand, reputation, informational assets and the financial well-being of victim companies. As a result, the reality is that cyber risk is not something that can be avoided; instead, it must be managed. According to the International Telecommunications Union's (ITU) global cyber security index conducted in 2018, Ghana ranked 89th out of 175 nations (International Telecommunications Union, 2019). In 2019, Ghana lost about $9.8 million to cybercrime acts including mobile money scams and other forms of extortion, compared to $105 million in the previous year (Nyarko-Yirenkyi, 2020).

Since the emergence of cyber-fraud in Ghana between 1999 and 2000, electronically based crime has evolved from credit card fraud, initially facilitated by hotel attendants at international hotel chains who would collate and share the credit card details of Western visitors with scammers. There were also identity or romance scams, where fraudsters posed as individuals with false identities, faking love interests in order to obtain financial information and passwords, and estate fraud, where scammers 'sell' property, typically to Westerners and to Ghanaians residing in the diaspora who are looking to return to the country upon retiring; all of these were infamously termed 'sakawa' or '419 schemes' (Warner, 2011, pp. 739, 740, 744). The proliferation of cyber-crime drew attention to the country and resulted in its being blacklisted as a haven for money laundering by the Financial Action Task Force, a transnational surveillance body, in 2012 (Darko, 2015), and in its being flagged by U.S. online retailers as they became increasingly aware of fraudulent orders from internet scammers (Warner, 2011, p. 738).

Ghana was among the first nations on the continent to gain access to the internet, in the 1990s (Foster, Goodman, Osiakwan, & Bernstein, 2004, p. 6). Access to internet connectivity came in waves, beginning with computers in internet cafés and other public access areas such as workplaces, schools and tertiary institutions. The second wave of internet connectivity came through the introduction of smartphones, mobile broadband and access dongles, which are universal serial bus (USB) modems with SIM card slots that provide internet access to a computer. The third wave progressed to fixed-line connectivity through fiber optic technology (Baylon & Antwi-Boasiako, 2016, pp. 1, 2). According to the National Communications Authority (NCA), as of January to March 2020 there were 25,479,511 mobile data subscriptions across the 4 main mobile network operators (MNOs) in the country (National Communications Authority, 2020). As internet infrastructure expands and internet connectivity becomes cheaper and faster, cyber criminals have more resources with which to proliferate illegal activity and access to a larger pool of potential victims (Baylon & Antwi-Boasiako, 2016). Evidently, telecommunication companies are key custodians of the information and assets involved in the perpetration of these crimes.

In response to the increasing threat of cyber-crime activity in the country, the government of Ghana, particularly the Ministry of Communications and its sub-bodies discussed later, has the mandate to make and uphold laws specific to electronic and cyber activity. Laws including the Electronic Transactions Act (Act 772), the Ghana National Telecommunications Policy and the National Communications Act (Act 769), among others, govern the responsibilities of the relevant players in the industry (Media Foundation for West Africa, 2017).
Thus, this research seeks to explore the cyber risk posture of telecommunication companies in Africa, using Vodafone Ghana as a case study.

1.1 Statement of Research Problem

To what extent and in what ways does the risk posture of Vodafone Ghana align with the Ghana National Telecommunications and Cyber Security policy framework?

1.2 Research Questions

Based on the statement of the research problem above, the study seeks to address the following research questions:

1. What are the cyber risks encountered by telecommunication companies in Ghana?
2. What is the risk management approach of these telecommunication companies?
3. What are the possible risk assessment innovations?
4. What is the cyber risk posture policy evolution of these telecommunication companies?

1.3 Research Objectives

The study will address the following research objectives:

1. To ascertain the cyber risks encountered by telecommunication companies in Ghana.
2. To investigate the risk management approach of these telecommunication companies.
3. To explore the possible risk assessment innovations.
4. To examine the cyber risk posture policy evolution of these telecommunication companies.

1.4 Scope of study

Vodafone Ghana was chosen as the case study because of its interesting past, having evolved from what used to be Ghana's national telecommunications backbone, fully owned by the government of Ghana. The scope period is the existence of Vodafone Ghana in its current form, partially owned by Vodafone Plc and the government of Ghana. As an employee of Vodafone Ghana, I had the privilege of a unique position that allowed me unusual access to data, making this a convenient and intellectually smart move. However, this privileged position could also limit and constrain my ability to talk about some aspects of this study.
1.5 Rationale of study

Through the application of Enterprise Risk Management as the theoretical backbone, this study adds to existing knowledge on the topic and explores how telecommunication companies address cyber risk issues.

1.6 Sources of data

Data were collected from primary and secondary sources. Primary data consist of in-depth one-on-one interviews with respondents from institutions relevant to the study, whereas secondary data consist of journals, articles, books, online sites and other relevant documents.

1.7 Method

This study employs a qualitative research approach to understand what kinds of cyber threats are peculiar to the telecommunications industry and how these are managed, using the enterprise risk management conceptual framework. The chain-link or snowball technique will be used to identify respondents for the purpose of this research. In this technique, information gathering begins with an individual or a few people and then depends on these people to connect the researcher with others who have similar characteristics and can contribute to the research (Lopez & Whitehead, 2013). Identified persons will be engaged in in-depth elite interviews to gather the necessary information. Information collection will cease when responses approach a point of saturation, that is, when respondents stop giving new information. This technique is limited in that it relies on referrals from an original list of contacts to identify additional contributors; thus, participants are often not considered to form a sufficiently representative sample of the overall population under observation (Lopez & Whitehead, 2013). The data analysis technique for this study will be content analysis, which involves classifying data purposefully in order to comprehend the data collected and to highlight the salient points, insights or findings. The analysis will also use the ERM framework as a guide.
1.8 Literature review: Cyber Security and Risk Management

This section entails a systematic look at the definition of cyber security and its relevance in the perspective of the fourth industrial revolution, the politics of cyber security in developed states, African states and multinational corporations, and the politics of cyber risk assessment. A conceptual framework based on the concept of enterprise risk management (ERM) will also be discussed.

1.8.1 What is cyber security?

This section discusses the definitions, similarities and differences of information security and cyber security. While both terms are similar and used interchangeably by most, cyber security and information security are not identical (Von Solms & Van Niekerk, 2013). Fundamentally, both practices focus on the protection of sensitive organizational data using data security and risk management techniques, yet on closer inspection cyber security is a broader concept than information security, encompassing additional dimensions.

Information security is "the protection of information resources against unauthorized access" (Raggad, 2010). This indicates that only authorized personnel or ICTs are permitted access to sensitive information sources such as networks, data, software and hardware. This definition clearly pertains to organizational objectives, as those form the basis on which authorization decisions are made. Through data abstraction and the limitation of access to data sources, authorization is granted only to key business stakeholders who require the information for the execution of specific business objectives. This controlled access to organizational information supports the overall business aim of reducing the likelihood and adverse effects of security incidents.
ISO/IEC 27000 (2016), a significant global standard, defines information security as "the preservation of confidentiality, integrity and availability of information". These are the three aspects of information (known as the 'CIA triad') that require protection for the attainment of security objectives. Only authorized personnel should be granted access (availability) to accurately represented information (integrity) without exposure to unauthorized parties (confidentiality) (Harris, 2002). They are also called the characteristics of information security. If one of those characteristics is compromised, it is said to be a security failure.

The International Telecommunications Union (ITU) (2008, p. 2) defines cyber security as follows: "Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user's assets." This definition emphasizes the key elements and subjects under cyber security which require protection. In all instances, however, the concepts of "information security and cyber security both aim to maintain the security properties of confidentiality, integrity and availability" (Junp, 2011). The ITU's definition highlights a broader perspective of conserving both technical and non-technical elements. Von Solms and Van Niekerk (2013) echo this by emphasizing the focus of cyber security on both information and non-information assets within cyber space, or that can be affected via cyber space. The term cyber security will be used in place of information security, as the former covers the broader scope of this research. Thus, the term 'cyber risk management' will be used to connote the risk management process that is used to manage cyber risk.
1.8.2 Theoretical Framework: Enterprise Risk Management Theory

This study employs the concept of enterprise risk management (ERM) as its framework and backbone. This section discusses the connotation and scope of ERM, starting with the fundamental question "what is ERM?", then the shortcomings of the theory, and finally how it will be operationalized in the context of the cyber risk posture of telecommunications in Ghana.

Historically, companies or enterprises have managed risk in a siloed manner, according to department or division. This is mainly because risks differ across each section of the business. In this form of risk management, each department has its own tools and practices, which appear fragmented and incongruous. Beginning with Kloman's (1976) "The Risk Management Revolution," many practitioners have advocated a coordinated approach to risk management (Bromiley, McShane, Nair, & Rustambekov, 2015, p. 266). Kloman described practices in mid-70s and 80s Europe which now form the basis of what is considered to be ERM today. It was a proposal for collective and multidisciplinary risk management rather than risk management isolated and disjointed across several departments.

ERM came to the fore as a corporate concept in the mid-1990s and has been defined in several ways by scholars and collective groups. Dickinson (2001, p. 360) defines ERM as "a systematic and integrated approach to the management of the total risks that a company faces." The Casualty Actuarial Society (2003, p. 8) outlines Enterprise Risk Management as "disciplines by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purposes of increasing the organization's short- and long-term value to its stakeholders." Barton et al. (2002, p. 4) stipulate that "ERM shifts risk management from a fragmented, ad hoc, narrow approach to an integrated, continuous, and broadly focused approach." Another definition, according to Sobel and Reding (2004, p. 29), "is a structured and disciplined approach to help management understand and manage uncertainties and encompasses all business risks using an integrated and holistic approach." The Committee of Sponsoring Organizations (COSO) (2004) described "ERM as a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." Therefore, Enterprise Risk Management can be seen as a systematically integrated and disciplined approach to managing risks within organizations to ensure that firms achieve their objective, which is to maximize and create value for their stakeholders.

The spirit of these definitions of ERM will be applied specifically to security risk, which typically arises from the usage and operation of information systems. Thus, employing ERM as a conceptual framework, a useful way to operationalize it would be along two dimensions: one is the components of the risk management process, and the other is the manner in which the process is integrated throughout the organization. The first dimension, the components of risk management, is a comprehensive process that requires organizations to define, evaluate, monitor and manage risk. The first step of this risk management process is the definition of risk, which involves framing the context of risk-based decision-making and creating a plan to help organizations determine how to assess, respond to and monitor risk.
This includes preempting threats and vulnerabilities, evaluating the probability of occurrence and the likely impact on subsequent components. It also involves assessing and identifying risk tolerance levels, that is, the level, types and degrees of risk that are deemed permissible by the organization. Framing risk also comprises strategic executive-level decisions on how risk to organizational activities and assets, individuals, partners, and the Nation is to be managed by leadership (National Institute of Standards and Technology (NIST), U.S. Department of Commerce, 2011, p. 6).

The second component of risk management highlights strategies for the evaluation of risk by organizations, within the context of risk defined in the first step. The essence of this step is to identify threats to businesses or threats directed through organizations, the internal and external frailties of organizations, the potential harm should these vulnerabilities be exploited, and the probability of occurrence of said threats. The business must develop tools and methodologies to assist in this assessment.

The third component of risk management addresses how organizations respond to risk once said risk has been identified in the risk evaluation stage. Following the spirit of the ERM definitions above, the risk response is to provide congruous, organization-wide action in accordance with the risk frame. This is done by determining an appropriate course of action consistent with the organization's risk appetite or risk tolerance, and executing responses in accordance with the predetermined courses of action. The types of risk response that can be implemented include accepting, avoiding, mitigating, sharing or transferring risk. Appropriate tools and techniques must be developed to assist in responding to risk, evaluating these responses and communicating them to relevant stakeholders within and external to the organization.
Finally, the fourth component of risk management outlines ways in which organizations monitor risk over time. This component exists as a check to validate the implementation of risk responses, determine the overall efficacy and pinpoint changes and impacts on the organization. The process of risk management is flexible and must not necessarily always follow a linear or sequential path through the components elicited above. Information, communication flows as well as execution can be dynamic among the components. The second dimension of operationalizing ERM, with respect to information security risk, is the manner in which the process is integrated throughout the organization. This is done through an approach with addresses risk at three levels: the organizational level, business processes and objectives level, and information systems level. This approach can be conceptualized as a pyramid with the topmost tier being the organization level, tier 2 in the middle as the mission/business process level and tier 3, the base of the pyramid, as the information systems level (National Institute of Standards and Technology (NIST), U.S. Department of Commerce, 2011, p. 9). This multitier approach enables seamless communication and execution of the risk management process across the total organization through inter-tier and intra-tier interaction. Tier 1 tackles risk from the perspective of the organization and implements the activities of risk framing which involves providing context for all the organization’s risk management activities. Governance structures consistent with the strategic goals and objectives of the organization must be established to give insight into conducted risk management activities. 
These governance structures include the establishment of a risk executive function, a risk management strategy which reflects risk tolerance, and the definition and implementation of organization-wide strategies for investment in resources, tools and techniques for information security. The missions and business functions outlined in this tier significantly shape the design and development of the processes in Tier 2 that achieve them, which in turn trickles down into how information systems are allocated and deployed at Tier 3. Tier 2 addresses risk from the perspective of mission/business processes and is based primarily on the risk context, decisions and activities at Tier 1. These activities include defining processes to support the mission and business functions identified in Tier 1, prioritizing these processes according to their criticality and the sensitivity of the information they require, incorporating information security requirements into the processes, and establishing an enterprise architecture with information security embedded in it, all aligned with the strategic organizational objectives. Tier 2 influences and guides the deployment of security controls to information systems at Tier 3. This level also provides feedback to Tier 1, which could result in modification of the organization’s risk frame and management activities. Tier 3 approaches risk from the perspective of information systems and is based on the risk context, decisions and activities highlighted in the previous two tiers. Risk management activities in this tier comprise the categorization of organizational information systems, the assignment of security controls to those information systems, and the environments in which those information systems operate.
These are consistent with the established enterprise architecture and information security architecture of the organization, and cover managing the selection, implementation, assessment, authorization and ongoing monitoring of the allocated security controls as part of a well-structured system development life-cycle process executed across the organization (National Institute of Standards and Technology (NIST), U.S. Department of Commerce, 2011, p. 10). These activities also provide essential feedback to Tiers 1 and 2. Scholarly reviews and critiques of this concept, and surveys among risk managers, reveal that several articles define extensively the features and functions of the ERM process, with only a few providing guidance on how to achieve it. Practically none of the literature addresses the challenging combination of cultural, logistical and historical issues that are unique to each organization. Many articles use overarching statements that are broad, vague and all-encompassing. There is a clearly identifiable gap in the availability of information on how organizational silos can be harmonized to truly transform traditional risk management. The systems or tools implemented for ERM depend on the unique risks faced by an organization, so a general ERM system suitable for any kind of organization is not possible (Kerstin, Simone, Nicole, & Lehner, 2014, p. 13). Lastly, the impact of corporate culture on ERM execution and practice is inadequately addressed in the literature (Fraser, Schoening-Thiessen, & Simkins, 2011, pp. 399-401).
1.8.2.1 Cyber security risk management
The measures that organizations put in place to protect valuable company assets constitute cyber security risk management (Testrig, n.d.). Risk management enables effective decision making and communication of results within the organization (Kure, Islam, & Razzaque, 2018, p. 2).
Literature on the handling of information system and computer related security risk generally focuses on technical issues and disregards the application of some aspects of the risk management process (Eling, McShane, & Nyugen, 2021, p. 96). There tends to be more focus on “reducing probability of an adverse event than on reducing its consequences” (Blakley, McDermott, & Geer, 2001, p. 99). Collier et al. (2013, p. 469) note that the focus on “technical issues at component levels”, such as threat and vulnerability detection, should shift towards a more holistic analysis that integrates the physical, information, cognitive and social domains, the four domains of cybersecurity. The first domain, physical, refers to the hardware, software and networks that make up cyber infrastructure. The second, the information domain, features “monitoring, information storage and visualization” (Collier, Linkov, & Lambert, 2013, p. 469). The third, the cognitive domain, calls for proper analysis and sensing of the information that influences decision making. Finally, the social domain focuses on the consistency of cyber security decisions with “social, ethical and other considerations that are characteristic of their enveloping societal domain” (Collier, Linkov, & Lambert, 2013, p. 470). The cyber risk management process involves identification, analysis and treatment. One method of identifying cyber risks is by which element of the ‘CIA triad’ (confidentiality, integrity and availability) they affect (Biener, Eling, & Wirfs, 2015). These three, together with authenticity (assurance that data and messages genuinely originate from the claimed source) and non-repudiation (proof that a party sent or received a message, so that the act cannot later be denied), are termed the five pillars of cyber security (Infinit-O, 2018). Howard and Longstaff (1998, p. 14) note that “vulnerability arises in different stages of development”: design, implementation and configuration.
Cyber risk analysis looks at the factors that could increase a firm’s chances of experiencing cyber-attacks, and at the tools and methods for analyzing the probabilities as well as the impacts of cyber-related events. Organization characteristics such as firm size, corporate social responsibility activities and financial strength are determinants of the chances of experiencing cyber-related events. Firm size is a proxy for the quality and breadth of infrastructure. On one hand, smaller organizations that have less robust infrastructure than larger firms could experience more cyber-attacks. On the other hand, larger firms are likely to hold more data and are thus bigger targets. However, Lending et al. (2018) note that the better information security infrastructure of larger firms discourages cybercriminals from attacking. The way in which an organization’s activities affect the environment, its level of involvement in the community and its overall social responsibility can be a factor in why cybercriminals target firms: organizations seen as largely socially irresponsible are likely to be targeted by activist hackers as a form of punishment (Eling, McShane, & Nyugen, 2021). Finally, a firm’s financial strength, which dictates its investment in cybersecurity systems, plays a part in probability as well; financially strong organizations are less likely to experience cyber-attacks. Tools and methods used to assess probabilities include risk scoring based techniques (Shetty, et al., 2018), software that uses statistical analysis, adversarial risk analysis (Insua, et al., 2019) and machine learning techniques (Sentuna et al., 2020). Cyber-related events have impacts on shareholder value and reaction, consumers, reputation and compliance with legal and regulatory obligations. Shareholder value is negatively affected in the event of cyber-attacks.
These threats “incur additional costs for targeted firms, which lowers their long-term performance on average” (Eling, McShane, & Nyugen, 2021, p. 103). Reactions of shareholders to cyber-related events vary with frequency: at the onset of cyber incidents there are strongly negative shareholder reactions, but as the frequency of events increases, reactions plateau as shareholders become familiar with frequent incidents. Consumer trust and spending are affected when an organization experiences a cyber-attack. The occurrence of breaches negatively impacts the trust consumers have in a business and thus the money they are willing to spend with it (Bansal & Zahedi, 2015). The organization’s reputation erodes, and this further affects the bottom line. Legal and regulatory impact can take the form of fines and sanctions under applicable laws. Cyber risk treatment is determined by a combination of the likelihood and the level of impact of a cyber-related event. Treatment includes “avoidance, mitigation to reduce likelihood and/or impact, transfer, and retention” (Eling, McShane, & Nyugen, 2021, p. 104). Although recognized as a treatment option in the literature, avoidance is regarded as unrealistic: in this age of dependency on information technology and the digital era of Industry 4.0, organizations and consumers always expect to be secure. Thus, the risk is managed through the other treatments. Mitigation of cyber risks includes measures that protect the five pillars of cybersecurity (confidentiality, integrity, availability, authenticity and non-repudiation). Examples of these measures are password and biometric authentication, virtual private networks, and encryption. Risk transfer relies on insurance as a measure. Cyber insurance policy coverage includes liability areas such as network security, privacy, communication and media, and cyber extortion (R & R Insurance).
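The treatment decision described above, likelihood combined with impact and then matched against a tolerance, is what a risk-scoring technique actually computes. The following is an added worked example, not code from this dissertation or from any source it cites. It assumes a 5x5 qualitative scale, a constructed sample register for a mobile operator, and control-effectiveness fractions that are illustrative assumptions rather than measured values; the decision rule for choosing retain, transfer, mitigate or avoid is likewise an assumption of the example.

```python
"""Qualitative cyber risk scoring with residual risk and treatment selection.

Added example, not code from the dissertation or from any source it cites.
The 5x5 likelihood/impact scale, the tolerance value, the sample risks and
the control-effectiveness fractions are all constructed assumptions chosen
to illustrate the four treatments (retain, transfer, mitigate, avoid).
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

PILLARS = {"confidentiality", "integrity", "availability",
           "authenticity", "non-repudiation"}


@dataclass
class Control:
    name: str
    likelihood_cut: float       # fraction of likelihood removed, 0..1 (assumed)
    impact_cut: float = 0.0     # fraction of impact removed, 0..1 (assumed)


@dataclass
class Risk:
    name: str
    pillars: set                # which of the five pillars the event hits
    likelihood: int             # 1 (rare) .. 5 (almost certain)
    impact: int                 # 1 (negligible) .. 5 (severe)
    controls: List[Control] = field(default_factory=list)
    insurable: bool = False     # a policy exists that would cover the loss


def combined_cut(fractions: Iterable[float]) -> float:
    """Combine independent controls: what remains is the product of what each leaves."""
    remaining = 1.0
    for f in fractions:
        if not 0.0 <= f <= 1.0:
            raise ValueError("control effectiveness must lie in [0, 1]")
        remaining *= 1.0 - f
    return 1.0 - remaining


def residual(risk: Risk) -> Tuple[int, int]:
    """Residual (likelihood, impact) on the same 1..5 scale; never driven below 1."""
    if not risk.pillars <= PILLARS:
        raise ValueError(f"unknown pillar in {risk.pillars}")
    l_cut = combined_cut(c.likelihood_cut for c in risk.controls)
    i_cut = combined_cut(c.impact_cut for c in risk.controls)
    return (max(1, round(risk.likelihood * (1.0 - l_cut))),
            max(1, round(risk.impact * (1.0 - i_cut))))


def score(likelihood: int, impact: int) -> int:
    return likelihood * impact


def treatment(risk: Risk, tolerance: int) -> str:
    """Decision rule (an assumption of this example):
    retain   - residual score is within tolerance
    transfer - insurable, low-frequency, high-severity tail
    avoid    - residual score still in the top band (>= 20)
    mitigate - everything else: add or strengthen controls and re-score
    """
    rl, ri = residual(risk)
    res = score(rl, ri)
    if res <= tolerance:
        return "retain"
    if risk.insurable and ri >= 4 and rl <= 2:
        return "transfer"
    if res >= 20:
        return "avoid"
    return "mitigate"


def plan(register: List[Risk], tolerance: int) -> Dict[str, str]:
    return {r.name: treatment(r, tolerance) for r in register}


TOLERANCE = 4  # constructed: residual score the board accepts without further action

# Constructed sample register for a mobile operator.
REGISTER = [
    Risk("DDoS on customer self-service portal", {"availability"}, 4, 4,
         [Control("upstream scrubbing service", 0.5, 0.5)], insurable=True),
    Risk("Phishing of billing staff", {"confidentiality"}, 5, 4,
         [Control("MFA on billing portal", 0.4)]),
    Risk("Cyber extortion against data centre", {"availability", "integrity"}, 2, 5,
         [Control("offline backups", 0.0, 0.2)], insurable=True),
    Risk("Unpatched legacy billing host", {"integrity", "confidentiality"}, 4, 5,
         insurable=True),
]

if __name__ == "__main__":
    for name, decision in plan(REGISTER, TOLERANCE).items():
        print(f"{decision:9s} {name}")
```

The point of `combined_cut` is that two controls each removing half the likelihood leave a quarter, not zero; summing effectiveness figures is a common spreadsheet mistake that makes residual risk look smaller than it is. Note also that the scrubbing service in the first entry brings a high inherent DDoS risk down to the retain band, while the legacy host with no controls is the one case the rule sends to avoidance.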
Retention of risk is when the best effort of mitigation and transfer yields a level of residual risk that is acceptable (Eling, McShane, & Nyugen, 2021). Stine et al. (2020) note that there is difficulty in integrating cybersecurity programs into the framework of ERM. As discussed earlier, ERM is a holistic approach to risk management, implemented across all levels of the organization. However, due to the complexity of defining cyber risk, it tends to be treated in a silo. Weill and Ross (2004) stipulate that although cyber risk is, and should be seen as, important at all levels of corporate governance, “most boards continue to ignore or delegate technology matters to management, sometimes several layers down the organization structure” (Valentine, 2016, p. 179).
1.8.3 Cyber Security: The Fourth Industrial Revolution in Perspective
Industrial revolutions are important milestones that have changed the course of human history. In the 18th century, the invention of steam power, resulting in mechanization and mechanical power generation, marked the beginning of the first industrial revolution (Rojko, 2017, p. 79). The second industrial revolution introduced electric energy-driven mass production, which enabled factory workers to easily and quickly replicate products with the help of assembly line techniques. The third industrial revolution, the beginning of the information age, was characterized by the onset of electronics and the automation of processes using computers, resulting in a highly productive industrial era (Frost & Sullivan, 2017, p. 3). Presently, in the fourth industrial revolution, also known as ‘Industry 4.0’, the world is witnessing rapid advances in technology and a new age of integrated digital (cyber) space and physical space catalyzed by the Internet of Things (IoT).
Industry 4.0 involves processing enormous data volumes, engineering human-computer interactive systems and improving communication between the digital and physical environments (Frost & Sullivan, 2017, p. 4). The concept of industrialization is not limited to production systems but also includes the complete value chain (from the producers to the consumers of one enterprise, towards the ‘Connected World’ of all enterprises) and the functions and services of all enterprises (Rojko, 2017, p. 86). “The main idea of Industry 4.0 is to exploit the potentials of new technologies and concepts such as availability and use of the internet and IoT, integration of technical processes and business processes in companies, digital mapping and virtualization of the real world, and ‘smart’ factory including ‘smart’ means of industrial production and ‘smart’ products” (Rojko, 2017, p. 80). The onset of this new industrial age has changed conventional terms like production planning and control to cyber-physical systems and IoT, and data management to Big Data, Cloud and Cybersecurity. Organizations adopting these new technologies rely on the efficiency of their information systems to facilitate their business activities. These ‘smart’ and interconnected organizational systems not only create more opportunities but significantly increase exposure to many security risks with critical operational and financial impacts (Pereira, Barreto, & Amaral, 2017, p. 1257). Cybersecurity in the industrial landscape gained momentum after the infamous Stuxnet attack on an Iranian nuclear facility in 2010 (Frost & Sullivan, 2017, p. 9). The attack, mysterious at the time and widely described as the world’s first digital weapon, spread through Windows computers at the plant and modified the programs on the Siemens programmable logic controllers driving the uranium enrichment centrifuges, physically damaging them while the controllers continued to report normal operation to the operators.
The trajectory of cyber-attacks from the 1980s to the present has moved from general, less complex attacks such as password cracking or password guessing to very complex and highly sophisticated threats such as enterprise cyber-espionage, malicious code, Denial-of-Service (DoS) and supply chain hacking (Ervural & Ervural, 2018). Moving towards Industry 4.0 is an enormous endeavor which directly impacts several areas of today’s manufacturing industry, particularly security. It is essential, and urgent, that organizations develop a strategy to deploy and run the security compliance processes that Industry 4.0 requires, especially to reduce the organization’s level of exposure and to properly manage the mitigation of impacts (Pereira, Barreto, & Amaral, 2017, p. 1259).
1.8.3.1 Telecommunications Industry Security Threats
Telecommunication companies are among the biggest targets for cyber-attacks because they operate and control critical infrastructure which facilitates the storage and flow of copious amounts of highly sensitive data. This section deals with commonly identified security threats peculiar to the mobile telecommunications industry.
1.8.3.1.1 Denial-of-service (DoS)/Distributed denial-of-service (DDoS) Attacks
A Denial-of-Service (DoS) attack halts the operation of a system or application, rendering it unavailable and unusable (DDoS attack statistics: A look at the most recent and largest DDoS attacks, 2020). The terms DoS and DDoS are often used interchangeably, but they differ in the number of sources: a DoS attack typically involves flooding the targeted device with traffic from a single computer and internet connection, whereas Distributed denial-of-service (DDoS) attacks, as the name suggests, flood the applications or systems of victims with traffic from many sources at once, so that blocking any single source has little effect.
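The single-source versus multi-source distinction above is also what separates the two in a log: a DoS flood is dominated by one address, while a DDoS flood spreads the same volume over many addresses, each of which may stay below any per-client limit. The following added example, not from this dissertation or any report it cites, runs that check over constructed web-server access log lines in Common Log Format. The addresses are from the RFC 5737 documentation ranges and the rate and share thresholds are assumptions to be tuned per service.

```python
"""Distinguish single-source DoS from DDoS in a web access log.

Added example; not part of the dissertation or any cited report. The log
lines are constructed in Common Log Format using RFC 5737 documentation
addresses, and the thresholds are assumptions to be tuned per service.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line: str) -> Optional[dict]:
    """Parse one CLF line; return None for lines that do not match (never crash on junk)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT), "req": m["req"]}


def classify(lines: List[str], rate_threshold: float = 100.0,
             single_source_share: float = 0.5, min_sources: int = 50) -> Dict[str, object]:
    """Aggregate request rate plus source concentration decides the verdict.

    normal   - aggregate rate below threshold
    dos      - flood where one address sends >= single_source_share of requests
    ddos     - flood spread over at least min_sources addresses, none dominant
    elevated - flood that fits neither pattern (e.g. a few hot clients); investigate
    """
    events = [e for e in map(parse, lines) if e is not None]
    if not events:
        return {"verdict": "no-data", "rate": 0.0, "sources": 0, "top": None}
    first = min(e["ts"] for e in events)
    last = max(e["ts"] for e in events)
    window = (last - first).total_seconds() + 1.0   # inclusive window, 1 s resolution
    rate = len(events) / window
    by_ip = Counter(e["ip"] for e in events)
    top_ip, top_n = by_ip.most_common(1)[0]
    share = top_n / len(events)
    if rate < rate_threshold:
        verdict = "normal"
    elif share >= single_source_share:
        verdict = "dos"
    elif len(by_ip) >= min_sources:
        verdict = "ddos"
    else:
        verdict = "elevated"
    return {"verdict": verdict, "rate": rate, "sources": len(by_ip),
            "top": (top_ip, share)}


# --- constructed traffic ---------------------------------------------------
START = datetime(2021, 7, 1, 12, 0, 0, tzinfo=timezone.utc)


def make_log(start: datetime, seconds: int, sources_rps: Dict[str, int]) -> List[str]:
    """Build CLF lines: sources_rps maps client address -> requests per second."""
    lines = []
    for s in range(seconds):
        ts = (start + timedelta(seconds=s)).strftime(TS_FMT)
        for ip, rps in sources_rps.items():
            lines.extend(f'{ip} - - [{ts}] "GET /api/balance HTTP/1.1" 200 512'
                         for _ in range(rps))
    return lines


LEGIT = {f"203.0.113.{i}": 2 for i in range(1, 6)}          # five real customers
BOTNET = {f"192.0.2.{i}": 1 for i in range(1, 201)}          # 200 low-rate bots


def demo() -> Dict[str, str]:
    scenarios = {
        "baseline": LEGIT,
        "single_source": {**LEGIT, "198.51.100.7": 400},  # one host flooding
        "botnet": {**LEGIT, **BOTNET},                    # each bot below any per-IP limit
    }
    return {name: classify(make_log(START, 10, src))["verdict"]
            for name, src in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} -> {verdict}")
```

The botnet scenario is the instructive one: every bot sends one request per second, which a per-client rate limit would never catch, yet the aggregate is twice the threshold. That is why DDoS defence has to act on aggregate volume and source spread (upstream scrubbing, anycast absorption) rather than on individual offenders.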
These multiple sources are typically compromised machines (bots) controlled together as a botnet. DDoS attacks are challenging to get a handle on, as it is difficult to pinpoint the exact origin of the attack. During the period in which the victim’s system is overwhelmed with unusually large volumes of requests, legitimate customers of the victim are unable to access the relevant information systems and network resources. The damage caused by a DoS/DDoS attack can incur very high costs for an organization, including possible physical damage to servers and network equipment, operational and financial loss, and reputational damage. Data from Bulletproof’s 2019 Annual Cyber Security Report indicate that a small company could lose up to $120,000 if it falls victim to a DoS or DDoS attack; for larger companies, costs could surpass $2 million (Bulletproof, 2019). According to a report by NetScout, in 2019 there were 8.4 million DDoS attacks targeted at IT infrastructure, cloud, mobile networks and IoT devices (NetScout, 2019).
1.8.3.1.2 Supply Chain Threats
The connected nature of Industry 4.0 increases the potential to make supply chains more efficient. The reliance of mobile operators on numerous external parties for the delivery of key operational infrastructure, products and services extends to their customers, who in turn depend on these operators for the facilitation of different life and business activities. This complex chain of dependency exposes all parties in the downstream links to the risks and vulnerabilities of suppliers, making the supply chain increasingly attractive to attackers (GSMA, 2019). In this interconnected supply chain, attackers do not need to target the main entity to compromise its security; they can compromise weak points in the supply chain, which will eventually affect the target.
Thus, the threat lies in who organizations do business with and where the materials needed to achieve mission and business objectives are sourced from. Inefficient management of the supply chain exposes the operator to possible erosion of brand and trust, regulatory sanctions and significant financial losses.
1.8.3.1.3 Human-related Threats
Internal human threats include actors with malicious intent as well as negligence. GSMA (2019) outlines four types of human-related threat: social engineering and phishing attacks, misconfiguration, disregarding processes, and insider threat. Social engineering attacks are those in which the attacker influences a user to take an action that compromises their security. Phishing is a method of social engineering aimed at the theft of sensitive user information, including login credentials and digital banking access. Usually the attacker masquerades as a trustworthy entity and deceives the victim into taking an action, such as opening a link in an email, which compromises their security. These malicious links typically lead to the installation of malware, which may spy on the victim’s online activity or lock their system until a ransom is paid (Imperva, n.d.). “Misconfiguration, often dubbed the ‘fat finger attack’, is where devices are left in an insecure default state or configured insecurely by mistake. This is then leveraged by an attacker” (GSMA, 2019, p. 15). The third type of human-related threat is disregarded processes: processes are defined but not followed, often because a process is deemed laborious or unnecessary. Finally, an insider threat is someone with inside knowledge of how an organization operates who intentionally acts in a malicious way (GSMA, 2019). Some insiders help voluntarily; others are coerced, for instance through blackmail.
1.8.3.1.4 Internet of Things (IoT) Devices
The Internet of Things (IoT) has been welcomed by consumers and enterprises.
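The “insecure default state” that GSMA describes under misconfiguration, and the poorly configured factory settings that IoT devices ship with, are both mechanically checkable before a device is put into service. The following is an added example, not code from this dissertation, from GSMA or from any vendor: it audits a constructed INI-style device configuration against a small rule set of well-known insecure defaults (factory credentials, cleartext management, UPnP on the WAN side, default SNMP community strings) and gates provisioning on the result. The configuration format, both sample configurations and the rule identifiers are assumptions made for the illustration and describe no real product.

```python
"""Audit a device configuration for insecure factory defaults.

Added example; not from the dissertation or the GSMA report it cites. The
INI-style configuration format, the two sample configurations and the rule
set are constructed for illustration and do not describe any real product.
"""
import configparser
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (rule id, severity, description)

# Well-known factory credentials and SNMP community strings (constructed, non-exhaustive).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "1234"),
                       ("root", "root"), ("user", "user")}
DEFAULT_COMMUNITIES = {"public", "private"}
MIN_PASSWORD_LEN = 12

FACTORY_CONFIG = """
[admin]
username = admin
password = admin

[services]
telnet = enabled
ssh = disabled
http = enabled
https = disabled
upnp_wan = enabled

[snmp]
community = public
version = 2c

[firmware]
auto_update = disabled
"""

HARDENED_CONFIG = """
[admin]
username = ops-admin
password = tK9#vz2Lq!8mWb4r

[services]
telnet = disabled
ssh = enabled
http = disabled
https = enabled
upnp_wan = disabled

[snmp]
community = Gq7!wL3pZr9x
version = 3

[firmware]
auto_update = enabled
"""


def audit(config_text: str) -> List[Finding]:
    """Return every rule the configuration violates, highest severity first."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)

    def get(section: str, key: str) -> str:
        # A missing key is treated as unset, so a sparse config still gets the default-state checks.
        return cp.get(section, key, fallback="").strip()

    user, pwd = get("admin", "username").lower(), get("admin", "password")
    findings: List[Finding] = []
    if (user, pwd.lower()) in DEFAULT_CREDENTIALS:
        findings.append(("CFG-001", "high", "factory default administrator credentials"))
    elif len(pwd) < MIN_PASSWORD_LEN:
        findings.append(("CFG-002", "medium", f"administrator password shorter than {MIN_PASSWORD_LEN}"))
    if get("services", "telnet").lower() == "enabled":
        findings.append(("CFG-003", "high", "cleartext telnet management enabled"))
    if get("services", "https").lower() != "enabled":
        findings.append(("CFG-004", "medium", "web management without TLS"))
    if get("services", "upnp_wan").lower() == "enabled":
        findings.append(("CFG-005", "high", "UPnP exposed on the WAN interface"))
    if get("snmp", "community").lower() in DEFAULT_COMMUNITIES:
        findings.append(("CFG-006", "high", "well-known SNMP community string"))
    if get("snmp", "version") != "3":
        findings.append(("CFG-007", "medium", "SNMP version without authentication and encryption"))
    if get("firmware", "auto_update").lower() != "enabled":
        findings.append(("CFG-008", "low", "automatic firmware updates disabled"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[1]])


def ship_ready(config_text: str) -> bool:
    """Provisioning gate: a device with any high-severity finding does not leave the bench."""
    return not any(sev == "high" for _, sev, _ in audit(config_text))


if __name__ == "__main__":
    for rule, sev, text in audit(FACTORY_CONFIG):
        print(f"{rule} [{sev:6s}] {text}")
    print("factory ship-ready: ", ship_ready(FACTORY_CONFIG))
    print("hardened ship-ready:", ship_ready(HARDENED_CONFIG))
```

Treating a missing key as unset rather than as safe is the deliberate choice here: a device whose configuration never mentions telnet or SNMP is usually running the vendor default, which is exactly the state the GSMA quotation warns about.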
The majority of IoT attacks exploit poorly configured factory settings of devices. Many IoT devices are built using low-end, cheaply manufactured components and are sold in large volumes, making them ideal for reaching many victims at a time. Attacks on users of these devices also expose the telecom operators’ networks to the same security risks, potentially harming their business operations.
1.8.4 The Politics of Cyber Security
The notion of security has different meanings in the realm of international relations; its interpretation and scope vary with the era. In the World War II and Cold War eras, international security revolved around military power or the use of force and focused on superpower conflict and nuclear war. The concept of international security also came to include food, energy supplies, ideology, science and technology, environmental degradation, health and human security (Tsakanyan, 2017, p. 339). At the end of this era, the scope of international security “had to be recast to reflect the changing nature of conflict” (Freedman, 1998, p. 48). Increased access to the internet in the 1990s introduced a cyberspace that would also redefine traditional and conventional notions of security. Cyberspace enables people and communities to interact, socialize and organize all around the globe. Its vast capabilities and applications posed national and international concerns, creating opportunities for exploitation by criminals and even state governments. Increasing cyber incidents have given the impression that cyber-attacks are becoming more targeted, more expensive, more disruptive, and in many cases more political and strategic (Cavelty & Wenger, 2019, p. 1). Protecting this cyberspace, ensuring cyber security, is a need that is increasingly growing in the realm of diplomacy and world politics.
The definition of cybersecurity is contested politically in both national and international arenas. The concept keeps evolving, from being discussed merely as information security in small expert and technical circles to a matter of national security dealt with strategically in the highest government circles. It is contested among state actors, as there is no agreement on a common vocabulary (Giles & Hagstead, 2013, p. 1). According to Cavelty and Wenger (2019), cyber security politics is characterized by two main factors: “The first is use and misuse of digital technologies by human actors in economic, social and political contexts. The second is conflicting settings of formal and informal negotiations which define responsibilities, legal frameworks and acceptable rules of engagement among the state, its people, and the private sector.” Through their use, technologies can be seen as material objects, power resources or neutral tools that drive social change (Hoijtink & Leese, 2019). Conversely, technologies can be seen as stages on which the operation of power relations is highlighted and where the behavior of social and political actors is shaped (Behrent, 2013, p. 57). Makers of technologies infuse their intentions, norms and values into their designs, and the use of the products is manipulated according to existing power structures. Thus, “technologies are shaped by political ideas and power structures and shape the possibilities of political action in turn” (Cavelty & Wenger, 2019, p. 6). Technologies and cyberspace have given rise to ‘new power’ and to threats that are now recognized as a ‘fifth domain’ after land, sea, air and space (The Economist, 2010). Cyber power is the ability to obtain preferred outcomes through use of the electronically interconnected information resources of the cyber domain.
It is understood as the exploitation of cyberspace resources for the attainment of specific political objectives in and out of cyberspace (Nye, 2010, p. 4). This new power, however, has its own dependencies and vulnerabilities (Rattray, 2001). Actors in cyberspace and cybersecurity can be states and non-state actors, the latter including individuals, private corporations and interest groups. However, to be categorized as “an actor in cyberspace, the following three qualifications of ‘actorhood’ should be met; structural, population and territorial elements” (Seunghwan, Birch, & Bengtsson, 2016, p. 219). Structural elements include skilled human resources performing duties as system developers and administrators capable of identifying vulnerabilities, and access to robust equipment and infrastructure. Population elements include both technical and consumer users of cyber systems; more users mean more information in systems, which translates into more power for the actor. The last criterion is the territorial element, which includes “ownership and access rights to user information, user-contributed content, and all types of core data. The level of access to user data defines the size of an actor’s cyber territory” (Seunghwan, Birch, & Bengtsson, 2016, p. 220).
1.8.4.1 Politics of Cyber Security in International Relations
Cybersecurity can be seen as an instrument for achieving a state’s national interest. It can also be used as an instrument to influence the views and opinions of adversaries. This philosophy and its operationalization are seen in the approaches of states like the United States, Russia and China, and are manifested in the play of world politics. This section explores the role of cybersecurity in global politics, with a close examination of the approaches of the USA, Russia and China and how these approaches interact in the relationships between them.
The United States, a leader in the ICT industry, is among the first countries to have directly experienced the negative impact of the information revolution (Tsakanyan, 2017, p. 342). There is heavy reliance on network technologies and information infrastructure to ensure the proper functioning of sectors of the country’s economy and the lives of its citizens, including health care, transport, finance and agriculture. The Federal Bureau of Investigation (FBI), according to Tsakanyan in The role of cybersecurity in world politics, highlights three key groups of actors that pose threats in cyberspace: organized crime syndicates, who mostly target financial services; state sponsors, who engage in cyber espionage against enterprises and public institutions; and terrorist groups, who orchestrate disruptive activities against a country’s critical information systems infrastructure and thus pose a national security threat. Viewing cybersecurity as a core component of national security, the Chinese government holds this issue in high regard. It is cautious of software and infrastructure from Western manufacturers and perceives their use as a threat to national security. This view is reflected in the growing power China continues to accumulate by expanding its territory in IT products and services (Tsakanyan, 2017, p. 345). The Russian approach, through the lens of Russia’s national interests, views cyberspace as a tool to weaken the socio-political and economic systems of other states, psychologically threaten populations, destabilize society and compromise the flow and authenticity of the information space of other nations (Tsakanyan, 2017, p. 346). Kshetri (2014) further deals with the approaches of these countries in relation to cooperation on formal treaties and frameworks for cybersecurity in his work Cybersecurity and International Relations: The U.S. Engagement with China and Russia.
He first notes that alliances and policy guidelines involving treaties are sustained only when there is a sense of mutual advantage. The presence of mutual advantage is the first determinant of joining an international coalition. Case in point: referencing Goldsmith (2011, p. 3) and Keyser (2003), the Council of Europe (CoE) convention, the most widely adopted cybercrime treaty, has clauses that permit intrusion on national sovereignty, which present no incentive to China, Russia and many developing countries. He goes on to question whether informal approaches to international alliance perform better than formal ones in dealing with international cyberspace problems. The U.S. and Russia have differing approaches: the U.S. favors cooperation through ad hoc or informal mechanisms that tend to bypass formal institutions and treaties, whereas Russia favors international treaties to secure cyberspace against threats. Citing Lipson (1991, p. 500), Kshetri takes the view that informal approaches have notable impact, as they are more flexible than treaties. A positive outcome of this is the formation of trans-governmental networks that share information with each other and harmonize guidelines and best practices. These informal networks are arguably “the optimal form of organization for the Information Age” (Kshetri, 2014, p. 8). Kshetri goes on to analyze the relationships between the aforementioned countries concerning issues of cyberspace. First, between the U.S. and China there is an air of mistrust and disharmony in cooperation. Allegations and counter-allegations characterize this relationship in cybersecurity (Kshetri, 2014, p. 11). China has been accused of consistently engaging freelance hacking groups in international cybersecurity attacks, thus providing “plausible deniability” about any association with the state.
Despite the absence of concrete evidence clearly showing involvement, the allegations are relentless, based on noticeable patterns and circumstantial evidence. The Chinese response to these allegations is strong denial and accusation of a lackluster attitude among Western counterparts when it comes to fighting cybercrime. This relationship is further reflected in the challenges faced by technology companies of both sides operating in the other’s territory. For example, the Chinese government is wary of companies like Microsoft, and the U.S. government is wary of Huawei. Huawei, the world’s biggest seller of network telecommunications equipment, is seen in a controversial light (Vaswani, 2019). Given its status as a ‘national champion’ in China due to its successful local and international sales, strategic contributions to the Chinese government and powerful political connections, this pioneer of ICT and telecommunications is accused of being a gateway for spying on Western nations. The seeds of suspicion stem from events such as the compromise of the Chinese-built African Union (AU) headquarters in Addis Ababa. Completed in 2012, everything was custom-built by the Chinese, including a state-of-the-art computer system. In 2018, a French newspaper reported that the AU’s computer system had been compromised, with data from AU servers transferred to servers in Shanghai for five years. “It was also reported that microphones and listening devices had been discovered in the walls and desks of the building following a sweep for bugs” (Vaswani, 2019). The main supplier of information and communication technology systems to the AU headquarters was China’s best-known telecoms equipment company, Huawei. However, the fact that Huawei supplied equipment did not mean it was complicit in any theft of data.
There was also no evidence to indicate that Huawei’s telecoms network equipment was ever used by the Chinese government, or anyone else, to gain access to the data of its customers. Regardless, these reports bolstered the suspicions around the tech giant. In 2018, amidst a trade war between the United States and China, Huawei became entangled in a string of events that deepened the suspicions of Western nations and affected diplomatic relations. Huawei’s chief financial officer, and daughter of its founder, Meng Wanzhou, was arrested in Canada at the request of the US, which accused her of fraud connected with breaking sanctions against Iran; the company itself was separately charged with attempted theft of trade secrets. The US sees the company as a strategic arm of the Chinese Communist Party. With telecommunications evolving into the ‘fifth generation’, or 5G, which promises faster download speeds and much greater connectivity between devices than at present, Huawei is one of the companies best placed to lead the evolution. The US began to warn nations against the use of Huawei technologies. “In 2019, U.S. Secretary of State Mike Pompeo warned that the United States would not be able to partner with or share information with countries that adopt Huawei Technologies Co Ltd systems, citing security concerns. Pompeo said nations in Europe and elsewhere need to understand the risks of implementing Huawei’s telecommunications equipment and that when they did, they would ultimately not use the company’s systems” (Reuters, 2019). In an interview on the subject, Pompeo said, “If a country adopts this and puts it in some of their critical information systems, we won’t be able to share information with them, we won’t be able to work alongside them.” This resulted in the US adding Huawei to a list of companies that American firms cannot trade with unless they have a licence (BBC News, 2019).
Scrutiny of cybersecurity between the two nations extends into the realm of social media as well. Chinese-owned applications such as TikTok and WeChat are in danger of being banned in the US on suspicion of threatening national security, and to prevent Beijing from exploiting the apps to collect user data or disseminate propaganda (Whalen, Lerman, & Nakashima, 2020). Thus, technology and cyber security remain entangled in relations between the two nations.

U.S.–Russia relations on issues involving cyberspace are in disharmony in a way that further emphasizes historical relations from the Cold War era. Illustrated in several examples, points of disharmony include the absence of notification to either side when action is to be taken against criminal nationals of the other side.

From the national security and international relations standpoint, there are a number of unique aspects of cyberspace which may offer some insight into the nature of relations among nations as noted above. Firstly, “the nature of cyberspace makes it impossible to trace the actual origin of the software” (Choucri & Goldsmith, 2012, p. 71). Thus, accusing a state or entity of foul play would be based on inferences from circumstantial evidence rather than direct, factual and conclusive evidence. This unique characteristic leads to the second, which is that offenders in cyberspace are more emboldened as compared to physical space. Lastly, citing Lipson (1991) and Ramseyer (1991), Kshetri notes that cyber violators are very rarely punished; thus actors are likely to engage in violations if such violations cannot be witnessed and violators go unpunished.

1.8.4.2 Politics of Cyber Security: African States

In Kshetri’s work on Cybercrime and Cybersecurity in Africa, he notes that “cybersecurity is considered to be a luxury, not a necessity in many African economies.
Its importance has not yet been sufficiently appreciated or acknowledged in the continent” (Kshetri, 2019, p. 78). “The African Union Commission and Symantec, as part of the Global Forum for Cybersecurity Expertise (GFCE) Initiative, released a report analyzing cyber security trends and government responses across Africa. It focused on 5 key areas: social media, scams, and Email threats, smartphones and the Internet of Things, business email Scams, rise of ransomware and cryptolocker and vulnerabilities” (Cyber security trends and government responses in Africa, n.d.). Increasing access to smartphones and increased connectivity make the emerging economies in Africa attractive targets for cybercrime. The report found that of the 54 countries in Africa, 30 lacked specific legal provisions to fight cybercrime and utilize electronic evidence (Mathe, 2019). In 2017, cybercrime cost Africa an estimated total of $3.5 billion (Mathe, 2019). Annual losses to cybercrime in the same year in Nigeria and Kenya were $649 million and $210 million respectively. South Africa loses $157 million annually to cyberattacks (Kshetri, 2019, p. 77). He further notes that “the sectors in which cybercrime is predominantly active are Banking/Financial services, government, e-commerce platforms, mobile payments and telecommunications.”

Problems that the continent faces include vulnerable systems, lax cybersecurity practices, a lack of skills among internet users to protect themselves from rapidly rising cyber-threats, a severe shortage of cybersecurity manpower, and weak legislation and law enforcement. Despite these, measures strengthening cyber readiness, legislation and enforcement are gradually improving. Conventions, treaties and Memoranda of Understanding (MoU) specific to the African region exist to enable more effective cooperation on Cybersecurity initiatives.
These include an MoU between the Economic Community of West African States (ECOWAS) and the International Telecommunications Union (ITU), and the African Union Convention on Cyber Security and Personal Data Protection. Signed on the 8th of June 2015, the MoU between ECOWAS and the ITU serves as a non-binding framework for collaboration between the Parties, within the framework of the ITU Global Cybersecurity Agenda and in accordance with the parties’ commonly agreed goals for a more secure and safer information society and on the basis of mutual benefit (ITU, n.d.). Common interests and mutually agreed points of cooperation include the elaboration of regional Cybersecurity initiatives through ECOWAS and enhancing the Cybersecurity posture of ECOWAS member countries through country-specific initiatives including:

• the National Computer Incident Response Team (CIRT)/Computer Emergency Response Team (CERT) programme, whereby constant evaluations and assessments, including regional cyber drills, are conducted;
• improving Cybersecurity efforts in ECOWAS nations through custom-made capacity building initiatives and collaborative roadmaps executed in agreed phases;
• the Global Cybersecurity Index, which evaluates the Cybersecurity competencies of member nations, allowing for timely Cybersecurity measures and the fostering of a globally consistent culture of Cybersecurity;
• the Child Online Protection initiative, an international collaborative network with the sole aim of advancing the protection of children and young people online globally through the provision of guidance on safe online conduct;
• the synchronization and improvement of laws that pertain to effectively addressing the prosecution of Cybercriminals;
• the communication of national Cybersecurity policies which detail the creation and execution of national frameworks for Cybersecurity and critical information infrastructure protection (CIIP) through a comprehensive approach.

1.8.4.3 Politics of Cyber Security: Multinational corporations

The activities of multinationals challenge the traditional role of the state in security, and in this context, in cybersecurity as well. Through innovation, multinationals are able to amass significant cyber power and cause power shifts (Seunghwan, Birch, & Bengtsson, 2016, p. 225). Thus, through activities not constrained by borders, access to robust systems, infrastructure and expertise, a large number of users, and the non-obligatory show of good intention towards these users, companies could be more powerful than states in the realm of cyberspace. Clear examples of such powerful companies are Google, Apple and Microsoft. In Sigholm’s work on Non-State actors in cyberspace operations, it is noted that although corporations are perceived as law-abiding entities, they are sometimes caught up in matters of cyberwarfare. This is “at the request of a nation state, either by being on a government contract or by more autonomous actions under the government’s blessing” (Sigholm, 2013, p. 21). Intelligence agencies may also use corporate fronts as a cover for cyber espionage operations. Large international corporations doing business in many different countries may find themselves in a precarious situation during a cyber-conflict, finding themselves on both sides of the front line.

1.8.4.3.1 Public–Private Partnership in National Cyber-Security Strategy

Public-private partnerships (PPP) are used as a means to address both non-traditional and traditional security threats.
However, in the context of national cyber security, the relationship is uniquely problematic (Carr, 2016). There is a lack of clarity in the roles and priorities of both sides, characterized by the reluctance of state politicians to claim authority for the introduction of tougher cyber laws, and the private sector’s aversion to accepting responsibility or liability for national security. Authors such as Dunn Cavelty and Suter (2009) explore the role and capacity of government in PPP for the protection of critical infrastructure. Their article, Public–Private Partnerships are no silver bullet: An expanded governance model for Critical Infrastructure Protection, develops a comprehensive understanding of how policy-makers and the private sector are conceptualizing their respective roles in national cyber security, where there may be disparity in these conceptions, and what implications this may have for national and international cyber security. This dynamic, applied to the case study at hand, Vodafone Ghana (representing the private sector) and the Government of Ghana (representing the public), could be examined for points of contradiction in terms of what is a priority to each side and how these priorities conflict.

The interests of private businesses and those of the state are often not convergent when it comes to Critical Infrastructure Protection (CIP) (Dunn Cavelty & Suter, 2009, p. 3). Points of divergence include the following arguments. Firstly, the degree of attention to confidentiality might not be the same on both sides; thus information transfer from private to public entities could create risks such as reputational damage to the private entity. Additionally, from the government perspective, accidental or intentional divulging of classified information may also hamper the activities of intelligence services and other institutions.
Secondly, the majority of companies which are multinational or transnational subject themselves to higher international standards and thus are “only partially appreciative of the necessity of national cooperation” (Dunn Cavelty & Suter, 2009, p. 3). Thirdly, the private sector views the issue from the perspective of business administration and business continuity; thus it is not treated with the same level of urgency. Fourthly, in The Private Sector: A Reluctant Partner in Cybersecurity, Etzioni (2014) notes that despite corporations being considered rational actors, and thus expected to voluntarily take measures to protect themselves and realize profits, CEOs have been shown to focus on short-term costs and benefits, to the detriment of longer-term effects. This translates into underinvestment in controls and measures to address cyber security. Fifthly, expanding on the issue of the bottom line and realizing profits, obligatory cybersecurity regulations would impose substantial costs on the private sector, thus impeding profitable operations. Companies would need to spend millions in order to develop cybersecurity systems. Lastly, further emphasizing the extent of roles in the policy-making of cyber security and the extent of divergence, opponents of government cybersecurity regulations claim that government mandates will actually hamper cybersecurity and other innovations in the private sector (Etzioni, 2014). Establishing clear standards for companies would impede their flexibility by forcing them to introduce cumbersome or inefficient cybersecurity measures. “PPPs require a complementarity of goals, mutual trust, clear goals and strategies, clear distribution of risks, clear sharing of responsibilities and authority, and market and success-oriented thinking to be strategically” efficacious (Dunn Cavelty & Suter, 2009, p. 3).
1.8.5 Cyber Security Conventions and Treaties: The African Union Convention on Cyber Security and Personal Data Protection and the Budapest Convention in Perspective

This section deals with treaties and conventions on cybercrime that Ghana has ratified. In June 2014, the 23rd Ordinary Session of the Summit of the African Union, held in Malabo, Equatorial Guinea, adopted the legal instrument the African Union Convention on Cyber Security and Personal Data Protection (African Union, 2014). This is also known as the Malabo Convention. The Convention covers a very wide range of online activities, including electronic commerce, data protection, and cybercrime, with a special focus on racism, xenophobia, child pornography, and national cybersecurity (African Union adopts framework on cyber security and data protection, 2014). Out of 55 states, 14 have signed on to the Convention, 8 have ratified/acceded and 8 have deposited (African Union, 2020). The treaty will enter into force 30 days after the 15th instrument of ratification or accession is deposited (African Union, n.d.).

Officially known as the Council of Europe Convention on Cybercrime, the Budapest Convention was the first international treaty to focus explicitly on cybercrime (Daskal & Kennedy-Mayo, 2020). Entering into force in 2004, the convention focuses “on crimes committed via the Internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography and violations of network security. It also contains a series of powers and procedures such as the search of computer networks and interception. Its main objective is to pursue a common criminal policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international co-operation” (Council of Europe, n.d.).
It serves as a guideline for any country developing comprehensive national legislation against cybercrime and as a framework for international cooperation between State Parties to this treaty. On December 3rd 2018, the Republic of Ghana deposited the instruments of accession to the Budapest Convention on Cybercrime (Council of Europe, 2018).

1.9 Arrangement of chapters

This study is divided into 4 chapters. Chapter one will include the general introduction to the study with a thorough literature review on the subject. Chapter two will delve deeper into the significance of cyber security in the international arena. Chapter three will assess the cyber risk posture of Vodafone Ghana using the chosen conceptual framework. Chapter four will involve the summary of Research Findings, Conclusion and Recommendations.

CHAPTER 2 Vodafone and Ghana’s National Telecommunications Policy

2.0 The evolutionary history of Vodafone in Ghana

Vodafone in Ghana is an operating company of Vodafone Group Plc – a mobile telecommunications company, with a significant presence in Europe, the Middle East, Africa, Asia Pacific and the United States (Vodafone Ghana, 2020). Its range of communications solutions includes mobile, fixed lines, internet, voice and data. The company also provides M-Pesa, locally known as Vodafone Cash, “a mobile money transfer and payment service that enables customers to access their bank accounts to send and receive money, purchase goods, pay bills, and save money and receive short-term loans” (Vodafone, n.d.). Vodafone Ghana, originally the Post and Telecommunications Department of the Colonial Administration, went through several transformations before being renamed Ghana Telecom in 1996 (Ajao, 2009). The Telecommunications Division of the Department, which had become a Corporation in 1974, was carved out in 1993 (Ghana Post, 2020).
Then, the state-owned corporation had almost full monopoly over all telecommunication services (Haggarty, Shirley, & Wallsten, 2002, p. 4). However, due to a history of poor service characterized by lack of access, poor quality for those who had access, high international tariffs, inefficiency and poor management, as well as other contributing institutional factors, the incumbent was unpopular and this led to reform in the telecommunications sector (Haggarty, Shirley, & Wallsten, 2002, p. 4). In the process of reform, a road map document called the Accelerated Development Program (ADP) was subsequently launched in 1994 (Osei-Owusu, 2017, p. 54). The primary means of achieving the policies and objectives documented in the ADP was the establishment of Ghana Telecom (in June 1995). This was to replace the then telecommunications division of the Post and Telecommunication Operator. The implementation of the ADP was expected to pave the way for the denationalization and total liberalization of the telecom industry.

Upon privatization in 1996, Ghana Telecom was divested first to a consortium called G-Comm Limited led by Telekom Malaysia and was later managed by a Norwegian management services company known as Telenor Management Partners (Ajao, 2009). In 2006, after taking possession of 100% of the shares of Ghana Telecom, the Government took a decision to partially privatize the company. The initial objective was to sell 66.67% of the shares of the fully owned company to a strategic investor in order to attract private sector capital and technical expertise to the country's telecom sector (Agyekum, 2010). A bidding process was launched to invite interested parties. The process culminated in August 2008 with a $900 million payment by Britain’s Vodafone Group Plc for a 70 percent stake in Ghana Telecom, leaving 30 percent for the Government of Ghana (Ellott & Kpodo, 2008).
2.1 Telecommunications Policy in Ghana

Telecommunications is one aspect of a wider trend of technological and market convergence which encompasses fields such as broadcasting, information technology, and electronic commerce. The Government of the Republic of Ghana recognizes its importance and has thus put in efforts to be at the forefront of the information and communications revolution in Africa (Government of Ghana, 2004). These efforts include the liberalization of basic telecommunications services by embracing the potential of competitive markets and introducing reform to the sector. This transformed the telecommunications industry from a largely monopolized, state-owned model to a broadly competitive, private and open market model.

2.1.1 International telecommunications Segment

In the international market sphere, telecommunications infrastructure and operations carry communication signals across Ghana’s borders. Elements of this segment include licensed gateway operators (operators who have been officially authorized to maintain connections for international terminations), South Atlantic Telecommunications cable no. 3 (SAT-3) access (a submarine cable which connects West Africa and South Africa to Europe), private licensed Very Small Aperture Terminal (VSAT) systems (licensed access to international data networks by private users), and unlicensed international bypass services (unauthorized service providers who, by sidestepping the channels of licensed international operators, connect international voice calls to the local public network) (Government of Ghana, 2004).

2.1.2 Domestic public telephone services

These services provide telephone connectivity within Ghana.
Components of this segment include fixed wire line networks for basic telephone services, wireless mobile networks using defined frequencies, and public telephones and tele-centers allowing calls and charging per use (Government of Ghana, 2004).

2.1.3 Dedicated transmission networks

These networks are responsible for providing connection between two or more dedicated locations. This segment can also be leveraged as wholesale services to licensed retail operators, to private entities for closed user group services, or for public signal distribution enabling services such as TV connectivity and broadband (Government of Ghana, 2004).

2.1.4 Internet Services

Relying on existing networks and dedicated connections, internet services connect end users to the internet. Connectivity is provided through Internet Service Providers (ISPs) that offer packages for various uses, internet backbone connectivity which links national and international connection points, and publicly available access points (Government of Ghana, 2004).

2.1.5 Roles of Government Institutions

This section classifies the roles that government institutions play in enacting Ghana’s telecommunications policy.

2.1.5.1 Ministry of Communications and Digitalization

The ministry is the principal authority in shaping the components of telecommunications policy. In this position, it ensures the robustness of the policy and updates it where necessary. The ministry also acts as a consultant in all regulatory proceedings led by the NCA (the primary industry regulator). As Ghana’s representative on international fronts such as ECOWAS in relation to the nation’s telecommunications policies, the ministry ensures that the interests of the country are always protected.
Finally, the ministry is also responsible for reporting on and monitoring the status of the sector and tracking trends and concerns according to set goals (Government of Ghana, 2004). The Ministry comprises the agencies and statutory bodies listed below and, through them, implements mandated operational and regulatory policies (Ministry of Communications, 2016):

1. Postal and Courier Services Regulatory Commission (PCSRC);
2. Ghana Meteorological Agency (GMet);
3. Ghana-India Kofi Annan Centre of Excellence in ICT (AITI-KACE);
4. National Information Technology Agency (NITA);
5. Data Protection Commission (DPC);
6. National Communications Authority (NCA);
7. Ghana Investment Fund for Electronic Communications (GIFEC);
8. Ghana Post Company Limited (GPCL).

2.1.5.2 National Communications Authority (NCA)

The NCA is the primary regulator of the telecommunications sector. It is also the instrument through which the National Telecommunications Policy is enacted. Its roles include responsibility for the issuance of licenses, regulating competition among players, managing available spectrum frequencies, regulating tariffs, monitoring operators’ activities, performance and compliance with regulations, upholding technical standards, overseeing quality of service, and protecting the interests of consumers.

2.2 Ghana Cyber Security Policy

As emphasized earlier, society today is a more virtual world that relies on the internet for communication and business. Ghana’s road to a more digitized economy, which includes digitizing government services, building a biometric National Identity register, deploying a digital property addressing system, and mobile money interoperability among others, relies on the strength of Information and Communication Technologies (ICTs) (National Communications Authority, 2018).
Increasing attacks on national infrastructure and government sites mandate the protection of critical national information infrastructure to ensure national security in the wake of cyber wars. The activities of government can be brought to a halt if the National Information Technology Agency (NITA) infrastructure is attacked. Thus, policy was needed to manage the cyber security risks to government and private sector critical information infrastructure (Ministry of Communications, 2015).

The current cyber security policy and regulatory framework has evolved as follows. In 2014 the Ministry of Communications inaugurated the Ghana Computer Emergency Response Team (CERT-GH) to coordinate national cyber security incidents. Approved by Cabinet in November 2016, Ghana adopted a National Cyber Security Policy and Strategy (NCSPS) (Media Foundation for West Africa, 2017, p. 14). This policy identifies specific initiatives to address cybercrime and cyber security issues and provides a strategy for implementation. Aside from the NCSPS, specific legislation addressing cyber security related issues has been passed by parliament: the Electronic Transactions Act – 2008 (Act 772), the Data Protection Act – 2012 (Act 843), the Economic & Organized Crime (EOCO) Act – 2010 (Act 804) and the Anti-Money Laundering Act – 2008 (Act 749) (Media Foundation for West Africa, 2017). These Acts identify cyber security offences such as unauthorized access to protected information, stealing and electronic forgery, and child pornography. They also mandate organizations which fall within their remit, such as telecommunications companies, to undertake regular vulnerability and systems checks to ensure the robustness of IT systems that store, process and transmit personal data in particular. In 2020, Parliament passed the Cybersecurity Act – 2020 (Act 1038).
This Act establishes a Cyber Security Authority, protects the critical information infrastructure of the country, regulates cybersecurity activities in the country, provides for the protection of children on the internet, and promotes the development of cybersecurity and other related matters. Through the Cybersecurity Act, 2020, the information and communications sector has been identified as Critical National Information Infrastructure (CNII). This category is “defined as those assets (real and virtual), systems and functions that are vital to the nation such that their incapacity or destruction would have devastating impact on national economic growth, national image, national defense and security and government capability to function” (Ministry of Communications, 2015).

The main institution dedicated to developing and effecting the national cyber security policy and strategy is the National Cyber Security Centre (NCSC). The NCSC is a national agency established in 2018 under the Ministry of Communications. “It is responsible for Ghana’s cybersecurity development including cybersecurity incidents response coordination within government and with the private sector. The NCSC is responsible for Awareness Creation & Capacity Building, Cybersecurity Incident Coordination & Response (CERT), Critical National Information Infrastructure Protection (CNIIP), Child Online Protection (COP) and International Cooperation, among others” (National Cyber Security Centre, 2019). The NCSC works closely with the National Cyber Security Technical Working Group (NCSTWG) in the implementation of cybersecurity initiatives across government and non-governmental sectors.
CHAPTER 3 Research Method

3.0 Introduction

The primary objective of this study is to determine the extent to which, and in what ways, the cyber risk posture of Vodafone Ghana aligns with the Ghana National Telecommunications and Cyber Security policy framework. This chapter tackles the research methodology that supports the study. It delves into the approaches, procedures and techniques employed in this study. Details of data collection, framework and analysis are also discussed. Finally, it discusses the critiques associated with the selected method.

3.1 Approach to Study

This research employs a qualitative method – one of the three major methods of the social sciences. This method was developed to allow scholars to research social and cultural phenomena (Goundar, 2012). Qualitative research is defined as “any type of research that produces findings not arrived at by statistical procedures or other means of quantification” (Strauss & Corbin, 1998, pp. 10-11). Gay and Airasian (2000, p. 627) also define qualitative research as “the collection of extensive data on many variables over an extended period of time, in a naturalistic setting, in order to gain insights not possible using other types of research”. However, these definitions largely depend on the essence of quantitative research, which is described as “research that explains phenomena according to numerical data analyzed by means of mathematically based methods, especially statistics” (Yilmaz, 2013, p. 311). Thus, to capture a definition that reflects its unique characteristics, Yilmaz (2013, p. 312) defines qualitative research as “an emergent, inductive, interpretive and naturalistic approach to the study of people, cases, phenomena, social situations and processes in their natural settings in order to reveal in descriptive terms the meanings that people attach to their experiences of the world”. Berg (2007, p.
3) also captured that “quality refers to the what, how, when, and where of a thing – its essence and ambience. Qualitative research thus refers to the meanings, concepts, definitions, characteristics, metaphors, symbols, and descriptions of things.”

Qualitative research permits the researcher an insider view of the field of study. It plays an important role in uncovering possible relationships, causes, effects and dynamic processes (Goundar, 2012). Through a descriptive and narrative style, the knowledge gained through qualitative investigations is more informative, richer and offers enhanced understanding compared to that of quantitative research (Tewksbury, 2009). Qualitative methods let the researcher record and understand people in their own terms, whereby depth and detail develop through direct quotation and meticulous description. Qualitative data is collected through interviews, focus groups and participant observation (Yunos & Ahmad, 2014). Despite these strengths, qualitative research is criticized for its problem of adequate validity or reliability due to its subjective nature. Thus, outcomes are limited to the context, conditions, events and interactions of the study. Another point of critique is the lengthy time required for data collection, analysis and interpretation. There is also some degree of effect on the subjects of study posed by the researcher (Goundar, 2012).

This study aims to investigate the cyber risk phenomenon by focusing on the characteristics or features of cyber security, which is exploratory in nature. Thus, this qualitative research approach is relevant to the study because it is aimed at obtaining deep analysis of the case at hand rather than merely providing information from many units (Siaw, 2015).

3.2 Research Strategy

The identification of a research approach prescribes the strategies of enquiry associated with the research. Creswell (2003, p.
14) notes that key approaches to qualitative research include “ethnographies, case studies, grounded theory, phenomenological research, and narrative research”. Research strategies are the manner in which the researcher plans to go about the research study (Siaw, 2015). The strategy implemented here is a case study. The term can be used to describe a unit of analysis (e.g. a case study of a particular organization) or to describe a research method. Case study research is the most common qualitative method used in information systems (Goundar, 2012). Creswell (2003, p. 15) describes a case study as a kind of plan “in which the researcher explores in depth a program, an event, an activity, a process, or one or more individuals. The case(s) are bounded by time and activity…” Thus, a case study involves close observation and examination of the case or subject at hand. The implementation of a case study as a research strategy drives and enables this research to enquire intensely into the extent to which, and in what ways, the risk posture of Vodafone Ghana aligns with the Ghana National Telecommunications and Cyber Security policy framework.

3.3 Data Collection Techniques

Data was collected using two main sources: primary and secondary sources. Primary sources inc