DocumentCode :
1804478
Title :
Information security risk management in small-scale organisations: A case study of secondary schools computerised information systems
Author :
Moyo, Moses ; Abdullah, Hanim ; Nienaber, Rita C.
Author_Institution :
Sch. of Comput. Sci., UNISA, Pretoria, South Africa
fYear :
2013
fDate :
14-16 Aug. 2013
Firstpage :
1
Lastpage :
6
Abstract :
The use of computerised information systems has become an integral part of South African secondary schools, bringing about a host of information security challenges that schools have to deal with in addition to their core business of teaching and learning. Schools handle large volumes of sensitive information pertaining to educators, learners, creditors and financial records, which they are obliged to secure. Unfortunately, school management and users are not aware of the risks to their information assets and the repercussions of a compromise thereof. Computerised information systems are susceptible to both internal and external threats but ease of access is likely to manifest in security breaches, thereby undermining information security. One way of enlightening schools about the risks to their computerised information systems is through a risk management programme. Schools may not have the full capacity to perform information security risk management exercises due to the unavailability of risk management experts and scarce financial resources. Therefore, the objective of this paper is to educate secondary schools' management and users on how to perform a risk management exercise for their computerised information systems in order to reduce or mitigate information security risks within their information systems and protect vital information assets. This study uses the Operationally Critical Threat, Asset, and Vulnerability Evaluation for small organisations (OCTAVE-Small) risk management methodology to address these information security risks in two selected secondary schools.
Keywords :
educational administrative data processing; information systems; risk management; security of data; teaching; OCTAVE-Small risk management methodology; South African secondary schools; ease of access; external threats; financial resources; information assets; information security risk management; internal threats; learning business; operationally critical threat-asset-vulnerability evaluation for small organisations; risk management experts; risk management programme; school management; secondary school computerised information systems; small-scale organisations; teaching business; Collaboration; Educational institutions; Information security; Personnel; Risk management; computerised information systems; exposure; information security; risk; risk analysis; risk assessment; risk management; threats; vulnerability;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Information Security for South Africa, 2013
Conference_Location :
Johannesburg
Type :
conf
DOI :
10.1109/ISSA.2013.6641062
Filename :
6641062