The African Journal of Information Systems
Volume 8 | Issue 2
Article 2
Spring 4-1-2016
A Framework to Manage Sensitive Information
during its Migration between Software Platforms
Olusegun Ademolu Ajigini
University of South Africa
John Andrew van der Poll
University of South Africa
Jan H. Kroeze PhD
University of South Africa
Recommended Citation
Ajigini, Olusegun Ademolu; van der Poll, John Andrew; and Kroeze, Jan H. PhD (2016) "A Framework to Manage Sensitive
Information during its Migration between Software Platforms," The African Journal of Information Systems: Vol. 8: Iss. 2, Article 2.
Available at: http://digitalcommons.kennesaw.edu/ajis/vol8/iss2/2
A Framework to Manage Sensitive Information during its Migration between Software Platforms
Research Paper
Volume 8, Issue 2, April 2016, ISSN-
Olusegun Ademolu Ajigini
University of South Africa
John Andrew van der Poll
University of South Africa
Jan H. Kroeze, PhD
University of South Africa
(Received December 2014, accepted September 2015)
ABSTRACT
Software migrations are mostly performed by organizations using migration teams. Such migration
teams need to be aware of how sensitive information ought to be handled and protected during the
implementation of the migration projects. There is a need to ensure that sensitive information is
identified, classified and protected during the migration process.
This paper suggests how sensitive information in organizations can be handled and protected during
migrations, by using the migration from proprietary software to open source software to develop a
management framework that can be used to manage such a migration process. The research used a
sequential explanatory mixed methods case study to propose a management framework on information
sensitivity during software migrations.
The management framework is validated and found to be significant, valid and reliable, by using
statistical techniques such as exploratory factor analysis, reliability analysis and multivariate analysis, as
well as a qualitative coding process.
INTRODUCTION
Information is a resource that has strategic value to an organization, and exists in many forms – such as
written or printed documents, electronic files, microfilms and videotapes (Fung & Jordan, 2002).
Correct information is expected to support decision-making or to provide service at the appropriate time.
Therefore, the integrity of the information cannot be compromised, and data protection is vital, in order
for the users to be assured of their privacy and that the data meets the service provider’s integrity
requirements (Duri et al., 2004).
The management of sensitive information relating to their business ought to be very important to all
organizations (Rakers, 2010). Arai and Tanaka (2009) have highlighted the importance of avoiding
information leakage in a computer system’s handling of a company’s sensitive information – for
example, during migration of platforms. Sensitive information is regarded as any information which, if
leaked, can lead to the destruction of the person or the organization, and may include personal
information as well as the organization’s information (Nawafleh et al., 2013).
This paper is about the development of a framework to manage sensitive information during its
migration between software platforms. This research involves the development and validation of a
management framework for the migration of sensitive information during the migration of platforms by
using a sequential explanatory mixed methods case study approach.
The rest of the paper is organized as follows: the first section explains the background to the study. The
following section elucidates the research setting and methodology. The quantitative and qualitative data
findings are then presented. This is followed by the section on the management framework on migration
of platforms. Lastly, the discussion and conclusion of the research are presented.
BACKGROUND
The study concentrates on South African government departments and parastatals that have performed
software migrations. The main focus is the development and validation of a management framework that
can be used to protect and handle sensitive information during its migration between software platforms.
A good example of such platform migration is from Closed Source Software (CSS) to Open Source
Software (OSS) – also known as Free Open Source Software (FOSS).
In South Africa, examples of such platform migrations include, but are not limited to:
a) migrations from proprietary systems to open source systems conducted during the eNaTIS
migration by the Department of Transport (IT Web, 2007).
b) State Information Technology Agency (SITA) migration to FOSS (GITOC, 2003).
c) Presidential National Commission (PNC) migration to FOSS (PNC, 2007).
d) National Libraries of South Africa (NLSA) migration to FOSS (Novell Connection, 2009).
e) National Department of Arts and Culture migration to FOSS.
f) South African Department of Public Works migration to an open source asset management
system.
The following problems are envisioned during the migration of sensitive information across platforms:
a) there is the possibility of intruders trying to gain unauthorized access to the system during
such a migration process (Crossler et al., 2013).
b) viruses and intruders can also invade the system during the migration process (Huth et al., 2013).
c) data integrity needs to be maintained during the migration, and data corruption has to be
prevented (Huth et al., 2013).
d) information leakage (Ahmad et al., 2014; Garfinkel, 2014).
e) information theft (Von Solms & Van Niekerk, 2013).
f) identity theft (Kirda & Kruegel, 2005).
g) phishing is an online identity theft that aims to steal sensitive information e.g. passwords of
banking clients and client’s credit card information (Kirda & Kruegel, 2005).
h) stealing sensitive information – e.g. account details and cookies, and getting hacked during the
process (Gupta, 2010).
The view of these authors is that these problems could be proactively resolved, if an organization uses a
management framework on sensitive information during platform migrations to guide their migration
project implementation – hence the importance of this study.
RESEARCH SETTING AND METHODOLOGY
The focus of this paper is the development of a management framework to manage information
sensitivity during software migrations. The research was conducted in some South African government
departments and parastatals, located in Pretoria, South Africa, that had migrated from a proprietary
platform to an open source platform. Specifically, the migration from Closed Source System (CSS) to Open
Source System (OSS) is used to conceptualize the solution to the research problem.
Research Setting
Data is collected from the following organizations, namely State Information Technology Agency
(SITA); South African Revenue Services (SARS); Presidential National Commission (PNC); National
Libraries of South Africa; South African Department of Arts and Culture; South African Department of
Public Works; and South African Department of Social Development. These organizations have
performed platform migrations such as migration from a proprietary platform to an OSS platform. The
data is then subjected to quantitative and qualitative analysis, to conceptualize the final management
framework.
Research Methodologies
Research methods are techniques used for carrying out the research, while a methodology is the set of
methods in a research project. Methodology is a strategy of enquiry guiding a set of procedures, while
methods are techniques used in analyzing data to create knowledge (Denzin & Lincoln, 2000; Creswell,
2009; Petty et al., 2012). The case study methodology is used to carry out this research by using multiple
cases (data triangulation). The mixed methods approach is used in this research to enhance and validate
the management framework on information sensitivity. Mixed methods research has been defined by
Johnson and Onwuegbuzie (2004) as an approach requiring the researcher to combine the two paradigms
(quantitative and qualitative), methods, concepts or language. They argue that a mixed methods
approach draws upon the strengths and perspectives of each method by recognizing the existence and
importance of reality and influence of human experience.
Mixed methods research is defined by Tashakkori and Creswell (2007) as the collection and analysis of
data, and then integrating the findings by drawing inferences from quantitative and qualitative
approaches. Case study research is one of the ways of performing social science research, while
experiments, surveys, histories and the analysis of archival information are the others (Yin, 2009). Case
study research is conducted in an actual life situation by the researcher, and there is no distinction
between the research phenomenon and the real life context, especially when there is no difference
between phenomenon and context (Yin, 2009).
The case study research is used as the methodology in this research work, and it is carried out by using
the mixed methods approach. The use of multiple sources of evidence (data triangulation), as explained
by Yin (2003), is followed to conduct this research. The results from these cases are analyzed, using both
quantitative and qualitative data analysis to develop the management framework on information
sensitivity during the migration of platforms. The case study research is conducted in some South
African government departments and parastatals that have performed platform migrations.
Underlying Philosophical Paradigm
Research strategies in Information Systems (IS) differ in their underlying philosophical paradigms and
IS researchers are expected to understand the different paradigms underlying their research strategies
(Oates, 2006). IS philosophical paradigms include positivism, interpretivism, critical research and
pragmatism (Oates, 2006).
The underlying philosophical paradigm used by the researcher is pragmatism, which substantiates the
trustworthiness and dependability of the case study research. This is because both quantitative and
qualitative methods, in the form of a mixed methods research approach, are employed in this research.
Data Gathering
Data was gathered in the government organizations and agencies that are mentioned in the introductory
section. Data triangulation was used to collect the data, that is, data was collected from many different
sources, following Yin’s (2003) data triangulation methodology. A questionnaire was developed and
forwarded to 250 respondents in various government organizations and agencies. The author of this
thesis received 90 completed questionnaires. The responses were then collated using a spreadsheet, and
the data was imported into the JMP SAS software for data analysis.
The quantitative research questions were enhanced by the qualitative analysis, by using open-ended and
in-depth interviews to validate the preliminary management framework that resulted from the
quantitative analysis. The qualitative interviews were recorded on tapes, and were later transcribed.
Recording requires consent, and ethical clearance was obtained from the University of South Africa’s
ethics committee. The transcripts were subsequently imported into the NVIVO version 10 software, for
further qualitative analysis.
Data Analysis
Two types of data analysis were performed, namely quantitative data analysis and qualitative data
analysis, in order to validate the management framework. There was a pilot quantitative data analysis
(item analysis) performed to test the reliability of the questions posed in the questionnaire. During this
pilot quantitative data analysis, the questionnaire was validated by testing the reliability of the constructs
in the questionnaire using item analysis (Cronbach's alpha).
Twenty-five respondents completed the first version of the questionnaire, then the data was analyzed
using statistical techniques to validate the constructs and obtain the final questionnaire. The final
questionnaire was analyzed using statistical analysis, namely factor analysis, item analysis, and
reliability analysis. Factor analysis was used to identify the constructs in the measuring instrument,
while item analysis was used to test the reliability of the constructs in a measuring instrument (Tate,
2003; Wiid & Diggines, 2013).
There are two major types of factor analysis, namely (a) Exploratory Factor Analysis (EFA) and (b)
Confirmatory Factor Analysis (CFA) (Thompson, 1992; Kahn, 2006). The EFA is used to identify the
constructs in this research. The idea is to identify and eliminate the items that do not measure an
intended construct or measure multiple constructs that could be poor indicators of the desired construct
(Worthinton & Whittaker, 2006). After the pilot quantitative data analysis, the descriptive and
correlation analyses were performed.
During the qualitative data analysis, the audio tapes containing the interviews were transcribed and
analyzed using the NVIVO software. A bottom-up approach (content analysis) grounded in data was
used to develop the management framework on information sensitivity, inductively. The framework was
validated using open-ended and in-depth interviews with government organizations that have performed
platform migrations.
QUANTITATIVE DATA FINDINGS
This section covers the quantitative data findings in the study.
Biographical Data Distributions
The Biographical Data is the first component in the questionnaire, called component A. Some of the
Biographical Data Distributions in the research are explained below:
(i) Type/Nature of Respondent Employment
Figure 1 describes the type/nature of respondent employment. The majority of the respondents were
from three government organizations, namely SITA, South African Department of Public Works and
South African Department of Social Development.
[Bar chart. Categories: SITA; Presidential National Commission (PNC); South African Department of Public Works; National Libraries of South Africa; South African National Department of Arts and Culture; South African Department of Social Development. Bar values as extracted (order not recoverable): 22%, 22%, 22%, 16%, 9%, 9%.]
Figure 1. Type/Nature of respondent employment
(ii) Respondent’s Post Levels (IT Specialists)
Figure 2 shows the respondents’ post levels for the IT specialists. The figure shows that most of the
respondents fall into the developer and junior developer categories (49% and 28% respectively).
[Bar chart. Categories: IT senior manager; IT manager; Senior developer; Developer; Junior developer. Bar values as extracted (order not recoverable): 49%, 28%, 15%, 3%, 4%.]
Figure 2. Respondent Post Level (IT Specialists)
(iii) Respondents' Type of Work
Figure 3 depicts the respondents’ type of work in their organizations. It shows that most of the
respondents work at transferring and loading data/ETL migration and data security/IT security (21% and
34% respectively). This might mean that the majority of the IT respondents are from the data/IT security
domain.
[Bar chart. Categories: Creating sensitive data; ETL; Data security; Software developer; Database administrator; Storage administrator; IT security administrator. Bar values as extracted (order not recoverable): 34%, 21%, 13%, 9%, 8%, 10%, 4%.]
Figure 3. Respondents’ type of work
(iv) Respondents’ Awareness of Sensitive Data Management Policy
The respondents' awareness of a sensitive data management policy in organizations is depicted in Figure
4. It shows that most of the respondents are aware of a sensitive data management policy in
organizations (92%). This shows that there could be an awareness of a sensitive data management
policy, among the IT respondents.
Figure 4. Respondents’ Awareness of Sensitive Data Management Policy
(v) Respondents’ Participation on Platform Migration Projects
The respondents’ participation in platform migration projects is shown in Figure 5.
This figure reveals that most of the respondents have participated in migration projects (94%).
This might mean that most of the respondents have been part of migration projects, and their
contributions would be valuable in the research, due to their knowledge in this area.
Figure 5. Respondents’ Participation on Platform Migration Projects
Exploratory and Descriptive Statistics
(a) Exploratory Factor Analysis (EFA)
The original questionnaire is made up of four scales or components (B, C, D and E). Component B is
made up of three constructs: employee behavior (construct B1), employee training (construct B2), and
employee accountability (construct B3). Component C is made up of four constructs: organizational
strategy (construct C1), organizational policies and procedures (construct C2), organizational data
(construct C3), and organizational standards (construct C4). Component D is made up of five
constructs: data categories and business rules (construct D1), data classification system (construct D2),
data protection tools (construct D3), data sensitivity assessment (construct D4), and security models
(construct D5). Component E is made up of five constructs: data migration and planning (construct E1),
data migration process (construct E2), data migration tools (construct E3), data migration controls
(construct E4), and data migration monitoring (construct E5). The questions in each of these components
B, C, D and E are regrouped after the EFA has been performed on each of them. Table 1 illustrates the
grouping of questions in all the components of the questionnaire.
COMPONENT B         COMPONENT C               COMPONENT D               COMPONENT E
B1    B2    B3      C1    C2    C3    C4      D1    D2    D3    D4      E1    E2    E3    E4    E5
B1.1  B2.1  B3.1    C1.1  C2.1  C3.1  C4.1    D1.1  D2.1  D3.1  D4.1    E1.1  E2.1  E3.1  E4.1  E5.1
B1.2  B2.2  B3.2    C1.2  C2.2  C3.2  C4.2    D1.2  D2.2  D3.2  D4.2    E1.2  E2.2  E3.2  E4.2  E5.2
B1.3  B2.3  B3.3    C1.3  C2.3  C3.3  C4.3    D1.3  D2.3  D3.3  D4.3    E1.3  E2.3  E3.3  E4.3  E5.3
B1.4  B2.4  B3.4    C1.4  C2.4  C3.4  C4.4    D1.4  D2.4  D3.4  D4.4    E1.4  E2.4  E3.4  E4.4  E5.4
                                              D1.5        D3.5                E2.5
Table 1. Grouping of Questions in all the Components of the Questionnaire
Table 2 indicates how the questions were re-grouped in component B, after performing EFA on
Component B of the questionnaire, to ensure the validity of the identified constructs.
Factor 1        Factor 2        Factor 3
Question B1.1   Question B2.1   Question B1.3
Question B1.2   Question B2.4   Question B1.4
Question B3.1   Question B3.2   Question B2.2
                Question B3.4   Question B2.3
Table 2. Re-Grouping of Questions in Component B of the Questionnaire
Table 3 indicates how the questions were re-grouped in component C, after performing EFA on
component C of the questionnaire, to ensure the validity of the constructs.
Factor 1        Factor 2        Factor 3
Question C1.2   Question C1.4   Question C3.2
Question C1.3   Question C2.1   Question C3.4
Question C2.2   Question C2.3   Question C4.3
Question C3.1   Question C2.4
Question C3.3   Question C4.1
Question C4.2
Question C4.4
Table 3. Re-Grouping of Questions in Component C of the Questionnaire
Table 4 illustrates how the questions were re-grouped in component D, after performing an EFA on
component D of the questionnaire, to ensure the validity of the constructs.
Factor 1        Factor 2
Question D1.2   Question D1.1
Question D1.3   Question D2.1
Question D1.4   Question D5.1
Question D1.5   Question D5.2
Question D2.3   Question D5.3
Question D2.4   Question D5.4
Question D3.1
Question D3.2
Question D3.3
Question D3.4
Question D3.5
Question D4.1
Question D4.2
Question D4.3
Question D4.4
Table 4. Re-Grouping of Questions in Component D of the Questionnaire
Table 5 shows how the questions were re-grouped in component E, after performing the EFA on
Component E of the questionnaire, to ensure validity of the constructs.
Factor 1        Factor 2
Question E2.2   Question E1.1
Question E2.3   Question E1.2
Question E2.4   Question E1.3
Question E2.5   Question E1.4
Question E3.1   Question E4.2
Question E3.2
Question E3.3
Question E3.4
Question E4.1
Question E4.3
Question E4.4
Question E5.1
Question E5.2
Question E5.3
Question E5.4
Table 5. Re-Grouping of Questions in Component E of the Questionnaire
The new constructs and their descriptions, after the EFA was performed, are shown in Table 6.
Construct      Description
Construct 1    Awareness Accountability score or (Employee_awareness/information Handling/accountability)
Construct 2    Training handling or (Employee_course type/sensitivity classification)
Construct 3    Consequences of sensitive data or (Employee_Training/Info Non-protection consequences)
Construct 4    General data policies, etc. or (Organization_strategy/culture/communication/data)
Construct 5    Specific sensitive data policy or (Organization_data security Policy/sensitive info identification)
Construct 6    Access to sensitive data or (Data_access/controls/standards enforcement)
Construct 7    General data issues or (Employee_roles/Responsibilities)
Construct 8    Data security model or (Organization_security models)
Construct 9    General control etc. or (Monitor/control_tools/migration issues/risk assessment/migration duration/network bandwidth)
Construct 10   Migration planning or (Migration processes_application identification/time management/servers de-staging/source data Backup/data quality)
Table 6. New Constructs after EFA and their Descriptions
(b) Reliability Analysis
The results of the reliability analysis of the new constructs, obtained as a result of the exploratory factor
analysis on the original questionnaire, are presented in Table 7. Estimates of internal consistency, as
measured by Cronbach’s alpha, all exceeded 0.80, with the exception of three constructs that are less
than 0.70. This indicates good reliability for seven of the ten constructs.
Variables      Items                                                               Cronbach Alpha   Reliability
Construct 1    B1.1;B1.2;B3.1                                                      0.7033           Acceptable
Construct 2    B2.1;B2.4;B3.2;B3.4                                                 0.8443           Good
Construct 3    B1.3;B1.4;B2.2;B2.3                                                 0.6265           Acceptable
Construct 4    C1.2;C1.3;C2.2;C3.1;C4.2;C4.4                                       0.8922           Good
Construct 5    C1.4;C2.1;C2.3;C2.4;C4.1                                            0.8342           Good
Construct 6    C3.2;C3.4;C4.3                                                      0.7046           Acceptable
Construct 7    D1.2;D1.3;D1.4;D1.5;D2.4;D3.1;D3.2;D3.4;D3.5;D4.1;D4.2;D4.3;D4.4    0.9658           Good
Construct 8    D1.1;D2.1;D5.1;D5.3;D5.4                                            0.8630           Good
Construct 9    E2.2;E2.3;E2.4;E2.5;E3.1;E3.3;E3.4;E4.1;E4.3;E5.1;E5.2;E5.3;E5.4    0.9647           Good
Construct 10   E1.1;E1.2;E1.3;E1.4;E4.2                                            0.8975           Good
Table 7. Reliability Analysis Results of the New Constructs
(c) Means and Standard Deviations of new Constructs
The comparisons among the new constructs, with respect to the means and the standard deviations of the
new constructs, are shown in Table 8.
Construct      Mean   Std Dev
Construct 1    -      -
Construct 2    -      -
Construct 3    -      -
Construct 4    -      -
Construct 5    -      -
Construct 6    -      -
Construct 7    -      -
Construct 8    -      -
Construct 9    -      -
Construct 10   -      -
Table 8. Means and Standard Deviations of the new Constructs
The knowledge of the data that are collected is obtained from descriptive statistics – e.g. standard
deviations, mean values, and scatter plots. The new Construct 3 is the most important one, with a mean
of 4.66. Correlation analysis and predictive models are used to relate the quantity from a future activity
to an earlier process measurement (Runeson & Host, 2009).
(d) Correlations between the Constructs
Table 9 shows that the correlations of the paired constructs are mostly medium and strong.
Variable      by Variable   Correlation  Count  Lower 95%  Upper 95%  Signif Prob
Construct 2   Construct 1   -            -      -          -          -
Construct 3   Construct 1   -            -      -          -          -
Construct 3   Construct 2   -            -      -          -          -
Construct 4   Construct 1   -            -      -          -          -
Construct 4   Construct 2   -            -      -          -          -
Construct 4   Construct 3   -            -      -          -          -
Construct 5   Construct 1   -            -      -          -          -
Construct 5   Construct 2   -            -      -          -          -
Construct 5   Construct 3   -            -      -          -          -
Construct 5   Construct 4   -            -      -          -          -
Construct 6   Construct 1   -            -      -          -          -
Construct 6   Construct 2   -            -      -          -          -
Construct 6   Construct 3   -            -      -          -          -
Construct 6   Construct 4   -            -      -          -          -
Construct 6   Construct 5   -            -      -          -          -
Construct 7   Construct 1   -            -      -          -          -
Construct 7   Construct 2   -            -      -          -          -
Construct 7   Construct 3   -            -      -          -          -
Construct 7   Construct 4   -            -      -          -          -
Construct 7   Construct 5   -            -      -          -          -
Construct 7   Construct 6   -            -      -          -          -
Construct 8   Construct 1   -            -      -          -          -
Construct 8   Construct 2   -            -      -          -          -
Construct 8   Construct 3   -            -      -          -          -
Construct 8   Construct 4   -            -      -          -          -
Construct 8   Construct 5   -            -      -          -          -
Construct 8   Construct 6   -            -      -          -          -
Construct 8   Construct 7   -            -      -          -          -
Construct 9   Construct 1   -            -      -          -          -
Construct 9   Construct 2   -            -      -          -          -
Construct 9   Construct 3   -            -      -          -          -
Construct 9   Construct 4   -            -      -          -          -
Construct 9   Construct 5   -            -      -          -          -
Construct 9   Construct 6   -            -      -          -          -