Paper Title
Bank Information Systems Vulnerability: The Case of Ethiopia

Abstract
Problem Statement: Today’s cyber security threats require organizations to continuously check their vulnerability. Information systems vulnerability assessment is identifying the cyber security weaknesses and gaps of information systems at the organization, a strategic decision for the organization. Extant literature informs us that making security vulnerability assessment a daily practice is a critical organizational strategy. This study assesses a bank in Ethiopia to identify its cyber security practices and proposes ways to improve information systems vulnerability and steps to make it a daily practice. Methods: A qualitative case study research method is applied. We collected data through interview and document analysis. Eight respondents were purposively selected based on their involvement in the organization’s vulnerability assessment. Thematic analysis technique is applied to analyze the data. Results: The result revealed cyber security vulnerability; weaknesses and gaps were identified in the case bank’s cyber security practices. A defined vulnerability assessment procedure was not found. Vulnerability gaps were identified in many of the bank processes including vulnerability assessment, risk assessment, remediation, verification, and monitoring. Conclusion: The study identified challenges including lack of personnel awareness and understanding about vulnerability assessment, lack of skilled professionals to analyze the vulnerabilities, negative perception of managers about the scan and remediation responsibilities, and lack of a predefined standard operating procedures. The study concludes by recommending strategies for an effective vulnerability assessment process at the bank. Keywords - Vulnerability, Vulnerability Assessment, Vulnerability Assessment Lifecycle, Information system security