Room 5 - Human Aspects in IS

ROOM 5

1. KINYA SHARON 20/00208
2. PESSY KAPERE 20/00184
3. SILAS GACHIE 19/06840
4. WOF OMBATI 19/02790
5. NAOMI KUVUNA 19/02508
6. JOHN KEEGAN 19/02474
7. JIMMY NDIRITU 19/02717
8. DENNIS ROTICH 19/02485
9. IAN MUZAI 19/02339
10. JEREMY KIBAARA 20/01015

1. Discuss the concept theories in Human Aspects of Information Security and
Forensics. [15 Marks]

All kinds of human factors can deeply affect the management of security in an organizational
context despite all security measures. But analyzing, modeling, quantifying and controlling
human factors is difficult because of their subjective and context-specific nature.

Social Cognitive Theory: A model on human behavior which argues that environmental
influences, personal factors, and behavior are determined reciprocally.
Socio-Technical Systems Theory: An approach that considers organizations as the combination
of both social and technical systems in order to increase productivity.

Distributed Cognition Theory: An approach which considers cognition as a distributed
phenomenon.

Grounded Theory: A systematic and qualitative methodology of developing theories based on
the systematically collected and analyzed data.

Self-Efficacy: People’s judgments of their capabilities to organize and execute courses of action
required to attain designated types of performances.

Computer Security Model: A multilayer model which shows the steps in computer security
including the measures and the next actions of the security abusers after being successful against
a security measure.

Activity Theory: An approach which proposes that human activity aims at accomplishing
certain outcomes through the help of artifacts and other resources.

General Deterrence Theory: A term adopted from the discipline of criminology, which is about
the disincentives and sanctions to prevent a criminal act in security.

2. Discuss the laws that affect Information and Communications Technology
[15 Marks]

a) Computer Misuse and Cybercrimes Act
b) Data Protection Act, 2019
c) Constitution of Kenya
d) Computer Fraud and Abuse Act
e) Cyber Intelligence Sharing and Protection Act (CISPA)

COMPUTER MISUSE AND CYBERCRIMES ACT (An Act of Parliament)

The Act provides for offences relating to computer systems.

The Act enables timely and effective detection, prohibition, prevention, response, investigation
and prosecution of computer and cybercrimes, and facilitates international co-operation in dealing
with computer and cybercrime matters and connected purposes.

Unauthorized access
A person who causes, whether temporarily or permanently, a computer system to perform a
function, by infringing security measures, with intent to gain access, and knowing such access is
unauthorized, commits an offence and is liable on conviction, to a fine not exceeding five million
shillings or to imprisonment for a term not exceeding three years, or to both.

Access with intent to commit further offence

A person who commits an offence under section 14 with intent to commit a further offence under
any law, or to facilitate the commission of a further offence by that person or any other person,
commits an offence and is liable, on conviction, to a fine not exceeding ten million shillings or to
imprisonment for a term not exceeding ten years, or to both.

Unauthorized interference
A person who intentionally and without authorization does any act which causes an unauthorized
interference, to a computer system, program or data, commits an offence and is liable on
conviction, to a fine not exceeding ten million shillings or to imprisonment for a term not
exceeding five years, or to both.

Child pornography
(1) A person who, intentionally -

(a) publishes child pornography through a computer system;

(b) produces child pornography for the purpose of its publication through a computer system;

(c) downloads, distributes, transmits, disseminates, circulates, delivers, exhibits, lends for gain,
exchanges, barters, sells or offers for sale, lets on hire or offers to let on hire, offers in another
way, or makes available in any way from a telecommunications apparatus pornography; or

(d) possesses child pornography in a computer system or on a computer data storage medium,

commits an offence and is liable, on conviction, to a fine not exceeding twenty million or to
imprisonment for a term not exceeding twenty-five years, or to both.

"child" means a person under the age of eighteen years

Computer fraud
(1) A person who, with fraudulent or dishonest intent -

(a) unlawfully gains;

(b) occasions unlawful loss to another person; or

(c) obtains an economic benefit for oneself or for another person,

through any of the means described in subsection (2), commits an offence and is liable, on
conviction, to a fine not exceeding twenty million shillings or to imprisonment for a term not
exceeding ten years, or to both.

Identity theft and impersonation

A person who fraudulently or dishonestly makes use of the electronic signature, password or any
other unique identification feature of any other person commits an offence and is liable, on
conviction, to a fine not exceeding two hundred thousand shillings or to imprisonment for a term
not exceeding three years or both.

Phishing
A person who creates or operates a website or sends a message through a computer system with
the intention to induce the user of a website or the recipient of the message to disclose personal
information for an unlawful purpose or to gain unauthorized access to a computer system,
commits an offence and is liable upon conviction to a fine not exceeding three hundred thousand
shillings or to imprisonment for a term not exceeding three years, or to both.

Cyber terrorism
A person who accesses or causes to be accessed a computer or computer system or network for
purposes of carrying out a terrorist act, commits an offence and shall on conviction, be liable to a
fine not exceeding five million shillings or to imprisonment for a term not exceeding ten years,
or to both.

Cyber harassment
(1) A person who, individually or with other persons, willfully communicates, either directly or
indirectly, with another person or anyone known to that person, commits an offence, if they
know or ought to know that their conduct -

(a) is likely to cause those persons' apprehension or fear of violence to them, or damage or loss
to that person's property; or

(b) detrimentally affects that person; or

(c) is in whole or part, of an indecent or grossly offensive nature and affects the person.

A person who commits an offence under subsection (1) is liable, on conviction, to a fine not
exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or to
both.

THE DATA PROTECTION ACT, 2019 (An Act of Parliament)

The Data Protection Bill was pending for almost four years. It seeks to provide for the
protection of personal information and thereby give effect to the constitutional right of a person
not to have information relating to their family or private affairs unnecessarily required or
revealed.

It embraces the principles of data protection, such as the necessity of collecting information, the
data subjects' right to access information about them, and the imposition of a duty to ensure that
information is accurate, updated and complete.

This Act gives effect to Article 31(c) and (d) of the Constitution and establishes the Office of the
Data Protection Commissioner. The Act makes provision for the regulation of the processing of
personal data, provides for the rights of data subjects and the obligations of data controllers and
processors, and for connected purposes.

Data Commissioner means the person appointed under section 6.

Data controller means a natural or legal person, public authority, agency or other body which,
alone or jointly with others, determines the purpose and means of processing of personal data.

Data processor means a natural or legal person, public authority, agency or other body which
processes personal data on behalf of the data controller.

REGISTRATION OF DATA CONTROLLERS AND DATA PROCESSORS

19. (1) A data controller or data processor required to register under section 18 shall apply to the
Data Commissioner, providing, among other details, any measures to indemnify the data subject
from unlawful use of data by the data processor or data controller, and any other details as may
be prescribed by the Data Commissioner.

(3) A data controller or data processor who knowingly supplies any false or misleading detail
under this sub-section commits an offence.

(4) A data controller or data processor shall collect, store or use personal data for a purpose
which is lawful, specific and explicitly defined.

REGISTRATION OF DATA CONTROLLERS AND DATA PROCESSORS

18. (1) Subject to sub-section (2), no person shall act as a data controller or data processor unless
registered with the Data Commissioner.

COMPLIANCE AND AUDIT

The Data Commissioner may carry out periodical audits of the processes and systems of the data
controllers or data processors to ensure compliance with this Act.

PRINCIPLES AND OBLIGATIONS OF PERSONAL DATA PROTECTION

25. Every data controller or data processor shall ensure that personal data is -

(a) processed in accordance with the right to privacy of the data subject;

(b) processed lawfully, fairly and in a transparent manner in relation to any data subject;

(c) collected for explicit, specified and legitimate purposes and not further processed in a manner
incompatible with those purposes;

(d) adequate, relevant, limited to what is necessary in relation to the purposes for which it is
processed;

(e) collected only where a valid explanation is provided whenever information relating to family
or private affairs is required;

(f) accurate and, where necessary, kept up to date, with every reasonable step being taken to
ensure that any inaccurate personal data is erased or rectified without delay;

(g) kept in a form which identifies the data subjects for no longer than is necessary for the
purposes for which it was collected; and

(h) not transferred outside Kenya, unless there is proof of adequate data protection safeguards or
consent from the data subject.

PROCESSING OF PERSONAL DATA RELATING TO A CHILD

33. (1) Every data controller or data processor shall not process personal data relating to a child
unless -

(a) consent is given by the child's parent or guardian; and


(b) the processing is in such a manner that protects and advances the rights and best interests of
the child.

(2) A data controller or data processor shall incorporate appropriate mechanisms for age
verification and consent in order to process personal data of a child.

OBJECTING TO PROCESSING
36. A data subject has a right to object to the processing of their personal data, unless the data
controller or data processor demonstrates compelling legitimate interest for the processing which
overrides the data subject's interests, or for the establishment, exercise or defense of a legal
claim.

COMMERCIAL USE
37. (1) A person shall not use, for commercial purposes, personal data obtained pursuant to the
provisions of this Act unless the person -

(a) has sought and obtained express consent from a data subject; or

(b) is authorized to do so under any written law and the data subject has been informed of such
use when collecting the data from the data subject.

RIGHT TO DATA PORTABILITY

38. (1) A data subject has the right to receive personal data concerning them in a structured,
commonly used and machine-readable format.

LIMITATION TO RETENTION OF PERSONAL DATA

39. (1) A data controller or data processor shall retain personal data only as long as may be
reasonably necessary to satisfy the purpose for which it is processed unless the retention is

(a) required or authorized by law;

(b) reasonably necessary for a lawful purpose;

(c) authorized or consented by the data subject; or

(d) for historical, statistical, journalistic, literature and art, or research purposes.

NOTIFICATION AND COMMUNICATION OF BREACH
43. (1) Where personal data has been accessed or acquired by an unauthorized person, and there
is a real risk of harm to the data subject whose personal data has been subjected to the
unauthorized access, a data controller shall -

(a) notify the Data Commissioner without delay, within seventy-two hours of becoming aware of
such breach; and

(b) subject to subsection (3), communicate to the data subject in writing within a reasonably
practical period, unless the identity of the data subject cannot be established.

POWER TO SEEK ASSISTANCE

59. For the purpose of gathering information or for any investigation under this Act, the Data
Commissioner may seek the assistance of such person or authority as they deem fit and as is
reasonably necessary to assist the Data Commissioner in the discharge of their functions.

POWER OF ENTRY AND SEARCH

60. The Data Commissioner, upon obtaining a warrant from a Court, may enter and search any
premises for the purpose of discharging any function or exercising any power under this Act.

OBSTRUCTION OF DATA COMMISSIONER

61. A person who, in relation to the exercise of a power conferred by section 9 -

(a) obstructs or impedes the Data Commissioner in the exercise of their powers;

(b) fails to provide assistance or information requested by the Data Commissioner;

(c) refuses to allow the Data Commissioner to enter any premises or to take any person with
them in the exercise of their functions; or

(d) gives to the Data Commissioner any information which is false or misleading in any material
aspect, commits an offence and is liable on conviction to a fine not exceeding five million
shillings or to imprisonment for a term not exceeding two years, or to both.

OFFENCES OF UNLAWFUL DISCLOSURE

72. (1) A data controller who, without lawful excuse, discloses personal data in any manner that
is incompatible with the purpose for which such data has been collected commits an offence.

(2) A data processor who, without lawful excuse, discloses personal data processed by the data
processor without the prior authority of the data controller commits an offence.

GENERAL PENALTY
73. (1) A person who commits an offence under this Act for which no specific penalty is
provided or who otherwise contravenes this Act shall, on conviction, be liable to a fine not
exceeding three million shillings or to an imprisonment term not exceeding ten years, or to both.

THE CONSTITUTION OF KENYA AND THE RIGHT TO PRIVACY

Privacy is a fundamental human right set forth in many international human rights documents. It
is central to the protection of human dignity and forms the basis of all democratic societies. It
also supports and strengthens other rights, such as freedom of expression, information and
association. Activities that limit the right to privacy, such as surveillance and censorship, can
only be justified when they are prescribed by law, are necessary to achieve legitimate goals, and
are proportionate to the goals pursued.

Article 2 of Kenya's Constitution states:

(5) The general rules of international law shall form part of the law of Kenya.

(6) Any treaty or convention ratified by Kenya shall form part of the law of Kenya under this
Constitution.

Domestic laws and regulations related to privacy

Article 31 of the Constitution of Kenya protects the right to privacy. It states:

Every person has the right to privacy, which includes the right not to have—

(a) their person, home or property searched;

(b) their possessions seized;

(c) information relating to their family or private affairs unnecessarily required or revealed; or

(d) the privacy of their communications infringed.

The 2009 Kenya Information and Communications Act includes the following provisions:

Article 31

A licensed telecommunication operator who, otherwise than in the course of his business—

(a) intercepts a message sent through a licensed telecommunication system; or

(b) discloses to any person the contents of a message intercepted under paragraph; or

(c) discloses to any person the contents of any statement or account specifying the
telecommunication services provided by means of that statement or account, commits an
offence and shall be liable on conviction to a fine not exceeding three hundred thousand
shillings or, to imprisonment for a term not exceeding three years, or to both.

Article 83

(1) Subject to subsection (3), any person who by any means knowingly—

(a) secures access to any computer system for the purpose of obtaining, directly or
indirectly, any computer service;
(b) intercepts or causes to be intercepted, directly or indirectly, any function of, or any data
within a computer system, shall commit an offence.

Article 93 (1)

No information with respect to any particular business which—

(a) has been obtained under or by virtue of the provisions of this Act; and

(b) relates to the private affairs of any individual or to any particular business, shall, during
the lifetime of that individual or so long as that business continues to be carried on be
disclosed by the Commission or by any other person without the consent of that individual
or the person for the time being carrying on that business.

Section 15 (1) of the Kenya Information and Communications (Consumer Protection)
Regulations, 2010, states that: "Subject to the provisions of the Act or any other written law, a
licensee shall not monitor, disclose or allow any person to monitor or disclose, the content of any
information of any subscriber transmitted through the licensed systems by listening, tapping,
storage, or other kinds of interception or surveillance of communications and related data."

COMPUTER FRAUD AND ABUSE ACT

This law makes it a crime to access and subsequently share protected information. It is very
useful where the government investigates cyber threats, ensuring the security of networks
against cyber-attacks, especially during information transmission between the government and
technology or manufacturing companies. The Act was passed in the late 1980s.

CYBER INTELLIGENCE SHARING AND PROTECTION ACT (CISPA)

Legislation regarding this Act was introduced in 2011. A basic definition of this Act is that it
concerns how to share information on potential cyber threats with the federal government (US).
