A Cybersecurity Culture Framework for Grassroots Levels in Zimbabwe

Cybersecurity is a combination of technologies, processes and operations that are designed to protect information systems, computers, devices, programs, data and networks from internal or external threats, harm, damage, attacks or unauthorized access. 1 The research was purposed to develop a cybersecurity culture framework which ensures that grassroot users of cyberspace are secured from cyber threats. Literature review showed that in Zimbabwe, no research had attempted to come up with a cybersecurity culture framework for grassroot users of cyberspace. The research was guided by the interpretivist paradigm and employed a qualitative methodology. A descriptive research design was used to answer the research questions and unstructured interviews were done to ascertain the cybersecurity needs and challenges of grassroot users of cyberspace. A cybersecurity culture framework was then crafted based on the research findings. The researchers recommended that Zimbabwe should have a cybersecurity vision and strategy that cascades to the grassroot users of cyberspace. Furthermore, the education curricula should be revised so that it incorporates cybersecurity courses at primary and secondary school level. This will then ensure that ICT adoption is matched with cyber hygiene and responsible use of cyberspace.


Introduction Background
Cybersecurity is a combination of technologies, processes and operations that are designed to protect information systems, computers, devices, programs, data and networks from internal or external threats, harm, damage, attacks or unauthorized access. 2 The essence of cybersecurity is to consolidate the confidentiality, integrity, and availability of computing resources, networks, software programs, and data into a coherent collection of policies, technologies, processes, and techniques for the prevention of the occurrence of cyber-attacks. 3 The key cybersecurity applications are the detection of intrusion and malware. The Network Intrusion Detection Systems (NIDS) distinguishes between malicious users and the legitimate network users with a view to ascertain anomalous violation of security policies. 4 NIDS are categorized into two taxonomies, anomaly detectors and misuse network detectors. According to Bloice and Holzinger, 5 the components in Intrusion Detection and Prevention Systems (IDPSs) can be sensors or agents, servers, and consoles for network management. Hackers are now able to devise innovative ways of breaking into network systems secured by firewall, encryption, antivirus software, secure protocols, etc.
The attitudes, assumptions, behaviour, beliefs, values and knowledge exhibited by people during their interaction with the information assets is what constitutes the cybersecurity culture. 6 According to Malyuk and Miloslavskaya 7 and United Nations, 8 the solution of emerging cyber security challenges will not be rectified by government or law enforcement bodies alone but in conjunction with society. A strong cybersecurity culture influences the security behaviour and mindsets of people, and will stand as a human firewall against threats without coercion. 9 Currently, there is a general lack of knowledge and information on cybersecurity matters in Africa. 8 The establishment of a cybersecurity culture is an essential approach to cybersecurity. 10 Cybersecurity legal frameworks to fight cybercrime are still being developed and in their infancy. Twenty-one countries in Africa have Data Protection Legislations of which 13 have both Data and Cyber Security Legislation. Zimbabwe is one of the African countries that has a provision for a Data Protection Authority together with the Cape Verde, Equatorial Guinea, Ghana, Lesotho, Malawi, Mauritius and South Africa. By April 2016, 11 countries notably, Botswana, Cameroon, Côte d'Ivoire, Ghana, Mauritania, Mauritius, Nigeria, Senegal, Tanzania, Uganda and Zambia seemed to have basic substantive and procedural law provisions in place. Substantive and procedural law provisions are partially in place in only 12 African countries namely Algeria, Benin, Gambia, Kenya, Madagascar, Morocco, Mozambique, Rwanda, South Africa, Sudan, Tunisia and Zimbabwe. Sadly, the majority of African countries are still yet to put in place in full force specific legal provisions on electronic evidence and cybercrime.

Statement of The Problem
The greatest risk of cyber-attacks has increased phenomenally due to the astronomical increase in internet-connected systems. 3 The gross limitations of firewall protection against external threats have proved their inadequacy. The rapid development of computing and digital technologies has necessitated the need to revamp cyber defense strategies for most organizations. Consequently, there is an imperative for security network administrators to be more flexible, adaptable, and provide robust cyber defense systems in real-time detection of cyber threats. Progress in the ICT industry in Zimbabwe is hampered by the lack of a framework which provides direction, focus, guidance and a standardised way of addressing cybersecurity. As an integral part of the development into information societies, the protection of valuable information, infrastructure and individuals from cyber-attacks has become of primordial importance in countries like Zimbabwe. What is required under the circumstances to prevent cyber-attacks in Zimbabwe is a cybersecurity culture framework.

Purpose of Study
T h e r e s e a r c h w a s p u r p o s e d t o d e v e l o p a cybersecurity culture framework which ensures that grassroot users of cyberspace are secured from cyber threats.

Research Objectives
The research objectives were to: Ascertain the cybersecurity challenges being faced in Zimbabwe b) Investigate cybersecurity needs of grassroot users of cyberspace in Zimbabwe c) Develop a cybersecurity culture framework for grassroots users of cyberspace in Zimbabwe

Research Questions
The main research question was: How is a cybersecurity culture framework developed to thwart the cybersecurity risks for the grassroot users of cyberspace in Zimbabwe?
The sub questions were: a) What are the cybersecurity challenges being faced in Zimbabwe? b) How can the cybersecurity needs of grassroot users of cyberspace in Zimbabwe be met? c) How can a cybersecurity culture framework be developed for grassroot users of cyberspace in Zimbabwe?

Literature Review Internet of Things (IoT)
The era of the Internet of Things (IoT) generates huge volumes of data collected from various heteregenous sources which may include mobile devices, sensors and social media. The Internet of Things (IoT) involves the interconnection among the interconnected devices. The transmission method can be wired or wireless depending on the devices. 11 The exponential rise of the IoT support the fact that cyberspace is growing at an exponential rate and will continue to grow with no sign of slowing down. Secure consumption of cyberspace is contingent upon the cultivation of a cybersecurity culture. 12 Hackers are now targeting the Internet of Things (IoT). 13 Due to the advances in IoT, the technological integration and collaboration is envisaged to increase in complexity which precipitates cybersecurity risk. 14 Interconnectivity of people, devices and organizations in this digital era unveils access points where cyber criminals can get in. The cloud also presents a good chance for Internet of Things to flourish but security is always an issue. The use of the internet via smartphones and tablets has presented accessibility of organizations' data anywhere anytime. The number of Internet of Things (IoT) devices is increasing phenomenally as we use these IoT devices daily on the network. 15 The Internet of Things (IoT) industry was projected in 2015 to grow to a worthiness of $US19 trillion by 2020 globally 16 Figure 1 below shows an upward growth trend in the number of Internet of Things (IoT) from the year 2015 to 2025. According to SANS, 17 the number of Internet of Things (IoT) devices is anticipated to quintuple within a period of 10 years from 2015 to 2020. The growth in Big Data and Cloud Computing industries also presents great chances for the Internet of Things (IoT) industry to flourish. However, cybersecurity risk continues to be a key challenge with the advent of IoT. Hackers are likely to penetrate an organization's network through the IoT devices 18 or through the cloud environment which the Internet of Things (IoT) devices heavily rely on. 19 The cybersecurity risk of IoT devices together with the users is high and its importance is of great significance. 15

Advances in Cloud Computing
Cloud computing entails the provision of internet services through a hired software operating on a hired hardware provided through someone else's data center. 20 Cloud Computing is the provision of computing as an on-demand, pay-as-you-go service availed in the form of virtualized distributed processing, storage, and software resources and a service. The NIST Cloud computing framework states that cloud computing is made up of five essential characteristics, three service models and four deployment models, 21 as shown on Figure 2. The five (5) essential characteristics of Cloud Computing are briefly explained follows:

Fig. 2: Cloud Computing service and deployment models
On-Demand Self-Service A consumer can unilaterally provision computing capabilities such as server time and network storage as needed automatically, without requiring human interaction with a service provider.

Broad Network Access
Heterogeneous client platforms available over the network come with numerous capabilities that enable provision of network access.

Resource Pooling
Computing resources are pooled together in a multi-tenant model depending on the consumer demand in a location independent manner.

Rapid Elasticity
This is the rapid and elastic provisioning or purchase of unlimited capabilities to quickly scale out; and rapidly released to quickly scale in.

Measured Service
Cloud computing systems can be automatically controlled and optimized with a transparent metering capability at some level of abstraction appropriate to the type of service.
Cloud computing has many benefits for the organizations and these include cost savings, scalability, anytime anywhere access, use of latest  The cloud computing market was projected by KPMG 19 to grow 4 times between 2015 and 2020 as depicted Figure 3 above with the associated business growth rising from US73 billion to US270 billion, respectively. The situation is exacerbated by cybercriminals who use the cloud services as warehouses to store their malicious software and as launchpads for Denial of Service (DOS) attacks. 18

National Institute of Standards and Technology (NIST) Cybersecurity Framework
According to National Institute of Standards and Technology. 24 the NIST Cybersecurity framework was developed with the sole purpose to curb cyber risk and improve security to the critical infrastructure. The NIST Cybersecurity framework is premised on Control Objectives for Information and Related Technologies (COBIT), International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC). Since different organizations face different cybersecurity risks, this framework is not a one size fits all framework.
The framework comprises the framework core, implementation tiers and the framework profile. The five sub-components of the NIST framework are shown below on Figure 4.
The framework core comprises a set of cybersecurity activities, references and desired outcomes applicable and common across all sectors. According to Alcaraz and Zeadally, 25 critical infrastructure is made up of assets and systems which can be either virtual or physical that are of great importance to a nation. 1

General Deterrence Theory (Gdt)
The General Deterrence Theory posits that the use of counter means such as strong deterrents and penalties can dissuade the occurrence of cyberattacks and other crooked self-centered activities 26 In order to eliminate the threats and mitigate against cyber risks, counter measures can be adopted that include training and education, backups and disaster recovery. With deterrence activities, activities that counteract criminal abuse of cyberspace can be embarked on. 27 The main components of the General Deterrence Theory are Deterrence, Prevention, Detection and Remedy as illustrated in Figure 5 below. 27 The General Deterrence Theory unpacks the risk management approach to cybersecurity which provides a technical blueprint that ensures that grassroot users of cyberspace are shielded against cyber-attacks.

Game Theory
Game theory presents multi-person decision scenarios as games where each player opts for actions that result in the best possible rewards for self. A game presents a narrative of the strategic reciprocal actions between opponents but with no specific actions taken. 28 The dispute between the cyber attackers and the cyber victims with regards to decision strategies is adequately handled by Game theory.In this research this theory helped in the provision of the strategic direction in the allocation of resources and the technical measures for the dynamic cybersecurity ecosystem.
Developing countries are facing the following cybersecurity challenges:

Cryptography
Data is valuable and needs to be protected. There is need to protect data from unauthorised personal within an organisation, or from external parties with malicious intentions. Encryption or cryptography preserves electronic data in protected formats that restrict access only to the intended users. This method of protecting data is defined as follows: '

Significance of Cryptography
The central focus of cryptography in computer technology is on are Authentication, Integrity and Confidentiality.
Authentication refers to correctly identifying a user of a system before they are granted access, Authentication is the process by which a user establishes his identity to a system or application. 37 Hitachi categorises authentication into three forms. 38 • Something the user knows, i.e., a secret, such as a password, PIN or the answer to a security question.

•
Something the user has, such as a one-time password token, smart card or mobile phone.

•
Something the user is, meaning a biometric measurement of the user --his voice print, finger print, vein pattern scan, iris or retina scan or some behaviour, such as his typing cadence Integrity, in the context of computer systems, refers to methods of ensuring that data is real, accurate and safeguarded from unauthorized user modification39. This gives users confidence that they are dealing with authentic system developers or owners.
Confidentiality means that 'you can keep your information secret especially when you send sensitive data over a network'40. Cryptography addresses the quest for preserving your online transactions, personal data, or any other secret information.

Applications of Cryptography
Cryptography is applied in many areas of computer technology including the use of cryptography in the creation of virtual money, called crypto-currency.
Crypto-currency has a very high to keep this money secure on the various platforms.

Conceptual Framework
A conceptual framework helps the researcher in the identification and crafting of his/her world view on the phenomenon under investigation 44 and reflects the thoughts around the entire research process. 44 It can be viewed as a researcher's idea on how to explore the research problem. It is hinged on the concepts which are the key variables in a study and is specific and it narrows down to ideas that are used by the researcher. 46 It helps in the clarification of concepts and in the proposition of relationships among concepts in a study. 47 In this research, the researchers used the conceptual framework that is depicted in Figure 6 below.

Fig. 6: Conceptual framework
In order to come up with a cybersecurity culture framework, the researchers took into account the following factors: Requirements of a cybersecurity framework • Cybersecurity challenges being faced faced by grassroot users of cyberspace • Cybersecurity needs of grassroot users of cyberspace

Research Methodology
A research paradigm is way of thinking philosophically or a world view that enlightens the meaning or interpretation of research data. 48 It also gives a reflection of the researcher's opinions or beliefs about the world that s/he exists in or want to exist in. The research paradigm is a conceptual lens through which the researcher scans the methodological facets of their research to decide on the research methods that will be used and how the data will be analysed. 48 Epistemology has a main focus on the theory of knowledge. 49 Epistemology helps the researcher in the establishment of the faith that s/he puts in his/ her data. 48 Ontology as a division of philosophy deals with the assumptions that are put in place in order to believe that something is real or makes sense.  48 add that an ontology provides an understanding of the things that constitute the world as it is known. A methodology is an umbrella term used to cover research methods, research design and procedures used in a planned investigation to find out something.
Axiology refers to the ethical issues worthy of consideration when doing research. 48 The research used the Interpretivist Paradigm, whose components are shown on Table 1 below and the justification given. According to Mohajan, 51 research methodology can also be viewed as a procedural or step by step outline or framework within which research is done.
In this research, a qualitative research methodology was used in order to fulfil the objectives of this study. The Interpretivist paradigm guided the choice of the qualitative research methodology that sought to understand the thought process of respondents in a certain context and generate new concepts or theories. This study was purposed to develop a cybersecurity culture framework to cushions grassroot users from cyber risks. The framework that this research sought to come up with had to be informed by grassroot users of cyberspace hence the contextual nature of this research demanded a qualitative methodology as underpinned by the interpretivist philosophy.
The research sought to dig deep and bring fourth the complicated cybersecurity aspects within a rural setting and a case study is the best approach. A case study was done for a rural community in Murewa District in Mashonaland East in Zimbabwe.
Depending on the nature of the research objectives, research designs can be combined in a single study. 49 In this research a descriptive research design was used to answer the research questions. According to Kothari 52 and Nassaji 53 , descriptive designis a study designed to describe the participants and the phenomenon to be studied in an exact way.
Other data collection methods used include interviews, questionnaires and visual records. 49 The 'what' nature of the objectives could only be addressed through a descriptive research design which sought to find out answers as things happened in a natural setup hence the use of the descriptive research design in this research.
Research methods are the techniques or procedures or methods used to conduct research. 49,52 According to Kothari 52 , these research methods fall the categories that include data collection methods; statistical techniques used in the establishment of relationships between variables; and methods to evaluate accuracy of research findings. Research methods are a part of the research methodology. 52 Data was collected from the respondents namely through interviews, observations, questionnaires and focus groups.
In this research, unstructured interviews were done in order to ascertain the cybersecurity needs as well as the challenges that grassroot users of cyberspace face. There was great need for preparation of questions based on the different age groups of respondents, hence the need for flexibility in wording and the way issues were clarified to them.
In order to counteract weaknesses in the questionnaire, interviews were also used. Furthermore, the observation technique was used so as to achieve the following: • double-check information provided by respondents through other means such as interviews and questionnaires and compare it with that which will be observed and note consistencies and inconsistencies • get fresh insights or even discover new things that respondents may not wish to reveal in interviews or will not think of mentioning because they think they are not relevant • get an understanding of the challenges and needs of the grassroot users of cyberspace as they actually use their internet devices.
Questionnaires were used to support interview obtained data to widen the scope of data collection.
Both close ended and open ended questions were used. These questionnaires were made to be interactive and written in clear and simple English so that respondents could understand and respond accordingly.
Murewa district in the Mashonaland East Province of Zimbabwe was chosen for this study. The target population comprised of teachers, pupils and parents or guardians who stay in the rural areas of Murewa. A sample size is the number of respondents from which the researcher gets the required information. 54 In this research, non-probability sampling techniques were used.Triangulation was used in this research in order to ensure validity and reliability of findings so as to build a complete picture from the research findings. This was achieved by analysing data collected through interviews, questionnaires and observations and themes were built.

Results and Analysis
A total of 270 respondents participated in this research from which a total of 31 interviews were conducted and 239 questionnaires were answered. Table 2 below shows the response rates obtained from the study.

Fig. 7: Research participant categories
The composition of respondents that took part in the research is shown on Figure 7.
A total 270 participants took part in the research. There were more female primary and secondary school student participants than males due to the fact that there is normally more female enrolments than their male counterparts. More male polytechnic students participated in the research than their female counterparts because generally more males tend to take up science related courses. The participants grouping by gender is shown on Figure 8.
some links that popped whilst they were surfing the internet.

Limited Cybersecurity Courses in the Education Curricula
Some participants from the education fraternity highlighted that the Zimbabwean education system had limited or zero courses on cybersecurity at primary or secondary level and yet the persons who fall in these age groups frequently use the cyberspace and are exposed to cyber risks.

Difficulties in Prosecuting Cybercriminals
Participants indicated that tracking the perpetrators of cybercrime and bringing them to book was a challenge. They felt that the police was not well equipped and knowledgeable enough to handle cybersecurity cases and victims.

Exposure to Pornography
Participants also revealed that unnecessary pop ups of pornographic disturbed smooth internet surfing and lured the users into visiting more pornographic websites.

Limited Research on Cybersecurity
Respondents also pointed out that research in cybersecurity is still in its infancy in Zimbabwe and to some extent this is attributed to lack of proper ICT equipment that necessitates a practical cybersecurity research approach.

Cybersecurity Skills Gap
A cybersecurity skills gap in Zimbabwe was also identified as one of the biggest challenges as there is only a few people pursuing information security or cybersecurity as a course or career. Brain drain was also identified a major contributing factor to this cybersecurity skills gap.

Fake News
Fake news was also highlighted as a challenge as it was causing unnecessary panic, destruction of property, marriage breakdowns as well as defamation of character amongst citizens.

Lack of Ministerial Role Clarity on Cybersecurity Issues
Some respondents highlighted that in Zimbabwe, there is a lack of ministerial role clarity on cybersecurity matters.

Fig. 8: Participant grouping by gender
The findings from this research were summarised according to the themes from the research objectives.

Cybersecurity Challenges Being Faced By Grassroot Users of Cyberspace In Zimbabwe
A detailed summary of the cybersecurity challenges being faced by grassroot users of cyberspace is given below:

Poor and Unreliable Internet Connectivity
Internet connectivity was found to be one of the biggest challenges being faced by respondents. It affected the surfing of the internet for purposes of doing research as well as online

Identity Theft
Respondents indicated that they had their personal and credit card details stolen through their emails by people they do not know. Some even lost huge sums of money in the process.

Poor Customer Service from Internet Service Providers
Participants underlined the poor customer service from internet service providers in the event of service disruption.

No Proper Policies and Regulations To Counter Cyber Threats
Participants also indicated that there were no welldeveloped policies and regulations to counter cyber attacks.

High Internet /Data Charges
High cost of the internet or data was also a major hindrance in accessing cyberspace.

Shortage of Ict Teachers Who Can Teach Cybersecurity
Some school heads indicated that the biggest challenge they were facing was that of lack of skilled ICT staff who could teach Computer Studies and cybersecurity.

Lack of Cyber Security Capacity Building for Teachers
Some rural school teachers complained of the lack of ICT and cybersecurity capacity building initiatives such as workshops and trainings to keep them a breast with the changing technology space.

Lack of Supporting Infrastructure
Participants reiterated the fact that several computerization programmes had been launched in many rural schools but had not been equally matched with electrification initiatives such that the computers remained idle due to lack of electricity infrastructure.

Limited Understanding of Ict and Cybersecurity Issues
The researcher noted that most participants were not well conversant with issues to do with ICTs in general and cybersecurity was a big word to them.

Cybersecurity Needs of Grassroot Users of Cyberspace in Zimbabwe
The following is a summary of the findings on the cybersecurity needs of grassroot users of cyberspace in Zimbabwe.

Cybersecurity Technical Measures
Participants highlighted the need for adoption of technical measures that are implementable in the Zimbabwean environment. These range from internet and social media policies, backups, antiviruses, access controls as well as other physical and logical security measures.

Cybersecurity Awareness
Cybersecurity awareness programmes were identified as an important need for grassroot users of cyberspace as they promote thoroughness and cautiousness in the conduct of cyber activities in the cyberspace.

Cybersecurity Skills Training
Respondents indicated that cybersecurity skills gaps should be addressed in order to reduce errors that may lead to cyber breaches and compromised security.

Cybersecurity Education
Participants reiterated the fact that there is need for the introduction of mandatory cybersecurity courses at certificate, diploma and degree levels. As for non-graduates, the courses could be introduced at primary and secondary level.

Cybersecurity Training for Law Enforcement Agencies
Respondents pointed out that the Zimbabwean law enforcement agencies need to be equipped through cybersecurity training and education in order to handle cybercrime cases.

Physical Security of Ict Equipment
Participants from schools revealed that strong physical security of ICT equipment was required because vandalism and theft of computers and computer accessories was quite rampant in some primary and secondary schools in Murewa.

Payment Systems
Respondents pointed out that the Government of Zimbabwe should chip in provision of a national payment system that can guarantee availability, dependability and reliability of services of national significance at better service charges.

Improved Payment Service Availability
Respondents revealed the need for online and offline transaction facilities to be made available at all times to ensure service availability even in instances where the network is down.

Cybersecurity legislation
Cybersecurity legislation needs to be instituted as a way of tackling some of the cybersecurity challenges being faced in Zimbabwe.

Special Call Centre for Reporting Cybercrimes
Some respondents pointed out the need for a dedicated cybersecurity call centre where cyber incidents could be reported and relevant assistance offered to those in need.

Cybersecurity Knowledge Sharing
Knowledge sharing particularly on issues to do with cybersecurity was also identified as a need by participants.

Requirements of A Cybersecurity Culture Framework
This section will summarise findings on the requirements of a cybersecurity culture framework

Shared Cybersecurity Vision and Communication Strategy
ICT experts reiterated the need for the crafting of a cybersecurity vision supported by an effective communication strategy as a means of aligning all the citizens to a cybersecurity strategy. The nation's leadership has to drive the vision and strategy through effective communication to every citizen and everyone should be made to understand it and make them realize their positions in the cybersecurity ecosystem.

Stakeholder Engagement
Respondents highlighted the need for stakeholder involvement in coming up with a clear cybersecurity vision and strategy that is also implementable in the Zimbabwean grassroot environment. It should be shared by every Zimbabwean and not only by a minority group of individuals and organizations.
In that regard, grassroot user consultations are key in coming up with cybersecurity solutions that address their cybersecurity needs.

Cybersecurity legislation
Participants revealed that cybersecurity is central in the safety of the public, prosperity of the economy and also the security of government. In that regard, enactment of laws that guide the reporting of cyber breaches and how the criminals will be dealt with is very important so as to effectively apply the law when a crime has been committed.

Cybersecurity Education and Awareness
Respondents indicated that empowerment through education in cybersecurity is an important ingredient in the making of a cybersecurity culture framework. This will go a long way in fostering awareness and instilling a culture of cybersecurity.

Cybersecurity Researchand Development
Participants pointed out that research and development in cybersecurity should be well supported and funded by the Government of Zimbabwe so as to stimulate research in the field of cybersecurity.

Cybersecurity Emergency Readiness
Respondents revealed that emergency readiness is a key pillar in a cybersecurity framework

Local and International Cooperation
The need for local and international cooperation on cybersecurity issues was also unveiled by respondents as a key element of a cybersecurity framework.

Existing Cybersecurity Frameworks In Use
The research unveiled some of the cybersecurity frameworks that are in use across the globe. These include the following:

Proposed Cybersecurity Culture Framework for Grassroot Users of Cyberspace in Zimbabwe
A cybersecurity culture framework for grassroot users of cyberspace was then crafted based on the research findings as shown in Figure 9 below. It is made up of five pillars which are: • Shared National Cybersecurity Vision and Strategy • ICTs and Related Infrastructure • Cybersecurity Legislation • Education and Awareness • Technology framework and skills These pillars should be subjected to a process of continuous review and alignment in line with the changing technology and cyber threat landscape.

Shared National Cybersecurity Vision and Strategy
Zimbabwe has to have a cybersecurity vision and strategy that should also cascade to the grassroot users of cyberspace. The national cybersecurity strategy should set clear, top-bottom direction to institute and develop cybersecurity for the government, organizations, and citizens at large.

Ict and Related Infrastructure
ICT and Related Infrastructure such as base stations and electricity are very important as they help to shape the communication landscape that facilitates access to cyberspace. Without provision of infrastructure, it is difficult to cultivate a culture of cybersecurity due to limited access to information and rollout of education and awareness programmes.

Cybersecurity Legislation
Cybersecurity laws should be enacted so as to pave way for the prosecution of cybercriminals and to prevent and deter cybercrime. These laws should be flexible and giving room for continuous review and alignment in line with the prevailing technology and cyber threat landscape.

Education and Awareness
The grassroot users of cyberspace have to be educated and made aware of cyberspace, cyber risk and cybersecurity. This education should be introduced in early stages of schooling such as at primary school level so that the culture of cybersecurity can be inculcated earlier.

Technology Framework and Skills
Technology skills to administer cybersecurity technologies and impart cybersecurity skills are extremely important. Cybersecurity controls, products and systems should be put in place to also help in the cushioning of the people against cyber-attacks. Cyber emergency readiness and prevention should be enacted through the setting up of CERTs at government and sectorial levels.

Conclusions of the Key Findings
The following conclusions were drawn from the research findings:

Research Contributions
This study came up with a Cybersecurity culture framework for grassroot users of cyberspace in Zimbabwe. It is the first research of its type to be carried out in the context of ICT4D in Zimbabwe. Literature review showed that in Zimbabwe, no research had attempted to come up with a cybersecurity culture framework for grassroot users of cyberspace. This study, therefore, is expected to stimulate debate on the new knowledge generated. However, the pillars presented in the framework may need to be elaborated further by more research studies.

Areas of Future Research
The field of cybersecurity is still fairly new and as such presents a fertile ground for research particularly in developing countries like Zimbabwe. Internet adoption and usage is still growing and as such, a lot has to be done to ensure that cybersecurity issues are also taken on board.
In that regard, the researcher feels that more cybersecurity frameworks can also be crafted in the following areas to cushion various users against cyber-attacks: • Cybersecurity framework for local government particularly for urban and rural municipalities in Zimbabwe. • Cybersecurity framework for the health services sector • Cybersecurity framework for Small to Medium Enterprises or the informal sector in Zimbabwe.

Integrative Conclusion
According to the International Telecommunications Union, 9 the creation of a cybersecurity culture is an essential approach to cybersecurity. The research was purposed to develop a cybersecurity framework that supports a cybersecurity culture to prevent cyber-attacks in Zimbabwe. The research objectives were to: a) Ascertain the cybersecurity challenges being faced in Zimbabwe b) Investigate cybersecurity needs of grassroot users of cyberspace in Zimbabwe c)Develop a cybersecurity culture framework for grassroots users of cyberspace in Zimbabwe. The researchers used the conceptual framework to come up with a cybersecurity culture framework cognisant of Cybersecurity issues, Cybersecurity culture, Requirements of a cybersecurity framework, Cybersecurity challenges being faced faced by grassroot users of cyberspace, and Cybersecurity needs of grassroot users of cyberspace.
In this research, in order to come up with a cybersecurity framework for grassroot users of cyberspace in Zimbabwe, it was critical to study respondents in detail within their rural context in order derive concepts that will be input to the framework. In this research, a qualitative research methodology was used in order to fulfil the objectives of this study. The framework that this research came up with had to be informed by grassroot users of cyberspace hence the contextual nature of the research problem demanded a qualitative methodology as underpinned by the interpretivist philosophy. A descriptive research design was used to answer the research questions and unstructured interviews were done in order to ascertain the cybersecurity needs as well as the challenges that grassroot users of cyberspace face. The observation technique was also used so as to achieve the following: • double-check information provided by respondents through other means such as interviews and questionnaires and compare it with that which will be observed and note consistencies and inconsistencies get fresh insights or even discover new things that respondents may not wish to reveal in interviews or will not think of mentioning because they think they are not relevant. • get an understanding of the challenges and needs of the grassroot users of cyberspace as they actually use their internet devices.
The findings from this research were summarised according to the themes from the research objectives.
The key challenges to progress on Cybersecurity include limited research on cybersecurity.
Respondents also pointed out that research in cybersecurity is still in its infancy in Zimbabwe and to some extent this is attributed to lack of proper ICT equipment that necessitates a practical cybersecurity research approach. There is a Cybersecurity skills gap in Zimbabwe as one of the biggest challenges as there is only a few people pursuing information security or cybersecurity as a course or career. However, specific Cybersecurity needs of grassroot users of cyberspace in Zimbabwe were identified and these include Cybersecurity education where participants reiterated the fact that there is need for the introduction of mandatory cybersecurity courses at certificate, diploma and degree levels.
Other needs include Cybersecurity legislation which needs to be instituted as a way of tackling some of the cybersecurity challenges being faced in Zimbabwe.
Respondents indicated that empowerment through education in cybersecurity is an important ingredient in the making of a cybersecurity culture framework. With regards to Cybersecurity research and development, participants pointed out that research and development in cybersecurity should be well supported and funded by the Government of Zimbabwe so as to stimulate research in the field of cybersecurity. A cybersecurity culture framework for grassroot users of cyberspace was then crafted based on the research findings. Zimbabwe has to have a cybersecurity vision and strategy that should also cascade to the grassroot users of cyberspace. Furthermore, the education curricula should be revisited so that it incorporates cybersecurity courses at primary and secondary school level so that ICT adoption can be matched with cyber hygiene and responsible use of cyberspace.
With regards to research contributions, this study came up with a Cybersecurity culture framework for grassroot users of cyberspace in Zimbabwe. Literature review showed that in Zimbabwe, no research had attempted to come up with a cybersecurity culture framework for grassroot users of cyberspace.