International Journal of Hybrid Information Technology Vol. 9, No.11 (2016), pp. 99-126 http://dx.doi.org/10.14257/ijhit.2016.9.11.10 ISSN: 1738-9968 IJHIT Copyright © 2016 SERSC Business Continuity Management & Disaster Recovery Capabilities in Saudi Arabia ICT Businesses Thamer Al Hamed and Mamdouh Alenezi College of Computer and Information Sciences, Prince Sultan University, Riyadh 11586, Saudi Arabia thamer.alhamed@gmail.com, malenezi@psu.edu.sa Abstract A sustainable business continuity management plan (BCM) is developed to adapt and respond to the current complex and dynamic business environment, while simultaneously accommodating the key system transformations. As an integral part of BCM, business preparedness reduces the impact of a disruption to employees, productivity and profitability. Additionally, BCM and disaster recovery helps service providers and owners of critical infrastructure, such as telecommunication networks and digitized energy utilities to resume operation within the shortest time in the event that a disaster strikes. The central drive of this extensive research is developing a maturity model for BCM/DR for measuring the capability of BCM and disaster recovery for the Kingdom of Saudi Arabia (KSA) companies. A qualitative research scheme, marked by an open-structured interview was adopted to explore the core aspect of the research topic. A customized maturity model for the KSA ICT sector was developed by analyzing the existing model and then validating the developed maturity model against the predefined objectives. The research demonstrated that the establishment of a standardized maturity model for BCM/DR as capability instrument for the ICT segment is valuable to address the gap in KSA organizations as they assess the competences of their BCM/DR programs or processes. Keywords: Business Continuity Management, Disaster Recovery, Maturity Model, ICT Sector 1. Introduction Organizations are increasingly facing a versatile risk landscape, where manmade and natural disasters are threatening to interrupt core business activities. In 2012, Saudi Aramco was a victim of the first, extensively documented cyber-attack in the Gulf [6]. In reference to various cyber security experts and open media reports, an individual with access to the company compromised Aramco’s network by accessing to the company’s network illegally. A malware, most likely via a USB stick was deployed into the network. In the same line, a similar attack was launched against RasGas. When it comes to network and IT related risks, minor events for instance computer hardware/software failure in a critical infrastructure (CI) module can paralyses electronic-oriented business till the hardware/software is assimilated and correctly installed or configured. Such cyber-attacks have a detrimental impact on companies and the economy at large. It is also important to note that disruptive and new technological concepts such as Bring-Your-Own-Device (BYOD) also increases vulnerabilities to the existing ICT networks [7]. Additionally, as cyber criminals evolve increases threats to the security of information assets as they have an increased access to readily available and sophisticated network intrusion tools and techniques that have disastrous effects on communications. In other words, despite having security mechanisms against network intrusions, CIs and informational assets are at risk of man-made disasters [8]. Online Version Only. Book made by this file is ILLEGAL.