Elsevier

Computers & Security

Volume 27, Issues 7–8, December 2008, Pages 241–253

Information security awareness in higher education: An exploratory study

https://doi.org/10.1016/j.cose.2008.07.008

Abstract

The research explores factors that affect information security awareness of staff, including information systems decision makers, in higher education within the context of a developing country, namely the UAE. An interpretive case-study approach is employed using multiple data gathering methods. The research reveals that factors such as conscientiousness, cultural assumptions and beliefs, and social conditions affect university staff behaviour and attitude towards work, in general, and information security awareness, in particular. A number of recommendations are provided to initiate and promote IS security awareness in the studied environment.

Introduction

Concerns for Information Systems (IS) security and confidentiality in a university computer network environment were expressed as early as 1975 (Kerievsky, 1976). Colleges and universities have been a target for cyber attacks for two main reasons (Katz, 2005): first, because of the vast amount of computing power they possess; and second, because of the open access they provide to their constituents and to the public. University networking infrastructures are not only designed to serve the needs of faculty, staff, and students, but also to accommodate the needs of visitors, and geographically distributed researchers sharing large quantities of data. While the nature of higher education requires openness to the public and a continuous sharing of information, a balance must be maintained to ensure that information assets are not being put at risk or compromised. Unauthorized grade changes and persistent problems with registration or financial systems can undermine universities' credibility and viability.

In this context, understanding the IT security threats and challenges facing higher education is essential to avoid the loss of university information and knowledge assets. In less than three years, two major breaches took place at the University of Texas at Austin's Business School: nearly 200,000 electronic records were illegally accessed, including students' social security numbers and biographical material, and alumni and staff related data (Marks, 2007). On March 11, 2005, at the University of California, Berkeley, a laptop was stolen from a restricted area of the graduate division offices after being left unattended for a short period of time. The stolen laptop contained the names and associated social security numbers of 98,000 students (Marks, 2007).

In fact, experts in computer security agree that universities are among the least secure IS environments. Only a fraction of universities provide security and awareness training. This is confirmed by a quantitative survey of 435 higher education institutions by EDUCAUSE (Updegrove and Wishon, 2003): only a third of the surveyed institutions had security awareness training for students and staff (North et al., 2006). A recent study of the websites of 236 top-ranked schools (Marklein, 2006) found that just 27% posted easy-to-access policies on the collection and use of personal information, and every site had at least one non-secure page containing a data collection form. A third of higher education institutions experienced a data loss or theft in 2006, in particular of grades and exam questions, with 9% reporting a loss or theft of student personal information, which could affect millions of university students (Piazza, 2006). A number of universities now recommend building security awareness, training, and education components for students and staff, and emphasize that everyone needs to be aware of up-to-date IT threats so that they can apply the security lessons in the most effective way (Piazza, 2006).

Students (18–24 year olds) are high-risk and attractive targets for security attacks, because they are typically transient and have less credit history than more established adults (Marks, 2007). A student may, for example, receive a web postcard in an email and inadvertently install a Trojan horse on his system, becoming the victim of a clever social engineering attack (Marks, 2007). In this context, information technology experts in developed countries, including the United States, are taking advantage of heightened awareness of public safety to urge college and university officials to take steps to secure their campus computer networks (Ronald, 2001). Universities need to actively expose users to their usage policies rather than rely on end users to read them on their own; repeated exposure increases users' retention of policies and thus their awareness (Cronan et al., 2006).

However, most IS security managers pay more attention to technical issues and solutions such as firewalls, routers, and intrusion detection software, and less to soft issues such as the hazards caused by end users' lack of IS security awareness (Katz, 2005). Information security awareness can be described as a state in which users in an organization are aware of their security mission (Siponen, 2000). Two categories of security awareness can be distinguished: framework and content (Siponen, 2000). The former concerns standardization, certification and measurement activities, while the latter addresses the human and socio-cultural aspects of information security awareness. Furthermore, Puhakainen (2006) points out that 59 IS security awareness approaches have been put forward by practitioners and scholars, and that these fall into two categories. Studies in the first category take IS security awareness to mean attracting users' attention to IS security issues (e.g., Hansche, 2001, Katsikas, 2000). Studies in the second category regard IS security awareness as users' understanding of IS security and, optimally, their commitment to it. While the importance of IS security awareness is commonly recognized, the number of studies that consider it in depth is limited. This may be attributed to (a) the non-technical nature of IS security awareness (Siponen, 2000), and/or (b) its scope, as it falls outside the traditional engineering and hard computer science domains (Dunlop and Kling, 1991).

IS security awareness plays a significant role in the overall information security of any organization (Thomson and von Solms, 1998, Straub and Welke, 1998). The important role of the human factor in IS security has been recognized by both the research community and IS security practitioners (Parker, 1998, Parker, 1999, Siponen, 2000, Siponen, 2001). As such, users' IS security awareness is reflected in their attitudinal and behavioural patterns (Beatson, 1991, Lafleur, 1992, Gaunt, 1998, Gaunt, 2000, Höne and Eloff, 2002, Mitnick, 2002, Puhakainen, 2006). However, these attitudinal and behavioural features have a socio-cultural and human dimension that needs to be analysed and understood to ensure users' full commitment and adherence to IS security regulations.

The number of scientific studies that consider IS security awareness in developed countries, especially in higher education environments, is very limited (Marks, 2007). The situation is even more dire in developing countries, where the socio-cultural environment combined with a lack of resources and knowledge may present even more barriers to promoting IS security awareness. The proposed research contributes to the body of knowledge by addressing these identified gaps.

The research explores factors that affect information security awareness of staff, including information systems decision makers, in higher education within the context of a developing country, the UAE. Related work is first given, followed by an overview of the methodology that underpins the research. A comprehensive analysis of the case-study results is provided, followed by an in-depth discussion. Finally the paper concludes with a set of recommendations to initiate and promote IS security awareness in the studied environment.

Section snippets

Related work

There have been in recent years increased information security considerations in organizations (Straub and Welke, 1998, Schlienger and Teufel, 2003). This is mainly due to the fact that information systems and the Internet are today used not only by organizations to increase their competitiveness, but also by criminals. This is becoming a trend in higher education institutions that are experiencing an increase in security threats and attacks (Marks, 2007).

Based on recent studies (Whitman and

Methodology

The general aim of the research is to explore the levels of IS security awareness of higher education institutions in the UAE. The research addresses the following two main research questions:

  • What are the current IS “security” challenges and threats facing universities within the context of a developing country?

  • What are the levels of IS security awareness of higher education Information Systems decision makers and staff in relation to these challenges and threats?

An interpretive case-study

Case-study fieldwork results

A number of categories emerged from the data analysis using the pattern coding techniques of qualitative analysis (Miles and Huberman, 1994), which aim to assign units of meaning to the descriptive or inferential information compiled from qualitative data and to summarize segments of data. In order to analyze the qualitative data of the interviews, three processes were undertaken: creating interview transcripts, generating pattern codes, and drawing a checklist matrix. The first process involved

Discussion

Several common themes emerged from the different data collection methods used in this study. While some of the results are in line with findings from existing studies, such as the study of the EDUCAUSE Centre for Applied Research (Updegrove and Wishon, 2003), their recurrence within the context of the studied environment suggests careful consideration. While acknowledging that cultures, resources, and technical environments do vary compared to the West, it is also understood that no single

Conclusion

Environments and their setup play a major role in influencing IS security awareness. This is reflected in existing legislation, policies, procedures, standards, the nature of the working environment, and how data and computers are viewed.

Zayed University is the first experiment in establishing a technology-based public university with an advanced higher education model similar to that of North America. Growing pains are expected, and maturity with time is attainable. During this study, the

Acknowledgement

The authors would like to thank the two anonymous referees for the useful comments and suggestions made. The authors alone are responsible for any errors and omissions.

References (69)

  • Banerjee D, et al. Modeling IT ethics: a study in situational ethics. MIS Quarterly, 1998.
  • Barman S. Writing IS security policies. 2002.
  • Bannon LJ. From human factors to human actors: the role of psychology and human–computer interaction studies in system design.
  • Barsanti C. Modern network complexity needs comprehensive security. Security, 1999.
  • Baskerville R. Risk analysis: an interpretive feasibility tool in justifying information systems security. European Journal of Information Systems, 1991.
  • Beatson JG. Security – a personnel issue. The importance of personnel attitudes and security education.
  • Bonoma TV. Case research in marketing: opportunities, problems, and a process. Journal of Marketing Research, 1985.
  • Brancheau JC, et al. Key issues in information systems management: 1994–95 SIM Delphi results. MIS Quarterly, 1996.
  • BS7799. Code of practice for information security management. 1999.
  • Cronan TP, et al. Piracy, computer crime, and IS misuse at the university. Communications of the ACM, 2006.
  • Czernowalow M. Lack of policy causes IT risks.
  • Denning DE. Information warfare and security. 1999.
  • Denzin NK, et al. The handbook of qualitative research. 2000.
  • Dhillon G, et al. Information system security management in the new millennium. Communications of the ACM, 2000.
  • Dunlop C, et al. Social relationships in electronic communities.
  • Flora C. Building social capital: the importance of entrepreneurial social infrastructure. Rural Development News, 1997.
  • Furnell SM, et al. Assessing staff attitudes towards information security in a European healthcare establishment. Medical Informatics, 1996.
  • Hansche S. Designing a security awareness program: part I. Information System Security, 2001.
  • Heinström J. Five personality dimensions and their influence on information behaviour. Information Research, 2003.
  • Information Systems Audit and Control Association. Information systems auditing manual. 2006.
  • International Organization for Standardization. ISO/IEC 17799, information technology – code of practice for IS security management. 2005.
  • Karat J, et al. The evolution of user-centered focus in the human computer interaction field. IBM Systems Journal, 2003.
  • Katz FH. The effect of a university information security survey on instructing methods in information security. In: ...
  • Kerievsky B. Security and confidentiality in a university computer network. ACM SIGUCCS Newsletter Archive, 1976.
Y. Rezgui is a Professor in Engineering informatics at Cardiff University. He was the founding director of the Informatics Research Institute at Salford University, a leading centre in Information Systems. He has led over 15 national and European multi-disciplinary research projects. He conducts research in areas related to software engineering (including service-oriented architectures), information and knowledge management (centred on the use of Ontology), collaborative working, and virtual enterprises. He has over 100 refereed publications in the above areas, which have appeared in international journals such as Knowledge Engineering Review, Journal of the Operational Research Society, Information Sciences, and Interacting with Computers.

A. Marks holds a PhD in Information Security from the University of Salford. He is an information systems auditor and an Oracle Certified Associate with over ten years' experience in software management and development in higher education. He is currently the full-time manager of the Financial Information Systems at Zayed University in Dubai, UAE, where he took a leading role in the development and deployment of several infrastructure information systems projects, leading all of the human and organizational aspects including the validation and testing of the solution, with a prominent role in the requirements capture and modelling phases.