Information security awareness in higher education: An exploratory study
Introduction
Concerns for Information Systems (IS) security and confidentiality in a university computer network environment were expressed as early as 1975 (Kerievsky, 1976). Colleges and universities have been a target for cyber attacks for two main reasons (Katz, 2005): first, because of the vast amount of computing power they possess; and second, because of the open access they provide to their constituents and to the public. University networking infrastructures are not only designed to serve the needs of faculty, staff, and students, but also to accommodate the needs of visitors, and geographically distributed researchers sharing large quantities of data. While the nature of higher education requires openness to the public and a continuous sharing of information, a balance must be maintained to ensure that information assets are not being put at risk or compromised. Unauthorized grade changes and persistent problems with registration or financial systems can undermine universities' credibility and viability.
In this context, understanding the IT security threats and challenges facing higher education is essential to avoid the potential loss of university information and knowledge assets. In less than three years, two major breaches took place at the University of Texas at Austin's Business School. Nearly 200,000 electronic records were illegally accessed, including students' social security numbers and biographical material as well as alumni- and staff-related data (Marks, 2007). On March 11, 2005, at the University of California, Berkeley, a laptop was stolen from a restricted area of the graduate division offices. The laptop had been left unattended for a short period of time. The stolen laptop contained the names and the associated social security numbers of 98,000 students (Marks, 2007).
In fact, experts in computer security agree that universities are among the least secure IS environments. Only a fraction of universities provide security training and conduct awareness programmes. This is confirmed by a quantitative survey of 435 higher education institutions by EDUCAUSE (Updegrove and Wishon, 2003): only a third of the surveyed institutions had security awareness training for students and staff (North et al., 2006). Also, a recent study of the websites of 236 top-ranked schools (Marklein, 2006) found that just 27% posted easy-to-access policies on the collection and use of personal information, and all of the sites had at least one non-secure page containing a data collection form. In fact, a third of higher education institutions experienced a data loss or theft in 2006, in particular of grades and exam questions, with 9% reporting a loss or theft of student personal information, which could affect millions of university students (Piazza, 2006). A number of universities now recommend building security awareness, training, and education components for students and staff, and emphasize that everyone needs to be aware of up-to-date IT threats so that they can apply the security lessons in the most effective way (Piazza, 2006).
Students (aged 18–24) are high-risk and attractive targets for security attacks. This can be explained by the fact that students are typically transient and have less credit history than more established adults (Marks, 2007). A student may receive a web postcard in an email and inadvertently install a Trojan horse on his system, becoming the victim of a clever social engineering attack (Marks, 2007). In this context, information technology experts in developed countries, including the United States, are taking advantage of heightened awareness of public safety to urge college and university officials to take steps to secure their campus computer networks (Ronald, 2001). Universities today need to actively expose users to their usage policies in order to achieve better results; relying only on end users to read the policies is less effective. Repeated exposure could increase users' retention of policies, thus increasing awareness (Cronan et al., 2006).
However, most IS security managers pay more attention to technical issues and solutions such as firewalls, routers, and intrusion detection software, while paying less attention to soft issues such as the hazards caused by end users' lack of IS security awareness (Katz, 2005). Information security awareness can be described as a state in which users in an organization are aware of their security mission (Siponen, 2000). We can distinguish two categories of security awareness: framework and content (Siponen, 2000). The former concerns standardization, certification and measurement activities, while the latter addresses the human and socio-cultural aspects of information security awareness. Furthermore, Puhakainen (2006) points out that 59 IS security awareness approaches have been put forward by practitioners and scholars. These approaches can be classified into two categories. Studies in the first category take IS security awareness to mean attracting users' attention to IS security issues (e.g., Hansche, 2001, Katsikas, 2000). Studies in the second category regard IS security awareness as users' understanding of IS security and, optimally, their commitment to it. While IS security awareness is commonly recognized, the number of studies that consider it in depth is limited. This may be attributed to (a) the non-technical nature of IS security awareness (Siponen, 2000), and/or (b) its scope, as it falls outside the traditional engineering and hard computer science domains (Dunlop and Kling, 1991).
IS security awareness plays a significant role in the overall information security of any organization (Thomson and von Solms, 1998, Straub and Welke, 1998). The important role of the human factor in IS security has been recognized by both the research community and IS security practitioners (Parker, 1998, Parker, 1999, Siponen, 2000, Siponen, 2001). As such, users' IS security awareness is reflected in their attitudinal and behavioural patterns (Beatson, 1991, Lafleur, 1992, Gaunt, 1998, Gaunt, 2000, Höne and Eloff, 2002, Mitnick, 2002, Puhakainen, 2006). However, these attitudinal and behavioural features have a socio-cultural and human dimension that needs to be analysed and understood to ensure users' full commitment and adherence to IS security regulations.
The number of scientific studies that consider IS security awareness in developed countries, especially in higher education environments, is very limited (Marks, 2007). The situation is even more dire in the case of developing countries, where the socio-cultural environment combined with a lack of resources and knowledge may present even more barriers to promoting IS security awareness. The proposed research contributes to the body of knowledge by addressing these identified gaps.
The research explores the factors that affect the information security awareness of staff, including information systems decision makers, in higher education within the context of a developing country, the UAE. Related work is presented first, followed by an overview of the methodology that underpins the research. A comprehensive analysis of the case-study results is then provided, followed by an in-depth discussion. Finally, the paper concludes with a set of recommendations to initiate and promote IS security awareness in the studied environment.
Related work
In recent years, information security considerations in organizations have increased (Straub and Welke, 1998, Schlienger and Teufel, 2003). This is mainly due to the fact that information systems and the Internet are today used not only by organizations to increase their competitiveness, but also by criminals. The trend is also visible in higher education institutions, which are experiencing an increase in security threats and attacks (Marks, 2007).
Based on recent studies (Whitman and
Methodology
The general aim of the research is to explore the levels of IS security awareness of higher education institutions in the UAE. The research addresses the following two main research questions:
- What are the current IS "security" challenges and threats facing universities within the context of a developing country?
- What are the levels of IS security awareness of higher education Information Systems decision makers and staff in relation to these challenges and threats?
An interpretive case-study
Case-study fieldwork results
A number of categories emerged from the data analysis using the pattern coding techniques of qualitative analysis (Miles and Huberman, 1994), which aim to assign units of meaning to the descriptive or inferential information compiled from qualitative data and to summarize segments of data. In order to analyze the qualitative data from the interviews, three processes were undertaken: creating interview transcripts, generating pattern codes, and drawing a checklist matrix. The first process involved
Discussion
Several common themes emerged from the different data collection methods used in this study. While some of the results are in line with findings from existing studies, such as the study of the EDUCAUSE Centre for Applied Research (Updegrove and Wishon, 2003), their recurrence within the context of the studied environment suggests careful consideration. While acknowledging that cultures, resources, and technical environments do vary compared to the West, it is also understood that no single
Conclusion
Environments and their setup play a major role in influencing IS security awareness. These are reflected in existing legislation, policies, procedures, standards, the nature of the working environment, and how data and computers are viewed.
Zayed University is the first experiment to establish a technology-based public university with an advanced higher education model similar to the model in North America. Growing pains are expected, and maturity with time is attainable. During this study, the
Acknowledgement
The authors would like to thank the two anonymous referees for the useful comments and suggestions made. The authors alone are responsible for any errors and omissions.
References (69)
- Tasks for and tasks in human-computer interaction. Interacting with Computers (2006).
- Installing an appropriate IS security policy in hospitals. International Journal of Medical Informatics (1998).
- Practical approaches to creating a security culture. International Journal of Medical Informatics (2000).
- Security concerns of system users: a study of perceptions of the adequacy of security. Information and Management (1991).
- What makes an effective information security policy? Network Security (2002).
- An integrative study of information systems security effectiveness. International Journal of Information Management (2003).
- Health care management and information system security: awareness, training or education? International Journal of Medical Informatics (2000).
- Development of security policies. Computers and Security (1994).
- Exploring virtual team-working effectiveness in the construction sector. Interacting with Computers (2007).
- Structures of responsibility and security of information systems. European Journal of Information Systems (1996).
- Modeling IT ethics: a study in situational ethics. MIS Quarterly.
- Writing IS security policies.
- From human factors to human actors: the role of psychology and human–computer interaction studies in system design.
- Modern network complexity needs comprehensive security. Security.
- Risk analysis: an interpretive feasibility tool in justifying information systems security. European Journal of Information Systems.
- Security – a personnel issue. The importance of personnel attitudes and security education.
- Case research in marketing: opportunities, problems, and a process. Journal of Marketing Research.
- Key issues in information systems management: 1994–95 SIM Delphi results. MIS Quarterly.
- Code of practice for information security management.
- Piracy, computer crime, and IS misuse at the university. Communications of the ACM.
- Lack of policy causes IT risks.
- Information warfare and security.
- The handbook of qualitative research.
- Information system security management in the new millennium. Communications of the ACM.
- Social relationships in electronic communities.
- Building social capital: the importance of entrepreneurial social infrastructure. Rural Development News.
- Assessing staff attitudes towards information security in a European healthcare establishment. Medical Informatics.
- Designing a security awareness program: part I. Information System Security.
- Five personality dimensions and their influence on information behaviour. Information Research.
- Information systems auditing manual.
- ISO/IEC 17799, information technology – code of practice for IS security management.
- The evolution of user-centered focus in the human computer interaction field. IBM Systems Journal.
- Security and confidentiality in a university computer network. ACM SIGUCCS Newsletter Archive.
Y. Rezgui is a Professor in Engineering Informatics at Cardiff University. He was the founding director of the Informatics Research Institute at Salford University, a leading centre in Information Systems. He has led over 15 national and European multi-disciplinary research projects. He conducts research in areas related to software engineering (including service-oriented architectures), information and knowledge management (centred on the use of Ontology), collaborative working, and virtual enterprises. He has over 100 refereed publications in the above areas, which have appeared in international journals such as Knowledge Engineering Review, Journal of the Operational Research Society, Information Sciences, and Interacting with Computers.
A. Marks holds a PhD in Information Security from the University of Salford. He is an information systems auditor and an Oracle Certified Associate with over ten years' experience in software management and development in higher education. He is currently the full-time manager of the Financial Information Systems at Zayed University in Dubai, UAE, where he took a leading role in the development and deployment of several infrastructure information systems projects, leading all of the human and organizational aspects, including the validation and testing of the solution, with a prominent role in the requirements capture and modelling phases.