Conference Paper

Information Security in Higher Education Institutions: A Systematic Literature Review


Abstract

Information security in institutions of higher learning continues to be a concern. This is substantiated by the many security-related incidents that have occurred in these institutions over the past decade. In this study, we expound on the vulnerabilities and threats faced by higher education institutions and identify the information security measures that can be adopted to ensure safety. The study identifies insiders, poorly implemented information security frameworks, decentralized networks, Bring Your Own Device (BYOD), and a lack of investment in information security in HEI as the highest vulnerabilities. Accordingly, the study identifies social engineering attacks, distributed denial of service attacks, malware, and insider threats as potential threats and attacks on information in HEI. Furthermore, the findings of this study suggest multi-faceted information security measures encompassing technological, organizational, environmental, and human measures to ensure information security protection in HEI. The study identifies gaps for areas of further research.

Article
Information security policies and behaviors play a crucial role in organizations, particularly in higher education institutions. These policies outline guidelines and best practices to protect sensitive data, safeguard privacy, and prevent unauthorized access or misuse of information. In higher education institutions, they help secure research findings, intellectual property, and student records. By fostering a culture of security awareness and encouraging responsible behavior, organizations can safeguard their reputation, instill trust, and meet legal and regulatory requirements. This literature review has revealed challenges and highlighted the current trends of information security policy compliance, as well as the theories used for information security compliance from 2013 to 2023. Out of 50 research papers published on the topic of information security policy compliance, three influencing factors were identified through filtration: behavioral intention, awareness and culture, and human with organizational management. The findings show that there is a lack of information security policies in the higher education sector. This review contributes to the information security literature by providing a fully organized systematic review of conducted research in the last decade.
Article
The extremely complex and dynamic digital environments of universities make them highly vulnerable to the risk of data breaches. This study empirically investigated the factors influencing data breach risks in the context of higher education, according to crime opportunity theory and routine activity theory. The data consisted of university samples from China and were collected mainly from the Chinese Education Industry Vulnerability Reporting Platform. After applying Poisson regression for the estimation, increased public disclosure of vulnerabilities was found to escalate the frequency of data breaches, whereas cross-border data flow decreased the number of data breaches. Furthermore, the mechanism by which academic strength affects data breaches was examined through the two mediators of cross-border data flow and vulnerability disclosure. In addition, cloud adoption reduced data breaches, and public clouds were determined to be relatively more secure than private clouds. Cloud adoption also acted as a moderator between the negative impact of vulnerabilities and the positive impact of cross-border data flow on data breaches. The estimation and robustness findings revealed the underlying mechanisms that impacted university data security, clarifying the understanding of data breaches and suggesting practical implications for universities and other institutes to improve information security. The findings of this study provide insights and directions for future research.
Conference Paper
The demands for information security in Higher Education Institutions (HEIs) are expanding as HEIs are vulnerable because of the involvement of human factors. Hence, maintaining data privacy is paramount, where most individuals interacting with systems and applications are the main stakeholders (lecturers, students, and non-academic staff). In this regard, existing literature and security experts claim that enhancing users' Information Security Awareness (ISA) is one of the most effective protective techniques. Therefore, this study aims to propose a conceptual security awareness framework consisting of devices, application areas, and security practices and their related activities for HEIs. Moreover, five conceptual dimensions are suggested that affect users' ISA and are necessary for HEIs while measuring the ISA of their stakeholders. For investigating and understanding these issues, interviews were conducted with IT security experts working in HEIs.
Article
Higher education institutions are going through major changes in their education and operations. Several influences are driving these major changes. Digital transformation, online courses, digital-native students, operational costs, and micro and nano degrees are just some examples of these influences. Digital technologies show a range of tools selected to include formalized learning environments in teaching in higher education, and students utilize these tools to promote their learning. The Industrial Revolution 4.0’s technological growth has penetrated higher education institutions (HEIs), forcing them to deal with the digital transformation (DT) in all of its dimensions. As they enable us to characterize the various interrelationships among stakeholders in a digitally enabled context of teaching and learning, applying digital transformation techniques to the education sector is an emerging field that has attracted attention recently. The aim of this study is to provide an overview of the distinguishing features of the digital transformation implementation process that has occurred at higher education institutions. In addition, how digital learning can be seen as part of the ecosystem of modern higher education. Further study is necessary to determine how higher education institutions can comprehend digital transformation and meet the demands imposed by the fourth Industrial Revolution.
Article
Background: A good search strategy is essential for a successful systematic literature study. Historically, database searches have been the norm, which was later complemented with snowball searches. Our conjecture is that we can perform even better searches if combining these two search approaches, referred to as a hybrid search strategy. Objective: Our main objective was to compare and evaluate a hybrid search strategy. Furthermore, we compared four alternative hybrid search strategies to assess whether we could identify more cost–efficient ways of searching for relevant primary studies. Methods: To compare and evaluate the hybrid search strategy, we replicated the search procedure in a systematic literature review (SLR) on industry–academia collaboration in software engineering. The SLR used a more “traditional” approach to searching for relevant articles for an SLR, while our replication was executed using a hybrid search strategy. Results: In our evaluation, the hybrid search strategy was superior in identifying relevant primary studies. It identified 30% more primary studies and even more studies when focusing only on peer–reviewed articles. To embrace individual viewpoints when assessing research articles and minimise the risk of missing primary studies, we introduced two new concepts, wild cards and borderline articles, when performing systematic literature studies. Conclusions: The hybrid search strategy is a strong contender for being used when performing systematic literature studies. Furthermore, alternative hybrid search strategies may be viable if selected wisely in relation to the start set for snowballing. Finally, the two new concepts were judged as essential to cater for different individual judgements and to minimise the risk of excluding primary studies that ought to be included.
Article
The Covid-19 pandemic had a major impact on the organization of studies in higher education institutions (HEIs). Distance learning was the only possibility to continue the educational process, since March 2020. Cloud computing, online learning platforms and video conferencing applications, whose use was quite limited in HEIs, in the conditions of the pandemic with Covid-19, have become the main assets for conducting online studies. Thus, the risk of DoS / DDoS attacks, cross-site scripting, spoofing, unauthorized data access and infection with malicious programs, but also the theft of personal data has increased dramatically. The research was based on identifying the classes of attacks with major impact, on the assets, but also making recommendations for increasing cyber security in e-learning conditions. Common recommendations include updating systems and managing security patches, implementing access policies at the application or resource level, classifying information, and using cryptographic protocols.
Article
The demands for information security in higher education will continue to increase. Serious data breaches have occurred already and are likely to happen again without proper risk management. This paper applies the Comprehensive Literature Review (CLR) Model to synthesize research within cybersecurity risk by reviewing existing literature of known assets, threat events, threat actors, and vulnerabilities in higher education. The review included published studies from the last twelve years and aims to expand our understanding of cybersecurity’s critical risk areas. The primary finding was that empirical research on cybersecurity risks in higher education is scarce, and there are large gaps in the literature. Despite this issue, our analysis found a high level of agreement regarding cybersecurity issues among the reviewed sources. This paper synthesizes an overview of mission-critical assets, everyday threat events, proposes a generic threat model, and summarizes common cybersecurity vulnerabilities. This report concludes nine strategic cyber risks with descriptions of frequencies from the compiled dataset and consequence descriptions. The results will serve as input for security practitioners in higher education, and the research contains multiple paths for future work. It will serve as a starting point for security researchers in the sector.
Article
The rapid technological developments associated with the decrease in the cost of smartphones made the latter more accessible and convenient to be used. In an educational setting, students are increasingly bringing their smartphones to classrooms, this could have serious security implications, particularly when students are less aware of smartphone information security threats. This paper is set out to provide an empirical comparison in the level of information security awareness among college students in terms of knowledge and behavior. The main aim is to find the difference between students’ awareness level of information security using smartphones vs. computers. A descriptive research design was adopted and an online survey method was employed. Research findings showed that students were highly aware of some information security concepts, however, they behaved differently in protecting their smartphones compared to computers. Training campaigns are suggested to be conducted aiming to educate students with possible information security risks related to smartphone usage in educational settings.
Article
Higher education institutions (HEIs) are progressively computerized to deal with substantial academic and operational information. With the increase in enriched information systems (IS) comes the potential hazard of malicious exposure to internal and external threats. This academic sector is advancing in the implementation of technical security controls; however, behavioral influence is still a challenge in the information security domain. Information security policies (ISPs) are generally designed and developed to control employees' working behavior, yet compliance with these documents is near to non-existent. This research paper describes an empirical test of the influence of institutional governance (IG) on protection motivation and planned behavior of employees in HEIs. Results were analyzed using structural equation modeling (SEM) techniques. Our findings confirm the significant contribution of IG in motivating protection behavior among employees of HEIs. This cultivated motivation encourages positive conduct in information security policy compliance (ISPC). Keywords: Information security policy (ISP), Information security policy compliance (ISPC), behavior, protection motivation, institutional governance (IG), higher education institutions (HEIs), protection motivation theory (PMT), theory of planned behavior (TPB)
Article
Knowledge production within the field of business research is accelerating at a tremendous speed while at the same time remaining fragmented and interdisciplinary. This makes it hard to keep up with state-of-the-art and to be at the forefront of research, as well as to assess the collective evidence in a particular area of business research. This is why the literature review as a research method is more relevant than ever. Traditional literature reviews often lack thoroughness and rigor and are conducted ad hoc, rather than following a specific methodology. Therefore, questions can be raised about the quality and trustworthiness of these types of reviews. This paper discusses literature review as a methodology for conducting research and offers an overview of different types of reviews, as well as some guidelines to how to both conduct and evaluate a literature review paper. It also discusses common pitfalls and how to get literature reviews published.
Conference Paper
Whereas there is growing use of information technology (IT) within institutions of higher learning, little is known about the level of information security awareness (ISA) amongst students joining such institutions in developing countries and more specifically Africa. This study investigates ISA amongst undergraduate students in one of the universities within Nairobi in Kenya. From the study findings, it was clear that majority of the students did not possess adequate understanding of ISA. This was further affirmed by more than 60% of the students indicating not to have received any ISA training program before. We therefore submit that, there is a strong need to cultivate ISA culture amongst students joining institutions of higher learning. Cultivating this culture at the entry level will ensure that students as well as the institutions’ communities at large have secure utilization of various IT resources. Furthermore, we recommend that ISA needs to be incorporated in the undergraduate curriculum to help enhance such awareness. Likewise, it would be valuable for such institutions to have ISA program as part of their wider information security strategy framework.
Article
This paper provides a systematic literature review in the information security policies’ compliance (ISPC) field, with respect to information security culture, information security awareness, and information security management exploring in various settings the research designs, methodologies, and frameworks that have evolved over the last decade. Studies conducted from 2006 to 2016 reporting results from data collected through diverse means have been explored; however, only a few studies have focused primarily on a sensitive infrastructure under risk, as is the case with higher education institutions (HEIs). This study reports that ISPC in HEIs remains scarce, as is the realization of security threats and dissemination of information security policies to end users (employees). This research makes a novel contribution to the body of knowledge as a unique study that has reviewed the influence of institutional governance in HEIs on protection motivation leading towards ISPC.
Article
Literature reviews establish the foundation of academic inquiries. However, in the planning field, we lack rigorous systematic reviews. In this article, through a systematic search on the methodology of literature review, we categorize a typology of literature reviews, discuss steps in conducting a systematic literature review, and provide suggestions on how to enhance rigor in literature reviews in planning education and research.
Article
In this survey, we review the existing game-theoretic approaches for cyber security and privacy issues, categorizing their application into two classes, security and privacy. To show how game theory is utilized in cyberspace security and privacy, we select research regarding three main applications: cyber-physical security, communication security, and privacy. We present game models, features, and solutions of the selected works and describe their advantages and limitations from design to implementation of the defense mechanisms. We also identify some emerging trends and topics for future research. This survey not only demonstrates how to employ game-theoretic approaches to security and privacy but also encourages researchers to employ game theory to establish a comprehensive understanding of emerging security and privacy problems in cyberspace and potential solutions.
Article
Information security awareness (ISA) is referred to as a state of consciousness where the user is ideally committed to the rules, recognizes the potentiality, understands the importance of responsibilities and acts accordingly. Despite the number of cases that have occurred in information security breaches, especially at knowledge-based institutions, that result from the reluctance of users and their failure to comply with security guidelines, effective measures should take place to anticipate the negative effect. Therefore, more attention is required to understand the roles of individual, institutional and environmental antecedents for optimization in raising information security awareness. This paper elucidated the roles of these antecedents and measures in influencing the ISA of users, using a survey method that contributes to better understanding by analyzing user perception. From the results, this study identified several important factors that impact awareness and their relationship to other factors, such as a religious indicator that can influence peer performance but also social pressure. Thus higher education can focus its policy on encouraging a proper response from students and staff in avoiding security incidents.
Conference Paper
Academic institutions are among the most targeted information systems in the world. Their highly decentralized infrastructure makes it difficult to ensure reliable security measures across their networks. Moreover, academic institutes have different departments, with diverse users (faculty, staff, students, and researchers), with abundant public and private data residing on servers and end systems. The probability and impact of threats and damage to the confidentiality, integrity and availability have never been higher. Although the educational institutes are now aware that the security of their information assets (including IT infrastructure, records, research data, faculty and students) is their highest priority in terms of risk, business continuity and reputation, very little research/work has been carried out in this field. This paper provides a general framework to implement the Information Security Management System (ISMS) in academic institutes and suggests some best practices to adopt or implement in order to make the system and network secure to some extent.
Article
Background: Snowballing involves recursively pursuing relevant references cited in the retrieved literature and adding them to the search results. Snowballing is an alternative approach to discover additional evidence that was not retrieved through conventional search. Snowballing's effectiveness makes it best practice in systematic reviews despite being time-consuming and tedious. Objective: Our goal was to evaluate an automatic method for citation snowballing's capacity to identify and retrieve the full text and/or abstracts of cited articles. Methods: Using 20 review articles that contained 949 citations to journal or conference articles, we manually searched Microsoft Academic Search (MAS) and identified 78.0% (740/949) of the cited articles that were present in the database. We compared the performance of the automatic citation snowballing method against the results of this manual search, measuring precision, recall, and F1 score. Results: The automatic method was able to correctly identify 633 (as proportion of included citations: recall=66.7%, F1 score=79.3%; as proportion of citations in MAS: recall=85.5%, F1 score=91.2%) of citations with high precision (97.7%), and retrieved the full text or abstract for 490 (recall=82.9%, precision=92.1%, F1 score=87.3%) of the 633 correctly retrieved citations. Conclusions: The proposed method for automatic citation snowballing is accurate and is capable of obtaining the full texts or abstracts for a substantial proportion of the scholarly citations in review articles. By automating the process of citation snowballing, it may be possible to reduce the time and effort of common evidence surveillance tasks such as keeping trial registries up to date and conducting systematic reviews.
Article
Purpose: Despite the growing concern about security breaches and risks emerging from Shadow IT usage, a type of information security violation committed by organizational insiders, this phenomenon has received little scholarly attention. By integrating the dual-factor theory, unified theory of acceptance and use of technology (UTAUT) and social control theory, this research aims to examine facilitating and deterring factors of Shadow IT usage intention. Design/methodology/approach: An online survey was performed to obtain data. As this study aims at investigating the behavior of organizational insiders, LinkedIn, an employment-oriented network site, was chosen as the main site to reach the potential respondents. Findings: The results show that while performance expectancy, effort expectancy and subjective norms considerably impact intention to use Shadow IT, personal norms and sanctions-related factors exert no influence. Besides, an organizational factor of ethical work climate is found to significantly increase individual perceptions of informal controls and formal controls. Originality/value: This work is the first attempt to extend the generalizability of the dual-factor theory and UTAUT model, which primarily has been utilized in the context of system usage, to the new context of information security. This study is also one of few studies that simultaneously take both organizational and individual factors into consideration and identify its impacts on user's behaviors in the information security context.
Chapter
Information is considered an essential asset in Higher Education Institutions (IES) either public or private, specifically since the pandemic there has been a rise in academic and administrative security risks at such institutions, hence an increase in cloud services. As expected, IES have proposed new risk-prevention methods instead of the traditional ones seen as obsolete, considering security programs modifications made in digital transformation demands. This study identifies issues generated by IES information security tools and security measures implemented for information protection security processes. As per the systematic literature review, 47 English written scientific articles were analyzed from the following bibliographical bases: IEEE Xplore, ScienceDirect, SpringerLink, ResearchGate, PeerJ, belonging to quartiles Q1, Q2 and Q3. In the articles, responses to research questions were found. Results obtained allowed for the recognition of security issues affecting IES institutions security measures and tools containing security threats. To conclude, the seriousness of applying security policies, technical measures, and constant critical security assessments regarding information security in IES is outlined. Keywords: Information security, Data protection, Security techniques, Security measures, Higher Education Institutions
Chapter
Whereas the starting point of a literature review is presented in Chapter 2—finding out more about what is written about a specific topic by evaluating it from a critical objective—, it leaves open what constitutes a good quality literature review, whether as review of scholarly knowledge before an empirical study or as stand-alone study. Keeping in mind that there are different archetypes of literature reviews, see Section 2.5, also the way of looking at quality will vary across these types and with the objective of the literature review. Thus, it deserves a closer look at how quality of literature reviews can be assured.
Conference Paper
Abstract— Most of cyber security threats originate from users’ unconcerned behaviors, especially when those users are less aware of security threats and consequences. Attackers are aware of this attitude and work to exploit it the way they can, by breaking up the security chain. The dramatic increase of Internet usage by people of different ages and backgrounds places them under serious cyberthreats and attacks. The most popular and straightforward motives of these attacks is basically the lack of awareness and knowledge around cybersecurity measures and procedures which dramatically increases security breaches. This research is motivated by the facts mentioned above, and it aims to assess the level of Internet users’ security awareness among Palestinian learners. The study focuses on five fundamental security issues involving passwords, social media usage, email usage, security of mobile devices, and social engineering. A quantitative approach is employed in the study, where data was collected by means of pre-designed and tested questionnaires from a random sample of 200 participants. Data were collected, encoded, preprocessed and then analyzed using SPSS. Results emphasized the overall carelessness of Internet users in relation to security measures, knowledge and practices. Most of respondents did not try to gain any knowledge whatsoever by, for instance, attending an awareness course. The study found that users with higher level of knowledge in security awareness acted in a more professional way toward cyberthreats than those who did not have that knowledge. Keywords— Information Security Awareness, ISA level, Knowledge, Attitude, Behavior.
Preprint
Cybersecurity awareness can be viewed as the level of appreciation, understanding or knowledge of cybersecurity or information security aspects. Such aspects include cognizance of cyber risks and threats, but also appropriate protection measures.
Article
Current research has demonstrated the progressively more strategic role that information security has in modern organisations. Higher education is no exception. The reported increasing number of security breaches experienced in recent years by higher education institutions epitomises the importance of confidentiality, integrity and availability of information in universities. To synthesise research in this field, this literature review systematically examines papers that have been published in the last thirteen years. The present review aims at expanding our understanding of the sub-topics, perspectives, methodologies, and trends that characterise this nascent field of investigation. Literature gaps are highlighted and an agenda for further work is proposed. First of its kind, this review concludes that information security management in higher education is a highly under-investigated topic. Areas for further research include information security culture; comparative studies on information security management in industries other than higher education; comparative studies across universities; and economics of information security management.
Conference Paper
Phishing is an attack where the attacker creates the fake object (e-mail, web site, etc) to fool an online user into eliciting personal information. This is a base for a big variety of other security attacks as during this social engineering attack user provides sensitive personal information. In order to protect against phishing attacks a variety of tools are proposed; however, the majority agrees that the best countermeasure is user training and education rather than hardware or software solutions. In this paper, we analyze how credulous to phishing attacks are educated persons (people with no less than bachelor degree). The real-world study was executed to inspect how personnel of higher education organization react to phishing email, how credulous, suspicious they are and how far they will go in revealing their personal data.
Chapter
The higher educational institution presents a microcosm of the Internet and society at large—an environment of elevated technology deployment, and valuable experience in utilizing and protecting personal and organizational information technology resources. In some ways, higher education’s early experience with Bring Your Own Everything (BYOE) provides it with the building blocks needed to more fully address the promise and peril of the Internet of Things (IoT) in the campus environment. This chapter presents some of the security, privacy, and infrastructure issues that the proliferation of mobile and connected devices bring to campus and how US higher education institutions are responding to the complexities—opportunities and challenges—presented via the rise of the Internet of Things.
Article
Purpose: The purpose of this case study is to examine the factors that impact higher education employees’ violations of information security policy by developing a research model based on grounded theories such as deterrence theory, neutralization theory, and justice theory. Design/methodology/approach: The research model was tested using 195 usable responses. After conducting model validation, the hypotheses were tested using multiple linear regression. Findings: The results of the study revealed that procedural justice, distributive justice, severity and celerity of sanction, privacy, responsibility, and organizational security culture were significant predictors of violations of information security measures. Only interactional justice was not significant. Research limitations/implications: As with any exploratory case study, this research has limitations such as the self-reported information and the method of measuring the violation of information security measures. With respect to the method of measuring information security violations, it has been a challenge for researchers. Of course, the best method is to capture the actual behavior. Another limitation to our case study which might have affected the results is the significant number of faculty members in the respondent pool. The shared governance culture of faculty members on a U.S. university campus might bias the results more than in a company environment. Caution should be applied when generalizing the results of this case study. Practical implications: The findings validate past research and should encourage managers to ensure employees are involved with developing and implementing information security measures. Additionally, the information security measures should be applied consistently and in a timely manner. Past research has focused more on the certainty and severity of sanctions and not as much on the celerity or swiftness of applying sanctions. The results of this research indicate there is a need to be timely (swift) in applying sanctions. The importance of information security should be grounded in company culture. Employees should have a strong sense of treating company data as they would want their own data to be treated. Originality/value: Setting and enforcing in a timely manner a solid sanction system would help in preventing information security violations. Moreover, creating a culture that fosters information security would help in positively affecting the employees’ perceptions toward privacy and responsibility which in turn impacts information security violations. This case study applies some existing theories in the context of the U.S. higher education environment. The results of this case study contributed to the extension of existing theories by including new factors on one hand, and confirming previous findings on the other hand.
Article
Information is one of the most prominent assets for Universities and must be protected from security breaches. This paper analyzed the security threats that specifically evolve in a University's network and, with consideration of these issues, proposed an information security framework for the University network environment. The proposed framework reduces the risk of security breach by supporting three-phase activities: the first phase assesses the threats and vulnerabilities in order to identify the weak points in the educational environment, the second phase focuses on the highest risk and creates an actionable remediation plan, and the third phase of the risk assessment model recognizes the vulnerability management compliance requirement in order to improve the University's security position. The proposed framework is applied to the computing environment of Vikram University, Ujjain, India, and the evaluation result showed that the proposed framework enhances the security level of the University campus network. This model can be used by risk analysts and security managers of a University to perform reliable and repeatable risk analysis in a realistic and affordable manner.
Conference Paper
Information security has become an important thing for any organization because of information technology adoption, including for higher education institutions. The increasing number of information security incidents in the academic environment means those institutions have to implement good information security management. However, most of them cannot do it easily because of various factors. The purpose of this study is to determine the factors that influence information security management in higher education institutions. The variables related to those factors were divided into five, i.e., awareness, budget, security policy, management support and organization mission. This research used a quantitative method with a factor analysis technique. The population in this study was universities in Bandung, Indonesia. The sampling technique used was purposive sampling. Based on the results of the factor analysis, two factors were constructed. The first factor consists of four variables, i.e., awareness, budget, information security policy, and top management support. The second factor consists of one variable, organization mission. All the variables in the first factor (awareness, budget, information security policy, and top management support) are more significant in affecting the implementation of information security management in higher education.