This study assessed the state of information security in academic institutions and developed recommendations for policy and practice.
The results suggest that academic institutions are developing a baseline level of information security. Over three-fourths of respondents reported increases in the number of attacks on their institutions compared to last year, including laptop thefts, copyright infringement, and denial of service attacks. Yet over half of the academic institutions did not employ a full-time information security officer or any full-time staff members dedicated to information security. Less than one-fourth of responding academic institutions had a formal information security policy in place. Responding institutions performed a variety of assessments over the past year, most frequently vulnerability assessments and audits. A broad range of security technologies have been utilized by responding agencies; the most commonly used technologies included anti-virus software, spam filtering, and perimeter firewalls. More than three-fourths of responding institutions considered themselves either “well prepared” or “somewhat prepared” to defend against a major information security incident. A “data-based roadmap” of practical recommendations for policy and practice were developed based on the findings. Six steps are recommended for achieving a baseline level of information security: (1) locate and classify information assets; (2) build awareness; (3) tighten security policies; (4) establish mandatory training; (5) automate and institute processes; and (6) empirically assess activity. The study design included a field survey entitled the Information Security in Academic Institutions Survey, which was completed by 72 information security professionals in academic institutions and open-ended interviews with 12 professionals. Additionally, two academic institutions provided network activity data. Future research should focus on quantifying the threat posed to public safety and security by academic institutions and should assess the types and volume of criminal activity occurring in academic institutions. Exhibits, endnotes, appendixes