Cyber Security in Academia

















Cybersecurity in Academia
Wade A. Rutherford
Computer and Information Sciences
Berea College




GSTR 410
Dr. Peter Hackbert
September 30, 2018
Abstract
Ten of millions if not hundreds of millions of people are affiliated or have made some type of transaction with an academic institution or one of its properties and are at risk whenever a data breach occurs. The sensitive data that they gave to the institution when making their transaction(s) is ripe for the taking of any would-be malicious actor. The cyber security issues within academia are evident through the expenses caused by data breaches and expenses related to these cyber incidents (e.g. legal suits and cyber incident prevention). Cybersecurity issues in academia stem from the lack of resources available, the lack of compliance of good cybersecurity practices, the lack of impact to an institution’s reputation for data breaches, cybersecurity not being considered when choosing an institution to attend, and the deductive nature of information. In order to improve this situation one should allot a greater budget to cybersecurity personnel of academia and policies and practice among personnel should be formalized, institutions should provide and if possible require practical cybersecurity awareness training among the users of their network, cybersecurity of an institution should be prioritized and valued among incoming students and staff who are seeking out institutions, and the deductive nature of data and the complexity of cybersecurity should be realized and respected.





Key words: Academia, Cyber Incident Prevention, Cybersecurity, Cybersecurity Awareness, Cyberspace, Data Breaches, Malicious Actors, Phishing, Vulnerability Management
Glossary
Academia: The part of society including academic institutions and their properties (Cambridge English Dictionary, 2018).
Cyber Incident Prevention: The prevention of any event that is not a part of standard operations of a service, that may cause an interruption or a reduction in the quality of said service specifically in relation to technology and or network traffic (Rigdon,618).
Cybersecurity: The protection of a device and its data from harm or loss (Rigdon, 1123).
Cybersecurity Awareness: Knowledge of good cybersecurity practices and a means of intuition when dealing with potential threats (things that may become an incident) (Rigdon).
Cyberspace: The internet and various domains connected to it such as intranet (domains specifically accessible to a certain device) and extranet (domains specifically accessible via a certain address or web page, e.g. Berea College’s Moodle network that is accessed through the myBerea page) (Rigdon, 338).
Data Breach: The unauthorized and/or unintentional release or viewing of secured data.
Malicious Actors: A user or an autonomous program that acts as a user, which has the intent or is programmed to cause harm to the system and or network or use it in an unauthorized manner (Rigdon, 738).
Phishing: An internet scam that will ask for certain information via a forged email (Rigdon, 919).
Vulnerability Management: The management of any weakness, capability, policy, or otherwise that can be exploited by a threat (Rigdon, 1393).
Methodology
I started my research doing a review of the literature via a key word search as advised by professional librarian Angel Rivera. Once I thought of a list of related key words for my research topic, I defined those terms by basing them off the definitions and definitions for similar terms or derivative/parent terms given with the Cambridge English Dictionary and Rigdon’s Dictionary of Computer and Internet Terms. I changed these definitions to more specifically reflect what I was referring to when using these terms. After this I went on continue through my research via my key word search. I specifically sought peer reviewed academic and scholarly works. I focused on hard data given from cases of actual data breaches and professional advice and observations. I intended to have as complete an understanding of the topic as best I could. To gain a worldly understanding of the topic I included sources not only from the US but also some works from South Korea and the United Arab Emirates within my research and to gain a broad understanding of  the topic I considered not only the computer and information science perspective of cybersecurity in academia but also included how sociology (i.e. Neo-Institutional Theory) and law (e.g. the HITECH Act) affected the topic as well.
Overview
The remainder of this work is organized as follows. The next section briefly demonstrates the significance of this topic. Thereafter, an account of broad historical events and issues are given to cover the expense of breached records, real world data breaches in academia and their effects, issues of cybersecurity within high schools, how some laws and policies have affected cybersecurity, issues regarding cybersecurity and academic research, and legal cases and issues within the cybersecurity of academia. Next the motivations and what makes an institution more likely to be the target of a cyber attack is discussed. Then the deeper issues are discussed, including the shortcomings of academia’s IT departments, the lack of cybersecurity awareness and compliance among staff and students, the general populace not valuing cybersecurity as a primary concern in academia and the issues pertaining to that, and the deductive nature of information. Finally the information discussed throughout the work is recapped and possible solutions to the issues of cybersecurity in academia are discussed.
Introduction
Approximately 22 million people are within higher education, as either faculty or students, and any of these people can be put at risk whenever a cyber incident occurs (Mello, 5). Putting faculty and students at risk puts the very future at risk. These members of academia will enter various industries and their influence shall surely be felt, or will it? Perhaps their endeavors will be wasted. Without cyber safety these students and faculty may never flourish and achieve what they sought out and all their efforts may be for not. As most students are aware, Berea like many colleges is flooded by phishing attacks and spam mail. These are all cyber incidents. I feel it is my duty to protect myself and our future by doing whatever I can to bolster Berea’s cyber defenses from maleficent actors. With the invention of the internet and advancements in data storage came a means to connect billions of people and store and transfer an innumerable amount of information. This also brought about a new avenue of possible crime. These result in crimes that occur all over the world known as data breaches, an incident in which an individual’s name and non-directory personal information (e.g. social security number) are put at risk of exposure and may be used to commit identity theft, violations of privacy, or fraud (Beaudin 659,660). According to the Cyber Emergency Response Team Coordination Center of Carnegie Mellon University and the U.S. Secret Service’s 2005 E-crime survey where 819 participants were surveyed about their experiences with cybercrime and cybercriminals, consisting of cybersecurity magazine, CSO subscribers and members of the U.S. Secret Service’s Electronic Crimes Task Forces,  35% reported an increase in cybercrime attempts, 68% said at least one E-crime was committed against their institution in 2004, and 31% of the organizations lacked a formal system to track possible E-crime threats (Borja). According to the Ponemon Institute the average cost per breached record in academia was $142 (Davidson and Hasledalen 69). Thousands of records can be compromised with just one security breach. This topic is noteworthy because students and faculty are at risk across the world to cyber incidents, and thus the very future is at risk as many could be disenfranchised from their own efforts and hard work, all while something can be done about it.
History of Data Breaches in Academia
Academic institution with medical centers that are considered part of institution, that treat both the affiliates of the institution and the general republic are legally responsible in the US for the sensitive data of their staff and clients. Under section 13402(e)(4) of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), institutions that experience a breach that results in the exposure of 500 or more individuals unsecured protect health information must report to the Secretary of the Department of Health and Human Services who must post a list of these breaches. Thus US academic institutions with such facilities must publicize any large scale breaches they endure (Beaudin 664). These statistics may be publicized in graphs or other visual similar to these data breach reports given by the Maryland Health Care Comission
 
Many institutions within academia release data on their experience with data breaches and cyber incidents in the hopes that the data can be used by the academic community to better maintain the cyber security across academia. This data can be analyzed to adjust the protective measures of a particular institution given their particular situation and the characteristics of that institution. Due to this practice and regulations there is a rich pool of data on the topic.
In 2011, the Internet Crime Complaint Center (IC3) received over 300,000 complaints about cybercrimes being committed across the internet, more than six times more complaints then ten years prior. These crimes were estimated to account for $485.3 million worth of damages (Kim 171). This goes to show that the number of reported cybercrimes committed throughout cyberspace in general, is steadily increasing as time goes on. The cyberspace of academia is no exception to this increase in cyber security threats. To further elaborate on the context of cybersecurity in academia, there were over 700 data breaches in academia publicly recorded from 2005 to 2014 (Beaudin 658). According to one study of 599 data breaches within the US from 2005-2017, 1,067,453 records were breached. The two main sources of these breaches were hacking/malware (39.24%) and unintended disclosures (28.64%). Unintended disclosures were the unintentional release of sensitive data, usually due to phishing attacks. Almost a third of the data breaches originated internally most of which were unintentional while a small percentage were due to malicious insiders. The most common things to be stolen in this study were social security numbers, personal data, and addresses (Mello). In 2012 1,977,412 records were reported as breached from 51 institutions according to Help Net Security (Davidson and Hasledalen 70) According to the Poneman Institute claim these sets of data breaches would cost around $151,578,326 and $280,792,504 respectively.
Looking over the top ten data breaches in academia as of 2012, 


 at least 5,939,100 records were affected. Which using the Poneman Institute average would estimate at about $843,352,200 of damage caused these breaches. In many of these cases just like those in the first study, the social security numbers, personal data, and addresses of others was uncovered. The greatest security breach at that time which occurred at the University of Utah costed around $3.35 million. Another breach with in these cases occurred at Ohio State and costed an estimated $4.1 million. These were the only breaches in the list that mentioned the costs of the breach (Advisen). It is obvious given this list that millions were affected, and it costed these institutions millions to resolve these incidents. Let this speak for the broadness and the severity of cyber security threats in academia and the importance of vigilance and defense against these threats.
            Institutions across academia are susceptible to cyber incidents and data breaches and that includes high schools as well. In Sacramento, a student was charged with 89 felonies for hacking into his district’s networks. After three students breached the Massillion, Ohio district’s computers they caused over $400,000 worth of damage. In 2003 a student hacker breached into Chino Valley Unified district’s databases and viewed 1,744 social security numbers of students causing at least $220,000 of damage. Even Acts of Congress can have effects on cyber security in academia. The No Child Left Behind Act has largely encouraged and influenced academic districts to centralize academic and affiliated information to be better organized to make data-driven decisions. The unintended consequence of this was that these institutions are now more open to security breaches since all the information is conveniently stored together (Borja). As stated, any establishment with the potential of containing sensitive data can be the target by malicious actors and these actors certainly do not discriminate between academic institutions, they are all receptacles for potentially valuable data.
            In this paragraph and the next two the security issues fraught within academic research will be covered, specifically the extremely formidable malicious actors that may seek their research out, the lack of defensive capabilities and weaknesses of those developing cutting edge cyber security means, and policy within research projects that hampers their defensive capabilities. Academic institutions can even face threats from highly trained threat actors in some cases possibly foreign intelligence agents. Pennsylvania State University maybe one college who is victim to such attacks. PSU like other large research universities has multimillion-dollar contracts with the defense department. This makes for quite the alluring target, on an average day PSU experience 22 million cyber-attacks. That would mean that PSU faces about 8,030,000,000 attacks per year. According to the Mandiant Forensic Unit at least one of two attacks that occurred in September 2012 and mid 2014 originated from China. PSU’s association with the Department of Defense could make them a window into espionage against the Department. Ken Westin, the Senior Security Analyst of the IT firm Tripwire speculated that China and other governments may subsidize hackers to try and get Department data and this very well could be what occurred in this case. It was estimated that PSU spent roughly $2.85 million to recover from the attack (Coleman and Purcell DBA 3-5).
This issue becomes suddenly more problematic when one realizes that the same people developing a lot of the strategies to improve cyber security are the same people whose research is at risk and there very discoveries can be used against them. Quis custodiet ipsos custodes? Who will guard those who are creating the very means for cyber defense. David Luzzi, executive director of the Strategic Security Initiative of Northeastern’s Advanced Cyber Security Center stated a few years ago (in the context of 2013) a university that was developing new cryptography and malicious actors utilized it before they could even implement the practices themselves. They managed to find this research after it was published by that very same university. Luzzi goes onto say that after this accident and similar ones, academia is now being more careful about what it publishes in order to avoid this happening again in the future. They are far more vague now in a lot of their published works and only intend to describe enough so that readers may realize the breakthrough but not how it is implemented (Zalaznick 5). This is certainly a step in the right direction when it comes to cyber security, however researchers are far from being out of woods. The limited release of this information could still be considered risky in some respects when one considers deductive disclosure, which will be cover later among the other “deeper issues” within cyber security in academia. To lightly touch on the issue, this limited information can still potentially lead to this discovery being found by the malicious actors. These details may become hints that catalyze a eureka moment among the very people that the researchers hope to keep the secrets to their discoveries from. Furthermore, their research is still stored somewhere on the network and is transported through communication while conducting said research and thus it is still susceptible to a data breach.
The cybersecurity of these strongholds is mitigated by the limits given within the very contracting that spawns it. As stated by the former Cybersecurity Program Director of the National Science Foundation, Anita Nikolich, one of the biggest issues with these contracted research deals is that cyber offensive research is not permitted. On the service level this may seem to be no issue, yet one of the best ways to prepare for attacks on a system is to have insiders attack it and play the roles of malicious actors. This is a common practice in the cyber security world known as penetration testing, without penetration testing cyber security employees lack a vital perspective that may be the closest they will ever get to understanding the perspective of those they wish to defend against. On top of this academia has a myopic stance on cyber security research and commonly overlooks the policy and the very mentality of cyber security (Nikolich). Policy is an important aspect of cyber security which can commonly be improved in academia, a lot of times at little to no additional cost to the institution. Thus, it should not be overlooked by even the most humble of establishments.
            When a data breach occurs many times, it is within the academic institution’s best interest to compensate those affected by the breach.  A common means of compensation is by protection via free fraud protection which can be a huge expense on an institution. The University of Maryland, North Dakota University, and Butler University provided this compensation after a breach in 2014 (Coleman and Purcell DBA 4,5). Laws and regulations of an institution’s country can affect how its cyber security teams operate and they maybe held accountable for their folly resulting in additional losses on top of those incurred by the security breach and maintaining affiliates cyber safety. For instance, between April 2009 and June 2011, multiple campuses of the University of Hawaii were accused of releasing sensitive information of 90,000 individuals. Some of these affected individuals went on to file a class action complaint against the institution. Once the university settled the case by providing benefits to the affected class, they had spent $550,000 not including their legal fees (Beaudin 681). It must be noted that many institutions across the globe have exchange students and international affiliates attending their facilities, causing the laws and regulations of these institution to affect individuals across the world. Thus, by proxy the laws and regulations affecting one country’s academic institutions affect the international affiliates of that country’s institutions, and vice versa.
Motives
To understand how to defend against malicious actors one must understand their motives. What drives their actions and what makes an academic institution more likely to be targeted? One of the most common reasons for the actions of a maleficent actor regardless of who they target is to gain capital. They usually gain this capital through obtaining sensitive data and using it to their advantage. Whether that be through the selling of stolen research documents or the use of someone else’s credentials to purchase something using their victim’s capital. In the end like many domains, academia is targeted for its rich supply of sensitive data, some of which is expensive research, but the main prize is the credentials of those affiliated with the institution (UMBC). Any establishment will usually have the sensitive data of its affiliates through the transactions that they make with the establishment and its affiliated establishments (medical centers, cafes, art exhibit/galleries, and other establishments that are part of the institution). Thus, these establishment’s cyber domains become repositories of sensitive data ripe for the taking of any would-be data breach.
Three factors have proven to make an academic institution more likely to be targeted: how many people are affiliated and attend the academic institution; how wealthy the affiliates and institution are, including how much faculty is paid; and how well the sensitive data is protected. The bigger the faculty and student population, the more records the academic institution will hold and thus it will be more likely to be targeted. The wealthier an institution is, the wealthier the faculty and students are, and the more money that goes through the institution (whether that be through financial transactions or donations), the more like that institution is to be targeted. Theirs is more capital to be made from these targets. The more secure an institution’s data is, the less likely it is to be targeted. This makes a successful breech less likely and requires more work and time of the malicious actor, so they would of course prefer an easier target with a greater guarantee of success (Mello 22). Malicious actors are after big institutions with a lot of capital and little to no measures taken towards data security. Small colleges with small populations and extensive measures taken towards data security may be the least likely to be targeted but they will still probably face occasional cyber incidents from time to time. If there is the potential for profitable sensitive data to be stored in a repository then there will be malicious actors vying to obtain that data. Academia’s cyber security teams have the habit of being behind in tech, staff, and resources. This habit along with academia’s open nature, common tech culture of bring your own device, complicated mixture of open and secure networks usually accessible via a series of intranets and extranets (Beaudin 664), need to share information frequently and easily, common need for 24/7 accessibility in a network, and the need for information to be easily accessible from the instance of the user (once some is in the extranet in a user’s account they usually have very little else stopping them from getting to confidential data, site’s interior usually have very little defense by design) lead to the specific issues in academia’s cyber security (Borja).

Deeper Issues
IT staff within academia are not afraid to admit to some of the more glaring issues within their section of cyber security. The same facilities that suffer from staffing and cyber security budget issues also suffer from a lack of policy and data management. According to a survey of almost 300 IT staff within higher education from February to March of 2014, only 45% of facilities have formal risk assessment and remediation policies in place. The issue gets worse with smaller staff, as only 31% of those with less than 2,000 employees have such policies. Then to compound with this issue only 57% of institutions classify their data and provide guidelines on how to handle said data. Only 55% define appropriate roles when it comes to this information. This means there is no agreed upon manner in which to prioritize which incident should be taken care of first and how an incident shall be taken care. These institutions frankly have no plan of what is most important, data or task-wise and how they will achieve and maintain cyber security, nor do they define who is responsible for what and how they will responsibly hold said data. These practices do not fare much better in respect to the protection of sensitive data. Most institutions have policies restricting access to this information and avoid storage of this information when possible yet only 54% of institutions encrypt this data in transit and only 48% encrypt this data at rest. Whenever this data is not encrypted then it is naked in plain daylight to any prying eyes with not so good intentions and the individual attached to that data is ultimately put at risk. The four biggest concern of IT professionals in higher education was administrative systems (70%), faculty & staff computers (64%), web applications (64%), and faculty & staff mobile devices (60%). Budgeting and staffing of cyber security employees is still a major issue within academia as well with 64% agreeing that they needed 1-5 additional full-time employees on staff, 43% believing they could not appropriately pay one for their skills and effort, and 73% deemed a lack of budget as the main cause of their staffing issues. Cyber security is taken too lightly by academia, especially when they have their pocket books out (Sans Institute 1). As the Internet of Things (IoT) continues to grow and more and more devices become part of the network, the harder it becomes to manage and maintain the network. A study conducted by Forescout and Forrester found that the majority of companies believe that increased use of connected devices leads to significant security challenges (77%) and an even larger majority finds it difficult to identify all of their network devices (82%). Technology is expanding at a nearly exponential rate and this requires the rest of IT world to keep up (Webb and Hume 1). Technology’s rate of growth compounds with the issue of academia’s cyber security efforts being understaffed, underbudgeted, and behind the cutting edge of the modern era. Because of this the strategy and the resources employed by academia’s cyber security staff is that much more important. Every second, cent, and thought counts and they must be used wisely in the face of such an overwhelming disadvantage.
            Another issue is the behavior of users across the networks of academia. Not just the practices of cyber security specialists but also the practices of all members of academia, both students and faculty regardless of their major. According to a survey conducted in spring 2011 by California State University, Los Angeles the major problem with cybersecurity awareness among students isn’t lack of cybersecurity knowledge but instead how they apply their knowledge to real world experiences. The compliance of cybersecurity awareness is lower than the understanding of it among the student body (Slusky and Partow-Navid 3). An example of this lack of compliance among users can be illustrated by the following evidence. An experiment conducted at the American University of Sharjah in UAE including 10,000 students and 1,000 faculty members where a fake phishing attack was staged with warning notifications of the threat, found that 954 users fell for the phishing attack. 96% of which were students (Aloul 3). A study conducted at the University of Hartford found similar results. Students learn cybersecurity from multiple sources including education, occupation, and friends. Students understand most information security topics suggest by the National Institute of Standards and Technology (NIST 800-50). Liberal arts schools should include cybersecurity awareness in their required general study courses, soon after a student’s enrollment or transfer to the college. It is highly recommended that colleges teach practical and applicable cyber security skills rather than just theoretical concepts (Kim 177). Implementing such classes and training in order to develop a positive and active attitude towards cybersecurity within academia should be a major concern. The cost of implementing such training and classes could very cost effective for the institution’s IT budget. It is a financially sound decision because it will hopefully make the users of the network more accountable and responsible with their behavior and practices. Certainly not every individual can be accounted for and humans will always prone to error to some extent, but it is best to lower this chance of error as much as one can.
            Ultimately one of the biggest factors holding back academia from reaching greater information security policy compliance is cognitive expectations’ lack of impact on their organizational efforts. According to Neo-Institutional Theory, which postulates that to survive organizations must take on initial internal organizational efforts to secure legitimacy by conforming to outside expectations and/or pressures, cognitive expectations or pressures are the perception and related expectations of the stakeholder regarding a certain phenomenon. Stakeholder’s perceive academia as the domain of education and research yet not as a bastion of information security, which leads data breaches within academia to not be judged harshly. Stakeholder’s will be far more critical towards a data breach occurring within the financial sector than they ever would academia, leading cyber security to be a primary issue among members of the financial sector but at best a secondary issue in academia. An academic institution’s reputation is rarely affected by a data breach. For instance, after the leakage of 200,000 students’ electronic records the University of Texas, Austin still maintained its ranking (Kam et al.). This is not the case for institutions within the broader business world. According to an analysis of data breaches collected from different sources between 1996 to March of 2006, data breaches have a significant and negative albeit short-lived impact on businesses who are victims to them. Larger firms experience greater effects, perhaps due to a combination of visibility, brand recognition, and gain trust with time; although due the strength of their stock they are usually not harmed nearly as bad. A breach greater than 100,000 subjects will reduce the return on stock price by 1.2%. Larger companies have a greater chance of a more immediate recovery. This means that the shareholders and public at a surface level value the stock 1.2% less than they once did. This can be a significant amount on multimillion and of course billion-dollar businesses. Smaller businesses will face great damage by this as well as it will stunt their development and growth (Acquisto et al.). Stock price is majorly derived from the stock’s reputation to the shareholders and public and by proxy the business of that stock’s reputation, thus it is a worthy comparison with the reputation of academic institutions. Academic institutions should be widely treated the same as businesses are in the context of a data breach, the institutions of both guard a lot of the same sensitive information (e.g. social security numbers, addresses, medical information, etc.). A person should be concerned about the security of say, their social security number as much from their insurance provider as their college. If the public valued the cybersecurity of academic institutions more, then the academic institutions would have a greater incentive to focus on their cyber security capabilities. If cybersecurity was prioritized more within academia, considered when choosing academic institutions, and data breaches had a greater affect on an academic institutions reputation then cybersecurity would have a far greater budget and would be far better off in the academic world. When interacting with an institution as a student or faculty, or just a user of a network one should consider the cybersecurity capabilities of the establishment. Because the individual using the network is making the decision to allow that network to have their data in some capacity with their network and is giving the establishment the responsibility of protecting their data. When consider what institutions to interact with one should research the institution’s cybersecurity history and ask themselves if they would trust that institution with their sensitive data. Should the institution experience a data breach then that individual data and thus money, identity, and future may be at risk, such risk should not be taken lightly.
            The need of academic networks’ openness and connectivity leads to another issue when further inspected, deductive disclosure. With just the use of miscellaneous information one can be identified and their more sensitive information can be found. Information that may seem harmless, whether it be preferential (e.g. likes and interests) or circumstantial (e.g. email, username, etc.) can be used as breadcrumbs to find a person’s hidden information. Institutions, individuals, and networks may see no trouble in releasing some information as long as they “dissociate” from the individual, but the fact of the matter is this left-over information can be used as clues and reverse engineered by malicious actors. This is a common issue across cyber space, it is certainly not specific to academia, but it certainly is one that is very susceptible to more open networks and environments and by that extension the majority of academia. The world of espionage and surveillance is a dangerous mural where the smallest and most seemingly insignificant of features can shape together to be a sinister picture. That isn’t to say that the release of any amount of the most “insignificant” information can lead to the identification of a subject and a trail to manipulation of their identity and information. The chances of being correct in a game of guess who with the only clue that the subject’s favorite color is red is unlikely when looking through a group of billions. Those chances grow however with the favorite color being vermillion out of a much smaller group, with much more clues, and much more targets; each of which has many clues. Many will never be affected just by the luck of chance but if these are considered victories then let them be considered pyrrhic. Because those that remain unaffected by this flaw are not safe but instead remain unscathed despite this weakness. The point of this paragraph isn’t to fear monger in levels of paranoia on par with McCarthyism but instead to demonstrate that the topic of security and identification is a complex issue brought about by the complex nature of humanity and being. Simply put, one can not hope to guard separate individuals with separate circumstances, attributes and cyber histories with one overlapping and uniform solution. Cyber security is not a one size fits all solution (Narayanan and Shmatikov).
Conclusion
As stated cyber security within academia is haunted by a number of deeper issues that cause these problems within vulnerability management, which are linked to the lack of resources available to academic institutions along with the increasing acceleration of growth within the Internet of Things within academia,  the lack of compliance of good cyber security practices among the users within their networks, the lack of consequence or ridicule upon their reputation for data breaches and cybersecurity of academic institutions not being valued or highly considered when choosing an institutions to attend, and the deductive nature of information along with the naïve notion that a uniform cybersecurity plan is ideal. Academic institutions are often seen as easy targets by malicious actors with little risk and work leading to the possibility of a high reward, they are simple advantageous to prey upon than many other establishments with the private sector. Academia has an open nature with the distribution of data and communication carried by the users within their networks while not taking cybersecurity as seriously as most establishments within the private sector, while storing large caches of valuable data that can be manipulated to make capital with sometimes only shabby defenses in between the sensitive data and malicious actors, some of which have great expertise within hacking. To improve upon academia’s current state proper action and care must be taken. Cybersecurity is not a small issue; millions of people, across the world, have their future and well-being at stake. Some of the solutions to solve these problems can be feasibly implemented, some of which will cost little expense upon the participants and the facilities such putting cybersecurity policies in place, promoting practical cybersecurity awareness among their users, and taking cybersecurity within academia more seriously, especially in terms of an institution’s reputation. In order to improve this situation one should allot a greater budget to cybersecurity personnel of academia and policies and practice among personnel should be formalized, institutions should provide and if possible require practical cybersecurity awareness training among the users of their network, cybersecurity of an institution should be prioritized and valued among incoming students and staff who are seeking out institutions, and the deductive nature of data and the complexity of cybersecurity should be realized and respected. Academia is certainly a whole different beast than the private sector and can not completely nor should it fully implement the cybersecurity preventions practices of the private sector, but it stands a lot to gain from implementing those that suit it. If these details are properly considered, then academia can hopefully reflect upon its shortcomings and better prepare its participants for the possible dangers that lie ahead. Hopefully with these practices the futures of so very many and thus the world can be better guaranteed. No person should be disenfranchised of their valiant efforts by those who have no claim to their privacy and prospects. A person should ideally rest assured that their future is within their hands.












Bibliography
“Definition of ‘Academia’ - English Dictionary.” Cambridge Dictionary, 2018, dictionary.cambridge.org/us/dictionary/english/academia.
“Hacking Academia with Cybersecurity Expert Anita Nikolich.” Performance by Anita Nikolich, Hacking Academia with Cybersecurity Expert Anita Nikolich, 29 Aug. 2018, www.youtube.com/watch?v=Jh4PUQe742Q.
Acquisti, Alessandro; Friedman, Allan; and Telang, Rahul, "Is There a Cost to Privacy Breaches? An Event Study" (2006). ICIS 2006 Proceedings. 94.
Advisen Cyber Journal. “Ten Largest Data Breaches for Colleges & Universities Ranked by No. of Records Breached.” Advisen Cyber Journal, 2012.
Aloul, Fadi A. “Information Security Awareness in UAE: A Survey Paper.” American University of Sharjah, 2010.
Beaudin, Katie. “College and University Data Breaches: Regulating Higher Education Cybersecurity Under State and Federal Law.” Journal of College and University Law, 2015.
Borja, Rhea R. “Cyber-Security Concerns Mount as Student Hacking Hits Schools.” Education Week, Editorial Project in Education, 21 June 2018, www.edweek.org/ew/articles/2006/01/18/19hacking.h25.html.
Coleman, Lori, and Bernice M. Purcell. “Www.aabri.com/Manuscripts/162377.Pdf.” Journal of Business Cases and Applications, vol. 15, Dec. 2015, pp. 1–7.
Davidson, Phillip, and Kenneth Haseldalen. “Cyber Threats to Online Education: A Delphi Study.” University of Phoenix, School of Advanced Studies, , 2013.
Kam, Hwee-Joo, et al. “Information Security Policy Compliance in Higher Education: A Neo-Institutional Perspective.” AIS Electronic Library (AISeL), 18 June 2013.
Kim, Eyong B. “Information Security Awareness Status of Business College: Undergraduate Students.” Information Security Journal: A Global Perspective, vol. 22, no. 4, 18 Nov. 2013, pp. 171–179., doi:10.1080/19393555.2013.828803.
Marchany, Randy. “Higher Education: Open and Secure?” Sans Institute, 2014.
Mello, Samantha, "Data Breaches in Higher Education Institutions" (2018). Honors Theses and Capstones. 400. https://scholars.unh.edu/honors/400
Moffit, Robert E., and Ben Steffen. “Health Care Data Breaches: A Changing Landscape.” Maryland Health Care Commission , June 2017.
Ridgon, John C. “Dictionary of Computer and Internet Terms.” Eastern Digital Resources, 2016.
Slusky, Ludwig, and Parviz Partow-Navid. “Students Information Security Practices and Awareness.” Journal of Information Privacy and Security, vol. 8, no. 4, 7 July 2012, pp. 3–26., doi:10.1080/15536548.2012.10845664.
UMBC. “Division of Information Technology.” Why College Campuses Are Big Targets for Cyber Attacks - Division of Information Technology - UMBC, 2 Oct. 2017, 9:13 a.m., doit.umbc.edu/news/?id=70678.
Webb, James, and Dustin Hume. “Campus IoT Collaboration and Governance Using the NIST Cybersecurity Framework .” Living in the Internet of Things: Cybersecurity of the IoT, 2018.
Zalaznick, Matt. “Cyberattacks on the Rise in Higher Education.” University Business, Oct. 2013.


           
           
           


Comments

Popular posts from this blog

Resume

Automatic Pet Feeder