Cyber Security in Academia
Cybersecurity in
Academia
Wade A. Rutherford
Computer and
Information Sciences
Berea College
GSTR 410
Dr. Peter Hackbert
September 30, 2018
Abstract
Ten of millions if not
hundreds of millions of people are affiliated or have made some type of
transaction with an academic institution or one of its properties and are at
risk whenever a data breach occurs. The sensitive data that they gave to the
institution when making their transaction(s) is ripe for the taking of any
would-be malicious actor. The cyber security issues within academia are evident
through the expenses caused by data breaches and expenses related to these
cyber incidents (e.g. legal suits and cyber incident prevention). Cybersecurity
issues in academia stem from the lack of resources available, the lack of
compliance of good cybersecurity practices, the lack of impact to an
institution’s reputation for data breaches, cybersecurity not being considered
when choosing an institution to attend, and the deductive nature of
information. In order to improve this situation one should allot a greater
budget to cybersecurity personnel of academia and policies and practice among
personnel should be formalized, institutions should provide and if possible
require practical cybersecurity awareness training among the users of their
network, cybersecurity of an institution should be prioritized and valued among
incoming students and staff who are seeking out institutions, and the deductive
nature of data and the complexity of cybersecurity should be realized and
respected.
Key words: Academia, Cyber Incident Prevention, Cybersecurity, Cybersecurity
Awareness, Cyberspace, Data Breaches, Malicious Actors, Phishing, Vulnerability
Management
Glossary
Academia: The part of
society including academic institutions and their properties (Cambridge English
Dictionary, 2018).
Cyber Incident Prevention:
The prevention of any event that is not a part of standard operations of a
service, that may cause an interruption or a reduction in the quality of said
service specifically in relation to technology and or network traffic (Rigdon,618).
Cybersecurity: The
protection of a device and its data from harm or loss (Rigdon, 1123).
Cybersecurity Awareness:
Knowledge of good cybersecurity practices and a means of intuition when dealing
with potential threats (things that may become an incident) (Rigdon).
Cyberspace: The internet
and various domains connected to it such as intranet (domains specifically
accessible to a certain device) and extranet (domains specifically accessible
via a certain address or web page, e.g. Berea College’s Moodle network that is accessed
through the myBerea page) (Rigdon, 338).
Data Breach: The
unauthorized and/or unintentional release or viewing of secured data.
Malicious Actors: A user
or an autonomous program that acts as a user, which has the intent or is
programmed to cause harm to the system and or network or use it in an unauthorized
manner (Rigdon, 738).
Phishing: An internet
scam that will ask for certain information via a forged email (Rigdon, 919).
Vulnerability Management:
The management of any weakness, capability, policy, or otherwise that can be
exploited by a threat (Rigdon, 1393).
Methodology
I started my research
doing a review of the literature via a key word search as advised by
professional librarian Angel Rivera. Once I thought of a list of related key
words for my research topic, I defined those terms by basing them off the
definitions and definitions for similar terms or derivative/parent terms given with
the Cambridge English Dictionary and Rigdon’s
Dictionary of Computer and Internet Terms.
I changed these definitions to more specifically reflect what I was referring
to when using these terms. After this I went on continue through my research
via my key word search. I specifically sought peer reviewed academic and
scholarly works. I focused on hard data given from cases of actual data
breaches and professional advice and observations. I intended to have as
complete an understanding of the topic as best I could. To gain a worldly
understanding of the topic I included sources not only from the US but also
some works from South Korea and the United Arab Emirates within my research and
to gain a broad understanding of the topic
I considered not only the computer and information science perspective of
cybersecurity in academia but also included how sociology (i.e.
Neo-Institutional Theory) and law (e.g. the HITECH Act) affected the topic as
well.
Overview
The remainder of this
work is organized as follows. The next section briefly demonstrates the
significance of this topic. Thereafter, an account of broad historical events
and issues are given to cover the expense of breached records, real world data
breaches in academia and their effects, issues of cybersecurity within high
schools, how some laws and policies have affected cybersecurity, issues
regarding cybersecurity and academic research, and legal cases and issues
within the cybersecurity of academia. Next the motivations and what makes an
institution more likely to be the target of a cyber attack is discussed. Then
the deeper issues are discussed, including the shortcomings of academia’s IT
departments, the lack of cybersecurity awareness and compliance among staff and
students, the general populace not valuing cybersecurity as a primary concern
in academia and the issues pertaining to that, and the deductive nature of
information. Finally the information discussed throughout the work is recapped
and possible solutions to the issues of cybersecurity in academia are
discussed.
Introduction
Approximately 22 million
people are within higher education, as either faculty or students, and any of
these people can be put at risk whenever a cyber incident occurs (Mello, 5).
Putting faculty and students at risk puts the very future at risk. These
members of academia will enter various industries and their influence shall
surely be felt, or will it? Perhaps their endeavors will be wasted. Without
cyber safety these students and faculty may never flourish and achieve what
they sought out and all their efforts may be for not. As most students are
aware, Berea like many colleges is flooded by phishing attacks and spam mail.
These are all cyber incidents. I feel it is my duty to protect myself and our
future by doing whatever I can to bolster Berea’s cyber defenses from
maleficent actors. With the invention of the internet and advancements in data
storage came a means to connect billions of people and store and transfer an
innumerable amount of information. This also brought about a new avenue of
possible crime. These result in crimes that occur all over the world known as data
breaches, an incident in which an individual’s name and non-directory personal
information (e.g. social security number) are put at risk of exposure and may
be used to commit identity theft, violations of privacy, or fraud (Beaudin
659,660). According to the Cyber Emergency Response Team Coordination Center of
Carnegie Mellon University and the U.S. Secret Service’s 2005 E-crime survey
where 819 participants were surveyed about their experiences with cybercrime
and cybercriminals, consisting of cybersecurity magazine, CSO subscribers and
members of the U.S. Secret Service’s Electronic Crimes Task Forces, 35% reported an increase in cybercrime
attempts, 68% said at least one E-crime was committed against their institution
in 2004, and 31% of the organizations lacked a formal system to track possible
E-crime threats (Borja). According to the Ponemon Institute the average cost
per breached record in academia was $142 (Davidson and Hasledalen 69). Thousands
of records can be compromised with just one security breach. This topic is
noteworthy because students and faculty are at risk across the world to cyber
incidents, and thus the very future is at risk as many could be disenfranchised
from their own efforts and hard work, all while something can be done about it.
History
of Data Breaches in Academia
Academic institution with
medical centers that are considered part of institution, that treat both the
affiliates of the institution and the general republic are legally responsible
in the US for the sensitive data of their staff and clients. Under section
13402(e)(4) of the Health Information Technology for Economic and Clinical
Health Act (HITECH Act), institutions that experience a breach that results in
the exposure of 500 or more individuals unsecured protect health information
must report to the Secretary of the Department of Health and Human Services who
must post a list of these breaches. Thus US academic institutions with such
facilities must publicize any large scale breaches they endure (Beaudin 664).
These statistics may be publicized in graphs or other visual similar to these
data breach reports given by the Maryland Health Care Comission
Many institutions within
academia release data on their experience with data breaches and cyber
incidents in the hopes that the data can be used by the academic community to
better maintain the cyber security across academia. This data can be analyzed
to adjust the protective measures of a particular institution given their
particular situation and the characteristics of that institution. Due to this practice
and regulations there is a rich pool of data on the topic.
In
2011, the Internet Crime Complaint Center (IC3) received over 300,000
complaints about cybercrimes being committed across the internet, more than six
times more complaints then ten years prior. These crimes were estimated to
account for $485.3 million worth of damages (Kim 171). This goes to show that
the number of reported cybercrimes committed throughout cyberspace in general,
is steadily increasing as time goes on. The cyberspace of academia is no
exception to this increase in cyber security threats. To further elaborate on
the context of cybersecurity in academia, there were over 700 data breaches in
academia publicly recorded from 2005 to 2014 (Beaudin 658). According to one
study of 599 data breaches within the US from 2005-2017, 1,067,453 records were
breached. The two main sources of these breaches were hacking/malware (39.24%)
and unintended disclosures (28.64%). Unintended disclosures were the
unintentional release of sensitive data, usually due to phishing attacks.
Almost a third of the data breaches originated internally most of which were
unintentional while a small percentage were due to malicious insiders. The most
common things to be stolen in this study were social security numbers, personal
data, and addresses (Mello). In 2012 1,977,412 records were reported as
breached from 51 institutions according to Help Net Security (Davidson and
Hasledalen 70) According to the Poneman Institute claim these sets of data
breaches would cost around $151,578,326 and $280,792,504 respectively.
Looking
over the top ten data breaches in academia as of 2012,
at least 5,939,100 records were affected.
Which using the Poneman Institute average would estimate at about $843,352,200
of damage caused these breaches. In many of these cases just like those in the
first study, the social security numbers, personal data, and addresses of
others was uncovered. The greatest security breach at that time which occurred
at the University of Utah costed around $3.35 million. Another breach with in
these cases occurred at Ohio State and costed an estimated $4.1 million. These
were the only breaches in the list that mentioned the costs of the breach
(Advisen). It is obvious given this list that millions were affected, and it
costed these institutions millions to resolve these incidents. Let this speak
for the broadness and the severity of cyber security threats in academia and
the importance of vigilance and defense against these threats.
Institutions across academia are susceptible to cyber
incidents and data breaches and that includes high schools as well. In
Sacramento, a student was charged with 89 felonies for hacking into his
district’s networks. After three students breached the Massillion, Ohio
district’s computers they caused over $400,000 worth of damage. In 2003 a
student hacker breached into Chino Valley Unified district’s databases and
viewed 1,744 social security numbers of students causing at least $220,000 of
damage. Even Acts of Congress can have effects on cyber security in academia.
The No Child Left Behind Act has largely encouraged and influenced academic
districts to centralize academic and affiliated information to be better
organized to make data-driven decisions. The unintended consequence of this was
that these institutions are now more open to security breaches since all the
information is conveniently stored together (Borja). As stated, any
establishment with the potential of containing sensitive data can be the target
by malicious actors and these actors certainly do not discriminate between
academic institutions, they are all receptacles for potentially valuable data.
In this paragraph and the next two the security issues
fraught within academic research will be covered, specifically the extremely
formidable malicious actors that may seek their research out, the lack of
defensive capabilities and weaknesses of those developing cutting edge cyber
security means, and policy within research projects that hampers their defensive
capabilities. Academic institutions can even face threats from highly trained
threat actors in some cases possibly foreign intelligence agents. Pennsylvania
State University maybe one college who is victim to such attacks. PSU like
other large research universities has multimillion-dollar contracts with the
defense department. This makes for quite the alluring target, on an average day
PSU experience 22 million cyber-attacks. That would mean that PSU faces about 8,030,000,000
attacks per year. According to the Mandiant Forensic Unit at least one of two
attacks that occurred in September 2012 and mid 2014 originated from China. PSU’s
association with the Department of Defense could make them a window into
espionage against the Department. Ken Westin, the Senior Security Analyst of
the IT firm Tripwire speculated that China and other governments may subsidize
hackers to try and get Department data and this very well could be what
occurred in this case. It was estimated that PSU spent roughly $2.85 million to
recover from the attack (Coleman and Purcell DBA 3-5).
This
issue becomes suddenly more problematic when one realizes that the same people
developing a lot of the strategies to improve cyber security are the same
people whose research is at risk and there very discoveries can be used against
them. Quis custodiet ipsos custodes? Who will guard those who are creating the
very means for cyber defense. David Luzzi, executive director of the Strategic
Security Initiative of Northeastern’s Advanced Cyber Security Center stated a
few years ago (in the context of 2013) a university that was developing new
cryptography and malicious actors utilized it before they could even implement
the practices themselves. They managed to find this research after it was published
by that very same university. Luzzi goes onto say that after this accident and
similar ones, academia is now being more careful about what it publishes in
order to avoid this happening again in the future. They are far more vague now
in a lot of their published works and only intend to describe enough so that
readers may realize the breakthrough but not how it is implemented (Zalaznick
5). This is certainly a step in the right direction when it comes to cyber
security, however researchers are far from being out of woods. The limited
release of this information could still be considered risky in some respects
when one considers deductive disclosure, which will be cover later among the
other “deeper issues” within cyber security in academia. To lightly touch on
the issue, this limited information can still potentially lead to this
discovery being found by the malicious actors. These details may become hints
that catalyze a eureka moment among the very people that the researchers hope
to keep the secrets to their discoveries from. Furthermore, their research is
still stored somewhere on the network and is transported through communication
while conducting said research and thus it is still susceptible to a data
breach.
The
cybersecurity of these strongholds is mitigated by the limits given within the
very contracting that spawns it. As stated by the former Cybersecurity Program
Director of the National Science Foundation, Anita Nikolich, one of the biggest
issues with these contracted research deals is that cyber offensive research is
not permitted. On the service level this may seem to be no issue, yet one of
the best ways to prepare for attacks on a system is to have insiders attack it
and play the roles of malicious actors. This is a common practice in the cyber
security world known as penetration testing, without penetration testing cyber
security employees lack a vital perspective that may be the closest they will
ever get to understanding the perspective of those they wish to defend against.
On top of this academia has a myopic stance on cyber security research and
commonly overlooks the policy and the very mentality of cyber security
(Nikolich). Policy is an important aspect of cyber security which can commonly
be improved in academia, a lot of times at little to no additional cost to the
institution. Thus, it should not be overlooked by even the most humble of
establishments.
When a data breach occurs many times, it is within the
academic institution’s best interest to compensate those affected by the
breach. A common means of compensation
is by protection via free fraud protection which can be a huge expense on an institution.
The University of Maryland, North Dakota University, and Butler University
provided this compensation after a breach in 2014 (Coleman and Purcell DBA
4,5). Laws and regulations of an institution’s country can affect how its cyber
security teams operate and they maybe held accountable for their folly
resulting in additional losses on top of those incurred by the security breach
and maintaining affiliates cyber safety. For instance, between April 2009 and
June 2011, multiple campuses of the University of Hawaii were accused of
releasing sensitive information of 90,000 individuals. Some of these affected
individuals went on to file a class action complaint against the institution.
Once the university settled the case by providing benefits to the affected
class, they had spent $550,000 not including their legal fees (Beaudin 681). It
must be noted that many institutions across the globe have exchange students
and international affiliates attending their facilities, causing the laws and
regulations of these institution to affect individuals across the world. Thus,
by proxy the laws and regulations affecting one country’s academic institutions
affect the international affiliates of that country’s institutions, and vice
versa.
Motives
To understand how to
defend against malicious actors one must understand their motives. What drives
their actions and what makes an academic institution more likely to be
targeted? One of the most common reasons for the actions of a maleficent actor
regardless of who they target is to gain capital. They usually gain this
capital through obtaining sensitive data and using it to their advantage.
Whether that be through the selling of stolen research documents or the use of
someone else’s credentials to purchase something using their victim’s capital.
In the end like many domains, academia is targeted for its rich supply of
sensitive data, some of which is expensive research, but the main prize is the
credentials of those affiliated with the institution (UMBC). Any establishment
will usually have the sensitive data of its affiliates through the transactions
that they make with the establishment and its affiliated establishments
(medical centers, cafes, art exhibit/galleries, and other establishments that
are part of the institution). Thus, these establishment’s cyber domains become
repositories of sensitive data ripe for the taking of any would-be data breach.
Three
factors have proven to make an academic institution more likely to be targeted:
how many people are affiliated and attend the academic institution; how wealthy
the affiliates and institution are, including how much faculty is paid; and how
well the sensitive data is protected. The bigger the faculty and student
population, the more records the academic institution will hold and thus it
will be more likely to be targeted. The wealthier an institution is, the
wealthier the faculty and students are, and the more money that goes through
the institution (whether that be through financial transactions or donations),
the more like that institution is to be targeted. Theirs is more capital to be
made from these targets. The more secure an institution’s data is, the less
likely it is to be targeted. This makes a successful breech less likely and
requires more work and time of the malicious actor, so they would of course
prefer an easier target with a greater guarantee of success (Mello 22).
Malicious actors are after big institutions with a lot of capital and little to
no measures taken towards data security. Small colleges with small populations
and extensive measures taken towards data security may be the least likely to
be targeted but they will still probably face occasional cyber incidents from
time to time. If there is the potential for profitable sensitive data to be
stored in a repository then there will be malicious actors vying to obtain that
data. Academia’s cyber security teams have the habit of being behind in tech,
staff, and resources. This habit along with academia’s open nature, common tech
culture of bring your own device, complicated mixture of open and secure
networks usually accessible via a series of intranets and extranets (Beaudin
664), need to share information frequently and easily, common need for 24/7
accessibility in a network, and the need for information to be easily
accessible from the instance of the user (once some is in the extranet in a
user’s account they usually have very little else stopping them from getting to
confidential data, site’s interior usually have very little defense by design)
lead to the specific issues in academia’s cyber security (Borja).
Deeper
Issues
IT staff within academia
are not afraid to admit to some of the more glaring issues within their section
of cyber security. The same facilities that suffer from staffing and cyber security
budget issues also suffer from a lack of policy and data management. According
to a survey of almost 300 IT staff within higher education from February to
March of 2014, only 45% of facilities have formal risk assessment and
remediation policies in place. The issue gets worse with smaller staff, as only
31% of those with less than 2,000 employees have such policies. Then to
compound with this issue only 57% of institutions classify their data and
provide guidelines on how to handle said data. Only 55% define appropriate
roles when it comes to this information. This means there is no agreed upon
manner in which to prioritize which incident should be taken care of first and
how an incident shall be taken care. These institutions frankly have no plan of
what is most important, data or task-wise and how they will achieve and
maintain cyber security, nor do they define who is responsible for what and how
they will responsibly hold said data. These practices do not fare much better
in respect to the protection of sensitive data. Most institutions have policies
restricting access to this information and avoid storage of this information
when possible yet only 54% of institutions encrypt this data in transit and
only 48% encrypt this data at rest. Whenever this data is not encrypted then it
is naked in plain daylight to any prying eyes with not so good intentions and
the individual attached to that data is ultimately put at risk. The four
biggest concern of IT professionals in higher education was administrative
systems (70%), faculty & staff computers (64%), web applications (64%), and
faculty & staff mobile devices (60%). Budgeting and staffing of cyber
security employees is still a major issue within academia as well with 64%
agreeing that they needed 1-5 additional full-time employees on staff, 43%
believing they could not appropriately pay one for their skills and effort, and
73% deemed a lack of budget as the main cause of their staffing issues. Cyber
security is taken too lightly by academia, especially when they have their
pocket books out (Sans Institute 1). As the Internet of Things (IoT) continues
to grow and more and more devices become part of the network, the harder it
becomes to manage and maintain the network. A study conducted by Forescout and
Forrester found that the majority of companies believe that increased use of
connected devices leads to significant security challenges (77%) and an even
larger majority finds it difficult to identify all of their network devices
(82%). Technology is expanding at a nearly exponential rate and this requires
the rest of IT world to keep up (Webb and Hume 1). Technology’s rate of growth
compounds with the issue of academia’s cyber security efforts being
understaffed, underbudgeted, and behind the cutting edge of the modern era.
Because of this the strategy and the resources employed by academia’s cyber
security staff is that much more important. Every second, cent, and thought
counts and they must be used wisely in the face of such an overwhelming
disadvantage.
Another
issue is the behavior of users across the networks of academia. Not just the
practices of cyber security specialists but also the practices of all members
of academia, both students and faculty regardless of their major. According to
a survey conducted in spring 2011 by California State University, Los Angeles
the major problem with cybersecurity awareness among students isn’t lack of
cybersecurity knowledge but instead how they apply their knowledge to real
world experiences. The compliance of cybersecurity awareness is lower than the
understanding of it among the student body (Slusky and Partow-Navid 3). An
example of this lack of compliance among users can be illustrated by the
following evidence. An experiment conducted at the American University of
Sharjah in UAE including 10,000 students and 1,000 faculty members where a fake
phishing attack was staged with warning notifications of the threat, found that
954 users fell for the phishing attack. 96% of which were students (Aloul 3). A
study conducted at the University of Hartford found similar results. Students
learn cybersecurity from multiple sources including education, occupation, and
friends. Students understand most information security topics suggest by the National
Institute of Standards and Technology (NIST 800-50). Liberal arts schools
should include cybersecurity awareness in their required general study courses,
soon after a student’s enrollment or transfer to the college. It is highly
recommended that colleges teach practical and applicable cyber security skills
rather than just theoretical concepts (Kim 177). Implementing such classes and
training in order to develop a positive and active attitude towards
cybersecurity within academia should be a major concern. The cost of
implementing such training and classes could very cost effective for the
institution’s IT budget. It is a financially sound decision because it will
hopefully make the users of the network more accountable and responsible with
their behavior and practices. Certainly not every individual can be accounted
for and humans will always prone to error to some extent, but it is best to
lower this chance of error as much as one can.
Ultimately one of the biggest factors holding back
academia from reaching greater information security policy compliance is
cognitive expectations’ lack of impact on their organizational efforts.
According to Neo-Institutional Theory, which postulates that to survive
organizations must take on initial internal organizational efforts to secure
legitimacy by conforming to outside expectations and/or pressures, cognitive
expectations or pressures are the perception and related expectations of the
stakeholder regarding a certain phenomenon. Stakeholder’s perceive academia as
the domain of education and research yet not as a bastion of information
security, which leads data breaches within academia to not be judged harshly.
Stakeholder’s will be far more critical towards a data breach occurring within
the financial sector than they ever would academia, leading cyber security to
be a primary issue among members of the financial sector but at best a
secondary issue in academia. An academic institution’s reputation is rarely
affected by a data breach. For instance, after the leakage of 200,000 students’
electronic records the University of Texas, Austin still maintained its ranking
(Kam et al.). This is not the case for institutions within the broader business
world. According to an analysis of data breaches collected from different
sources between 1996 to March of 2006, data breaches have a significant and
negative albeit short-lived impact on businesses who are victims to them.
Larger firms experience greater effects, perhaps due to a combination of
visibility, brand recognition, and gain trust with time; although due the
strength of their stock they are usually not harmed nearly as bad. A breach
greater than 100,000 subjects will reduce the return on stock price by 1.2%.
Larger companies have a greater chance of a more immediate recovery. This means
that the shareholders and public at a surface level value the stock 1.2% less
than they once did. This can be a significant amount on multimillion and of
course billion-dollar businesses. Smaller businesses will face great damage by
this as well as it will stunt their development and growth (Acquisto et al.).
Stock price is majorly derived from the stock’s reputation to the shareholders
and public and by proxy the business of that stock’s reputation, thus it is a
worthy comparison with the reputation of academic institutions. Academic
institutions should be widely treated the same as businesses are in the context
of a data breach, the institutions of both guard a lot of the same sensitive
information (e.g. social security numbers, addresses, medical information,
etc.). A person should be concerned about the security of say, their social
security number as much from their insurance provider as their college. If the
public valued the cybersecurity of academic institutions more, then the
academic institutions would have a greater incentive to focus on their cyber
security capabilities. If cybersecurity was prioritized more within academia,
considered when choosing academic institutions, and data breaches had a greater
affect on an academic institutions reputation then cybersecurity would have a
far greater budget and would be far better off in the academic world. When
interacting with an institution as a student or faculty, or just a user of a
network one should consider the cybersecurity capabilities of the
establishment. Because the individual using the network is making the decision
to allow that network to have their data in some capacity with their network
and is giving the establishment the responsibility of protecting their data.
When consider what institutions to interact with one should research the
institution’s cybersecurity history and ask themselves if they would trust that
institution with their sensitive data. Should the institution experience a data
breach then that individual data and thus money, identity, and future may be at
risk, such risk should not be taken lightly.
The need of academic networks’ openness and connectivity
leads to another issue when further inspected, deductive disclosure. With just
the use of miscellaneous information one can be identified and their more
sensitive information can be found. Information that may seem harmless, whether
it be preferential (e.g. likes and interests) or circumstantial (e.g. email,
username, etc.) can be used as breadcrumbs to find a person’s hidden
information. Institutions, individuals, and networks may see no trouble in releasing
some information as long as they “dissociate” from the individual, but the fact
of the matter is this left-over information can be used as clues and reverse
engineered by malicious actors. This is a common issue across cyber space, it
is certainly not specific to academia, but it certainly is one that is very
susceptible to more open networks and environments and by that extension the
majority of academia. The world of espionage and surveillance is a dangerous
mural where the smallest and most seemingly insignificant of features can shape
together to be a sinister picture. That isn’t to say that the release of any
amount of the most “insignificant” information can lead to the identification
of a subject and a trail to manipulation of their identity and information. The
chances of being correct in a game of guess who with the only clue that the
subject’s favorite color is red is unlikely when looking through a group of
billions. Those chances grow however with the favorite color being vermillion
out of a much smaller group, with much more clues, and much more targets; each
of which has many clues. Many will never be affected just by the luck of chance
but if these are considered victories then let them be considered pyrrhic.
Because those that remain unaffected by this flaw are not safe but instead
remain unscathed despite this weakness. The point of this paragraph isn’t to
fear monger in levels of paranoia on par with McCarthyism but instead to
demonstrate that the topic of security and identification is a complex issue
brought about by the complex nature of humanity and being. Simply put, one can
not hope to guard separate individuals with separate circumstances, attributes
and cyber histories with one overlapping and uniform solution. Cyber security is
not a one size fits all solution (Narayanan and Shmatikov).
Conclusion
As stated cyber security
within academia is haunted by a number of deeper issues that cause these
problems within vulnerability management, which are linked to the lack of
resources available to academic institutions along with the increasing
acceleration of growth within the Internet of Things within academia, the lack of compliance of good cyber security
practices among the users within their networks, the lack of consequence or ridicule
upon their reputation for data breaches and cybersecurity of academic
institutions not being valued or highly considered when choosing an
institutions to attend, and the deductive nature of information along with the
naïve notion that a uniform cybersecurity plan is ideal. Academic institutions
are often seen as easy targets by malicious actors with little risk and work
leading to the possibility of a high reward, they are simple advantageous to
prey upon than many other establishments with the private sector. Academia has
an open nature with the distribution of data and communication carried by the
users within their networks while not taking cybersecurity as seriously as most
establishments within the private sector, while storing large caches of valuable
data that can be manipulated to make capital with sometimes only shabby
defenses in between the sensitive data and malicious actors, some of which have
great expertise within hacking. To improve upon academia’s current state proper
action and care must be taken. Cybersecurity is not a small issue; millions of
people, across the world, have their future and well-being at stake. Some of
the solutions to solve these problems can be feasibly implemented, some of which
will cost little expense upon the participants and the facilities such putting
cybersecurity policies in place, promoting practical cybersecurity awareness
among their users, and taking cybersecurity within academia more seriously,
especially in terms of an institution’s reputation. In order to improve this
situation one should allot a greater budget to cybersecurity personnel of
academia and policies and practice among personnel should be formalized,
institutions should provide and if possible require practical cybersecurity
awareness training among the users of their network, cybersecurity of an
institution should be prioritized and valued among incoming students and staff
who are seeking out institutions, and the deductive nature of data and the complexity
of cybersecurity should be realized and respected. Academia is certainly a
whole different beast than the private sector and can not completely nor should
it fully implement the cybersecurity preventions practices of the private
sector, but it stands a lot to gain from implementing those that suit it. If
these details are properly considered, then academia can hopefully reflect upon
its shortcomings and better prepare its participants for the possible dangers
that lie ahead. Hopefully with these practices the futures of so very many and
thus the world can be better guaranteed. No person should be disenfranchised of
their valiant efforts by those who have no claim to their privacy and
prospects. A person should ideally rest assured that their future is within
their hands.
Bibliography
“Definition of ‘Academia’ - English
Dictionary.” Cambridge Dictionary, 2018,
dictionary.cambridge.org/us/dictionary/english/academia.
“Hacking Academia with Cybersecurity Expert
Anita Nikolich.” Performance by Anita Nikolich, Hacking Academia with
Cybersecurity Expert Anita Nikolich, 29 Aug. 2018, www.youtube.com/watch?v=Jh4PUQe742Q.
Acquisti, Alessandro; Friedman, Allan; and
Telang, Rahul, "Is There a Cost to Privacy Breaches? An Event Study"
(2006). ICIS 2006 Proceedings. 94.
Advisen Cyber Journal. “Ten Largest Data
Breaches for Colleges & Universities Ranked by No. of Records Breached.”
Advisen Cyber Journal, 2012.
Aloul, Fadi A. “Information Security Awareness
in UAE: A Survey Paper.” American University of Sharjah, 2010.
Beaudin, Katie. “College and University Data
Breaches: Regulating Higher Education Cybersecurity Under State and Federal
Law.” Journal of College and University Law, 2015.
Borja, Rhea R. “Cyber-Security Concerns Mount
as Student Hacking Hits Schools.” Education Week, Editorial Project
in Education, 21 June 2018,
www.edweek.org/ew/articles/2006/01/18/19hacking.h25.html.
Coleman, Lori, and Bernice M. Purcell.
“Www.aabri.com/Manuscripts/162377.Pdf.” Journal of Business Cases and
Applications, vol. 15, Dec. 2015, pp. 1–7.
Davidson, Phillip, and Kenneth Haseldalen.
“Cyber Threats to Online Education: A Delphi Study.” University of Phoenix,
School of Advanced Studies, , 2013.
Kam, Hwee-Joo, et al. “Information Security
Policy Compliance in Higher Education: A Neo-Institutional Perspective.” AIS
Electronic Library (AISeL), 18 June 2013.
Kim, Eyong B. “Information Security Awareness
Status of Business College: Undergraduate Students.” Information Security
Journal: A Global Perspective, vol. 22, no. 4, 18 Nov. 2013, pp. 171–179.,
doi:10.1080/19393555.2013.828803.
Marchany, Randy. “Higher Education: Open and
Secure?” Sans Institute, 2014.
Mello,
Samantha, "Data Breaches in Higher Education Institutions" (2018).
Honors Theses and Capstones. 400. https://scholars.unh.edu/honors/400
Moffit, Robert E., and Ben Steffen. “Health Care Data
Breaches: A Changing Landscape.” Maryland Health Care Commission , June 2017.
Ridgon,
John C. “Dictionary of Computer and Internet Terms.” Eastern Digital Resources,
2016.
Slusky,
Ludwig, and Parviz Partow-Navid. “Students Information Security Practices and
Awareness.” Journal of Information Privacy and Security, vol. 8, no. 4, 7 July
2012, pp. 3–26., doi:10.1080/15536548.2012.10845664.
UMBC. “Division of Information
Technology.” Why College Campuses Are Big Targets for Cyber Attacks - Division
of Information Technology - UMBC, 2 Oct. 2017, 9:13 a.m.,
doit.umbc.edu/news/?id=70678.
Webb, James, and Dustin Hume. “Campus IoT
Collaboration and Governance Using the NIST Cybersecurity Framework .” Living
in the Internet of Things: Cybersecurity of the IoT, 2018.
Zalaznick, Matt. “Cyberattacks on the Rise in
Higher Education.” University Business, Oct. 2013.



Comments
Post a Comment