By Dec. 16: Cyber Threat Response Survey for Grad Student's Thesis

[Valerie Vogel <vvogel () EDUCAUSE EDU>]

Dear Security Discussion list members,

We received a request from a University of Cincinnati employee who is currently in her second year of the MSIT program 
with an emphasis on cybersecurity. She is working on her thesis and has reached out to us for assistance with a survey 
about current cyber threat processes. The survey is 100% anonymous and will only be used for her research.* She has 
also offered to provide HEISC with a brief synopsis of her thesis with some actionable findings that we can share with 
the broader higher ed community. The abstract is included below.

If you have some time over the next two weeks (by Fri., December 16), please consider completing this survey:  
https://www.surveymonkey.com/r/cybersecurity_higher_education

The survey is designed for someone within the institution that has a strong knowledge of the institution’s information 
security policies and procedures along with cyber threat response details. This may include (but is not limited to) the 
CIO, OIS, CSO, IS Director/Manager, IS Threat Response Director/Manager, IT Security Officer/Manager, etc.

*Note: Please be assured that the data collected is confidential. The survey will not collect any information regarding 
IP addresses and does not ask for specifics other than general demographics so that the results can be categorized, 
aggregated, and then compared.

If you have any questions regarding the survey or thesis, please contact Anna Dill-Hartford directly at dillal () 
ucmail uc edu<mailto:dillal () ucmail uc edu> and she will respond as quickly as possible.

Thank you,
Valerie

Valerie Vogel Program Manager, Cybersecurity

EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5374 | main: 202.872.4200 | twitter: @HEISCouncil | educause.edu<http://www.educause.edu/>

Abstract— Cyber threats in higher education present a unique challenge for university IT departments. By taking a 
systemic look at two large universities’ and two small universities’ procedures and protocols for cyber threat response 
and their documented standards for emergency cyber threat response, I am able to compare their similarities and 
differences. My evaluation results will discuss the challenges that are unique to a university technological landscape 
and present options for better protection opportunities. In order to categorize and generalize the results of this 
study,  I also present quantitative analysis procured through a large scale survey of start-up businesses and 
universities in the same geographic region as the universities studied. The businesses and universities surveyed and 
interviewed are all kept anonymous.

Significance of the Study

All great implementations begin with a great plan.

> From the Information Security Guide published on EDUCAUSE, “The adoption of one or more information security policies 
> is the first step that institutions of higher education take to express their commitment to the protection of 
> institutional information resources and the information entrusted to them by constituencies and partners. The policy 
> statement should clearly communicate the institution's beliefs, goals, and objectives for information security.”

None of the institutions interviewed in this study had a big picture plan for cyber security - a document in place that 
coherently and completely outlined their process for cyber threat prevention and response. Why are universities 
skirting this responsibility?

This study sheds light on the importance of the planning and the importance of documented policies and procedures for 
cyber security. By completing an in-depth study, the researcher is able to fully describe, understand and relate the 
actual inner workings of four universities. The details provide the substance needed to fully understand why an 
institution may choose one policy or procedure over another and also explain their reasons for a specific 
implementation process or reasons for not completing an organization-wide cyber security plan.

With qualitative and quantitative data from this study, other IT security leaders, inside and outside of higher 
education, can relate their own situations and gain useful cyber security strategies. They are able to understand how 
these institutions are attempting to secure a complex landscape while also getting ideas for resource allocation, 
information security team structures, procedural planning, policy use, security communications and training. It is a 
roadmap for cyber threat response presented in a way that is easily relatable to IT professionals.