Educause Security Discussion mailing list archives
By Dec. 16: Cyber Threat Response Survey for Grad Student's Thesis
From: Valerie Vogel <vvogel () EDUCAUSE EDU>
Date: Mon, 5 Dec 2016 16:04:49 +0000
Dear Security Discussion list members, We received a request from a University of Cincinnati employee who is currently in her second year of the MSIT program with an emphasis on cybersecurity. She is working on her thesis and has reached out to us for assistance with a survey about current cyber threat processes. The survey is 100% anonymous and will only be used for her research.* She has also offered to provide HEISC with a brief synopsis of her thesis with some actionable findings that we can share with the broader higher ed community. The abstract is included below. If you have some time over the next two weeks (by Fri., December 16), please consider completing this survey: https://www.surveymonkey.com/r/cybersecurity_higher_education The survey is designed for someone within the institution that has a strong knowledge of the institution’s information security policies and procedures along with cyber threat response details. This may include (but is not limited to) the CIO, OIS, CSO, IS Director/Manager, IS Threat Response Director/Manager, IT Security Officer/Manager, etc. *Note: Please be assured that the data collected is confidential. The survey will not collect any information regarding IP addresses and does not ask for specifics other than general demographics so that the results can be categorized, aggregated, and then compared. If you have any questions regarding the survey or thesis, please contact Anna Dill-Hartford directly at dillal () ucmail uc edu<mailto:dillal () ucmail uc edu> and she will respond as quickly as possible. Thank you, Valerie Valerie Vogel Program Manager, Cybersecurity EDUCAUSE Uncommon Thinking for the Common Good direct: 202.331.5374 | main: 202.872.4200 | twitter: @HEISCouncil | educause.edu<http://www.educause.edu/> Abstract— Cyber threats in higher education present a unique challenge for university IT departments. By taking a systemic look at two large universities’ and two small universities’ procedures and protocols for cyber threat response and their documented standards for emergency cyber threat response, I am able to compare their similarities and differences. My evaluation results will discuss the challenges that are unique to a university technological landscape and present options for better protection opportunities. In order to categorize and generalize the results of this study, I also present quantitative analysis procured through a large scale survey of start-up businesses and universities in the same geographic region as the universities studied. The businesses and universities surveyed and interviewed are all kept anonymous. Significance of the Study All great implementations begin with a great plan.
From the Information Security Guide published on EDUCAUSE, “The adoption of one or more information security policies is the first step that institutions of higher education take to express their commitment to the protection of institutional information resources and the information entrusted to them by constituencies and partners. The policy statement should clearly communicate the institution's beliefs, goals, and objectives for information security.”
None of the institutions interviewed in this study had a big picture plan for cyber security - a document in place that coherently and completely outlined their process for cyber threat prevention and response. Why are universities skirting this responsibility? This study sheds light on the importance of the planning and the importance of documented policies and procedures for cyber security. By completing an in-depth study, the researcher is able to fully describe, understand and relate the actual inner workings of four universities. The details provide the substance needed to fully understand why an institution may choose one policy or procedure over another and also explain their reasons for a specific implementation process or reasons for not completing an organization-wide cyber security plan. With qualitative and quantitative data from this study, other IT security leaders, inside and outside of higher education, can relate their own situations and gain useful cyber security strategies. They are able to understand how these institutions are attempting to secure a complex landscape while also getting ideas for resource allocation, information security team structures, procedural planning, policy use, security communications and training. It is a roadmap for cyber threat response presented in a way that is easily relatable to IT professionals.
Current thread:
- By Dec. 16: Cyber Threat Response Survey for Grad Student's Thesis Valerie Vogel (Dec 05)