Elevating Security Awareness

Increasing the Relevance and Scalability of End-User Education

Topics: Information Technology, Information Security, IT Governance, Data Management

The Challenge

Security Breaches Making Headlines

High-profile incidents across institutional types

Modern higher education institutions generate and use large, complex data sets to shepherd students and research missions. At the same time, they share data in partnership with third parties, vendors, and private-sector research collaborators; all of this creates more threats and vulnerabilities, faster than ever before. Higher education institutions of all types have been the target of new threats; small private schools, community colleges, and research flagships are all at risk.

A Question of When, Not If

CISOs from various industries around the world estimated the probability of data breaches at their own institutions in the next two years and indicated that major losses involving hundreds of thousands of records are likely to remain very rare. However, one in five organizations expects to experience a breach involving at least 10,000 records in the next two years.

Education Breaches Carry High Costs

CISOs, response plans reduce indirect breach costs

The average cost per compromised record is higher in education breaches than the average in other industries. Across global industries, only health care had a higher cost per record in breaches. Two-thirds of breach costs are associated with indirect expenses like victim notification, reorganization, and business interruption, losses that are rarely covered by insurance. Only one-third of average costs are direct crisis services, legal penalties, and government fines.

Across industries, breaches were more expensive if they involved lost or stolen devices, third-party data, or if the breached organization engaged with consultants. Organizations reported lower per capita expenses when they had a CISO appointed, a business continuity plan, and an incident response plan in place.

What’s the Worst That Could Happen?

Student enrollments likely not at risk from breach

Student applications, yield, and retention do not show a significant correlation to large breach events across institutional types, indicating that fears about reputation loss with students may be unfounded.


Research, advancement revenue streams at risk

Revenue from major donors, private-sector research partners, and state governments could be at risk when a major breach occurs. In a constrained and competitive funding environment, a data breach could be the difference between winning and losing a major research project or large gift from a private donor.


A Data-Rich ‘Soft Target’

Private-sector researchers developed a new formula to supplement traditional ROI analysis in assessing the value of new security controls. Traditionally, institutions have struggled to define the value of not being attacked versus the cost of implementing new controls. Security adversaries, on the other hand, from identity thieves to government-sponsored hackers, can easily identify their own ROI.

The formula measures the ROI to the adversary, pointing the way for targets to decrease the potential return of an attack. The formula also demonstrates why higher education is uniquely at risk; modern universities hold more types of valuable data than any industry, so a successful breach is akin to hitting 10 industries at once. At the same time, vulnerabilities are more distributed, and more opaque, than in any industry; higher education CISOs have immense difficulty in tracking and controlling all campus vulnerabilities.

Higher Education Uniquely Difficult to Secure

To protect a transient and collaborative user base with a proudly decentralized academic culture focused on information sharing, higher education IT leaders face a unique and daunting task.

Reactive Crowds Out the Intentional

The need to respond to minor security lapses (e.g., compromised passwords) keeps IT from focusing education on secure behaviors and preparedness. In addition, proactive security awareness campaigns (described on the next page) are sent to everyone on campus without differentiation, using ubiquity and clever slogans that do not change long-term behaviors.

The Predictable Fate of Security-as-Campaign

When institutions treat security awareness as a campaign, messaging relies on shock value and ubiquity, to which end users get desensitized quickly. Email reminders and meetings with IT staff make an initial impact, but without buy-in from managers, users don’t internalize the need to improve behavior. Soon enough, end-user turnover obviates the campaign’s early success, and the institution ultimately fails to generate long-term commitment with students, faculty, and staff.

Biggest Opportunity: Elevating Awareness

The vast majority of campus constituents are neither proactive about security nor intentionally trying to harm the institution; most are simply unconcerned or naive about risks. This distribution is an opportunity to improve security through education, as a complement to investment in new technology. Our research identified tactics for moving naive and unaware students, staff, and faculty to reliably secure behaviors.

Security Awareness Diagnostic

Hardwiring Breach Response