Information Security Consciousness among University Students
LITERATURE REVIEW
- INTRODUCTION
The goal of ensuring information security in higher learning institutions is to address security threats, devise sound strategies to reduce cybersecurity (or, more broadly, information technology security) vulnerabilities, and know how to recover after a network disruption. Policies may play a role in telling students and employees what to do and what not to do. This is done by defining how much access to information is granted, who gets access to what, and what the consequences are for not following the rules. (Pourkhomani, 2020)
Most institutions lack well-designed information security policies to ensure that the cybersecurity strategies and efforts they put in place succeed. Among universities, rapid changes are taking place as exposure to the internet has grown. These changes comprise a rising number of awareness programs, steady growth in the creation of posts for information technology officers in higher learning institutions, and an increased number of policy offices.
One of the loose ends of information security is the point at which end-users try to access secured information. The risk there can be reduced if administrators create more acceptable and supportable security profiles. (Pourkhomani, 2020) These measures, along with appropriate policy and training, can lead to more secure information systems and improved end-user performance.
- METHODOLOGY
This researcher has gathered comprehensive information to support this literature review. The information comes from various books, articles, magazines, journals, research websites, and other materials. Seminars and conferences attended have also contributed valuable information.
- FUNDAMENTALS OF INFORMATION SECURITY
Referring to the guidelines on effective Information Security Management by Thomas R. Peltier, an information security expert who has practiced since 1977, the following are the approaches needed to ensure information security in higher learning institutions:
Information security in institutions requires a comprehensive and integrated approach that develops together with the institution. Every department of the institution must produce a business impact analysis and information classification documents and carry out a risk analysis. All departments share the responsibility of working toward the institution's information security goal.
Information security helps to support the objectives of an institution. For instance, students’ data and information must be protected so that school operations run smoothly, free of cyber-crime and theft. Often, information security officers and personnel lose track and get distracted, and this irresponsibility leads to failure in the institution’s systems.
Leaders of the institution hold critical information about students that they need to protect. This means they have a responsibility of loyalty and care toward the interests of the institution. The duty of loyalty denotes that all decisions are made in the best interest of the students or the institution. The duty of care indicates that all the students’ information shall be protected and that decisions shall be well informed.
Universities should deliver sensible and suitable measures to assure the confidentiality, integrity, and availability of information technology resources. These mechanisms help detect and prevent the compromise of information and the mishandling of institution data, networks, computer systems, and applications. Moreover, there must be guidelines and measures to manage and control information, whether electronic or paper data.
Universities should also provide strict policies that protect university students and prevent the loss of information critical to university operations. Specifically, they should ensure the security and stability of sensitive information by protecting the validity and integrity of the institution’s data, with documented measures to manage and control information that is considered confidential in both paper and electronic form.
Institutions raise awareness of information security among their students and staff/employees. Protecting information is not only the leaders’ task but that of the institution’s members in general. Their responsibility is to monitor how their data is used, through user profiles and user authorization. Institutions should make external users aware of the control measures that exist on a system, so that information security is guaranteed to the end-users.
Information security must be reassessed periodically with regard to time, objective, and need. A sound information protection system must be re-examined from time to time and modified consistently where possible or necessary. A dynamic information security system is a process that should be reviewed every eighteen months, or earlier if the occasion demands it (Thomas, 1977).
In every institution, information security is shaped by organizational culture. The officer in charge of information system security advises on what the institution should do. However, adjustments can be made to meet specific needs, taking into account how large or diversified the institution is and the culture of its location.
Responsibilities and accountabilities for information security should be made evident. The information security statements should be published together with the security group’s mission statement. The information security statement must be able to identify the roles and responsibilities of all members of the institution, including students. In addition, the policy statements must be incorporated in the contracts signed by contract personnel, consultants, leaders, and students.
Information security, however, should be cost-effective. Confirming that a risk is real is essential before policies are proposed and implemented, and an appropriate risk analysis procedure is what accomplishes this.
Privacy in most universities carries high expectations. Gaps occur when declaring what should be regarded as sensitive or private, and the operational terms challenge most universities. Privacy requires the protection of sensitive physical and electronic data. Some of this potentially sensitive information includes: financial aid, research, donor information, health records, student information, application information, social security numbers, performance grades, credit card information, names, addresses, communication information, physical activity, e-mail content, and network logins.
Privacy violations are mostly reported to the ombudsman of a university. They are hardly ever publicly disclosed. These violations can amount to criminal violations. Examples include: access to e-mail data, access to voicemail, access to private data on hired or loaned laptops, access to an individual’s desk, hacking, salary questions, nosy supervisors, discomfort with undressing in certain areas due to physical abnormalities, inquiries about personal health, disability needs, and, most commonly, stalking. Students, university staff, parents, and faculty all report these concerns. Often, a conversation between the affected parties and the ombudsperson resolves these matters.
Kruger, Drevin, and Steyn proposed the most extensive tool for assessing information security awareness. As many studies have shown, Kruger, Drevin, and Steyn acknowledge that an information security program is necessary for institutional survival. Their study addressed information security awareness among the students of a university; the feasibility of assessing knowledge of information security was its main aim.
Student information security awareness has been critically regarded as a decisive contributing factor in successful institutional information security plans. This is because, considering the amount of personal and financial data that academic institutions hold, they become the next targets of malicious activity, such as cyber-attacks, that threatens information security.
- INFORMATION SECURITY POLICY DEVELOPMENT
Making policies on information security is one of the many security controls and measures that guarantee the effective operation of information security in institutions (Wade, 2004). These policies protect an organization/institution against increasing cyber-attacks from both inside and external sources. Nevertheless, many institutions find forming the policies a complicated task, because it is multifaceted. Formulating a policy is hardly a straightforward task, and it relies on various factors (Karyda, 2005). However, there are methods of creating information security policies effectively. International standards such as those of the International Organization for Standardization (ISO) and Control Objectives for Information Technologies (COBIT) have delivered guidance and requirements for writing an operational policy on information security.
- Information Security Standards
Information security standards are one of the most widely used methods for developing information security policies. They provide authoritative statements, procedures, and best practices that institutions can adopt to demonstrate commitment to information security (Hagen, Albrechtsen, Hovden, 2008). Institutions can also apply these standards for the endorsement, certification, and compliance of their cybersecurity (Siponen, Willison, 2009).
Some of these information security standards elaborate on what the policies should contain and how they are supposed to look. They propose that information security policies should comprise management’s obligation towards information security in the institution, students’ responsibilities, and a clear description of information security violations and punitive action. Security standards should not be relied upon solely for direction, since they are not all-inclusive in their handling of the establishment of information security policies (Höne, Eloff, 2002).
Besides, since most of these standards are general or universal in scope, they can easily overlook security requirements specific to institutions. Therefore, the standards should be used as a reference for information security management. They are more concerned with the existence of processes than with the processes’ quality. For instance, they require that security procedures be strictly followed when delivering awareness activities that make students information security conscious, but they do not specify how students should be trained and motivated to learn about information security (Siponen, Willison, 2009).
- Information security frameworks/ models.
A framework, being a high-level and thorough strategy for shaping the organization’s tactical security policy solutions in line with the institution’s objectives, can be used as a reference for assessing, refining, and developing its policies on information security. There are policy frameworks with clear security goals and perspectives, organized in logical steps for creating and maintaining adequate security policies (Rees, Bandyopadhyay, Spafford, 2003).
- An organizational-level process model
This information security policy model for contemporary institutions is a general yet comprehensive process portraying a broad organizational perspective that includes the crucial external and internal influences that substantially impact the institution’s operations. The model provides unique value because it was captured from the vast experience of those who have developed and implemented institutional information security policies.
However, their study has limitations. One is cross-cultural differences, which may impact the advancement and running of an institution’s information security. Another is that the model describes a broad, comprehensive framework rather than a definite model for a particular institution, so not all of its elements will apply in the same way to all institutions.
- A Contextual Perspective
Although several surveys have been conducted scrutinizing security management concerns, they are commercially oriented and hence more quantitatively than qualitatively oriented. Therefore, they focus on a broad range of information security issues rather than on the problems of applying information security policies and their effectiveness (Karyda, Kiountouzis, Kokolakis, 2005). This gap is, however, filled by the theory of contextualism.
The contextualism theory was developed to interpret the diverse aspects of human action, based on the fact that human behavior cannot be fully predicted. The dominant conceptions in contextualism are the content, context, and processes of organizational change, which are interconnected. Furthermore, contextualism traces dynamic interlinking over time in research and illustrates how transformation has been molded by developments within the context where it happens.
- A Policy Framework for Information Security.
The Policy Framework for Interpreting Risk in E-Business Security (PFIRES) offers a starting point for information security professionals and institution managers in developing, implementing, and maintaining information security policies. This framework helps institutions adapt rapidly to changing environments and security-related requirements. The framework has four steps: planning policy requirements and decisions; delivering, that is, defining and implementing controls; and operating, which covers monitoring operations, assessing vulnerabilities, and managing events.
- Security Management Process within the Six Sigma Framework.
This framework was proposed by Anand, Saniie, and Oruklu, who suggested a security policy creation and administration process built on the Six Sigma methodology: define-measure-analyze-improve-control (DMAIC). It is an efficient framework because it helps institutions create an effective system by considering students’ needs. Hence, risks are quantified against the identified data, and threats in security policy management are scrutinized to support decision making (Anand, Saniie, Oruklu, 2012).
By applying the Six Sigma process model, the security policy management process can be integrated with industrial policy, which in turn allows other procedures to be incorporated with security policy through a precise feedback mechanism. The model offers a means to quantify risk in security policy management for decision making in institutions.
- CONCLUSIONS
Information security policy is an essential security control, considered the foundation of security in an institution. Lack of these policies in an institution is one of the deadliest sins in information security management. Nevertheless, the construction or development of this policy is a complex and multifaceted activity. The development process should therefore be put in place before planning and initiating an information security policy. Many institutions have difficulty putting this document together, especially its content and arrangement. However, even those that have one have problems implementing these information security policies effectively.
Therefore, the goal of this study was to survey contemporary literature on the development processes of an information security policy, particularly by looking at the existing frameworks and models, to identify gaps and recommend conceivable ways to guarantee information security in institutions. In general, the study makes recommendations on the creation and enactment of information security policy. The research is geared towards integrated, theory-based security policy frameworks and models for the advancement of an information security policy.
- REFERENCES
Anand, V., Saniie, J., and Oruklu, E. (2012). “Security policy management process within six sigma framework,” Journal of Information Security, vol. 3, pp. 49-58.
Höne, K. and Eloff, J. “Information security policy – what do international information security standards say?” Information Security Policy, pp. 402-409.
Karyda, M., Kiountouzis, E., and Kokolakis, S. (2005). “Information systems security policies: A contextual perspective,” Computers & Security, vol. 24, no. 3, pp. 246-260.
Rees, J., Bandyopadhyay, S., and Spafford, E. (2003). “PFIRES: A policy framework for information security,” Communications of the ACM, vol. 46, no. 7, pp. 101-106.
Siponen, M. and Willison, R. (2009). “Information security management standards: Problems and solutions,” Information & Management, vol. 46, pp. 267-270.
Thomas, R. (2002). Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management, Auerbach Publications, pp. 1-3.
Wade, J. (2004). “The weak link in IT security,” Risk Management, vol. 51, no. 7, pp. 32-37.