Raising information security awareness in the academic setting

Date: 01 June 2001
Pages: 11-16
Published date: 01 June 2001
DOI: https://doi.org/10.1108/03055720010803961
Author: Andrew Cox, Sarah Connolly, James Currall
Subject Matter: Information & knowledge management
VINE 123 — 11
by Andrew Cox and Sarah Connolly, LITC, South Bank University and James Currall, University of Glasgow

This paper examines three approaches to increasing awareness in an academic setting: a discussion session, a checklist and a web-based tutorial. All three are found to be effective in raising motivation and understanding of security because they present the issues in an accessible, interesting way.

The research for the paper was funded by the JISC Committee for Awareness, Liaison and Training as part of a project on the human and organisational issues associated with network security. http://litc.sbu.ac.uk/jcalt/

Universities, like many other institutions, are working more and more online. Vital and confidential messages about research or administrative arrangements are exchanged by email. Documents sitting on computers or the network represent many man hours of work. Budget is spent online. The more institutions depend on computers the more important computer security becomes.

By security we could mean anything from virus scanning, backing up work, choosing and changing passwords - to interacting with secure servers and encrypting or signing electronic messages. We have seen great advances in security technology, and the reliability of the network in the last few years, but technology cannot mitigate all the risks. All along the line users have to make decisions with security implications, e.g. to keep their virus files up to date, to update software, to treat email attachments with caution, to make sensible choices about when to encrypt messages - or when not to send information in electronic form at all. Although some of this, such as automatic updates of virus fixes, can be provided as a background service, there will always be points at which the user has to make responsible decisions, with a security risk attached.

The risks are as serious in the academic sector as in, say, the financial sector. It may be more straightforward to measure the potential cost of a security breach or of system downtime at a bank. The damage can be measured in terms of lost business, in monetary terms. But even if less easily quantifiable the risks for a University are still great. And so too for users. For institutions security failures can cause a loss of time, of data and of reputation. The individual has those same things at stake, and also their privacy.

So it is important that users understand security at some level, but there are some barriers to this. On the surface security does not seem an inherently interesting topic, particularly as usually presented. A student comes to a computer to write a paper or do research; how the computer works is not usually of inherent interest. Security may threaten their ability to complete work, but it is not something they wish to be concerned with. Users are already struggling to understand computers and networks. Is trying to explain security issues to them just adding another layer of complexity that they probably won't be able to cope with? Even if one acknowledges this but decides that training users is unavoidable, there is a further barrier. It is difficult to come to terms with the nature of risk: i.e. how much effort should one spend on countering a very unlikely event, which would be absolutely disastrous if it happened? But ultimately the difficulty of the topic is an argument for more training, rather than less.

This article evaluates three simple approaches to raising awareness that may be able to overcome these apparent barriers. One of the assumptions the paper makes is that in fact security is not necessarily boring. It is also the contention here that users, though struggling with the technology, are both interested and motivated to use the network responsibly. It probably goes without saying that an awareness programme should be developed as part of a wider Information Strategy (for which see Alan Robiette. “Developing an information security policy”. http://www.jisc.ac.uk/pub01/security_policy.html).
