SECURING USER EXPERIENCE: A SURVEY ON INFORMATION SECURITY CONTROLS IN A HIGHER EDUCATION INSTITUTION
Keywords:
Information Security, Information Security Controls, Information Security In Higher Education
Abstract
Information security in education is more important than ever in a digital world. As educational institutions use technology to improve learning, protecting sensitive data is crucial. Over time, information security has become a socio-technical issue, incorporating both technology and human elements. It is also widely believed that insiders with privileged access to the organization’s systems and data are the key information security concern. For instance, bring your own device (BYOD), which gives users access to the internal network and sensitive data, benefits enterprises but also increases security threats. End users are the most vulnerable aspect of information security, but some researchers believe they are the most important asset in protecting enterprises. As “the first line of defense”, end users must be vigilant and skilled to secure organizations. Thus, organizations must include human factors in security. Despite various security technology studies, end-user factors have been little studied. Therefore, this research evaluates information security controls used by end users, notably students in an educational setting. A Likert scale-based questionnaire was given to 378 university students for primary data collection. The structured survey questionnaire included validated scales and items related to the study objectives, based on the Center for Internet Security (CIS) Controls, which comprise basic security procedures for hygiene and cyber attack protection. Overall, the mean score indicates modest information security control maturity, with several areas having strong procedures but others needing improvement to enhance security. This study, like others, has limitations; for instance, the university’s current network infrastructure and the organizational setup of its security operations were not included because of the risk of external and internal attacks. Disclosing this information could compromise the network infrastructure and other critical servers.
Furthermore, the generalizability of this study’s findings may be limited to specific organizational contexts, as various qualities, corporate culture, and technology frameworks might have varying impacts on information security controls. Hence, it is imperative for future research to address these constraints by undertaking cross-industry investigations, integrating additional information security measures, employing a longitudinal study framework, and evaluating controls in the face of increasing cybersecurity risks. Additionally, examining and comparing different organizational environments might provide insights into the aspects that contribute to the efficiency of information security.
License
Copyright (c) 2024 Noli B. Lucila Jr (Author)
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.