Information Security in Academic Institutions

Abstract Academic institutions face unique information security threats as well as increasingly frequent and severe incidents, yet they have invested relatively few resources to define and address these issues. Incidents such as information theft, data tampering, viruses, worms, and terrorist activity constitute significant threats to the security of academic institutions. Adverse impacts on academic institutions and the general public include compromised private data, potential attacks on U.S. critical infrastructure, and substantial financial losses. Strategies to remediate these issues must be identified, developed and implemented to curb the trend of increasingly frequent and severe information security incidents as well as the damage they incur. The purpose of this article is to define these emerging information security issues and to propose strategies to remediate them. First, empirically based knowledge of information security in academic institutions must be developed and shared, including quantification of issues, use of appropriate metrics, and identification of best and worst practices. Second, policies for information security must be developed, promulgated and implemented. These policies must balance learning, experimentation, and openness with adequate security measures. Third, the current narrow and fragmented approach to information security practices must be expanded to a holistic, integrated view and the current reactive stance must be changed to a proactive, prescriptive orientation toward information security. Directions for future research, suggestions for policy and practice, and recommendations for information sharing between universities, research institutions, government and law enforcement are provided.