What's In Your Policy? An Analysis of the Current State of Information Security Policies in Academic Institutions

Colleges and universities across the United States have seen data breaches and intellectual property theft rise sharply over the past several years, partly driven by the historically open nature of academic institutions. An integral part of the first line of defense against such attacks, in both the corporate and the academic space, is the written information security policy: a document that prescribes how a technical system is to be constructed and operated, while also guiding the actions of the individuals who work within that system. Unfortunately, the analysis and development of these security policies is an insufficiently discussed topic in many academic communities, and very little research has been conducted in this space. This work therefore assesses the current state of information security policies at the top 200 universities and colleges in the United States, with the goal of identifying the important features and general attributes of these documents and of building a foundation for further research. At a high level, we find that only 54% of the top 200 universities had a publicly accessible information security policy, and that the policies we examined lacked consistency. We also find that, although shorter policies were more difficult to read, they often conveyed more information, whereas longer policies contained significantly less practically relevant content.