The least secure places in the universe? A systematic literature review on information security management in higher education

Current research has demonstrated the progressively more strategic role that information security has in modern organisations. Higher education is no exception. The reported increasing number of security breaches experienced in recent years by higher education institutions epitomises the importance of confidentiality, integrity and availability of information in universities. To synthesise research in this field, this literature review systematically examines papers that have been published in the last thirteen years. The present review aims at expanding our understanding of the sub-topics, perspectives, methodologies, and trends that characterise this nascent field of investigation. Literature gaps are highlighted and an agenda for further work is proposed. First of its kind, this review concludes that information security management in higher education is a highly under-investigated topic. Areas for further research include information security culture; comparative studies on information security management in industries other than higher education; comparative studies across universities; and economics of information security management.
