Information Security in Academic Institutions
NEWS:
August 31, 2006 - Research study results now available! For more information, email us at contact@infosecurityresearch.org.

America’s colleges and universities are faced with the paradox of maintaining an open culture of free information exchange while protecting
their information assets and networks from compromise.  Attacks are increasingly methodical, frequent and severe: phishing, pharming and
botnets are quickly becoming as prevalent as traditional malware incidents such as spam, viruses and worms.  While the government and
commercial organizations face similar threats, academia's needs to maintain open networks, ensure freedom of information and enable
collaboration may leave its networks disproportionately vulnerable to threats from those with malicious intent.

Academic institutions may find that perpetrators can exploit vulnerabilities with little risk of detection due to their unique conditions.  
Perpetrators on the "inside" (e.g., students, staff, or faculty) or on the "outside" (e.g., hackers, terrorists, organized criminals) may incur a
wide range of security breaches.  Potential incidents may include hacking, stealing private data, data tampering, copyright infringement,
viruses and worms, file sharing, system downtime and bandwidth issues, and potential violations of federal mandates.  The anonymity and
diversity of IT users, and students' high risk activities such as peer-to-peer (P2P) networking and instant messaging (IM) exacerbate the
situation.

A shortage of data exists to empirically assess information security in academic institutions and the ramifications for public safety and
security. To explore this critical issue,  the US Department of Justice's National Institute of Justice (NIJ) awarded approximately $200,000 to
ISAI, a New York-based research team, to investigate information security in academic institutions.  The team will analyze current information
security levels and provide practical recommendations for improvement.  This 18-month research project, conducted through Columbia
University’s Teachers College, will integrate policy from federal agencies such as NIST and alliance organizations with universities’ pressing
issues to develop a wide range of solutions that will help raise the bar for information security standards.

The research involves the collection of survey, interview, and network activity data from academic institutions across the US to quantify their
exposure and potential threat to critical infrastructure.  Approximately one-hundred IT Directors will complete an on-line survey that explores
the issues, challenges, and approaches involved in securing the systems and information of academic institutions.  Fifteen IT Directors will be
interviewed via a semi-structured protocol to obtain textured data and real-life scenarios regarding securing the systems and information of
academic institutions.  Three universities will provide their network activity: three universities will provide firewall and intrusion detection logs
and one university will provide granular-level data on network activity. The research team will publish its results in Q1 2006 which will
establish the groundwork for understanding academia's unique risks, challenges, objectives and approaches.

The team is actively reaching out to stakeholders across academia, government and private sector to provide input to our research and
ensure that we maximize our effectiveness for all interested parties.  If you have information that you believe would be valuable to our work or
would like to collaborate with us, please get in touch by Steffani Burd Ph.D., Executive Director, at
sburd@infosecurityresearch.org or
Scott Cherkin, Strategic Development Director, at
scherkin@infosecurityresearch.org.
What does this research mean to you?

Did you know?
For more information:
contact@infosecurityresearch.org
(917) 783 – 8496

This project was supported by Grant No. 2004-IJ-CX-0045 awarded by the National Institute of Justice, Office of Justice Programs, US Department of Justice. Points of view
in this document are those of the author and do not necessarily represent the official position or policies of the US Department of Justice.