Goals & Methodology

Although academic institutions are plagued by information security incidents and their potential damage to public safety is growing
exponentially, little research has been conducted to address these issues.

This research project is the first empirical baseline of information security in academic institutions as it relates to public safety.  The
purpose of the
Information Security In Academic Institutions (ISAI) project is three-fold:
  • Provide empirical data on the current state of information security issues in academic institutions, including the exposure of
    universities to attackers and the potential threat of universities to critical infrastructure;
  • Develop practical solutions that universities and policy-makers can use to effectively deal with these issues;
  • Enhance cooperation between universities, policy-makers, law enforcement, and technical solution providers.  

The outcomes of this project will be critical to universities, policy-makers, law enforcement agencies, and technical solution providers.  
ISAI will provide these stakeholders with objective data, recommendations for policy, and a roadmap for implementation.  Specifically,
we will:
  • Identify and quantify the unique information security issues of academic institutions;
  • Create an empirically based profile of threats and vulnerabilities;
  • Determine the balance of costs with assets to be protected;
  • Create a roadmap for implementation; and
  • Distribute project results and insights to universities, government, industry and the general public.


ISAI will ensure maximum benefit to our stakeholders and the public by collecting data from IT Directors across the United States.  To
maximize impact for policy as well as practice, we will integrate this data with federal policy of agencies such as National Institute of
Standards and Technology (NIST) and insights of information technology organizations.  ISAI will collect data via three methods:
  • Web-based survey data obtained from approximately one hundred IT Directors of academic institutions across the United States;
  • One-on-one semi-structured interviews with additional IT Directors of academic institutions;
  • Forensic analysis of computer network activity from three universities, integrating traditional firewall and intrusion detection
    system log analysis with cutting-edge network abuse analysis and emerging threat detection analysis methodologies.  

This combination of methods provides a robust data set from which insights from the current study and directions for future research
can be obtained.  Activities will leverage strategic input from academic institutions, key policy-makers, and team members’ expertise to
maximize our research outcomes.  The quantitative survey and forensic analysis data will be integrated with the qualitative interview
data using the Research Methodology Process (Burd, 2001).

Our project is tightly managed to ensure stakeholders' expectations are met within appropriate timeframes.  
Thirteen specialists, each
hand-picked for their expertise, are involved in this project and dedicated to its success.  
For more information:
(917) 783 – 8496
(646) 365-3148 (fax)

This project is supported by Grant No. 2004-IJ-CX-0045 awarded by the National Institute of Justice, Office of Justice Programs, US Department of Justice. Points of
view in this document are those of the author and do not necessarily represent the official position or policies of the US Department of Justice.