Higher education institutions face many cybersecurity threats and should be thinking of ways to improve the effectiveness and design of their security awareness programs.
EDUCAUSE is helping institutional leaders, technology professionals, and other staff address their pressing challenges by sharing existing data and gathering new data from the higher education community. This report is based on an EDUCAUSE QuickPoll. QuickPolls enable us to rapidly gather, analyze, and share input from our community about specific emerging topics.Footnote1
EDUCAUSE collaborated with Infosec Institute, part of Cengage Group, to help bring this QuickPoll information to the higher education community during Cybersecurity Awareness Month.
For the purposes of this QuickPoll survey, we offer the following definition of security awareness training:
Security awareness training is designed to educate all members of a campus community about cybersecurity best practices, such as password security, data privacy, and recognizing and reporting phishing. The training can be presented in various formats, such as training videos, in-person sessions, assessments, posters, infographics, and newsletters. The goal of this training program would be to provide people with knowledge that will enable them to protect the sensitive data of individuals and the institution.
The Challenge
Higher education institutions have diverse populations of students, faculty, and staff, each with varying levels of technical expertise and cybersecurity awareness. Tailoring security awareness training to meet such diverse needs can be challenging. Additionally, budget constraints and a limited number of security-focused staff make it difficult for higher education institutions to allocate sufficient resources to create security awareness programs. Meanwhile, it can be difficult to keep training up to date, with new devices, software, and online services continually emerging, in addition to various regulatory requirements, such as FERPA (Family Educational Rights and Privacy Act) and HIPAA (Health Insurance Portability and Accountability Act), that impose additional demands for cybersecurity training and protection. Higher education institutions are also often the targets of phishing attacks and other social engineering attempts. Training users to recognize and resist these tactics is critical but can be challenging due to the sophistication of attackers.
The Bottom Line
Higher education institutions should continue to develop and enhance their security awareness programs so that they consider the unique characteristics of their user base and the evolving threat landscape. These programs should be adaptable, ongoing, and regularly updated to stay ahead of emerging threats. Additionally, engaging students, faculty, and staff in the process of developing and implementing security policies can help foster a culture of cybersecurity within the institution, providing knowledge and awareness and reducing risk for the institution.
The Data: Management and Effectiveness
Though most institutions mandate security awareness training, the design and frequency of training vary. The majority of respondents (94%) reported that their institution does have a security awareness training program in place, and among them, about half (49%) indicated that they exclusively use third-party services to create security awareness training content, almost a quarter (23%) are using both third-party and in-house resources for content creation, and just 14% are exclusively developing their content in-house. Most respondents (90%) indicated that security awareness training is mandatory for employees, though required frequency is inconsistent. The majority of respondents reported that training is required annually (65%), followed by more than once per year (19%), and once during an individual's entire tenure at the institution (6%). Notably, 10% reported that security awareness training is not mandatory for employees. Nearly three-quarters of respondents (71%) said that security awareness training is part of new-employee training.
The efficacy and availability of security awareness training leave room for improvement. Just 1% of respondents reported that they consider their institution's security awareness training to be not at all effective. Still, only 38% feel that their security awareness training is effective or very effective, while a majority of respondents (61%) see their training as only somewhat effective (see figure 1).
Institutions have an opportunity to expand their security awareness programs to a broader audience. Although nearly all respondents reported that their training is available for staff (99%) and faculty (97%), only about a third (36%) reported that training is available for students (see figure 2). About a third of the respondents who selected "other" identified student employees as an additional audience for security training.
The Data: Recording and Reporting
Most institutions record some information on training completion, but this is not widely shared. Nearly all respondents (97%) indicated that their institution records the percentage of employees who have completed security awareness training, and 66% record phishing test failure rates (see figure 3). Of those who said their institution records phishing test failure rates, half (50%) said that individuals who fail phishing tests must go through additional security awareness training.
Respondents who indicated that any type of information about security awareness training is collected were then asked to whom that recorded information is reported. A majority indicated that this information is reported to the IT office (60%) and to institutional leadership (56%), while a few said that this information is not reported to anybody (7%) (see figure 4). Approximately 12% of respondents said that this information is reported to other individuals not listed—these respondents noted that training information is reported to supervisors in addition to other cybersecurity, compliance, and IT-related groups/individuals (e.g., auditors, cybersecurity insurance agencies, and security governance committees).
Training is largely focused on federal regulations and institutional security policies. A majority of respondents (69%) indicated that their institution's cybersecurity awareness training includes federal regulations (e.g., HIPAA, FERPA) and institutional security policies (67%) (see figure 5). The topics that were least likely to be included in training were other types of policies and regulations, such as the Gramm-Leach-Bliley Act, (7%), state or regional regulations (12%), and international regulations (17%). Notably, institutional policies concerning privacy and data governance—if they exist at all on a campus—are still relatively infrequently included in security awareness training. Compared to the 67% who said that institutional security policies are included in their training, only about a third of respondents (35%) reported that training includes institutional privacy policies, and just 23% said training covers institutional data governance policies.
The Data: Risks and Rewards
Inadequate training introduces immeasurable risk. Open-ended comments from respondents highlight the biggest risks to institutions that have insufficient security awareness training. Perhaps the greatest risk to institutions is employee behavior, with the result of these behaviors putting sensitive data at risk. When data are compromised, obtaining adequate insurance can become more difficult or expensive.
Employees, especially new ones, are not aware of how they are targeted.
Inadequate training results in users that are more likely to click on malicious attachments and links. Users [are] less likely to report issues or be able to identify potential security issues.
Lack of phishing awareness opens the door to malware and ransomware attacks.
The human factor is the biggest risk/weakest link. Proper/tailored awareness is vital.
Data privacy. As we are constantly dealing with student data, their PII is most at risk due to poor security practices and inattentive users.
Disclosure of PII and reputational risk: This could affect funding or new student recruitment, or personnel recruitment, or all of the above.
Insurance: not able to obtain if we are breached and found negligent.
Security awareness training has observable impacts. Respondent comments described the positive impacts security awareness training is having on their institutions. It all starts with a foundational understanding of security issues and responsibilities.
A positive impact that we have seen is that our staff/faculty know how to recognize potential security risks and how to report them to the appropriate department. They also understand why certain policies are in place, and there is a consistent understanding and knowledge throughout the institution.
Pop-up events have made students and faculty much more aware of and attuned to cybersecurity. Video training has also instructed faculty and staff with in-depth training on cybersecurity issues.
That basic knowledge and preparedness leads to better reporting metrics and even improved financial outcomes, such as discounted insurance rates.
An increase in reporting of suspicious email and a greater awareness of cybersecurity overall
Better phishing reporting and response, increased reporting of security incidents
Discount in cybersecurity liability rate
Common Challenges
Security awareness training programs are inconsistent. While nearly all respondents said that their institution has some kind of security training program, many of the survey responses and comments indicate that institutions are still struggling to figure out how to support and maintain their security awareness programs. Above and beyond federal regulations, institutional privacy and data governance policies are important pieces that remain missing from a lot of programs, as is training for students. Recording and reporting of data related to security awareness vary extensively between organizations, but there is an opportunity for security personnel to use these data to highlight the benefits of training.
Bad training is bad for everyone. Many respondents indicated that users continue to lack awareness of best practices for security due to training that is seen as boring or overly long and complicated, and the consequences of poor training can be severe. Inadequate or ineffective security awareness training can lead to major data breaches that expose sensitive data or ransomware attacks, which can affect an institution's reputation. Many respondents indicated that their institution didn't have any personnel dedicated to the running or management of training programs and that, as a result, there were inconsistent updates, lack of power to enforce training, and no customizations of training for institutional policies and populations.
Promising Practices
Building a culture of cybersecurity means students, faculty, and staff can act as an early-warning system. Similar to law enforcement campaigns that encourage the population to report situations using the line "if you see something, say something," institutions with a culture of cybersecurity awareness can receive early warnings from users. Early warnings for cyberattacks can be a huge benefit for security services because time is of the essence when it comes to a cybersecurity incident. If a user reports a phishing link to the security office, the security staff can act to prevent machines within the campus from accessing the fraudulent link. Cultivating a cybersecurity awareness culture across campus can help reduce potential incidents, even as phishing report rates increase, because security staff can get reports from the user base earlier.
Trainings should be required, more frequent, and more targeted. With so many different and evolving threats to security and privacy at higher education institutions, it would be helpful for users to receive training that is shorter, more effective, and more frequent—at least twice a year. Moreover, training should go beyond faculty and staff—students, especially first-year students, can benefit from awareness training on security and privacy best practices as they make the transition from young adulthood to independence. The various populations and departments across campus stand to benefit from more targeted training on cybersecurity risks and institutional or other security and privacy policies based on the types of data available to those groups. Although it might not be possible for institutions to allocate the necessary resources to make all of these improvements, requiring training for users and making forward strides on any of the additional recommendations will improve cybersecurity.
Interested in learning more about security awareness and education? Join the EDUCAUSE HEISC Awareness and Education Community Group.
All QuickPoll results can be found on the EDUCAUSE QuickPolls web page. For more information and analysis about higher education IT research and data, please visit the EDUCAUSE Review EDUCAUSE Research Notes topic channel, as well as the EDUCAUSE Research web page.
Note
- QuickPolls are less formal than EDUCAUSE survey research. They gather data in a single day instead of over several weeks and allow timely reporting of current issues. This poll was conducted between October 23 and 24, 2023, consisted of 22 questions, and resulted in 173 responses. The poll was distributed by EDUCAUSE staff to EDUCAUSE members via relevant EDUCAUSE Community Groups. We are not able to associate responses with specific institutions. Our sample represents a range of institution types and FTE sizes. Jump back to footnote 1 in the text.
Sean Burns is Corporate Researcher at EDUCAUSE.
Jenay Robert is Senior Researcher at EDUCAUSE.
Nicole Muscanell is Researcher at EDUCAUSE.
© 2023 Sean Burns, Jenay Robert, and Nicole Muscanell. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.