Beyond Passwords and PINs: Students and InfoSec Training

min read

October is National Cyber Security Awareness Month (NCSAM). Throughout the month of October, EDUCAUSE will highlight higher education information security issues. This blog post is part of a series of entries published in the Data Bytes, Security Matters, and Transforming Higher Education EDUCAUSE Review columns focusing on faculty and student perceptions of information security research results from ECAR's 2017 Technology Research in the Academic Community.

Most higher education information security training is given to faculty and staff who work or come in contact with sensitive institutional, personnel, and student data. Students are not seen as being as great a risk to institutional data protection, despite the sheer number of system access points they and their host of personal devices represent.1 For campus information security professionals, students and their devices are not as worrisome, given that student accounts rarely, if ever, can be used to access institutional data requiring the highest levels of protection. Institutions, therefore, generally take calculated risks to not provide students with systematic information security training on protecting institutional data, as the cost of providing training at scale likely outweighs the potential benefits or protections of data. An exception to this general rule might be student workers whose positions may put them in contact with sensitive systems (at which point, they might be effectively considered employees instead of students with respect to training). Generally, however, students are more likely to receive basic information security hygiene training (e.g., self-defense, security policies, usage policies, regulatory compliance)2 as part of an orientation when matriculating, than the routine, specialized training that faculty and staff receive.

Indeed, 2017 EDUCAUSE data on undergraduate students offers evidence that students do not receive systematic information security training (see figure 1). Only 13% of students report that their institution provides mandatory or optional training; a quarter (26%) say none is provided; the remainder of students (60%) simply do not know if their institution provides any training. Of the 13% that said their institution provides training, only a third (32%) said that they had participated in the last 12 months. Students' year in school is associated with when they received their information security training. Here we find support for our argument that cybersecurity training is offered to students during their first year orientation: first-year students were more likely to report receiving training in the past 12 months than second-year students and above. Regardless of the timing of the training, an overwhelming majority of students who received it found it at least moderately useful (88%).

Figure 1. Student perception of institutional information security training
Figure 1. Student perception of institutional information security training

What is to be done? We recommend that undergraduate students need more than the basic spiel about protecting passwords and sharing devices offered during first year orientation. We agree with Stephanie Kumi that students need mandatory training on information security and online safety provided annually, as students need to be up to date with current practices. Furthermore, as challenging as it may be to reach and attract the attention of the undergraduate student population, institutions need to consider engaging ways to help make students aware of new threats as they emerge.3 Students may not have access to institutionally-critical systems, but they can learn to protect private and personal data. Developing an information security training protocol for students that moves beyond the basics helps to promote a culture of security awareness on campus and cultivates security awareness practices that they can take with them into society and the workforce after they graduate.


  1. In 2017, 98% of students report owning two or more internet capable devices; 82% of students say they typically connect (or try to connect) two or more devices to their campus wireless network at the same time when they are on campus. See D. Christopher Brooks and Jeffrey Pomerantz, ECAR Study of Undergraduate Students and Information Technology, 2017, research report (Louisville, CO: ECAR, October 2017) for more details on student device ownership and use.
  2. According to EDUCAUSE Core Data Service (CDS), students are more likely to receive training about usage policies than self-defense measures. See Joanna L. Grama and Leah Lang, CDS Spotlight: Information Security, research bulletin (Louisville, CO: ECAR, August 15, 2016) for more details.
  3. The Campus Security Awareness Campaign is a framework created by EDUCAUSE volunteers that is designed to support security professionals and IT communicators year-round as they develop or enhance their own security plans.

Learn more about what students and faculty think of IT by visiting the 2017 Student and Faculty Technology Studies research hub.

D. Christopher Brooks is the director of research at EDUCAUSE.

Jeffrey Pomerantz is a senior researcher at EDUCAUSE.

© 2017 D. Christopher Brooks and Jeffrey Pomerantz. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.