An analysis of 2019 ECAR data reveals that students and faculty want both security and convenience from institutional security policies, but both groups clearly prefer security.
"Just because you're paranoid doesn't mean they aren't after you." —Joseph Heller, Catch-22
When it comes to information security, well-informed paranoia is a good trait for everyone to cultivate.[1] Security remains at the top of the EDUCAUSE list of "Top Ten IT Issues" year after year, reflecting the importance of cybersecurity and the need to foster an institutional culture of security. Even though it is National Cybersecurity Awareness Month, convenience is still an important consideration, right? Why would someone bother going through extra steps for a login when a quick social login with Facebook or Google is so much more convenient?[2] Do you really need a password manager if you add a symbol, dollar sign, or ampersand to your dog's birthday? (Yes!) But in an age of unprecedented convenience, don't people deserve ease, utility, and simplicity?[3] In fact, aren't things like social logins and online shopping catering to the desire for convenience?
This year, the EDUCAUSE Center for Analysis and Research (ECAR) analyzed data from 2019 EDUCAUSE Technology Research in the Academic Community (ETRAC) student and faculty surveys to learn what is most important to students and faculty when it comes to using campus technology: security or convenience. These preferences may shape how frequently faculty contact IT support services (e.g., for challenges accessing online resources) or how students rate their network connectivity. The survey data also tell us something about what faculty and students need in a time of heightened awareness of security breaches and undisclosed harvesting of private data.[4] Faculty and students need security, but how much convenience would they be willing to give up for this peace of mind? To help answer this question, we asked students and faculty what is more important to them when it comes to connecting personal devices, accessing resources (on and off campus), and user account policies.
When it comes to security versus convenience, many faculty want a balance between the two. In fact, 41–46% of faculty appreciate the need for balance, but overall, faculty prefer security over convenience (see figure 1).
Looking at the frequency of responses for the four categories we asked faculty to assess (figure 1) illustrates some distinctions across responses. Across the board, relatively few faculty place a higher priority on convenience than they do on security. But a slightly larger percentage (20%) of faculty reported that convenience is more important for connecting personal devices. Still, nearly twice as many (35%) reported that security is more important than convenience for connecting devices. Nearly half (45%) reported that security and convenience are equally important when connecting their devices. And other areas show an even stronger preference for security—as high as 4-to-1 for accessing institutional resources while working off campus. Houston, I think we've found faculty's probable pain point in the security versus convenience continuum. Multiple logins, such as with two-factor or multifactor authentication, may be pain points for faculty, and their responses appear to mirror this. If instructors want to check the campus learning management system (LMS) on their mobile devices, multiple logins may increase their desire for convenience.
A respectable percentage (35–40%) of students rate security and convenience as equally important, reinforcing the need to carefully balance these two priorities (see figure 2). Like faculty, students also want seamless, frictionless connectivity that does not involve having to jump through myriad security hoops. In other words, students want both security and convenience, but they have a preference for security.
For the four areas students assessed, between two and five times as many students reported a preference for security compared to those who say convenience is more important.
But students want convenience, too. We know that students want seamless access as they roam from classroom to library or from cafes to outdoor spaces on campus. A larger percentage of students (21%) wanted convenience for logging on to networks compared to the other three categories. Being knocked off a network and having to log back in or having to go through multiple portals to access a network while using a smartphone may be pain points for students, and their responses appear to mirror this.
Digital Users Want the Best of Both Worlds
In the age of convenience, where do digital users in general come down on security and/or convenience? Users may be inclined to favor security, as security questions or multifactor authentication have become common ways to log in to secure sites. Or they may be frustrated with the inconvenience of things like logging in to multiple Twitter accounts on the same browser. In fact, companies are currently researching these polarized preferences to identify how to not only increase security for users but also ensure a seamless user experience.[5] A more granular approach to user experience has been suggested, i.e., that different users have different needs or preferences when it comes to security or convenience. However, an overarching approach to user experience would be clear, simple, and consistent.
The good news from this year's survey data is that faculty and students both prefer having security over convenience. That's great to know, since institutions can then approach pain points in students' and faculty's experiences with the understanding that security wins over rapid, unauthenticated logins. However, one way to ensure students and faculty continue to err on the side of caution and security is to make it easier to use systems and networks by taking an end-user approach and asking how this approach will be received by students and institutional staff, and how it will affect their technology experience. One suggestion is a simple but noninvasive approach. Networks could accept all passwords but provide a red, yellow, or green indicator for password strength, letting users calibrate based on their preferences.[6] So, logging on to a network with a personal device might trigger a green indicator, while trying to access more complex, security-sensitive, or FERPA-protected data might trigger a red indicator, i.e., multiple authentication. This approach may help to ensure that faculty and students lean toward security even when it comes to logging onto a network with their personal devices. Distinctions between what is crucial and what is less so may serve to strengthen the drive for cybersecurity on campuses. Well-informed paranoia is a good trait, but aligning best practices to users' needs is essential for creating a culture of security.
1. Joanna Grama, Valerie Vogel, Mike Corn, and Sharon Pitt, "The Third Time's the Charm? Information Security at the Top of the List Again," EDUCAUSE Review, January 29, 2018.
2. "Pros and Cons of Using Social Logins on Campus," University Business, June 16, 2014.
3. "Six Factors Driving Consumers' Quest for Convenience" [https://www.nielsen.com/us/en/insights/article/2018/six-factors-driving-consumers-quest-for-convenience/], Nielsen (website), August 16, 2018.
4. Davey Winder, "Data Breaches Expose 4.1 Billion Records in First Six Months of 2019," Forbes, August 20, 2019; Adam Forrest, "Facebook Data Scandal: Social Network Fined $5bn over 'Inappropriate' Sharing of Users' Personal Information," Independent, July 12, 2019.
5. Salim Hasham, Chris Rezek, Maxence Vancauwenberghe, and Josh Weiner, "Is Cybersecurity Incompatible with Digital Convenience," McKinsey Digital, August 2016.
6. Ibid.
Joseph Galanek is a Senior Researcher at EDUCAUSE.
© 2019 Joseph D. Galanek. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.