https://doi.org/10.1007/s12243-020-00783-2
Abstract
Effective information security management (ISM) practices that protect the information assets of organizations from security intrusions and attacks are imperative. In that sense, a systematic literature review of academic articles focused on ISM in higher education institutions (HEIs) is conducted. For this purpose, an empirical study was performed. Studies carried out from 2012 onward reporting results from HEI data that perform ISM through various means, such as a set of framework functions, implementation phases, infrastructure services, and security measures for their assets, have been explored. The articles found were then analyzed following a methodological procedure consisting of a systematic mapping study with its research questions, inclusion and exclusion criteria, selection of digital libraries, and analysis of the respective search strings. A set of competencies, resources, directives, and strategies that contribute to designing and developing an ISM framework (ISMF) for HEIs is identified based on standards such as ISO 27000, COBIT, ITIL, NIST, and EDUCAUSE. This study introduces a strategic reference that guides HEIs on the development of an ISMF and provides recommendations that should be considered for its implementation in an era of ever-evolving security threats.
18% of vulnerabilities addressed during the 12-week patch cycle [7].

When a cyberattack threatens a HEI, the effect goes beyond the loss of student and employee personally identifiable information (PII). There can be operational, reputation, and/or financial impacts, as well as national security and privacy concerns: the latter, because some HEIs are involved with state companies' research projects and funding. Due to this, information security planning, education, and training are essential in the overall ISM framework (ISMF) in HEIs.

The HEIs are facing challenges and demands of technological advancements on their campuses and finding an applicable ISMF [8]. Factors affecting ISM can be classified into system management, institution policies, information security culture awareness, information security outsourcing, data backup, and information security awareness [9]. The HEIs must implement and enforce the policies, procedures, and standards in compliance with the institution's laws and regulations to safeguard and secure their assets. However, although many of these frameworks already exist for various industries (e.g., ISO 27000 [10], COBIT [11], ITIL [12], CIS controls [13], NIST [14]), few works have been done so far for HEIs.

To adequately address the challenges mentioned above, this article presents a systematic literature review (SLR) of ISMF for HEIs, aiming at (i) supporting CIOs and personnel responsible for ISM in the definition of an ISMF, and (ii) establishing the relevant strategies when performing ISM. To achieve this, we carried out an empirical study in four databases: IEEE, ACM, ScienceDirect, and Scopus. Then, the articles found were analyzed; finally, ISM standards and frameworks applicable for HEIs were defined jointly with strategies to perform ISM. We expect that this study becomes a strategic reference for organizations that aim to apply an ISMF or need strategies to perform ISM.

This paper is organized as follows. Section 2 introduces the methodology used to conduct the SLR and describes each step conducted. Section 3 presents the results, innovation points, application value of the SLR, and a proposal to select an ISMF, specifically for HEIs, that is the scope of this paper. Section 4 analyzes the different strategies applied in HEIs and presents some recommendations. Finally, in Section 5, some concluding remarks are made, and future works are proposed.

2 Research methodology

In what follows, we describe each of the steps followed in conducting the SLR. The methodology used in this study is mainly based on Kitchenham et al. [15]. Table 1 shows the review protocol defined for this work, where the first column describes the stages defined at [15], and the second column shows the stages established for our protocol.

Table 1 Review protocol

Stages defined at [15]            Stages established
Data source and search strategy   Section 2.1 Approach of the review
                                  Section 2.2 General research question
                                  Section 2.3 Information sources
                                  Section 2.4 Search methods
                                  Section 2.5 Search string
Study selection                   Section 2.6 Inclusion Criteria (IC)
                                  Section 2.7 Exclusion Criteria (EC)
Study quality assessment          Section 2.8 Quality assessment
Data extraction                   Section 2.9 Methods for data extraction
Data synthesis                    Section 2.10 Synthesis methods

2.1 Approach of the review

Education and research are increasingly dependent on IT, and the HEIs demand technological advancements on their campuses, particularly in the information security field, where an applicable ISMF is needed to safeguard and secure their assets.

A study by EDUCAUSE [16] highlights some issues related to the topic: institution-wide IT strategy; balancing and adjusting both IT's priorities and budget to support the institutional efficiencies and innovations enabled by IT in the context of institutional funding realities; and IT staffing and organizational models.

On the other hand, factors affecting ISM can be classified into system management, institution policies, information security culture awareness, information security outsourcing, data backup, and information security awareness [9]; nevertheless, not all ISMFs cover all of these factors; therefore, a comprehensive review is carried out.

Widely accepted international initiatives for the development and operation of an ISMF [17] are considered, such as the ISO 27000 series [10], ITIL [12], and COBIT [11]. Besides identifying the state of the art on how the HEIs perform ISM, this work aims to define strategies that guide and advise HEIs on the development of an ISMF and provide directions that should be considered for its implementation.

2.2 General research question (RQ) and specific research questions (SRQ)

RQ: What methods/strategies do HEIs use to manage information security in their institutions? This question allows the construction of the classification of security frameworks for HEIs, architecture, and types of information security used in HEIs.
Ann. Telecommun.
2.8 Quality assessment

The method proposed in [15] is used to validate the quality of the selected items, which best fits as a solution to the RQ: What methods/strategies do HEIs use to manage information security in their establishments? The first steps to evaluate the quality of the articles are the inclusion and exclusion criteria presented in Sections 2.6 and 2.7, respectively (Tables 3 and 4). The metrics used for validation are the extraction criteria (ETC) described in Tables 5, 6, and 7. The following codification is used: (1) to verify that an article affirmatively solves the specific questions, and (0) otherwise. Additionally, it is crucial to define the relevance of each article; the description of this metric is detailed in what follows.

Relevance metric Each SRQ has several criteria; each criterion has several answers; the answers of a criterion are not mutually exclusive. The total number of answers is n = 43, but ETC5 and ETC9 are not considered because each paper belongs to exactly one answer of ETC5 and of ETC9; then, the total number of answers is reduced to n = 36. Each answer $x_i$ has two values: 1 if the answer is solved by the paper, and 0 otherwise (i.e., $x_i \in \{0, 1\}$, $i = \{1, \ldots, n\}$). The relevance of each study is computed as:

$$r_j = \frac{\sum_{i=1}^{n} x_i}{n}, \quad (1)$$

where $j = \{1, \ldots, m\}$, $m$ is the total number of selected articles, and $n$ is used as the normalization factor. Note that $r_j$ can take values between 0 and 1; $r_j = 1$ when the paper solves all possible answers.

Note that the search strategy could inevitably omit some articles; for example, those that are very short or those whose authors are not included in the used databases. Also, we considered the studies published in the last seven years.

were used to classify the scientific articles and map the results and studies aiming at answering the formulated research questions. Although several criteria can be defined, we established nine criteria (ETC1-ETC9, as detailed in Tables 5, 6, and 7) that are directly related to the scope of this study [9, 14, 15, 18–34]. Each criterion has several answers to map any article. Tables 5, 6, and 7 show the classification of each ETC, where the first three columns represent Item, Criteria, and Answer, respectively.

The data extraction strategy defines a specific criterion for each research question. Each criterion has a set of answers. In Tables 5, 6, and 7, four columns are defined: the first column is the identifier of the extraction criteria; the second column is the defined extraction criteria; the third column contains elements of the set of extraction criteria (possible answers); and finally, the fourth column indicates both the number of papers $A_k$, $k = \{1, \ldots, n\}$, of each answer that belongs to the ETC and the percentage $p_k$ of each answer (normalized per the total number of papers per ETC $N_h$, $h = \{1, \ldots, 9\}$), which is computed as:

$$p_k = \frac{A_k}{N_{k \to h}} \times 100, \quad (2)$$

where $A_k = \sum_{i=1}^{m} x_i$. Note that $k \to h$ takes the number $h$ of the ETC where the answer $k$ is located.

2.10 Synthesis methods

In order to respond to the RQ and SRQ, a descriptive synthesis is developed. The extracted information is tabulated, and a Venn diagram is used to help this description.

A bubble chart is used to represent the quantitative synthesis. It consists of two x-y scatter plots with bubbles in the category intersections. It reports the frequencies of combining the results from different specific research questions, and it is particularly used to compare the frameworks selected by HEIs.
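The relevance metric of Eq. (1) and the answer percentage of Eq. (2), worked through as an added example (not code from the paper; the ETC layout and the three-paper 0/1 mapping are constructed). Two normalisations are shown because the page's own numbers use both: the ETC3 rows (30, 31, 25, 19, 3 papers) only sum to 100% when $N_h$ is the total of answer occurrences within the ETC (108), whereas the Table 8 percentages divide by the m = 34 selected papers.

```python
"""Relevance metric r_j (Eq. 1) and answer percentage p_k (Eq. 2) of the review
protocol. Added worked example, not code from the paper. The ETC layout and the
paper-to-answer mapping are constructed; only the ETC3 and Table 8 counts at the
bottom are taken from the page."""

# Constructed extraction criteria (ETC h -> its possible answers). ETC5 and ETC9
# are left out of the relevance normalisation, as in the paper, because every
# paper matches exactly one of their answers.
ETC = {
    "ETC1": ("ISO 27000", "NIST", "COBIT", "ITIL", "EDUCAUSE"),
    "ETC3": ("Identify", "Protect", "Detect", "Respond", "Recover"),
    "ETC5": ("Public", "Private"),
    "ETC9": ("Case study", "Survey", "Prototype"),
}
EXCLUDED = {"ETC5", "ETC9"}

# Constructed mapping: paper -> set of (ETC, answer) pairs for which x_i = 1.
PAPERS = {
    "P01": {("ETC1", "ISO 27000"), ("ETC3", "Identify"), ("ETC3", "Protect"),
            ("ETC5", "Public"), ("ETC9", "Case study")},
    "P02": {("ETC1", "ISO 27000"), ("ETC1", "COBIT"), ("ETC3", "Identify"),
            ("ETC3", "Protect"), ("ETC3", "Detect"), ("ETC3", "Respond"),
            ("ETC5", "Public"), ("ETC9", "Survey")},
    "P03": {("ETC5", "Private"), ("ETC9", "Prototype")},
}


def counted_answers(etc=ETC, excluded=EXCLUDED):
    """The n answers that enter Eq. (1): every answer of the non-excluded ETCs."""
    return [(h, a) for h, answers in etc.items() if h not in excluded for a in answers]


def relevance(papers=PAPERS, etc=ETC, excluded=EXCLUDED):
    """Eq. (1): r_j = (sum_{i=1}^{n} x_i) / n for every paper j, so 0 <= r_j <= 1."""
    answers = counted_answers(etc, excluded)
    n = len(answers)
    return {pid: round(sum(1 for key in answers if key in solved) / n, 4)
            for pid, solved in papers.items()}


def answer_counts(papers=PAPERS, etc=ETC):
    """A_k = sum_{i=1}^{m} x_i: number of papers matching answer k, grouped by ETC."""
    return {h: {a: sum(1 for solved in papers.values() if (h, a) in solved)
                for a in answers}
            for h, answers in etc.items()}


def percentage(a_k, n_h):
    """Eq. (2): p_k = A_k / N_{k->h} * 100, rounded to two decimals like the tables."""
    return round(100.0 * a_k / n_h, 2) if n_h else 0.0


def percentages_within_etc(counts):
    """p_k with N_h = total answer occurrences inside ETC h, so each ETC sums to 100%.
    This normalisation reproduces the ETC3 rows on the page (30 of 108 -> 27.78%)."""
    return {h: {a: percentage(c, sum(row.values())) for a, c in row.items()}
            for h, row in counts.items()}


def percentages_over_papers(counts, m):
    """p_k with N_h = m selected papers, the normalisation behind Table 8
    (30 of 34 papers -> 88.24%); the rows of one ETC need not sum to 100%."""
    return {h: {a: percentage(c, m) for a, c in row.items()}
            for h, row in counts.items()}


# Counts taken from the page: the ETC3 fragment and the first rows of Table 8.
ETC3_COUNTS = {"ETC3": {"Identify": 30, "Protect": 31, "Detect": 25,
                        "Respond": 19, "Recover": 3}}
TABLE8_COUNTS = {"SRQ3": {"Risks": 30, "Data and information": 29,
                          "Software system": 27}}

if __name__ == "__main__":
    print("r_j (constructed papers):", relevance())
    print("p_k within ETC (constructed):", percentages_within_etc(answer_counts()))
    print("p_k within ETC3 (page counts):", percentages_within_etc(ETC3_COUNTS))
    print("p_k over m=34 papers (Table 8):", percentages_over_papers(TABLE8_COUNTS, 34))
```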
Table 4 List of selected articles, ordered by the relevance metric r_j

r_j   ID   Ref.  Title
0.78  P21  [35]  Information security awareness in higher education: An exploratory study
0.72  P15  [36]  UNITA: A Reference Model of University IT Architecture
0.72  P33  [25]  IT governance mechanisms at universities: an exploratory study
0.69  P03  [19]  A practical implementation of ISM System
0.69  P17  [37]  A New Perspective to Information Security: Total Quality Information Security Management
0.67  P27  [38]  Security risk management at the Computer Center of X University
0.67  P28  [39]  Analysis and implementation of operational security management on computer center at the university X
0.67  P31  [20]  An analysis of IT assessment security maturity in higher education institution
0.67  P34  [24]  An analysis of Indonesia's information security index: A case study in a public university
0.64  P07  [21]  Analysis of information security through asset management in academic institutes of Pakistan
0.61  P08  [40]  Information Security Management in academic institutes of Pakistan
0.61  P11  [41]  A generic framework for information security policy development
0.58  P02  [42]  Risk-assessment based academic information System security policy using octave Allegro and ISO 27002
0.58  P25  [43]  IT Governance mechanisms in higher education
0.56  P32  [44]  Introducing the six-ware cyber security framework concept to enhancing cyber security environment
0.53  P18  [22]  Information security risks management framework - A step towards mitigating security risks in university network
0.53  P24  [23]  Assessment of Information System Risk Management with Octave Allegro at Education Institution
0.50  P16  [45]  Assessing Security of Cloud Services in Malaysian Universities: A review
0.47  P10  [46]  Recommendation of cloud computing use for the academic data storage in University in Lampung Province, Indonesia
0.47  P19  [47]  Evaluating the explanatory power of theoretical frameworks on intention to comply with information security policies in higher education
0.47  P22  [48]  Towards an Unified Information Systems Reference Model for Higher Education Institutions
0.44  P06  [49]  Quantitative Information Security Risk Assessment Model for University Computing Environment
0.44  P26  [50]  Design and implementation of management information system based on SSH architecture for departments of colleges and universities
0.44  P30  [51]  Information security management for higher education institutions
0.42  P12  [52]  Perceptions and expectations of IT service delivery Post Migration to a Microsoft Platform at a university of technology in South Africa
0.42  P14  [53]  Producing Video Clips for Information Ethics and Security in Higher Education
0.42  P23  [54]  An IT Value Management Capability Model for Portuguese Universities: A Delphi Study
0.39  P20  [55]  Information Security Behaviour Profiling Framework (ISBPF) for student mobile phone users
0.36  P01  [56]  Vulnerability Assessment, Remediation, and Automated Reporting: Case Studies of Higher Education Institutions
0.36  P09  [57]  A study on integrating penetration testing into the information security framework for Malaysian higher education institutions
0.36  P13  [58]  Enhancing information security of a university using computer ethics video clips, managed security service and an information security management system
0.36  P29  [59]  Constructing an university scientific research management information system of NET platform
0.28  P04  [60]  Research on information security evaluation model of public institution
0.22  P05  [61]  Factors affecting user experience with security features: A case study of an academic institution in Namibia

applying each one of the filters. The selection process is represented in Fig. 1.

The total number of selected articles, the result of the SLR, is m = 34. They include conferences, journals, and magazines. The list of selected articles is presented in Table 4. This list is ordered by the relevance metric (as detailed in Section 2.8) of each paper, which is represented in Fig. 2. This metric takes values between 0 and 1. A polar
Table 5 Results of systematic mapping review of SRQ1 (columns: Item, Criteria, Answer, No. of papers; table body not recovered)

Table 7 Results of systematic mapping review of SRQ3 (columns: Item, Criteria, Answer, No. of papers; only the ETC3 rows below were recovered)

Item   Criteria                      Answer    No. of papers
ETC3   Relevant framework functions  Identify  30 (27.78%)
                                     Protect   31 (28.70%)
                                     Detect    25 (23.15%)
                                     Respond   19 (17.59%)
                                     Recover   3 (2.78%)

Table 5 shows the results of two extraction criteria of SRQ1: ETC1 and ETC2. The ETC1 presents the used

Fig. 6 Venn diagram showing the mapping of ETC3 criterion

Fig. 7 Venn diagram showing the mapping of ETC4 criterion
3.3 Comparison of used frameworks in HEIs

The bubble graph presented in Fig. 11 illustrates the systematic mapping in terms of frameworks/standards (ETC1), types of HEIs (ETC2), and validation methods (ETC9). If a HEI uses a hybrid solution (i.e., implements more than one framework, for instance, EDUCAUSE, NIST, ISO 27000, COBIT, and/or ITIL), this solution counts for each framework and as a hybrid. It can be observed that the most used framework in public academic institutions is ISO 27000, with a case study as the validation method; also, it is the most implemented framework, as the reviewed literature indicates. On the other hand, it is worth noting that, besides ISO 27000, the public HEIs usually implement a hybrid solution using the same validation method. Although there are relatively new frameworks such as EDUCAUSE and COBIT, it is observed that the traditional ones proposed by organizations such as ISO and NIST are the most implemented and considered frameworks for ISM.

Figure 12 depicts the systematic mapping concerning frameworks/standards (ETC1), analysis and evaluation procedures (ETC7), and relevant framework implementation phases (ETC4). As can be observed, risks and policies are the most used evaluation procedures, together with risk analysis and control selection as implementation phases in the frameworks. Also, it can be observed that the phases that are not usually implemented are define policy and system review.

4 Strategies in HEIs

In Section 3.2.3, we presented a first approach to the strategies used in HEIs. In the following, we introduce and review the main strategies that HEIs can use to improve their ISM, based on the main factors that we found through the conducted SLR when implementing an ISMF. We aim at providing guidelines for HEIs on the development of an ISMF. Some recommendations are suggested that would be useful to overcome the ever-evolving security threats. Table 8 is based on Table 7. It is sorted based on the number of articles wherein the answer appears as a keyword. The strategy list order is based on the number of times that an answer appears as a keyword in the selected papers.

4.1 Risk assessment

As defined by the standards, risk is the probability that a threat exploits a vulnerability of an asset [42]; this is why the diverse threats and vulnerabilities for data and information assets should be evaluated first. As observed in Table 8, both the risk and the data and information answers appear in more than 85% of the selected papers. For this reason, risk assessment is the first strategy in our list; it comprises the answers mentioned earlier, together with the software system (Section 4.1.1) and hardware infrastructure (Section 4.1.2).

Note that an information asset is all valuable data for a HEI. Besides habitual information (accounting, grades, student, and faculty profiles), HEIs have been producing important discoveries in science and engineering. All these data could be a target for attackers and, if they are compromised, can represent losses to the HEIs. Studies related to this topic suggest establishing a profile of critical information assets to guarantee confidentiality, integrity, and data availability. It allows identifying and quantifying the cost that an attack would represent. Under this analysis, risk measurement criteria can be established
by identifying threat scenarios. Identifying the protection levels, vulnerabilities, and threats of the information assets' containers facilitates the risk analysis and the selection of the mitigation approach in the occurrence of events.

Then, performing the risk assessment strategy will protect the information assets from threats to confidentiality, integrity, and availability. Also, due to the automation and digitization of HEI processes, the information systems used in HEIs have increased their inherent risk. Therefore, the risk assessment provides the necessary risk treatment plans and controls for the information assets. For instance, a risk management and treatment plan should be seen as a process of the information security life cycle. There are available standards such as ISO 27003, NIST SP 800-30, EDUCAUSE, ITIL, COBIT, and others (OCTAVE Allegro) that can help to implement this strategy. Once implemented, a periodic re-evaluation of the risk assessment is recommended.

Table 8 Results of systematic mapping review of SRQ3

Answer                   Strategy                 No. of papers
Risks                    Risk assessment          30 (88.24%)
Data and information     Risk assessment          29 (85.29%)
Software system          Risk assessment          27 (79.41%)
User service             User's awareness         24 (70.59%)
Policies                 Establishing procedures  21 (61.76%)
Vulnerabilities          IT Government            18 (52.94%)
Hardware infrastructure  Risk assessment          16 (47.06%)
Cybersecurity            IT Government            15 (44.12%)
Case study               Validation               11 (32.35%)
Regulations              Establishing procedures  10 (29.41%)
IT Government            IT Government            10 (29.41%)
Surveys                  Validation               7 (20.59%)
Controlled Experiment    Validation               7 (20.59%)
Prototype                Validation               6 (17.65%)
Simulations              Validation               3 (8.82%)

4.1.1 Software system

Software systems include several types of software, for instance, stand-alone applications, network-based applications, and others such as Platform as a Service (PaaS) and Software as a Service (SaaS). The control measures that can be applied to protect these software systems must be implemented from the initial stages of development and/or acquisition. This involves identifying the security requirements for the acquisition, development, implementation, and maintenance of the systems to prevent unauthorized or unscheduled modifications. The control measures imply establishing the roles and their access levels, implementing audit trails of all accesses and modifications made, and properly documenting any modification to the systems. Furthermore, it is essential to have well-established update and backup procedures, as well as to carry out simulations of events that affect the stability of the systems and thereby guarantee the immediate recovery of services.

4.1.2 Hardware infrastructure

The HEI's software runs on hardware infrastructure. This infrastructure is considered an important asset that comprises the following: (i) terminal devices (servers, PCs, laptops, storage drives, mobile devices, Internet of Things (IoT) terminal sensors, surveillance cameras, scanners, among others); (ii) computing and data storage (servers, large-capacity storage, high-performance computing equipment, etc.); (iii) network communications (routers, switches, physical firewalls, load balancer equipment,
wired cable, wireless access points, IoT transmission equipment, satellite receivers, etc.); and, finally, (iv) environmental infrastructure (generators, uninterruptible power supplies, air conditioners, security monitoring and alarm systems, access control systems, fire-fighting equipment, etc.). Therefore, it is necessary to plan protection measures, since physical attack or damage can severely affect the hardware infrastructure.

Computer systems and critical information storage of HEIs must be hosted in a data center with physical access controls (to prevent unauthorized entries), environmental controls (temperature, humidity, voltage variations, fire protection to safeguard the equipment from physical damage), and resilience and redundancy systems. As part of the control measures regarding network administration, it is advisable to define the system boundary and boundary protection, the application of periodic password change policies, the remote network access management, and network access restriction to mandatory accounts. These methods should be based on well-defined access control tables for each user role, including those from mobile devices.

4.2 User's awareness

More than 70% of the selected papers are related to the user service answer. This answer is the second to appear according to Table 8. The users have different roles in the institution's processes. These roles are part of the academic, administrative, and research departments. Students and teachers are involved in academic departments, mainly working on teaching and learning environments. The administrative departments are related to business transaction processes. The research departments conduct scientific research and innovation. Finally, HEIs must also consider visitors at the campus; this is the most challenging group regarding users' awareness. All these roles involve multiple user terminals and multiple service access approaches; for all of them, getting users' satisfaction is a must [36].

All HEI members should know and understand their roles and responsibilities clearly. This can be achieved with awareness campaigns on the importance of information security in the HEI. Several control measures have to be implemented to measure the improvements, as recommended by several studies [19, 20, 51]. By doing so, the risks and threats to which users are exposed are shown. Also, it is recommended to provide all the mechanisms so that the personnel can back up and protect both personal and institutional information. For instance, one of the strategies may be to implement e-mail and messaging systems with the appropriate safeguards that support electronic communication and guarantee the confidentiality, integrity, and availability of users' information. Furthermore, since the user's awareness is a crucial issue in security, studies about how to educate the user should be performed, together with how to follow written regulations and their sanctions in case of violation. Thus, the awareness of the HEI legal context will help understand possible threats and remediation measures. In what follows, we elaborate on establishing procedures that involve policies and regulations.

4.3 Establishing procedures

Table 8 shows that the regulations answer represents 29.41% of the selected articles, whereas policies represent 61.76%. More than 67% of the selected articles are related to regulations or policies. As both answers are related to the procedure definition, establishing procedures is the third strategy in our list. In our opinion, it is important to have these procedures such that the framework can be adapted to the HEI environment. In particular, regulations will allow molding the framework to the specific context in which it will be applied.

Note that the HEIs should be familiarized with the laws and regulations that apply to them. Also, regulatory violations should be part of the weight parameters affecting the impact of the risk analysis. Besides, the internal auditor has to evaluate the regulatory compliance program to check its effectiveness.

On the other hand, policies are used to improve the HEIs' services and information security. After risk assessment, security controls are generated, and every control implies defining a security policy. Furthermore, it is recommended to use templates and guidance documents as a reference, such as the guidelines generated by the universities and colleges' information security associations. The policies must comply with the HEIs' objectives so that the ISMF supports them. Also, the HEIs should periodically inform the community about the policies in order to make sure they understand their use. Additionally, policies must involve sanctions when they are not followed. The policy awareness should consider aspects such as the socio-cultural and human dimensions to commit users to the policies.

Additionally, one important finding to consider from the studies is that when an employee is concerned about the risks and the responsive course of action, they will show more security compliance [47].

4.4 IT government (ITG)

This strategy is responsible for structuring and directing all the information security mechanisms and procedures in HEIs [37]. It must be aligned with the HEI's mission and vision, and the HEI should align itself closely with the ITG. Knowledge and implementation of ITG frameworks and processes help HEIs to acquire cybersecurity skills
22. Joshi C, Singh UK (2017) Information security risks management framework—a step towards mitigating security risks in university network. J Inf Secur Appl 35:128–137
23. Suroso JS, Fakhrozi MA (2018) Assessment of information system risk management with Octave Allegro at education institution. Procedia Comput Sci 135:202–213
24. Yustanti W, Qoiriah A, Bisma R, Prihanto A (2018) An analysis of Indonesia's information security index: a case study in a public university. In: IOP conference series: materials science and engineering, vol 296. IOP Publishing, p 012038
25. Bianchi IS, Sousa RD, Pereira R (2017) IT governance mechanisms at universities: an exploratory study. In: Strategic and competitive use of information technology (SCUIT)
26. Valencia-Duque FJ, Orozco-Alzate M (2017) Metodología para la implementación de un Sistema de Gestión de Seguridad de la Información basado en la familia de normas ISO/IEC 27000. In: RISTI - Revista Ibérica de Sistemas e Tecnologias de Informação, pp 73–88, 06
27. Sarwar A, Khan MN (2013) A review of trust aspects in cloud computing security. Int J Cloud Comput Serv Sci 2(2):116
28. Popović K, Hocenski Ž (2010) Cloud computing security issues and challenges. In: The 33rd international convention MIPRO. IEEE, pp 344–349
29. Younis YA, Kifayat K (2013) Secure cloud computing for critical infrastructure: a survey. Liverpool John Moores University, United Kingdom, Tech. Rep.
30. Zhang X, Wuwong N, Li H, Zhang X (2010) Information security risk management framework for the cloud computing environments. In: 2010 10th IEEE international conference on computer and information technology. IEEE, pp 1328–1334
31. Peltier TR (2016) Information security policies, procedures, and standards: guidelines for effective information security management. Auerbach Publications
32. Jerman-Blažič B et al (2012) Quantitative model for economic analyses of information security investment in an enterprise information system. Organizacija 45(6):276–288
33. Liu F, Tong J, Mao J, Bohn R, Messina J, Badger L, Leaf D (2011) NIST cloud computing reference architecture. NIST Spec Publ 500(2011):1–28
34. Soomro ZA, Shah MH, Ahmed J (2016) Information security management needs more holistic approach: a literature review. Int J Inf Manag 36(2):215–225
35. Rezgui Y, Marks A (2012) Information security awareness in higher education: an exploratory study. Comput Secur 27(7–8):241–253
36. Chen S, Tang Y, Li Z (2016) UNITA: a reference model of university IT architecture. In: Proceedings of the 2016 international conference on communication and information systems. ACM, pp 73–77
37. Sharbaf MS (2014) A new perspective to information security: total quality information security management. In: Proceedings of the 7th international conference on security of information and networks. ACM, p 56
38. Gunawan I, Noertjahyana A, Rusli H (2014) Security risk management at the computer center of X university. ARPN J Eng Appl Sci 9:2906–2911
39. Gunawan I, Noertjahyana A, Rusli H, Zavareh AA, Abdullah R, Fadilah SI, Shibghatullah AS, Abas ZA, Wahab MHA, Nur W, Hashim W et al (2014) Analysis and implementation of operational security management on computer center at the university X. Journal
40. Rehman H, Masood A, Cheema AR (2013) Information security management in academic institutes of Pakistan. In: 2013 2nd National conference on information assurance (NCIA). IEEE, pp 47–51
41. Ismail WBW, Widyarto S, Ahmad RATR, Ghani KA (2017) A generic framework for information security policy development. In: 2017 4th International conference on electrical engineering, computer science and informatics (EECSI). IEEE, pp 1–6
42. Jufri MT, Hendayun M, Suharto T (2017) Risk-assessment based academic information system security policy using Octave Allegro and ISO 27002. In: Second international conference on informatics and computing (ICIC), p 2017
43. Bianchi IS, Sousa RD (2016) IT governance mechanisms in higher education. Procedia Comput Sci 100:941–946
44. Gultom R, Midhio W, Silitonga T, Pudjiatmoko S (2018) Introducing the six-ware cyber security framework concept to enhancing cyber security environment. In: ICCWS 2018 13th international conference on cyber warfare and security. Academic conferences and publishing limited, p 262
45. Mohamad FS, Albahaloul HA (2018) Assessing security of cloud services in Malaysian universities: a review. In: Proceedings of the international conference on E-business and mobile commerce. ACM, p 2018
46. Nugroho LE, Santosa PI, Ferdiana R et al (2017) Recommendation of cloud computing use for the academic data storage in university in Lampung province, Indonesia. In: 2017 7th International annual engineering seminar (InAES). IEEE, pp 1–5
47. Rajab M, Eydgahi A (2019) Evaluating the explanatory power of theoretical frameworks on intention to comply with information security policies in higher education. Comput Secur 80:211–223
48. Sanchez-Puchol F, Pastor-Collado JA, Borrell B (2017) Towards an unified information systems reference model for higher education institutions. Procedia Comput Sci 121:542–553
49. Joshi C, Singh UK (2016) Quantitative information security risk assessment model for university computing environment. In: 2016 International conference on information technology (ICIT). IEEE, pp 69–74
50. Zhang H, Li HB, Liu HJ (2013) Design and implementation of management information system based on SSH architecture for departments of colleges and universities. In: Advanced materials research, vol 756. Trans Tech Publ, pp 1933–1937
51. Cheung SKS (2014) Information security management for higher education institutions. In: Intelligent data analysis and its applications, vol I. Springer, pp 11–19
52. Reddy N, Singh P, Petkov D (2013) Perceptions and expectations of IT service delivery post migration to a Microsoft platform at a university of technology in South Africa. In: Proceedings of the South African Institute for computer scientists and information technologists conference. ACM, pp 85–89
53. Wada T, Fuse I, Okabe S, Tatsumi T, Ueda H, Uehara T, Nakanishi M, Tagawa T, Murata I (2017) Producing video clips for information ethics and security in higher education. In: Proceedings of the 2017 ACM annual conference on SIGUCCS. ACM, pp 129–131
54. Pereira C, Ferreira C, Amaral L (2018) An IT value management capability model for Portuguese universities: a Delphi study. Procedia Comput Sci 138:612–620
55. Ngoqo B, Flowerday SV (2015) Information security behaviour profiling framework (ISBPF) for student mobile phone users. Comput Secur 53:132–142
56. Harrell CR, Patton M, Chen H, Samtani S (2018) Vulnerability assessment, remediation, and automated reporting: case studies of higher education institutions. In: 2018 IEEE international conference on intelligence and security informatics (ISI). IEEE, pp 148–153
57. Kang CM, Ng PSJ, Issa K (2015) A study on integrating penetration testing into the information security framework for Malaysian higher education institutions. In: 2015 international symposium on mathematical sciences and computing research (iSMSC). IEEE, pp 156–161
58. Yamanoue T, Furuya T, Shimozono K, Masuya M, Oda K, Mori K (2013) Enhancing information security of a university using computer ethics video clips, managed security service and an information security management system. In: Proceedings of the 41st annual ACM SIGUCCS conference on user services. ACM, pp 101–104
59. Xie JH, Xiao JH (2014) Constructing an university scientific research management information system of NET platform. In: Applied mechanics and materials, vol 441. Trans Tech Publ, pp 984–988
60. Feng H, Wei W, Kong Z, Yang S (2017) Research on information security evaluation model of public institution. In: International symposium on intelligent signal processing and communication systems (ISPACS), p 2017
61. Shava FB, Van Greunen D (2013) Factors affecting user experience with security features: a case study of an academic institution in Namibia. In: 2013 Information security for South Africa. IEEE, pp 1–8
62. Siponen MT (2000) A conceptual foundation for organizational information security awareness. Inf Manag Comput Secur 8(1):31–41
63. Ashenden D (2008) Information security management: a human challenge? Inf Secur Techn Rep 13(4):195–201

Publisher's note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.