
Annals of Telecommunications

https://doi.org/10.1007/s12243-020-00783-2

Information security management frameworks and strategies


in higher education institutions: a systematic review
Jorge Merchan-Lima1 · Fabian Astudillo-Salinas1 · Luis Tello-Oquendo2 · Franklin Sanchez3,4 ·
Gabriel Lopez-Fonseca3,4 · Dorys Quiroz5

Received: 17 February 2020 / Accepted: 18 June 2020


© Institut Mines-Télécom and Springer Nature Switzerland AG 2020

Abstract
Effective information security management (ISM) practices to protect the information assets of organizations from security
intrusions and attacks are imperative. In that sense, a systematic literature review of academic articles focused on ISM in
higher education institutions (HEIs) is conducted. For this purpose, an empirical study was performed. Studies carried out
from 2012 onward reporting results from HEIs data that perform the ISM through various means, such as a set of framework
functions, implementation phases, infrastructure services, and securities to their assets, have been explored. The articles
found were then analyzed following a methodological procedure consisting of a systematic mapping study with their research
questions, inclusion and exclusion criteria, selection of digital libraries, and analysis of the respective search strings. A
set of competencies, resources, directives, and strategies that contribute to designing and to developing an ISM framework
(ISMF) for HEIs is identified based on standards such as ISO 27000, COBIT, ITIL, NIST, and EDUCAUSE. This study
introduces a strategic reference that guides HEIs on the development of an ISMF and provides recommendations that should
be considered for its implementation in an era of ever-evolving security threats.

Keywords Higher education institution · Framework · Information security · ISMF

Corresponding author: Fabian Astudillo-Salinas (fabian.astudillos@ucuenca.edu.ec)

1 Departamento de Eléctrica Electrónica y Telecomunicaciones, Universidad de Cuenca, Cuenca, Ecuador
2 College of Engineering, Universidad Nacional de Chimborazo, Riobamba, Ecuador
3 Departamento de Electrónica Telecomunicaciones y Redes de Información, Escuela Politécnica Nacional, Quito, Ecuador
4 Facultad de Informática, Universidad Nacional de la Plata, La Plata, Argentina
5 Departamento de Ciencia de la Computación, Universidad de las Fuerzas Armadas, Quito, Ecuador

1 Introduction

Nowadays, it is the era of the data revolution, since a significant amount of data is generated every day from a variety of sources, such as computers, phones, or sensors. In a study performed by the software alliance, 90% of business leaders cite data as one of the critical resources and a fundamental distinguishing factor for business, along with primary resources such as land, labor, and capital [1]. The World Economic Forum declared data as a new class of economic asset, like currency or gold [2]. Thus, like other assets, data needs to be secured.

Higher education institutions (HEIs) are a specific type of organization with their particular needs. The goals of HEIs are mainly education and research. Like other organizations, they depend on information technology (IT) since it is used for everyday activities. Data in HEIs is considered a very high-value asset in information security management (ISM); it consists of teaching data, learning data, scientific research data, administrative management data, public service data, and cultural data. Data is sensitive, interactive, and collaborative, particularly those related to the educational process [3].

Most cyberattacks and threats target HEI data [4], which is why all the institution members should take steps to secure data. Research shows that between 2005 and 2014, 562 data breaches were reported at 324 HEIs, most of which are research institutions (63%) [5]. The breaches of data in a HEI could negatively impact their reputation, operations, and/or finances. Data breaches in 2016 cost organizations on average $3.62 million [6]. On the other hand, the education industry has been labeled as the slowest to patch, averaging 18% of vulnerabilities addressed during the 12-week patch cycle [7].

When a cyberattack threatens a HEI, the effect goes beyond the loss of student and employee personally identifiable information (PII). There can be operational, reputation, and/or financial impacts, as well as national security and privacy concerns: the latter, because some HEIs are involved with state companies' research projects and funding. Due to this, information security planning, education, and training are essential in the overall ISM framework (ISMF) in HEIs.

The HEIs are facing challenges and demands of technological advancements on their campuses and finding an applicable ISMF [8]. Factors affecting ISM can be classified into system management, institution policies, information security culture awareness, information security outsourcing, data backup, and information security awareness [9]. The HEIs must implement and enforce the policies, procedures, and standards in compliance with the institution's laws and regulations to safeguard and secure their assets. However, although many of these frameworks already exist for various industries (i.e., ISO 27000 [10], COBIT [11], ITIL [12], CIS controls [13], NIST [14]), few works have been done so far for HEIs.

To adequately address the challenges mentioned above, this article presents a systematic literature review (SLR) of ISMF for HEIs, aiming at (i) supporting CIOs and personnel responsible for ISM in the definition of an ISMF, and (ii) establishing the relevant strategies when performing ISM. To achieve this, we carried out an empirical study in four databases: IEEE, ACM, ScienceDirect, and Scopus. Then, the articles found were analyzed; finally, ISM standards and frameworks applicable for HEIs were defined jointly with strategies to perform ISM. We expect that this study becomes a strategic reference for organizations that aim to apply an ISMF or need strategies to perform ISM.

This paper is organized as follows. Section 2 introduces the methodology used to conduct the SLR and describes each step conducted. Section 3 presents the results, innovation points, application value of the SLR, and a proposal to select an ISMF, specifically for HEIs, that is the scope of this paper. Section 4 analyzes the different strategies applied in HEIs and presents some recommendations. Finally, in Section 5, some concluding remarks are made, and future works are proposed.

2 Research methodology

In what follows, we describe each of the steps followed in conducting the SLR. The methodology used in this study is mainly based on Kitchenham et al. [15]. Table 1 shows the review protocol defined for this work, where the first column describes the stages defined at [15], and the second column shows the stages established for our protocol.

Table 1 Review protocol

| Stages defined at [15] | Stages established |
| --- | --- |
| Data source and search strategy | Section 2.1 Approach of the review; Section 2.2 General research question; Section 2.3 Information sources; Section 2.4 Search methods; Section 2.5 Search string |
| Study selection | Section 2.6 Inclusion Criteria (IC); Section 2.7 Exclusion Criteria (EC) |
| Study quality assessment | Section 2.8 Quality assessment |
| Data extraction | Section 2.9 Methods for data extraction |
| Data synthesis | Section 2.10 Synthesis methods |

2.1 Approach of the review

Education and research are increasingly dependent on IT, and HEIs demand technological advancements on their campuses, particularly in the information security field, where an applicable ISMF is needed to safeguard and secure their assets.

A study by EDUCAUSE [16] highlights some issues related to the topic: institution-wide IT strategy; balancing and adjusting both IT's priorities and budget to support the institutional efficiencies and innovations enabled by IT in the context of institutional funding realities; and IT staffing and organizational models.

On the other hand, factors affecting ISM can be classified into system management, institution policies, information security culture awareness, information security outsourcing, data backup, and information security awareness [9]; nevertheless, not all ISMF cover all of these factors; therefore, a comprehensive review is carried out.

Widely accepted international initiatives for the development and operation of an ISMF [17] are considered, such as the ISO 27000 series [10], ITIL [12], and COBIT [11]. Besides identifying the state of the art on how the HEIs perform ISM, this work aims to define strategies that guide and advise HEIs on the development of ISMF and provide directions that should be considered for its implementation.

2.2 General research question (RQ) and specific research questions (SRQ)

RQ: What methods/strategies do HEIs use to perform ISM in their institutions? This question allows the construction of the classification of security frameworks for HEIs, architecture, and types of information security used in HEIs.

SRQ1: According to [18–20], what kind of ISM standards/frameworks is proposed for HEIs?
SRQ2: According to [21–23], how do institutions perform ISM?
SRQ3: According to [18, 24, 25], what strategies do HEIs use for ISM?

2.3 Information sources

The most commonly used databases in the area of information security are IEEE Xplore (http://ieeexplore.ieee.org); ACM Digital Library (http://dl.acm.org); ScienceDirect (http://www.sciencedirect.com/); and Scopus (http://www.scopus.com/).

2.4 Search methods

1. Coverage (a large number of conference proceedings and journals in different areas of knowledge);
2. Content update (publications are updated periodically);
3. Availability (the full text of the documents is available);
4. Quality of the results (accuracy of the results obtained by the search);
5. Versatility to export (there is a mechanism to export the search results).

2.5 Search string

The search is conducted by applying the search string to the same metadata (i.e., title, abstract, and keywords) of each article for all the sources (the search string syntax will be adapted in order for it to be applied in each digital library). Following the methodology in [15], next, we describe the evolution of the search string to get the results.

Table 2 Search strings

| Id | Search string |
| --- | --- |
| 1 | (FRAMEWORK) AND (MANAGEMENT) AND (INFORMATION) AND (SECURITY) AND (HIGHER EDUCATION INSTITUTES) |
| 2 | (FRAMEWORK OR STANDARD OR STRATEGY) AND (MANAGEMENT OR IMPLEMENTATION OR ADMINISTRATION) AND (INFORMATION) AND (SECURITY) AND (HIGHER EDUCATION OR UNIVERSITY OR INSTITUTES) |
| 3 | (FRAMEWORK OR STANDARD OR STRATEGY) AND (MANAGEMENT OR IMPLEMENTATION OR ADMINISTRATION OR GOVERNANCE) AND (INFORMATION) AND (SECURITY) AND (HEI OR COLLEGE OR HIGHER EDUCATION OR UNIVERSITY OR UNIVERSITIES OR ACADEMIC INSTITUTES) |

First, we conducted an initial search in which we used keywords and search terms closely related to:

– "framework information security";
– "information security management";
– "information security in higher education".

The first search string used is shown in Table 2 as Id=1. We observed that the obtained results were limited, and no articles related to the search string were found. For this reason, we added the following search terms to the search string:

– "standard"
– "administration"
– "strategy"
– "implementation"
– "university"

Therefore, a refined search string was obtained; it is shown in Table 2 as Id=2. However, after the search, we observed new terms related to our topic of interest; then, the search string was reconsidered including the following terms:

– "HEI"
– "governance"
– "academic institutes"
– "college"
– "universities"

Finally, the search string used was the one with Id=3 in Table 2. Thus, the set of articles related to information security management applied in HEIs was adequately filtered.

2.6 Inclusion criteria (IC)

IC1: Studies that are within the area of ISM.
IC2: Studies that present a protocol and/or the description of the implementation of an ISMF.
IC3: Studies that present methods or tools for ISM.
IC4: Studies published from 2012 onwards.

2.7 Exclusion criteria (EC)

EC1: The study does not have an abstract.
EC2: The study has just been published as an abstract.
EC3: The study is not written in English.
EC4: The study is an earlier version of another study already considered.
EC5: The study is not a scientific study, such as editorials, conference proceedings, workshops, and tutorials.
EC6: The study is a short paper, with less than four pages.
EC7: The study is a book chapter or a guide.

2.8 Quality assessment

The method proposed in [15] is used to validate the quality of the selected items, which best fits as a solution to the RQ: What methods/strategies do HEIs use to manage information security in their establishments? The first steps to evaluate the quality of the articles are the inclusion and exclusion criteria presented in Sections 2.6 and 2.7, respectively (Tables 3 and 4). The metrics used for validation are the extraction criteria (ETC) described in Tables 5, 6, and 7. The following codification is used: (1) to verify that it affirmatively solves the specific questions, and (0) otherwise. Additionally, it is crucial to define the relevance of each article; the description of this metric is detailed in what follows.

Relevance metric. Each SRQ has several criteria; each criterion has several answers; the answers of a criterion are not mutually exclusive. The total number of answers is $n = 43$, but ETC5 and ETC9 are not considered because each paper belongs to exactly one answer of ETC5 and one of ETC9; then, the total number of answers is reduced to $n = 36$. Each answer $x_i$ has two values: 1 if the answer is solved by the paper, and 0 otherwise (i.e., $x_i \in \{0, 1\}$, $i = \{1, \ldots, n\}$). The relevance of each study is computed as:

$$ r_j = \frac{\sum_{i=1}^{n} x_i}{n}, \qquad (1) $$

where $j = \{1, \ldots, m\}$, $m$ is the total number of selected articles, and $n$ is used as normalization factor. Note that $r_j$ can take values between 0 and 1; $r_j = 1$ when the paper solves all possible answers.

Note that the search strategy could inevitably omit some articles; for example, those that are very short or those whose authors are not included in the used databases. Also, we considered the studies published in the last seven years.

2.9 Data extraction

The ETCs were established heuristically based on the research questions defined in Section 2.2. These criteria were used to classify the scientific articles and map the results and studies aiming at answering the formulated research questions. Although several criteria can be defined, we established nine criteria (ETC1-ETC9, as detailed in Tables 5, 6, and 7) that are directly related to the scope of this study [9, 14, 15, 18–34]. Each criterion has several answers to map any article. Tables 5, 6, and 7 show the classification of each ETC where the first three columns represent Item, Criteria, and Answer, respectively.

The data extraction strategy defines a specific criterion for each research question. Each criterion has a set of answers. In Tables 5, 6, and 7, four columns are defined; the first column is the identifier of the extraction criteria; the second column is the defined extraction criteria; the third column contains elements of the set of extraction criteria (possible answers); and finally, the fourth column indicates both the number of papers $A_k$, $k = \{1, \ldots, n\}$, of each answer that belongs to the ETC and the percentage $p_k$ of each answer (normalized per the total number of papers per ETC, $N_h$, $h = \{1, \ldots, 9\}$), which is computed as:

$$ p_k = \frac{A_k}{N_{k \to h}} \times 100, \qquad (2) $$

where $A_k = \sum_{i=1}^{m} x_i$. Note that $k \to h$ takes the number $h$ of the ETC where the answer $k$ is located.

2.10 Synthesis methods

In order to respond to the RQ and SRQ, a descriptive synthesis is developed. The extracted information is tabulated, and a Venn diagram is used to help this description.

A bubble chart is used to represent the quantitative synthesis. It consists of two x–y scatter plots with bubbles in the category intersections. It reports the frequencies of combining the results from different specific research questions, and it is particularly used to compare the frameworks selected by HEIs.

3 Results of the systematic literature review

To select the papers, we applied four filters in each digital library. The first one was the search string (Id=1 in Table 2). Then, we refined the search string after some search tests (Id=2 in Table 2). This subset was filtered using four keywords (Id=3 in Table 2): framework, information security management, higher education institutes, and academic institutes. Finally, an abstract reading filter was applied to get the subset of selected articles. The number of papers obtained by each filter is presented in Table 3. The first column presents the digital library used. The next four columns present the number of papers selected by applying each one of the filters. The selection process is represented in Fig. 1.

Fig. 1 Description of the study selection process

Table 3 Filters applied in the selection of articles

| Digital library | Search string | Refined search string | Keywords | Abstract reading |
| --- | --- | --- | --- | --- |
| IEEE Xplore | 2250 | 525 | 60 | 11 |
| ACM | 2975 | 300 | 12 | 6 |
| ScienceDirect | 3935 | 700 | 19 | 8 |
| Scopus | 535 | 40 | 25 | 9 |

The total number of selected articles, the result of the SLR, is $m = 34$. They include conferences, journals, and magazines. The list of selected articles is presented in Table 4. This list is ordered by the relevance metric (as detailed in Section 2.8) of each paper, which is represented in Fig. 2. This metric takes values between 0 and 1. A polar plot represents it; the greater the relevance, the greater the magnitude that represents each paper.

Fig. 2 Relevance of the literature considered for this study

Table 4 Selected papers

| Relevance metric (Section 2.8) | Item | Study | Title |
| --- | --- | --- | --- |
| 0.78 | P21 | [35] | Information security awareness in higher education: An exploratory study |
| 0.72 | P15 | [36] | UNITA: A Reference Model of University IT Architecture |
| 0.72 | P33 | [25] | IT governance mechanisms at universities: an exploratory study |
| 0.69 | P03 | [19] | A practical implementation of ISM System |
| 0.69 | P17 | [37] | A New Perspective to Information Security: Total Quality Information Security Management |
| 0.67 | P27 | [38] | Security risk management at the Computer Center of X University |
| 0.67 | P28 | [39] | Analysis and implementation of operational security management on computer center at the university X |
| 0.67 | P31 | [20] | An analysis of IT assessment security maturity in higher education institution |
| 0.67 | P34 | [24] | An analysis of Indonesia's information security index: A case study in a public university |
| 0.64 | P07 | [21] | Analysis of information security through asset management in academic institutes of Pakistan |
| 0.61 | P08 | [40] | Information Security Management in academic institutes of Pakistan |
| 0.61 | P11 | [41] | A generic framework for information security policy development |
| 0.58 | P02 | [42] | Risk-assessment based academic information System security policy using octave Allegro and ISO 27002 |
| 0.58 | P25 | [43] | IT Governance mechanisms in higher education |
| 0.56 | P32 | [44] | Introducing the six-ware cyber security framework concept to enhancing cyber security environment |
| 0.53 | P18 | [22] | Information security risks management framework - A step towards mitigating security risks in university network |
| 0.53 | P24 | [23] | Assessment of Information System Risk Management with Octave Allegro at Education Institution |
| 0.50 | P16 | [45] | Assessing Security of Cloud Services in Malaysian Universities: A review |
| 0.47 | P10 | [46] | Recommendation of cloud computing use for the academic data storage in University in Lampung Province, Indonesia |
| 0.47 | P19 | [47] | Evaluating the explanatory power of theoretical frameworks on intention to comply with information security policies in higher education |
| 0.47 | P22 | [48] | Towards an Unified Information Systems Reference Model for Higher Education Institutions |
| 0.44 | P06 | [49] | Quantitative Information Security Risk Assessment Model for University Computing Environment |
| 0.44 | P26 | [50] | Design and implementation of management information system based on SSH architecture for departments of colleges and universities |
| 0.44 | P30 | [51] | Information security management for higher education institutions |
| 0.42 | P12 | [52] | Perceptions and expectations of IT service delivery Post Migration to a Microsoft Platform at a university of technology in South Africa |
| 0.42 | P14 | [53] | Producing Video Clips for Information Ethics and Security in Higher Education |
| 0.42 | P23 | [54] | An IT Value Management Capability Model for Portuguese Universities: A Delphi Study |
| 0.39 | P20 | [55] | Information Security Behaviour Profiling Framework (ISBPF) for student mobile phone users |
| 0.36 | P01 | [56] | Vulnerability Assessment, Remediation, and Automated Reporting: Case Studies of Higher Education Institutions |
| 0.36 | P09 | [57] | A study on integrating penetration testing into the information security framework for Malaysian higher education institutions |
| 0.36 | P13 | [58] | Enhancing information security of a university using computer ethics video clips, managed security service and an information security management system |
| 0.36 | P29 | [59] | Constructing an university scientific research management information system of NET platform |
| 0.28 | P04 | [60] | Research on information security evaluation model of public institution |
| 0.22 | P05 | [61] | Factors affecting user experience with security features: A case study of an academic institution in Namibia |

Table 5 Results of systematic mapping review of SRQ1

| Item | Criteria | Answer | No. of papers |
| --- | --- | --- | --- |
| ETC1 | Standards/frameworks | ITIL | 6 (8.82%) |
| | | COBIT | 9 (13.24%) |
| | | ISO 27000 | 13 (19.12%) |
| | | NIST | 12 (17.65%) |
| | | EDUCAUSE | 6 (8.82%) |
| | | Their own framework | 8 (11.76%) |
| | | Hybrid solution | 14 (20.59%) |
| ETC2 | Type of HEIs | Public | 24 (60%) |
| | | Private | 10 (25%) |
| | | Hybrid | 6 (15%) |

Table 6 Results of systematic mapping review of SRQ2

| Item | Criteria | Answer | No. of papers |
| --- | --- | --- | --- |
| ETC3 | Relevant framework functions | Identify | 30 (27.78%) |
| | | Protect | 31 (28.70%) |
| | | Detect | 25 (23.15%) |
| | | Respond | 19 (17.59%) |
| | | Recover | 3 (2.78%) |
| ETC4 | Relevant framework implementation phases | Define policy | 17 (12.88%) |
| | | Define scope | 25 (18.94%) |
| | | Risk analysis | 33 (25.00%) |
| | | Risk management | 30 (22.73%) |
| | | Selection controls | 27 (20.45%) |
| | | Applicability statement | 24 (18.18%) |
| | | System review | 11 (8.33%) |
| ETC5 | Infrastructure services | Cloud computing | 7 (20.59%) |
| | | Traditional infrastructure | 27 (79.41%) |
| ETC6 | Security factors | Organizational structures | 19 (33.93%) |
| | | Level of maturity | 15 (26.79%) |
| | | Training/awareness | 10 (17.86%) |
| | | User experiences | 12 (21.43%) |

Table 7 Results of systematic mapping review of SRQ3

| Item | Criteria | Answer | No. of papers |
| --- | --- | --- | --- |
| ETC7 | Analysis and evaluation procedures | Risks | 30 (37.97%) |
| | | Vulnerabilities | 18 (22.78%) |
| | | Regulations | 10 (12.66%) |
| | | Policies | 21 (26.58%) |
| ETC8 | Operational architecture | Hardware infrastructure | 16 (13.22%) |
| | | Data and information | 29 (23.97%) |
| | | Software system | 27 (22.31%) |
| | | User service | 24 (19.83%) |
| | | Cybersecurity | 15 (12.40%) |
| | | IT Government | 10 (8.26%) |
| ETC9 | Validation Method | Simulations | 3 (8.82%) |
| | | Surveys | 7 (20.59%) |
| | | Controlled Experiment | 7 (20.59%) |
| | | Case study | 11 (32.35%) |
| | | Prototype | 6 (17.65%) |

3.1 Selected articles per country and per publication year

All the selected articles are related to the topic of ISMF for HEIs. From these studies, we noticed that HEIs from 13 countries are involved in this topic (see Fig. 3), with Indonesia, China, and the USA being the countries with the largest number of papers.

Fig. 3 Countries of the selected articles

Figure 4 illustrates both the number of selected articles and their percentage published by year. As can be seen, the largest number of papers on this topic was published in 2017. We cannot identify a trend, but research is still going on in the last 3 years; also, 32% of the selected articles had planned future work.

Fig. 4 Number of articles by year

3.2 Answering research questions

3.2.1 SRQ1: What kind of information security management standards/frameworks is proposed for HEIs?

Table 5 shows the results of two extraction criteria of SRQ1: ETC1 and ETC2. The ETC1 presents the frameworks used by the HEIs. In this case, answers are not mutually exclusive. In 14 out of 34 studies, the authors generate a framework by combining ITIL, COBIT, ISO 27000, NIST, or EDUCAUSE; the groups are shown in Fig. 5 through a Venn diagram. HEIs that use a specific framework are analyzed in 12 articles: ITIL (P12), COBIT (P10), ISO 27000 (P02, P13, P14, P30), and NIST (P01, P06, P16, P18, P27, P28). Furthermore, 8 HEIs develop their own framework (P04, P05, P09, P19, P20, P24, P26, P29).

To complement the first question through ETC2, we analyzed the type of HEIs involved in the studies. Among the universities involved in the studies, 24 correspond to public academic institutions, 10 to private academic institutions, and 6 to academic institutions that have an agreement between public and private ones (hybrid) (P03, P10, P11, P14, P22, P34). Regarding the studies that received external funding, eight were conducted in public academic institutions (P01, P06, P13, P15, P18, P23, P25, P33), two in hybrid institutions (P03, P29), and one in a private academic institution (P27). The rest of the studies are financed by the HEIs themselves or in collaboration with students.

3.2.2 SRQ2: How do institutions perform information security management?

Table 6 shows the results from ETC3 to ETC6. ETC3 presents the studies related to characteristics of the National Initiative for Cybersecurity Education (NICE) [14]. The answers to this criterion are not mutually exclusive. From the 34 primary studies, 30 focus on identifying security risks; 31 focus on protecting assets; 25 focus on detecting threats or vulnerabilities; 19 focus on conducting response planning beforehand; and finally, three studies focus on analyzing a recovery plan to make improvements or mitigate threats. Figure 6 illustrates through a Venn diagram the articles working on the different framework functions.

Fig. 5 Venn diagram showing the standards involved in hybrid solutions

In [26], Valencia-Duque et al. present seven phases to implement an ISMS. These phases are taken into account as answers in ETC4. The goal of this ETC is to know how many works focus on some or all phases. In ETC4, the articles answer back the research question SRQ2. The articles P03, P07–P09, P11, P15, P17–P19, P21, P24, P27, P28, P30, P31, P33, and P34 implement the policy definition phase; P02, P03, P07, P08, P10–P18, P20–P24, P26–P28, P30, P31, P33, and P34 implement the define scope phase; P01–P21 and P23–P34 implement the risk analysis phase; P02–P12, P15–P21, and P23–P34 implement the risk management phase; P01–P03, P06–P08, P11, P13–P19, P21–P28, and P30–P34 implement the selection controls phase; P01–P04, P06–P08, P11–P18, P21, P22, P26–P29, and P32–P34 implement the applicability statement phase; P02, P03, P06–P08, P21, P22, P24, P31, P33, and P34 implement the system review phase. Figure 7 illustrates through a Venn diagram the set of phases analyzed by each article, as mentioned above.

Fig. 6 Venn diagram showing the mapping of ETC3 criterion

Fig. 7 Venn diagram showing the mapping of ETC4 criterion

The ETC5 criterion is related to the use of traditional infrastructure or cloud computing infrastructure in HEIs. In [27–29], cloud computing is proposed as another infrastructure to manage information security. This is because cloud computing offers higher security standards than traditional infrastructures (through multi-factor authentication, physical security, security certificates, patch management, among other features) that play an essential role when taking care of information security. From the SLR results, in P06, P10, P16, P28, and P29, cloud computing is proposed as an alternative infrastructure for ISM in HEIs.

The ETC6 answers back the question SRQ2. The authors in [9, 62, 63] describe four security factors to take into account in the ISM. From the SLR results, the articles P03, P07, P08, P11, P12, P17, P20, P21, P23, and P25–P34 analyze the organizational structure, and P06–P08, P10, P11, P15–P17, P24, P26–P28, P31, P33, and P34 analyze the maturity level as key factors in ISMF. The papers P02, P03, P12–P14, P17, and P19–P22 recommend taking into account the training and awareness, whereas the articles P12–P15, P17, P19–P23, P25, and P32 recommend considering the user experience as factors to improve ISM in HEIs. Figure 8 illustrates the articles grouping, which takes into account the security factors, as mentioned earlier.

Fig. 8 Venn diagram showing the mapping of the ETC6 criterion

3.2.3 SRQ3: What strategies do HEIs use for information security management?

The ETC7 criterion analyzes the strategies used by HEIs for ISM based on [30–32]. These strategies are related to the analysis and evaluation procedures proposed to be considered in ISM. From the SLR results, P02–P04, P06–P21, and P24–P34 consider the analysis and evaluation procedures to handle risks; P01, P04–P09, P11, P15, P19–P21, P24, P27, P28, and P32–P34 consider the analysis and evaluation procedures to handle vulnerabilities; P01–P03, P07, P08, P15, P21, P23, P27, and P28 consider the analysis and evaluation procedures to follow regulations; P02, P03, P07–P09, P11, P15, P17–P19, P21, P22, P24–P28, P30, P31, P33, and P34 consider the analysis and evaluation procedures to establish policies; therefore, these strategies can be developed in the HEIs. Figure 9 illustrates the mapping of the ETC7 criterion; furthermore, we can see graphically the articles related to each answer.

Fig. 9 Venn diagram showing the mapping of ETC7 criterion

The ETC8, namely operational architecture, is a strategic criterion to answer the question SRQ3 (What strategies do HEIs use for information security management?) to protect the operational architecture of an ISMF. According to [9, 33, 34], this architecture is composed of structures, processes, and relational mechanisms; each one of these mechanisms has a function and, when implemented, will impact the organization positively. P02, P03, P06, P10, P15–P18, P21, P25, P27, P28, and P30–P33 consider hardware infrastructure; P01–P03, P05, P07, P08, P10, P11, P13–P31, P33, and P34 consider data and information; P01–P03, P07–P11, P15–P22, and P24–P34 consider software system; P02, P03, P05, P10, P12–P17, P19–P29, P31, P33, and P34 consider user service; P04, P06, P09–P12, P15, P17, P19, P21, P25, and P31–P34 consider cybersecurity; and finally, P15, P21–P23, P25, P27, P28, and P32–P34 consider IT government. Therefore, these components are examined and analyzed, and their implementation is recommended to increase the protection in HEIs (Fig. 10).

Fig. 10 Venn diagram showing the mapping of ETC8 criterion

ETC9 is a complementary answer to SRQ3. It proposes a validation method according to [15]. In P01, P04, and P33, simulations are used; in P09, P15, P22, and P27–P29, a prototype is used; in P05, P07, P10, P12, P19, P20, and P23, surveys are used, whereas in P06, P13, P14, P16, P18, P32, and P34, experiments are used; the other articles use case studies as validation method (P02, P03, P08, P11, P17, P21, P24–P26, P30, P31). Details of the strategies used by HEIs to improve ISM are shown in Section 4.
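As an added example (not code from the paper), the following Python encodes the ETC7 and ETC9 paper lists quoted in this section, in the paper's own Pnn–Pmm range notation, and applies Eq. (2) of Section 2.9 and Eq. (1) of Section 2.8 to them: it reproduces the ETC7 and ETC9 rows of Table 7 (showing that $N_h$ is the total of answer hits in the criterion, which exceeds $m$ when answers overlap) and checks that every paper has exactly one ETC9 answer, which is why ETC9 is excluded from $n$. The range parser, the function names, and the restriction of the relevance to the two encoded criteria are assumptions of this example; $m = 34$ comes from Section 3.

```python
import re

# Constructed input: the ETC7 and ETC9 paper lists of Section 3.2.3, written in
# the paper's own notation (a range "P06–P21" means P06, P07, ..., P21).
ETC = {
    "ETC7": {  # analysis and evaluation procedures (answers not mutually exclusive)
        "Risks": "P02–P04, P06–P21, P24–P34",
        "Vulnerabilities": "P01, P04–P09, P11, P15, P19–P21, P24, P27, P28, P32–P34",
        "Regulations": "P01–P03, P07, P08, P15, P21, P23, P27, P28",
        "Policies": "P02, P03, P07–P09, P11, P15, P17–P19, P21, P22, "
                    "P24–P28, P30, P31, P33, P34",
    },
    "ETC9": {  # validation method (exactly one answer per paper)
        "Simulations": "P01, P04, P33",
        "Prototype": "P09, P15, P22, P27–P29",
        "Surveys": "P05, P07, P10, P12, P19, P20, P23",
        "Controlled Experiment": "P06, P13, P14, P16, P18, P32, P34",
        "Case study": "P02, P03, P08, P11, P17, P21, P24–P26, P30, P31",
    },
}
M = 34                                  # m selected papers, P01 .. P34 (Section 3)
RELEVANCE_EXCLUDES = {"ETC5", "ETC9"}   # criteria dropped from n in Section 2.8

_TOKEN = re.compile(r"P(\d{2})(?:[–-]P(\d{2}))?$")   # en dash or hyphen

def expand(spec):
    """Turn 'P02–P04, P06' into the set {2, 3, 4, 6}; rejects malformed tokens."""
    papers = set()
    for token in spec.split(","):
        m = _TOKEN.match(token.strip())
        if m is None:
            raise ValueError(f"bad paper token: {token!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 1 <= lo <= hi <= M:
            raise ValueError(f"range out of order or outside P01..P{M:02d}: {token!r}")
        papers.update(range(lo, hi + 1))
    return papers

def hits(etc=ETC):
    """The x_{k,j} values as sets: hits[h][k] = papers that solve answer k of ETC h."""
    return {h: {k: expand(spec) for k, spec in answers.items()}
            for h, answers in etc.items()}

def percentages(etc=ETC):
    """Eq. (2): A_k = papers with answer k; N_h = sum of A_k over the ETC that
    holds k (the value that reproduces Tables 5-7); p_k = A_k / N_h * 100,
    rounded to two decimals as in the tables. Returns {h: {k: (A_k, p_k)}}."""
    table = {}
    for h, answers in hits(etc).items():
        a = {k: len(papers) for k, papers in answers.items()}
        n_h = sum(a.values())
        table[h] = {k: (a_k, round(100 * a_k / n_h, 2)) for k, a_k in a.items()}
    return table

def relevance(paper, etc=ETC):
    """Eq. (1): r_j = (sum_i x_i) / n over the answers of the ETCs that count.
    ETC5 and ETC9 are skipped because every paper scores exactly one of their
    answers. Only the criteria encoded in `etc` contribute, so this is the
    partial relevance, not the full 36-answer value of Table 4."""
    counted = [papers for h, answers in hits(etc).items()
               if h not in RELEVANCE_EXCLUDES for papers in answers.values()]
    return sum(1 for papers in counted if paper in papers) / len(counted)

def is_exclusive(h, etc=ETC):
    """True when every paper P01..PM appears in exactly one answer of ETC h."""
    answer_sets = list(hits(etc)[h].values())
    return all(sum(p in s for s in answer_sets) == 1 for p in range(1, M + 1))

if __name__ == "__main__":
    for h, answers in percentages().items():
        print(h, "(mutually exclusive)" if is_exclusive(h) else "(overlapping answers)")
        for k, (a_k, p_k) in answers.items():
            print(f"  {k:<22} {a_k:>3} ({p_k:.2f}%)")
    print("partial relevance of P21:", relevance(21), "and of P05:", relevance(5))
```

Run against the page's own lists, the percentages match Table 7 exactly, and P21 (the most relevant paper in Table 4) scores every ETC7 answer while P05 (the least relevant) scores only one.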

3.3 Comparison of used frameworks in HEIs

The bubble graph presented in Fig. 11 illustrates the systematic mapping in terms of frameworks/standards (ETC1), types of HEIs (ETC2), and validation methods (ETC9). If a HEI uses a hybrid solution (i.e., implements more than one framework, for instance, EDUCAUSE, NIST, ISO 27000, COBIT, and/or ITIL), this solution counts for each framework and as a hybrid. It can be observed that the most used framework in public academic institutions is ISO 27000, with a case study as the validation method; it is also the most implemented framework, as the reviewed literature indicates. On the other hand, it is worth noting that, besides ISO 27000, the public HEIs usually implement a hybrid solution using the same validation method. Although there are relatively new frameworks such as EDUCAUSE and COBIT, it is observed that the traditional ones proposed by organizations such as ISO and NIST are the most implemented and considered frameworks for ISM.

Figure 12 depicts the systematic mapping concerning frameworks/standards (ETC1), analysis and evaluation procedures (ETC7), and relevant framework implementation phases (ETC4). As can be observed, risks and policies are the most used evaluation procedures, together with risk analysis and control selection as implementation phases in the frameworks. Also, it can be observed that the phases that are not usually implemented are "define policy" and "system review".

Fig. 11 Frameworks' usage comparison considering type of academic institution, infrastructure, and validation method

Fig. 12 Comparison of the phases of implementation of an ISM system, with the frameworks considered, and the type of academic institution where the study is carried out

4 Strategies in HEIs

In Section 3.2.3, we presented a first approach to the strategies used in HEIs. In the following, we introduce and review the main strategies that HEIs can use to improve their ISM based on the main factors that we found through the conducted SLR when implementing an ISMF. We aim at providing guidelines for HEIs on the development of an ISMF. Some recommendations are suggested that would be useful to overcome the ever-evolving security threats. Table 8 is based on Table 7; it is sorted by the number of articles wherein the answer appears as a keyword, so the strategy list order is based on the number of times that an answer appears as a keyword in the selected papers.

4.1 Risk assessment

As defined by the standards, the risk is the probability that a threat exploits a vulnerability of an asset [42]; this is why the diverse threats and vulnerabilities for data and information assets should be evaluated first. As observed in Table 8, both the risk and the data and information answers appear in more than 85% of the selected papers. For this reason, risk assessment is the first strategy in our list; it comprises the answers mentioned earlier, together with the software system (Section 4.1.1) and hardware infrastructure (Section 4.1.2).

Note that an information asset is any valuable data of a HEI. Besides habitual information (accounting, grades, student and faculty profiles), HEIs have been producing important discoveries in science and engineering. All these data could be a target for attackers and, if compromised, can represent losses to the HEIs. Studies related to this topic suggest establishing a profile of critical information assets to guarantee confidentiality, integrity, and data availability. This allows identifying and quantifying the cost that an attack would represent. Under this analysis, risk measurement criteria can be established

by identifying threat scenarios. Identifying the protection levels, vulnerabilities, and threats of the information assets' containers facilitates the risk analysis and the selection of the mitigation approach when events occur.

Then, performing the risk assessment strategy will protect the information assets from threats to confidentiality, integrity, and availability. Also, due to the automation and digitization of HEI processes, the information systems used in HEIs have increased their inherent risk. Therefore, the risk assessment provides the necessary risk treatment plans and controls for the information assets. For instance, a risk management and treatment plan should be seen as a process of the information security life cycle. There are available standards such as ISO 27003, NIST SP 800-30, EDUCAUSE, ITIL, COBIT, and others (OCTAVE Allegro) that can help to implement this strategy. Once implemented, a periodic re-evaluation of the risk assessment is recommended.

Table 8 Results of systematic mapping review of SRQ3

Answer                    Strategy                  No. of papers
Risks                     Risk assessment           30 (88.24%)
Data and information      Risk assessment           29 (85.29%)
Software system           Risk assessment           27 (79.41%)
User service              User's awareness          24 (70.59%)
Policies                  Establishing procedures   21 (61.76%)
Vulnerabilities           IT Government             18 (52.94%)
Hardware infrastructure   Risk assessment           16 (47.06%)
Cybersecurity             IT Government             15 (44.12%)
Case study                Validation                11 (32.35%)
Regulations               Establishing procedures   10 (29.41%)
IT Government             IT Government             10 (29.41%)
Surveys                   Validation                 7 (20.59%)
Controlled Experiment     Validation                 7 (20.59%)
Prototype                 Validation                 6 (17.65%)
Simulations               Validation                 3 (8.82%)

4.1.1 Software system

Software systems include several types of software, for instance, stand-alone applications, network-based applications, and others such as Platform as a Service (PaaS) and Software as a Service (SaaS). The control measures that can be applied to protect these software systems must be implemented from the initial stages of development and/or acquisition. This involves identifying the security requirements for the acquisition, development, implementation, and maintenance of the systems to prevent unauthorized or unscheduled modifications. The control measures imply establishing the roles and their access levels, implementing audit trails of all accesses and modifications made, and properly documenting any modification to the systems. Furthermore, it is essential to have well-established update and backup procedures, as well as to carry out simulations of events that affect the stability of the systems and thereby guarantee the immediate recovery of services.

4.1.2 Hardware infrastructure

The HEI's software runs on hardware infrastructure. This infrastructure is considered an important asset that comprises the following: (i) terminal devices (servers, PCs, laptops, storage drives, mobile devices, Internet of Things (IoT) terminal sensors, surveillance cameras, scanners, among others); (ii) computing and data storage (servers, large-capacity storage, high-performance computing equipment, etc.); (iii) network communications (routers, switches, physical firewalls, load balancer equipment,

wired cable, wireless access points, IoT transmission equipment, satellite receivers, etc.); and, finally, environmental infrastructure (generators, uninterruptible power supplies, air conditioners, security monitoring and alarm systems, access control systems, fire-fighting equipment, etc.). Therefore, it is necessary to plan protection measures, since a physical attack or damage can severely affect the hardware infrastructure.

Computer systems and critical information storage of HEIs must be hosted in a data center with physical access controls (to prevent unauthorized entries), environmental controls (temperature, humidity, voltage variations, and fire protection to safeguard the equipment from physical damage), and resilience and redundancy systems. As part of the control measures regarding network administration, it is advisable to define the system boundary and its boundary protection, apply periodic password change policies, manage remote network access, and restrict network access to the accounts that require it. These methods should be based on well-defined access control tables for each user role, including those accessing from mobile devices.

4.2 User's awareness

More than 70% of the selected papers are related to the user service answer. This answer is the second to appear according to Table 8. The users have different roles in the institution's processes. These roles are part of the academic, administrative, and research departments. Students and teachers are involved in academic departments, mainly working on teaching and learning environments. The administrative departments are related to business transaction processes. The research departments conduct scientific research and innovation. Finally, HEIs must also consider visitors on the campus; this is the most challenging group regarding users' awareness. All these roles involve multiple user terminals and multiple service access approaches; for all of them, getting users' satisfaction is a must [36].

All HEI members should know and understand their roles and responsibilities clearly. This can be achieved with awareness campaigns on the importance of information security in the HEI. Several control measures have to be implemented to measure the improvements, as recommended by several studies [19, 20, 51]. By doing so, the risks and threats to which users are exposed are made visible. Also, it is recommended to provide all the mechanisms so that the personnel can back up and protect both personal and institutional information. For instance, one of the strategies may be to implement e-mail and messaging systems with the appropriate safeguards that support electronic communication and guarantee the confidentiality, integrity, and availability of users' information. Furthermore, since user awareness is a crucial issue in security, studies about how to educate the user should be performed, together with how to follow written regulations and their sanctions in case of violation. Thus, the awareness of the HEI legal context will help understand possible threats and remediation measures. In what follows, we elaborate on establishing procedures that involve policies and regulations.

4.3 Establishing procedures

Table 8 shows that the regulations answer represents 29.41% of the selected articles, whereas policies represent 61.76%. More than 67% of the selected articles are related to regulations or policies. As both answers are related to the procedure definition, establishing procedures is the third strategy in our list. In our opinion, it is important to have these procedures such that the framework can be adapted to the HEI environment. In particular, regulations will allow molding the framework to the specific context in which it will be applied.

Note that the HEIs should be familiarized with the laws and regulations that apply to them. Also, regulatory violations should be part of the weight parameters affecting the impact in the risk analysis. Besides, the internal auditor has to evaluate the regulatory compliance program to check its effectiveness.

On the other hand, policies are used to improve the HEIs' services and information security. After risk assessment, security controls are generated, and every control implies defining a security policy. Furthermore, it is recommended to use templates and guidance documents as a reference, such as the guidelines generated by the universities and colleges' information security associations. The policies must comply with the HEIs' objectives so that the ISMF supports them. Also, the HEIs should periodically inform the community about the policies in order to make sure they understand their use. Additionally, policies must involve sanctions when they are not followed. The policy awareness should consider aspects such as the socio-cultural and human dimensions to commit users to the policies.

Additionally, one important finding to consider from the studies is that when an employee is concerned about the risks and the responsive course of action, they will show more security compliance [47].

4.4 IT government (ITG)

This strategy is responsible for structuring and directing all the information security mechanisms and procedures in HEIs [37]. It must be aligned with the HEI's mission and vision, and the HEI should align itself closely with the ITG. Knowledge and implementation of ITG frameworks and processes help HEIs to acquire cybersecurity skills

(Section 4.4.2) and to create proper IT vulnerability management (ITVM) practices (Section 4.4.1). Thus, each HEI must select its own set of ITG practices, appropriate for its dimension, culture, and ITG/ITVM maturity level.

Some general mechanisms to improve ITG [35] are outlined below:

1. Resolve the contractual status of the staff;
2. Establish policies and procedures that regulate access to information systems, as well as rewards in case of compliance and punishments in case of misuse;
3. Train the HEI community through induction processes on basic safety issues;
4. Carry out continuous evaluations and readjustments.

As mentioned in Section 4.2, the success of any mechanism or strategy that can be implemented to increase information security depends on the awareness of all HEI members; this is supported by studies [37, 47, 55], where users are more aware of information security threats in the areas with the most knowledge; therefore, ITG suggests:

1. Create and adopt a new culture related to the quality of information security.
2. Develop a constant purpose to improve the quality of information security.
3. Establish plans and programs for training, education, and awareness related to the quality of information security at work.
4. Involve everyone in the university community in the responsibility of achieving quality information security; this breaks down the barriers between IT and other departments.
5. Develop and apply robust, consistent, and mandatory policies on quality information security within the organization, which includes rewards for those who fully comply and sanctions for those who ignore their application.
6. Develop and monitor mechanisms to evaluate the quality of information security that allow these mechanisms to be readjusted.
7. Establish an effective quality information security program through the information security life cycle that supports the risk management process, the measurement process, the improvement process, and the management process.
8. Technology, processes (policies, standards, procedures), and people are the essential elements of an effective quality information security program; therefore, strategies must consider these three elements.

Finally, the participation and commitment of the senior management of HEIs are critical to making everything proposed by the IT government viable.

4.4.1 Vulnerabilities

The institutions should be aware that data must be protected by applying vulnerability management, since data protection depends on integrity and confidentiality. It is a concern that the education industry has been labeled as the slowest to patch vulnerabilities, with a 12-week patch cycle [56]. Also, vulnerability management supports risk assessment; thus, the performance of each depends on the other.

Scanners, such as Nessus, generally support the vulnerability assessment, but these tools tend to produce an overload of information and an absence of quick fixes in their reports. The studies recommend automating vulnerability checking and remediation to have an effective and efficient vulnerability management process.

4.4.2 Cybersecurity

Cybersecurity's main objective is protecting computers, networks, programs, and data from unintended or unauthorized access, change, or destruction of information assets, including attacks that may be perpetrated by external entities through security breaches in their networks. Some of the solutions that are envisaged to increase the level of cybersecurity include a series of equipment and advanced security technology, among which we can highlight firewall, Intrusion Detection and Prevention System (IDS/IPS), Virtual Private Network (VPN), Anti-DDoS System (ADS), Unified Threat Management (UTM), anti-spam system, Web Application Firewall (WAF), antivirus gateway, antivirus software, security assessment system, vulnerability scanning system, Database Audit System (DAS), security monitoring, log and security analytics, cloud data center security gateway, backup and disaster recovery system, Certification Authority (CA), SSL certificates, among others.

All these solutions need to be supported by clear and forceful policies, training, and awareness programs, in addition to conducting tests to determine security breaches. In this sense, several studies have proposed frameworks to identify cybersecurity breaches, which, among their recommendations, include conducting penetration testing, designing and implementing awareness programs, establishing appropriate physical and logical access control, and establishing a well-defined risk management plan and security policies.

4.5 Validation

As described in Section 3.2.3, the validation methods identified by ETC9 correspond to a variety of approaches that have been grouped as simulations, prototypes, surveys, experiments, and case studies. This dispersion of approaches does not allow drawing conclusions about a

specific validation method that might be recommended for the validation of ISM implementation in HEIs. However, case studies are among the most used.

5 Conclusions and future work

We conducted a systematic literature review regarding frameworks and strategies for information security management (ISM) in higher education institutions (HEIs). We followed the methodology proposed in [15], defining one general research question that is scrutinized in three specific sub-questions related to frameworks and strategies for ISM in HEIs. For these sub-questions, several criteria were established heuristically.

Among the main findings were several standards for ISM that HEIs use as a reference. These standards are ITIL, COBIT, ISO 27000, NIST, and EDUCAUSE. Hybrid frameworks are also proposed where a combination of them is used. Also, several HEIs have devised their own framework. These standards/frameworks provide guidelines to HEIs, aiming at advising on the development and use of directives that should be considered for implementing ISM. Besides, we considered the criteria related to the type of HEI: public, private, or hybrid.

The HEIs perform the ISM applying a set of framework functions, implementation phases, infrastructure services, and securities to their assets. Also, the HEIs use strategies such as analysis, evaluation, and procedures that take into account the operational architecture, validated with different methods.

As future work, we have planned to create a reference framework specifically devised for HEIs, aiming at helping them in their ISM plan. We will establish security management categories and controls for the academic environment through a reference framework that matches the efforts made so far and encourages increasing the level of maturity in information security management in HEIs. We also contemplate the cost evaluation, the mapping of regulations according to the local context applied to HEIs, the study about how to educate the users, and a mechanism to support HEIs in choosing the appropriate risk assessment model for their needs.

Funding information The authors would like to thank the financial support of the Ecuadorian Corporation for the Development of Research and Academy (RED CEDIA) for the development of this work, under Research Team GT-II-2018 (Cybersecurity). The research team was co-financed by the Research Department of the University of Cuenca (DIUC), Cuenca-Ecuador.

References

1. BSA-The Software Alliance and Galexia (2015) What's the big deal with data? https://data.bsa.org/wp-content/uploads/2015/10/BSADataStudy_en.pdf (Accessed: 20 Apr 2019)
2. Foro Económico Mundial (2012) Big data, big impact: new possibilities for international development. Foro Económico Mundial, Cologny, Switzerland. Available at: www3.weforum.org/docs/WEF_TC_MFS_BigDataBigImpact_Briefing_2012.pdf
3. González-Martínez J, Bote-Lorenzo ML, Gómez-Sánchez E, Cano-Parra R (2015) Cloud computing and education: a state-of-the-art survey. Comput Educ 80:132–151
4. Carlton MP, Wyrick P, Frederique N, Lopez B (2017) States' roles in keeping schools safe: opportunities and challenges for state school safety centers and other actors. National Institute of Justice Report. National Institute of Justice
5. Dahlstrom E, Bichsel J (2014) ECAR study of undergraduate students and information technology. In: Educause, 2014
6. Ponemon L (2017) Cost of data breach study. Ponemon Institute
7. Smyth G (2017) Using data virtualisation to detect an insider breach. Comput Fraud Secur 2017(8):5–7
8. McRobbie MA, Wheeler B (2010) Three insights for presidents and CIOs. EDUCAUSE Rev 45(3):8–9
9. Eloff JHP, Eloff MM (2005) Information security architecture. Comput Fraud Secur 2005(11):10–16
10. Disterer G (2013) ISO/IEC 27000, 27001 and 27002 for information security management. J Inf Secur
11. Khther RA, Othman M (2013) COBIT framework as a guideline of effective IT governance in higher education: a review. Int J Inf Technol Converg Serv 3(1):21
12. Office of Government Commerce Großbritannien (2007) The official introduction to the ITIL service lifecycle. TSO (The Stationery Office)
13. Center for Internet Security (2019) CIS critical security controls - version 7.0. https://www.sans.org/critical-security-controls (Accessed: 20 May 2019)
14. Newhouse W, Keith S, Scribner B, Witte G (2017) National Initiative for Cybersecurity Education (NICE) cybersecurity workforce framework. NIST Special Publ 800:181
15. Kitchenham B (2004) Procedures for performing systematic reviews. Keele, UK, Keele University 33(2004):1–26
16. Grajek S (2018) Top 10 IT issues, 2018: the remaking of higher education. In: EDUCAUSE review, 2018. EDUCAUSE, pp 55–62
17. Susanto H, Almunawar MN, Tuan YC (2011) Information security management system standards: a comparative study of the big five. Int J Electr Comput Sci IJECS-IJENS 11(5):23–29
18. Hentea M, Dhillon HS, Dhillon M (2006) Towards changes in information security education. J Inf Technol Educ: Res 5(1):221–233
19. Asosheh A, Hajinazari P, Khodkari H (2013) A practical implementation of ISMS. In: 7th international conference on e-commerce in developing countries: with focus on e-security. IEEE, pp 1–17
20. Suwito MH, Matsumoto S, Kawamoto J, Gollmann D, Sakurai K (2016) An analysis of IT assessment security maturity in higher education institution. In: Information science and applications (ICISA) 2016. Springer, pp 701–713
21. Mumtaz N (2015) Analysis of information security through asset management in academic institutes of Pakistan. In: International conference on information and communication technologies (ICICT). IEEE, p 2015

22. Joshi C, Singh UK (2017) Information security risks management framework—a step towards mitigating security risks in university network. J Inf Secur Appl 35:128–137
23. Suroso JS, Fakhrozi MA (2018) Assessment of information system risk management with OCTAVE Allegro at education institution. Procedia Comput Sci 135:202–213
24. Yustanti W, Qoiriah A, Bisma R, Prihanto A (2018) An analysis of Indonesia's information security index: a case study in a public university. In: IOP conference series: materials science and engineering, vol 296. IOP Publishing, p 012038
25. Bianchi IS, Sousa RD, Pereira R (2017) IT governance mechanisms at universities: an exploratory study. In: Strategic and competitive use of information technology (SCUIT)
26. Valencia-Duque FJ, Orozco-Alzate M (2017) Metodología para la implementación de un Sistema de Gestión de Seguridad de la Información basado en la familia de normas ISO/IEC 27000. In: RISTI - Revista Ibérica de Sistemas e Tecnologias de Informação, pp 73–88, 06
27. Sarwar A, Khan MN (2013) A review of trust aspects in cloud computing security. Int J Cloud Comput Serv Sci 2(2):116
28. Popović K, Hocenski Ž (2010) Cloud computing security issues and challenges. In: The 33rd international convention MIPRO. IEEE, pp 344–349
29. Younis YA, Kifayat K (2013) Secure cloud computing for critical infrastructure: a survey. Liverpool John Moores University, United Kingdom, Tech. Rep.
30. Zhang X, Wuwong N, Li H, Zhang X (2010) Information security risk management framework for the cloud computing environments. In: 2010 10th IEEE international conference on computer and information technology. IEEE, pp 1328–1334
31. Peltier TR (2016) Information security policies, procedures, and standards: guidelines for effective information security management. Auerbach Publications
32. Jerman-Blažič B et al (2012) Quantitative model for economic analyses of information security investment in an enterprise information system. Organizacija 45(6):276–288
33. Liu F, Tong J, Mao J, Bohn R, Messina J, Badger L, Leaf D (2011) NIST cloud computing reference architecture. NIST Spec Publ 500(2011):1–28
34. Soomro ZA, Shah MH, Ahmed J (2016) Information security management needs more holistic approach: a literature review. Int J Inf Manag 36(2):215–225
35. Rezgui Y, Marks A (2012) Information security awareness in higher education: an exploratory study. Comput Secur 27(7–8):241–253
36. Chen S, Tang Y, Li Z (2016) Unita: a reference model of university IT architecture. In: Proceedings of the 2016 international conference on communication and information systems. ACM, pp 73–77
37. Sharbaf MS (2014) A new perspective to information security: total quality information security management. In: Proceedings of the 7th international conference on security of information and networks. ACM, p 56
38. Gunawan I, Noertjahyana A, Rusli H (2014) Security risk management at the computer center of X university. ARPN J Eng Appl Sci 9:2906–2911
39. Gunawan I, Noertjahyana A, Rusli H, Zavareh AA, Abdullah R, Fadilah SI, Shibghatullah AS, Abas ZA, Wahab MHA, Nur W, Hashim W et al (2014) Analysis and implementation of operational security management on computer center at the university X. Journal
40. Rehman H, Masood A, Cheema AR (2013) Information security management in academic institutes of Pakistan. In: 2013 2nd National conference on information assurance (NCIA). IEEE, pp 47–51
41. Ismail WBW, Widyarto S, Ahmad RATR, Ghani KA (2017) A generic framework for information security policy development. In: 2017 4th International conference on electrical engineering, computer science and informatics (EECSI). IEEE, pp 1–6
42. Jufri MT, Hendayun M, Suharto T (2017) Risk-assessment based academic information system security policy using OCTAVE Allegro and ISO 27002. In: Second international conference on informatics and computing (ICIC), p 2017
43. Bianchi IS, Sousa RD (2016) IT governance mechanisms in higher education. Procedia Comput Sci 100:941–946
44. Gultom R, Midhio W, Silitonga T, Pudjiatmoko S (2018) Introducing the six-ware cyber security framework concept to enhancing cyber security environment. In: ICCWS 2018 13th international conference on cyber warfare and security. Academic conferences and publishing limited, p 262
45. Mohamad FS, Albahaloul HA (2018) Assessing security of cloud services in Malaysian universities: a review. In: Proceedings of the international conference on E-business and mobile commerce. ACM, p 2018
46. Nugroho LE, Santosa PI, Ferdiana R et al (2017) Recommendation of cloud computing use for the academic data storage in university in Lampung province, Indonesia. In: 2017 7th International annual engineering seminar (InAES). IEEE, pp 1–5
47. Rajab M, Eydgahi A (2019) Evaluating the explanatory power of theoretical frameworks on intention to comply with information security policies in higher education. Comput Secur 80:211–223
48. Sanchez-Puchol F, Pastor-Collado JA, Borrell B (2017) Towards an unified information systems reference model for higher education institutions. Procedia Comput Sci 121:542–553
49. Joshi C, Singh UK (2016) Quantitative information security risk assessment model for university computing environment. In: 2016 International conference on information technology (ICIT). IEEE, pp 69–74
50. Zhang H, Li HB, Liu HJ (2013) Design and implementation of management information system based on SSH architecture for departments of colleges and universities. In: Advanced materials research, vol 756. Trans Tech Publ, pp 1933–1937
51. Cheung SKS (2014) Information security management for higher education institutions. In: Intelligent data analysis and its applications, vol I. Springer, pp 11–19
52. Reddy N, Singh P, Petkov D (2013) Perceptions and expectations of IT service delivery post migration to a Microsoft platform at a university of technology in South Africa. In: Proceedings of the South African Institute for computer scientists and information technologists conference. ACM, pp 85–89
53. Wada T, Fuse I, Okabe S, Tatsumi T, Ueda H, Uehara T, Nakanishi M, Tagawa T, Murata I (2017) Producing video clips for information ethics and security in higher education. In: Proceedings of the 2017 ACM annual conference on SIGUCCS. ACM, pp 129–131
54. Pereira C, Ferreira C, Amaral L (2018) An IT value management capability model for Portuguese universities: a Delphi study. Procedia Comput Sci 138:612–620
55. Ngoqo B, Flowerday SV (2015) Information security behaviour profiling framework (ISBPF) for student mobile phone users. Comput Secur 53:132–142

56. Harrell CR, Patton M, Chen H, Samtani S (2018) Vulnerability assessment, remediation, and automated reporting: case studies of higher education institutions. In: 2018 IEEE international conference on intelligence and security informatics (ISI). IEEE, pp 148–153
57. Kang CM, Ng PSJ, Issa K (2015) A study on integrating penetration testing into the information security framework for Malaysian higher education institutions. In: 2015 international symposium on mathematical sciences and computing research (iSMSC). IEEE, pp 156–161
58. Yamanoue T, Furuya T, Shimozono K, Masuya M, Oda K, Mori K (2013) Enhancing information security of a university using computer ethics video clips, managed security service and an information security management system. In: Proceedings of the 41st annual ACM SIGUCCS conference on User services. ACM, pp 101–104
59. Xie JH, Xiao JH (2014) Constructing an university scientific research management information system of net platform. In: Applied mechanics and materials, vol 441. Trans Tech Publ, pp 984–988
60. Feng H, Wei W, Kong Z, Yang S (2017) Research on information security evaluation model of public institution. In: International symposium on intelligent signal processing and communication systems (ISPACS), p 2017
61. Shava FB, Van Greunen D (2013) Factors affecting user experience with security features: a case study of an academic institution in Namibia. In: 2013 Information security for South Africa. IEEE, pp 1–8
62. Siponen MT (2000) A conceptual foundation for organizational information security awareness. Inf Manag Comput Secur 8(1):31–41
63. Ashenden D (2008) Information security management: a human challenge? Inf Secur Techn Rep 13(4):195–201

Publisher's note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
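The following worked example is added by the editor and is not part of the article or of any of the reviewed studies. It applies the risk definition of Section 4.1 (the probability that a threat exploits a vulnerability, multiplied by an impact derived from the asset's confidentiality, integrity and availability profile), the regulatory weighting of Section 4.3, and the automated triage of scanner findings recommended in Section 4.4.1 (deduplication across scanners and a check against the 12-week patch cycle that [56] reports); all assets, finding identifiers, probabilities, weights and dates are constructed.

```python
"""Constructed risk register for a HEI: asset profiles x scanner findings -> remediation queue."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    """Profile of a critical information asset and the container that holds it (Section 4.1)."""
    name: str
    container: str          # where the data lives: data center, PaaS/SaaS, user terminal ...
    confidentiality: int    # required protection level, 1 (low) to 3 (high)
    integrity: int
    availability: int
    regulated: bool         # covered by a law or regulation that applies to the HEI (Section 4.3)


@dataclass(frozen=True)
class Finding:
    """One scanner result: a vulnerability of an asset that a threat could exploit."""
    asset: str
    vuln_id: str                # constructed placeholder ids, not real advisories
    exploit_probability: float  # assumed 0.0 .. 1.0 likelihood that a threat exploits it
    first_seen: date
    scanner: str


REGULATORY_WEIGHT = 2               # assumed extra impact when a breach also violates regulation
PATCH_CYCLE = timedelta(weeks=12)   # the 12-week patch cycle that Section 4.4.1 cites from [56]


def impact(asset: Asset) -> int:
    """Impact = highest CIA protection level, plus the regulatory weight where it applies."""
    base = max(asset.confidentiality, asset.integrity, asset.availability)
    return base + (REGULATORY_WEIGHT if asset.regulated else 0)


def risk_score(finding: Finding, asset: Asset) -> float:
    """Risk = probability that the threat exploits the vulnerability x impact on the asset."""
    return round(finding.exploit_probability * impact(asset), 2)


def deduplicate(findings):
    """Collapse the same vulnerability on the same asset reported by several scanners or scans,
    keeping the earliest sighting so that a rescan does not reset the patch clock."""
    kept = {}
    for f in findings:
        key = (f.asset, f.vuln_id)
        if key not in kept or f.first_seen < kept[key].first_seen:
            kept[key] = f
    return list(kept.values())


def remediation_queue(findings, assets, today):
    """Rank deduplicated findings by risk (older first on ties) and flag those past the patch cycle."""
    rows = []
    for f in deduplicate(findings):
        asset = assets[f.asset]
        open_for = today - f.first_seen
        rows.append({
            "asset": f.asset,
            "container": asset.container,
            "vuln_id": f.vuln_id,
            "risk": risk_score(f, asset),
            "days_open": open_for.days,
            "overdue": open_for > PATCH_CYCLE,
        })
    rows.sort(key=lambda r: (-r["risk"], -r["days_open"]))
    return rows


def exposure_by_container(queue):
    """Sum the risk per container, which points to where protection measures should go first."""
    totals = {}
    for r in queue:
        totals[r["container"]] = round(totals.get(r["container"], 0.0) + r["risk"], 2)
    return totals


# Constructed sample data (not taken from the article or from any reviewed study).
ASSETS = {a.name: a for a in [
    Asset("student-records-db", "data center", 3, 3, 2, regulated=True),
    Asset("lms-portal", "PaaS", 2, 2, 3, regulated=False),
    Asset("research-share", "data center", 3, 3, 1, regulated=False),
    Asset("staff-laptop-17", "user terminal", 2, 1, 1, regulated=False),
]}
TODAY = date(2020, 6, 1)
FINDINGS = [
    Finding("student-records-db", "VULN-0001", 0.8, date(2020, 2, 10), "scanner-A"),
    Finding("student-records-db", "VULN-0001", 0.8, date(2020, 5, 20), "scanner-B"),  # duplicate
    Finding("lms-portal", "VULN-0002", 0.6, date(2020, 5, 15), "scanner-A"),
    Finding("research-share", "VULN-0003", 0.3, date(2020, 1, 5), "scanner-A"),
    Finding("staff-laptop-17", "VULN-0004", 0.9, date(2020, 5, 28), "scanner-B"),
]

if __name__ == "__main__":
    queue = remediation_queue(FINDINGS, ASSETS, TODAY)
    for row in queue:
        state = "OVERDUE" if row["overdue"] else "within cycle"
        print(f'{row["risk"]:5.2f}  {row["asset"]:20s} {row["vuln_id"]}  {row["days_open"]:4d} d  {state}')
    print(exposure_by_container(queue))
```

The queue puts the regulated, long-open database finding first and shows that a rescan by a second scanner neither duplicates the item nor hides that it is past the patch cycle.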