Article Review 2: Cybersecurity Posture and Higher Education Institutions

            History has proved that no organization, institution, or government is safe from cyberattack, with billions being lost every year to cybercrime. High education institutions (HEI), such as colleges and universities, struggle heavily with nefarious cyber actions globally. Anna Piazza and Srinidhi Vasudevan illuminate this problem in their research paper “Cybersecurity in UK Universities: mapping (or managing) threat intelligence sharing within the higher education sector”. The author’s point of focus was regional cybersecurity posture, with researchers documenting the current state of the United Kingdom’s cybersecurity practices and reporting regarding higher learning, that being colleges and universities. They accomplish this through interviews, questionnaires, and social network analysis. Social network analysis, or SNA, “… refers to a set of theories and techniques that helps researchers to understand how social actors—organizations, in this case–interact with others.” (Piazza, 2023) This was one of the main processes by which the researchers discerned the ability of universities to report and get resources from government and private cybersecurity firms. This review will briefly detail data types and concerns uncovered in the research, as well as connect social science principles and concepts to the paper’s contentions.

            As previously detailed, the methods by which the researchers obtained data were through interviews and questionnaires. The interviews were conducted first with university chief intelligence security officers or CISOs. If no CISO was present, whoever was responsible for data resiliency on campus gave a statement. Using these interviews, Piazza and the research team formulated a questionnaire to be delivered to other information technology executives. Data gained from these questionnaires focused on three main themes, “(1) collaboration networks; (2) perceptions about collaboration including the factors that facilitate or impede collaboration in the sector; and (3) demographic information at individual and organizational levels.” (Piazza 2023) Using all this data, several graphs were produced to display the connections between HEIs, non-profit, and private sector organizations. An overarching theme of their paper revolves around the social connections between cyber report aggregators and policy creators like the National Cyber Security Center (NCSC), the Cyber security information sharing platform (CiSP) and private HEIs. The authors note that current connections are weak, with there being a lack of reciprocation between these two groups. Researchers conclude one of the issues lies with government institutions like NCSC and CiSP, dubbed “information receiving nodes” (Piazza 2023), not alerting other institutions of potential attack vectors. Elaborating on one of the social network graphs, the paper explains “Reciprocity in this network is also low at 30%.”, “…the low reciprocity score reveals that information receiving nodes (in this case, those organizations we would expect to lead on collaboration) do not always send threat intelligence back to the nodes that share with them (the universities).” (Piazza 2023) One social science concept that this paper properly illuminates is that of social systems. Colleges and universities have created peer networks, which, sometimes, collaborate with one another with threat sharing. The institutional problem detailed by Piazza is that organizations like CiSP and NCSC as part of the social system will receive data, but not transmit it to HEIs. The aforementioned social system that has been constructed fails to properly alert network members (the HEIs) of threats from received information from the very same HEIs.       

One of the simplest, but most potent principles I’ve learned through my reading and evaluation of cybersecurity is “Cybercrime affects everyone”. Be it an individual or nation, a small business or enterprise, a homeschool co-op, or Harvard, everyone is at risk. In the case of this research paper, in particular, the colleges, universities, and students are at risk. An effective cyberattack on a university can result in many, layered, consequences. On the surface, the halting of university cyberspace operations can affect payment processing, class scheduling, and announcements. (If I’m correct, I believe at the beginning of the fall semester there was an accident where thousands of students were unable to get onto their canvas for almost a day, and that was an accident!) After an attack, however, there can be the leak of personally identifiable information, sensitive research data, or passwords and emails that can be used to commit other cybercrimes. At large, it can affect entire economies. Prolonged cyber-attacks could cause outages that prevent online classes from commencing or concluding, which, in extreme cases, could stop students from graduating on time. This in turn affects the ability of students to enter the workforce, depriving the students of employment. No organization is safe, with cyber-attacks occurring daily, Piazza’s paper, “Cybersecurity in UK Universities: mapping (or managing) threat intelligence sharing within the higher education sector” accentuates the necessity of enhanced collaboration between organizations and HEIs to provide ample warning of attacks.

References

Piazza, Anna, et al. “Cybersecurity in UK Universities: Mapping (or Managing) Threat Intelligence Sharing within the Higher Education Sector .” Academic.Oup.Com, Journal of Cybersecurity, 23 Sept. 2023, academic.oup.com/cybersecurity/article/9/1/tyad019/7281495.