{"id":8463,"date":"2016-12-04T09:40:31","date_gmt":"2016-12-04T09:40:31","guid":{"rendered":"http:\/\/www.lifeandnews.com\/articles\/?p=8463"},"modified":"2016-12-07T05:24:16","modified_gmt":"2016-12-07T05:24:16","slug":"balancing-cybersecurity-and-academic-freedom-is-a-challenge-on-campus","status":"publish","type":"post","link":"https:\/\/www.lifeandnews.com\/articles\/balancing-cybersecurity-and-academic-freedom-is-a-challenge-on-campus\/","title":{"rendered":"Balancing cybersecurity and academic freedom is a challenge on campus"},"content":{"rendered":"<p><span><a href=\"https:\/\/theconversation.com\/profiles\/jungwoo-ryoo-195949\">Jungwoo Ryoo<\/a>, <em><a href=\"http:\/\/theconversation.com\/institutions\/pennsylvania-state-university-1258\">Pennsylvania State University<\/a><\/em><\/span><\/p>\n<p>Cybersecurity concerns crop up everywhere you turn lately \u2013 <a href=\"https:\/\/theconversation.com\/how-vulnerable-to-hacking-is-the-us-election-cyber-infrastructure-63241\">around the<\/a> <a href=\"https:\/\/theconversation.com\/this-election-was-not-hacked-but-it-was-attacked-67511\">election<\/a>, <a href=\"https:\/\/theconversation.com\/why-did-yahoo-take-so-long-to-disclose-its-massive-security-breach-66014\">email services<\/a>, <a href=\"https:\/\/theconversation.com\/after-a-data-breach-its-consumers-left-holding-the-bag-33067\">retailers<\/a>. And <a href=\"http:\/\/www.theatlantic.com\/technology\/archive\/2015\/10\/can-campus-networks-ever-be-secure\/409813\/\">academic institutions<\/a> haven\u2019t been immune to security breaches either. According to <a href=\"http:\/\/www.comtact.co.uk\/wp-content\/uploads\/2016\/04\/University-Challenge-Cyber-Attacks-in-Higher-Education-April-2016.pdf\">a recent report by VMware<\/a>, almost all universities (87 percent) in the United Kingdom have been the victims of cyber crime. 
In general, from 2006 to 2013, <a href=\"http:\/\/www.nbcnews.com\/tech\/security\/universities-become-targets-hackers-n429821\">550 universities suffered data breaches<\/a>. When higher ed breaches occur, attackers typically steal <a href=\"http:\/\/www.edtechmagazine.com\/higher\/article\/2015\/09\/putting-2015-s-higher-education-cyberattacks-perspective\">student information<\/a>, <a href=\"http:\/\/www.ipcommission.org\/report\/ip_commission_report_052213.pdf\">intellectual property<\/a> or research data. Among the criminals behind these attacks are <a href=\"http:\/\/www.nytimes.com\/2013\/07\/17\/education\/barrage-of-cyberattacks-challenges-campus-culture.html\">nation-states<\/a> and <a href=\"https:\/\/www.universitybusiness.com\/article\/cyberattacks-rise-higher-education\">organized crime<\/a> groups motivated by economic gain. <\/p>\n<p>A common knee-jerk reaction to a cyberattack \u2013 wherever it happens \u2013 is to clamp down on access and add more security controls. For example, in 2005, after a major attack against a credit card processor <a href=\"http:\/\/money.cnn.com\/2005\/06\/17\/news\/master_card\/\">affected 40 million customers<\/a>, there were urgent calls for <a href=\"http:\/\/www.computerweekly.com\/news\/2240074586\/CBI-warns-on-kneejerk-data-laws\">new mandatory encryption standards<\/a> in the U.S. Senate. As paranoia sets in, a sense of urgency to do something about a possible next attack takes over, just like <a href=\"http:\/\/www.nytimes.com\/2016\/02\/02\/technology\/at-uc-berkeley-a-new-digital-privacy-protest.html\">what happened in the University of California system<\/a>. 
After <a href=\"http:\/\/news.berkeley.edu\/2016\/02\/26\/campus-alerting-80000-individuals-to-cyberattack\/\">a 2015 hack<\/a>, the university administration started monitoring user traffic without consulting faculty and students (not to mention receiving their consent), resulting in a huge backlash.<\/p>\n<p>As is so often the case, too much of anything is not good. Cybersecurity is a delicate balancing act between usability and countermeasures designed to reduce or prevent threats. A one-size-fits-all, or Procrustean, approach usually leads to <a href=\"https:\/\/www.juniper.net\/us\/en\/local\/pdf\/executive-briefs\/3000091-en.pdf\">lower productivity and a large group of unhappy users<\/a>. And it\u2019s particularly tricky to get the balance right in an academic setting.<\/p>\n<p>Much of what we in academia do hinges upon our <a href=\"https:\/\/www.insidehighered.com\/views\/2010\/12\/21\/defining-academic-freedom\">academic freedom<\/a>. American scholars count on the freedom to pursue academic projects without administrators imposing any political, religious or philosophical beliefs from above. Our free access to information technology (IT) resources is a big part of how we accomplish our scholarly work. But unlimited access may no longer be realistic as we start to grapple with the realities of an ever-hostile cyberthreat environment. Campus security leaders must walk a fine line when considering how to improve cybersecurity, particularly in the wake of an attack.<\/p>\n<h2>Unique aspects of on-campus cybersecurity<\/h2>\n<p>Cybersecurity in higher education is different than in corporate milieus. Companies have a much easier time compelling employees to comply with and enforce access-control policies to protect intellectual property and trade secrets. <\/p>\n<p>But the free flow of information among students, faculty members and the surrounding community is part of what allows academic communities to flourish. 
Unfortunately, the academic ideal of openness conflicts with some of cybersecurity\u2019s major goals and can lead to more vulnerabilities \u2013 and the attacks that exploit them. <\/p>\n<p>In this sensitive environment, I\u2019d suggest security practitioners on campus should avoid an \u201call-or-nothing\u201d approach. Their mission is to help faculty members do their jobs effectively and safely. Productivity in both research and teaching needs to be supported as much as possible and balanced with security requirements.<\/p>\n<p>Take a two-factor authentication scenario. A faculty member may be required to carry an additional device (like a cellphone) to generate a code to be entered in addition to his system password. It\u2019s safer, but cuts into productivity because he has to spend extra time and care to generate the secret code on his second device.<\/p>\n<p>Sometimes it may be appropriate to compromise \u2013 accepting some risk while trying to maximize productivity and minimize security vulnerabilities. The administration can <a href=\"http:\/\/searchsecurity.techtarget.com\/tip\/Performing-a-security-risk-analysis-to-assess-acceptable-level-of-risk\">decide on an acceptable risk level<\/a> and translate it into security policies. Then it\u2019s up to security and IT professionals to enforce them. 
In an academic setting, input from faculty and students needs to be factored into this process since they\u2019re the organization\u2019s primary customers.<\/p>\n<figure class=\"align-center zoomable\">\n            <a href=\"https:\/\/62e528761d0685343e1c-f3d1b99a743ffa4142d9d7f1978d9686.ssl.cf2.rackcdn.com\/files\/148290\/area14mp\/image-20161201-25656-1e75c30.jpg\"><img alt=\"\" src=\"https:\/\/62e528761d0685343e1c-f3d1b99a743ffa4142d9d7f1978d9686.ssl.cf2.rackcdn.com\/files\/148290\/width754\/image-20161201-25656-1e75c30.jpg\"><\/a><figcaption>\n              <span class=\"caption\">Probably not adequately secured.<\/span><br \/>\n              <span class=\"attribution\"><a class=\"source\" href=\"http:\/\/www.shutterstock.com\/pic.mhtml?id=521197372\">Drive image via www.shutterstock.com.<\/a><\/span><br \/>\n            <\/figcaption><\/figure>\n<p>Context is going to count on campus. There are bound to be faculty and staff members who need more access to IT resources simply to do their jobs. For example, instructors teaching an ethical hacking course will want administrative access, while those mostly doing clerical work on their computers don\u2019t usually request the same kind of privileges. By accommodating each individual\u2019s occupational needs as much as possible, a chief information officer can hopefully avoid rogue users who do IT tasks in their own way without authorization \u2013 and end up introducing new security vulnerabilities without the security group\u2019s knowledge.<\/p>\n<p>It is also crucial for the security experts to listen to the users and establish trust and transparency. They need as much buy-in as possible so everyone on campus is, in effect, on the same cybersecurity team. The last thing a CIO wants is users not sounding the alarm about a potential security problem and trying to solve it on their own due to a lack of trust. 
It\u2019s mutually beneficial for users and security people to freely communicate with each other about anything that could have an impact on their professional lives. This could mean announcements of additional security restrictions imposed on end users by the IT group, or a user\u2019s confession of a personal security oversight.<\/p>\n<h2>Strategies for cybersecuring the ivory tower<\/h2>\n<p>Logging and monitoring are a CIO\u2019s best friend. For employees this means that every move they make on their computer is being tracked and recorded. Because colleges need flexibility in their security management landscape, watching for potential security incidents and responding to them is critical. The quicker you detect an attack before it can do irreversible damage, the better. On the other hand, academics may feel uneasy about this type of surveillance that could potentially impinge on their academic freedom.<\/p>\n<p>CIOs should educate, not babysit, and think of users as resources. One of the biggest challenges in cybersecurity is that its scope is beyond the capabilities of a single person or even a small group. If security professionals attempt to do it all themselves and keep users out of the loop, they are destined to fail. There are simply <a href=\"http:\/\/csrc.nist.gov\/cyberframework\/rfi_comments\/040913_safegov_mwm_part_2.pdf\">too many things to protect and too few resources<\/a>, including manpower, time and budget. 
In addition, an uninformed or misinformed user can turn out to be a major security vulnerability, as demonstrated by social engineering cyberattack techniques <a href=\"https:\/\/www.us-cert.gov\/ncas\/current-activity\/2016\/10\/11\/Potential-Hurricane-Matthew-Phishing-Scams\">such as phishing<\/a> \u2013 an impersonation attack that gets victims to surrender sensitive information.<\/p>\n<p>A better approach is to educate the users about how to protect themselves and delegate some security-related responsibilities to them, depending on their knowledge and roles. Using a \u201ccarrot and stick\u201d strategy can help. There need to be consequences for repeated violations of security policies \u2013 for instance, visiting an unauthorized website can mean losing privileges such as full access to a computer system. Desirable behaviors can be reinforced by rewards, even as simple as a <a href=\"http:\/\/www.darkreading.com\/vulnerabilities---threats\/making-security-everyones-job-one-carrot-at-a-time\/a\/d-id\/1323533\">chance to win a gift certificate or other swag<\/a>. 
This way the users can better protect themselves, and IT staff can get some relief in terms of their workload.<\/p>\n<figure class=\"align-center zoomable\">\n            <a href=\"https:\/\/62e528761d0685343e1c-f3d1b99a743ffa4142d9d7f1978d9686.ssl.cf2.rackcdn.com\/files\/147814\/area14mp\/image-20161128-22739-l78a7o.jpg\"><img alt=\"\" src=\"https:\/\/62e528761d0685343e1c-f3d1b99a743ffa4142d9d7f1978d9686.ssl.cf2.rackcdn.com\/files\/147814\/width754\/image-20161128-22739-l78a7o.jpg\"><\/a><figcaption>\n              <span class=\"caption\">Don\u2019t get yourself technologically exiled.<\/span><br \/>\n              <span class=\"attribution\"><a class=\"source\" href=\"https:\/\/www.flickr.com\/photos\/ep_jhu\/7311370208\">ep_jhu<\/a>, <a class=\"license\" href=\"http:\/\/creativecommons.org\/licenses\/by-nc\/4.0\/\">CC BY-NC<\/a><\/span><br \/>\n            <\/figcaption><\/figure>\n<h2>Academics: You don\u2019t know everything<\/h2>\n<p>As an end user, be reasonable. Don\u2019t say you need unlimited rights and privileges. Do you really require full access to everything? Probably unrestricted access to all student records since the university\u2019s founding is overkill. Unnecessary access makes the job of security professionals almost impossible because it introduces an uncontrollable number of security vulnerabilities. Even a system administrator doesn\u2019t typically have this kind of unlimited power anymore because of <a href=\"https:\/\/www.sans.org\/reading-room\/whitepapers\/incident\/protecting-insider-attacks-33168\">concerns about insider threats<\/a>.<\/p>\n<p>At the same time, that\u2019s not to say an academic should allow his rights to be stifled. Scholars should be proactive and communicate their IT needs to the appropriate people. 
You may assume that your request for a personal wireless router in your office will be either ignored or outright rejected; but an IT team\u2019s primary security goal may simply be awareness of what\u2019s going on in their network \u2013 including connection of the router. Many security incidents result from a lack of visibility. It\u2019s users\u2019 responsibility to notify IT staff before taking any security-relevant actions.<\/p>\n<p>Lastly, you can be the master of your own cybersecurity destiny. End users are frequently the weakest link. Faculty members should demand systematic training on how to take their own precautions against common security attacks. For example, a majority of phishing attempts can be defeated with an elevated level of awareness and education.<\/p>\n<p>Whether you\u2019re an IT service user or a security professional, a common goal should be making security more usable and transparent. We need to make any <a href=\"http:\/\/cups.cs.cmu.edu\/\">security efforts as unobtrusive and usable as possible<\/a>. 
Unfortunately, most security solutions today are highly visible and can be detrimental to \u201cgetting things done.\u201d We can all do better when we meet in the middle as higher education\u2019s core mission \u2013 teaching and research \u2013 hinges on both its academic freedom and cybersecurity.<\/p>\n<p><span><a href=\"https:\/\/theconversation.com\/profiles\/jungwoo-ryoo-195949\">Jungwoo Ryoo<\/a>, Associate Professor of Information Sciences and Technology at Altoona campus, <em><a href=\"http:\/\/theconversation.com\/institutions\/pennsylvania-state-university-1258\">Pennsylvania State University<\/a><\/em><\/span><\/p>\n<p>This article was originally published on <a href=\"http:\/\/theconversation.com\">The Conversation<\/a>. Read the <a href=\"https:\/\/theconversation.com\/balancing-cybersecurity-and-academic-freedom-is-a-challenge-on-campus-62392\">original article<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Jungwoo Ryoo, Pennsylvania State University Cybersecurity concerns crop up everywhere you turn lately \u2013 around the election, email services, retailers. And academic institutions haven\u2019t been immune to security breaches either. According to a recent report by VMware, almost all universities (87 percent) in the United Kingdom have been the victims of cyber crime. 
In general, [&hellip;]<\/p>\n","protected":false},"author":43,"featured_media":8464,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[8],"tags":[967,1660,1661,612,1662,687,1659],"_links":{"self":[{"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/posts\/8463"}],"collection":[{"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/users\/43"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/comments?post=8463"}],"version-history":[{"count":1,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/posts\/8463\/revisions"}],"predecessor-version":[{"id":8465,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/posts\/8463\/revisions\/8465"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/media\/8464"}],"wp:attachment":[{"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/media?parent=8463"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/categories?post=8463"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/tags?post=8463"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}