Cybersecurity risks in higher education, Part 1: Background, assets, threat events, and threat agents.

Gaute Wangen
Feb 21, 2021

This essay is a short version of the findings from A Systematic Review of Cybersecurity Risks in Higher Education

Master student Joachim Ulven called me in late January 2020. I had never spoken to him before, but he told me that his original plans for his master’s thesis had crashed, and he had heard that there might be an assignment available with the digital security section, where I worked at the time. His call came conveniently, as we were just getting started with our strategic risk assessment of cybersecurity at the university. He agreed to join us and shape his new topic within that task. I co-supervised and worked with Joachim Ulven in the spring semester, and he handed in his thesis in June. He did an excellent job in several respects, but his literature review really impressed me, and I asked him whether we should work together to expand and publish it. He agreed, and our paper was published last month (Jan 2021). The report builds on Joachim’s initial work, using the Comprehensive Literature Review (CLR) method to investigate previous work and synthesize knowledge on the assets, threats, vulnerabilities, and risks commonly found in higher education (HE). We did not intend for the report to turn out as long as it did, but it is fairly comprehensive, as the CLR name implies. Anyway, here is the short version of the findings (please refer to the paper for explanations and citations):

Background

Two important tenets of higher education (HE) are academic freedom and openness, both of which are near-universal across the sector. Academic freedom is defined by Encyclopædia Britannica as “the freedom of teachers and students to teach, study, and pursue knowledge and research without unreasonable interference or restriction from the law, institutional regulations, or public pressure.” Openness, in turn, is commonly characterized by an emphasis on transparency and collaboration. In practice, this means that academics enjoy intellectual freedom, free from the short-term deadlines typical of their industry counterparts. The freedom to pursue and research ideas is limited primarily by the ability to secure funding and resources. Autonomy, individuality, and freedom of choice characterize the HE environment, with few restrictions on collaboration and knowledge dissemination.

In contrast to cybersecurity’s emphasis on secrecy, the academic environment thrives on openness, building on a tradition of trust, information exchange, and discussion. Universities are therefore typically open and inclusive, with few physical perimeters and security controls. HE is also characterized by the yearly enrollment of new students, temporary staff, and visiting researchers. Faculties often operate as autonomous entities and build their own IT networks, designed to support research, development, and teaching activities.

Yet HE institutions are commonly exploited in cybercrime and have suffered several severe incidents over the last ten years, ranging from ransomware and fraud to espionage and abuse of resources. Academic institutions manage large amounts of valuable research and sensitive personal data, which makes them an attractive target for cyber-criminals, espionage, and hacktivists. The threat landscape consists of everything from opportunists seeking financial gain to heavily funded state-sponsored actors intent on stealing trade secrets. Furthermore, the free flow of workforce and the annual rotation of new students, guests, and employees add to the universities’ information security challenges.

Figure 1: The asset, threat, and vulnerability model for information risk.

A commonly accepted model for risk analysis in information security is the asset, threat, and vulnerability model. It is within this frame that we present our results, and hopefully this will provide some direction for future infosec work and research in HE.

The Primary Information Assets in Higher Education

Our results showed that the asset portfolio of the typical university is very diverse. Consider just the kinds of personal data being managed, summarized by Mello from approx. 1150 breach records, as shown in Figure 2.

Figure 2: Overview of breached data record types (y-axis) and percentages (x-axis) from Mello

However, while personal data is perhaps what we worry most about in information security, it is just a small part of the puzzle in HEI. The Queensland University of Technology has made an impressive asset register, which provides an in-depth understanding of the complexity. When we reviewed the literature, we found several common denominators. We did not rank them beyond recording the number of mentions per asset type. The results are summarized in Figure 3; references are found in the original paper. The assets are coupled with the key performance indicators (KPI) identified in the original paper.

Figure 3: Critical information assets in HE

Most sources mentioned student information, financial information, research data, and employee information as critical information assets. Student PII and records are the most frequently mentioned in the literature, together with financial management and sensitive research data. According to FireEye, some universities also have student health centers that store health information; these assets will require extra protection. Other information assets that might be included are learning and teaching information, such as curriculum information, exam information, general corporate finance information, research management data (e.g. resources, business and industry engagement), and government data. Additionally, universities manage infrastructure resources that are interesting to attackers, such as computing power, bandwidth capacity, and hosting.

Threat events

We found few reliable sources for threat event statistics in HE. Synthesizing the results was also a major challenge, because most sources used their own classification schemes: some classifications are very primitive, while others are far more detailed and modern. Figure 4 illustrates the problem well enough. Most of these categories are self-explanatory, but definitions are available in the paper and in the original sources. We did not have the original distribution numbers from Chapman. The figure shows the data sources, the data collection year, and the frequency distribution of threat events from each source. The final row shows the total number of events in each data set.

Figure 4: Threat event statistics from multiple sources with distributions

Despite the differing classifications, it seems clear that Hacking, Malware, and Social engineering attacks are the most frequent threat events in HE. Related threat events, such as Compromised asset and Compromise, also occur frequently. The figure also shows that Error, Misuse, and Unintended disclosure occur frequently in educational institutions. Other threat events, such as Physical loss, Stolen, Insider, and Defacement, are also present in educational institutions but occur in smaller quantities.

The reviewers encouraged us to synthesize the threat event statistics further. As you can see, we made an attempt to categorize the events for further analysis. We left out results that were collected from the same underlying source, as well as the cases where the initial distributions were missing. This left us with a data set of 2984 events. Figure 5 describes the events, their definitions, and their distributions.

Figure 5: The most common threat events for HE in the synthesized dataset.

A quick note here: the dataset from Chapman contains twice as many incidents as our joined dataset. It is not included, since it would heavily bias the results.
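As an added illustration of the synthesis step described above (this is not code from the paper or from the review), the following Python sketch maps each source’s own labels onto one shared taxonomy, drops sources that re-use another source’s data or that lack an initial distribution, and pools the remaining counts into a single frequency table. Every source name, label, year and count below is a constructed placeholder, not a figure from the review.

```python
"""Pool threat-event statistics reported under different classification schemes.

Added example with constructed data; the source names, labels and counts are
placeholders and do not reproduce the numbers in the review.
"""
from collections import Counter

# Constructed input: each source reports counts under its own scheme.
# "derived_from" marks a source that re-publishes another source's data
# (excluded to avoid double counting); counts=None marks a source whose
# original distribution is unavailable (excluded, as with the Chapman
# figures mentioned in the essay).
SOURCES = {
    "source_a": {"year": 2018, "counts": {
        "Hacking": 120, "Malware": 60, "Phishing": 40, "Error": 30}},
    "source_b": {"year": 2019, "counts": {
        "Hacking/IT incident": 200, "Unintended disclosure": 90,
        "Physical loss": 20, "Insider": 10, "Other": 5}},
    "source_b_reprint": {"year": 2020, "derived_from": "source_b", "counts": {
        "Hacking/IT incident": 200, "Unintended disclosure": 90}},
    "source_c": {"year": 2020, "counts": None},
}

# Mapping from each source's label to the synthesized category.
# Labels absent from this table are reported as unmapped rather than
# silently dropped, so the taxonomy can be extended deliberately.
TAXONOMY = {
    "Hacking": "Hacking",
    "Hacking/IT incident": "Hacking",
    "Malware": "Malware",
    "Phishing": "Social engineering",
    "Error": "Error",
    "Unintended disclosure": "Unintended disclosure",
    "Physical loss": "Physical loss",
    "Insider": "Insider",
}


def eligible_sources(sources):
    """Return the source names that may be pooled, in a stable order."""
    keep = []
    for name in sorted(sources):
        entry = sources[name]
        if entry.get("derived_from") in sources:
            continue  # same underlying data as another source
        if entry["counts"] is None:
            continue  # no initial distribution to pool
        keep.append(name)
    return keep


def synthesize(sources, taxonomy):
    """Pool counts across eligible sources; return (totals, unmapped labels)."""
    totals = Counter()
    unmapped = set()
    for name in eligible_sources(sources):
        for label, n in sources[name]["counts"].items():
            category = taxonomy.get(label)
            if category is None:
                unmapped.add(label)
                continue
            totals[category] += n
    return totals, unmapped


def distribution(totals):
    """Percentage share per category, largest first, rounded to one decimal."""
    n = sum(totals.values())
    return {cat: round(100 * count / n, 1) for cat, count in totals.most_common()}


if __name__ == "__main__":
    totals, unmapped = synthesize(SOURCES, TAXONOMY)
    print("pooled events:", sum(totals.values()))
    for cat, pct in distribution(totals).items():
        print(f"{cat:22s} {totals[cat]:5d} {pct:5.1f}%")
    if unmapped:
        print("labels without a taxonomy entry:", sorted(unmapped))
```

The unmapped set is the useful part in practice: when a new source is added, any label that the taxonomy does not yet cover surfaces immediately instead of quietly disappearing from the totals.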

Who targets higher education?

In our review of threat agents, we linked the actors to motivations, intentions, and threat events, as shown in Figure 6. By reviewing the sources, we found a high degree of agreement that the primary threat agents are (i) cyber-crime and enterprise-like criminals, which can be groups or individuals in it for financial gain. This category was mentioned by all the sources that discussed threat agents. (ii) State-sponsored cyber espionage: state-sponsored groups tasked with information gathering and espionage. The latter can also be classified as Advanced Persistent Threats (APT1). Their motivation is to steal classified and valuable information. Additionally, the literature mentioned human errors, such as those causing unintended disclosure (Figure 5). Opportunists are looking for vulnerabilities and other paths to self-assertion. Although the literature did not present many hacktivism examples, the threat is definitely still there for those conducting controversial research. Finally, insiders are a threat in HE, just as in other industries.

Figure 6: Proposed threat model for Higher Education.

Additional threat agents not present in Figure 6, but mentioned in the literature, are:

  • Cyberstalkers looking to exploit HE infrastructure to hide their activity and pursue their victims.
  • Competitors looking to gain an unfair advantage.
  • Students looking to gain an unfair advantage, a threat specific to HEI that should also be considered in various scenarios.

Summary

In this essay, I have gone through our results from reviewing the existing literature on assets, threat events, and threat agents in HE. If you found it interesting, be sure to check out our paper, which has a lot more information. Next up, I will summarize our findings on vulnerabilities and risks.

If you want to cite our findings, the citation is:

Ulven, J.B.; Wangen, G. A Systematic Review of Cybersecurity Risks in Higher Education. Future Internet 2021, 13, 39. https://doi.org/10.3390/fi13020039

Gaute Wangen

Co-founder and inventor at Diri AS. Ph.D. cyber risk management and associate professor in information security. #cybersheriff