An Information Security Analysis of a University: The Case of a Ghanaian University
Information systems in universities are set up to address several requirements, ranging from openness, flexibility, scalability and performance to security and privacy, as well as to support the key role of teaching, learning and research. This paper analyses the information system environment of a Ghanaian university and discusses the state of information security. It discusses the shortfalls and some improvements that may assuage the identified risks. This is descriptive research informed by a pragmatist viewpoint. The study focused on technical and non-technical staff of the university. In all, 180 respondents were stratified into technical and non-technical users. The results indicated that respondents viewed confidentiality as the most important information security objective, followed by integrity and availability. The university assets that respondents viewed as most valuable were student records and research data, as compared to computers and mobile devices. Respondents also indicated that they experienced malware attacks frequently, with very few experiencing unauthorised change of information on systems. It is recommended that there should be regular training programs to create awareness of cyber security threats among stakeholders, especially within a typical Bring Your Own Device (BYOD) environment such as a university. In addition, security policies on antiviruses should be developed, implemented and enforced to ensure protection of sensitive data.