Assessing the current state of information security policies in academic organizations

Colleges and universities across the USA have seen data breaches and intellectual property theft rise at a heightened rate over the past several years. An integral step in the first line of defense against various forms of attacks are (written) security policies designed to prescribe the construction and function of a technical system, while simultaneously guiding the actions of individuals operating within said system. Unfortunately, policy analysis is an insufficiently discussed topic in many academic communities with very little research being conducted in this space.

This work aims to assess the current state of information security policies by analyzing in-use policies from 200 universities and colleges in the USA with the goal of identifying important features and general attributes of these documents. The authors accomplish this through a series of analyzes designed to examine the language and construction of these policies.

To summarize high-level results, the authors found that only 54 per cent of the top 200 universities had publicly accessible information security policies, and the policies that were examined lacked consistency with little shared source material. The authors also found that the tonal makeup of these policies lacked a great deal of emotion, but contained a high amount of tentative or ambiguous language leading toward policies that could be viewed as “unclear.”

This work is an extension of a paper that was presented at ECIS 2018. The authors have added additional analyzes including a cross-policy content and tonal analysis to strengthen the findings and implications of this work for the wider research audience.