Cyber-Risk: Balancing Access, Security and Privacy (Part 2)
Ken Udas | Deputy Vice Chancellor and Chief Information Officer, University of Southern Queensland
In the first instalment of this series, we suggested that the attitudes of many learners in many colleges and universities have shifted from those of a traditional student to those of a student-customer. This is particularly evident when students are engaged in receiving university services. This part of the relationship between the university and the student has become transactional in nature and has been increasingly characterised by—and measured as—a commercial exchange of value.
In these cases, our students frequently expect the convenience, flexibility and reliability they have grown accustomed to from other transaction service providers (like Amazon), while also maintaining some elements of their traditional relationships with the university. This has made it challenging to balance the use of student information as a vital tool to better meet expectations with the need to maintain privacy.
Privacy And Cyber Risk
The topics of private information, privacy and cyber risk are often conflated. Not surprisingly, private information is a target for cyber-crime. After all, people’s personal information has value and is worth stealing. Privacy, on the other hand, is tied to how people behave and how they value their personal information. It is well recognised that privacy for individuals is a negotiable asset, and people will exchange privacy for goods and services of value. In a data-driven, digital world, personal information has become a key economic resource.
One way of viewing cyber risk is as the negative consequence of private data becoming uncontrolled. Being a student is only one component of an individual’s life journey. When a student’s private information, such as a medical condition, failing grades, or disciplinary record becomes uncontrolled—either stolen, accidentally shared or made searchable by hackers for whatever reason—the student may suffer material long-term consequences in other parts of their life now or in the future. It is now commonly recognised that once something is available on the Internet it is there forever.
Even when there are not high financial or reputational risks for learners associated with a privacy breach, we as responsible custodians have an obligation to protect the intellectual property that our learners provide, share and generate during the learning experience. At most universities, students maintain the rights and all of the benefits associated with their intellectual productivity. These products are frequently created and stored in university-managed systems and we have an obligation to allow learners to make decisions about how open they want to be, while managing environments that are both permissive and protected as needed. This need represents a level of due care and personalisation that strikes at the very core purposes of the university as a home conducive to education, production, dissemination of data and information, and the growth of knowledge.
The Nature of the Problem/Challenge
The challenge with responding to cyber security threats is that it becomes an economic problem. Low-cost resources on the criminal side are pitted against individuals’ time, which is expensive and valuable whether the student is protecting themself or institution staff are acting as custodian. The economics are in favour of the criminals. To appropriately mitigate this risk, resources and technology need to be brought to bear.
Combatting/Managing the Risk
University Obligations (Actions)
The university can provide resources in multiple ways, common to resourcing any business problem. It can add people to build and maintain mitigating systems and buy in tools, or partner with external organizations that can bring economies of scale to the problem—for example, distributed support, hosting and cloud services. These need to be cost effective and targeted at the options with a high return on investment, in the full knowledge that in a more polite and considerate society this would be unnecessary.
As cyber threats become more sophisticated, so do response mechanisms, and this cyber arms race is expected to continue. At an individual level, modern sophisticated online tools also have a role to play. For example, when students and teachers log in to their browser, not only do they get shared bookmarks, but an online profile can also be built from their Internet access. This can be used for marketing and presents a privacy risk, but it can also be a powerful tool in protecting our clients from threats. The profile can tell if our students or teachers are trying to log in from two different countries at the same time and alert you or block this. Shared information from millions of consumers can build analytic data in conjunction with cyber security agencies to block malicious websites, or identify when you are sharing potentially sensitive information and alert you to this.
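The two-countries-at-once check described above can be sketched as detection logic over sign-in records. This is an added example, not code from the article or from any product; the log format, account names, country codes and the 10-minute reading of "at the same time" are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in records: ISO timestamp, account, country code.
SAMPLE_LOG = """\
2024-03-04T09:00:12Z student01 AU
2024-03-04T09:03:40Z student01 AU
2024-03-04T09:05:02Z teacher07 AU
2024-03-04T09:06:55Z student01 BR
2024-03-04T13:30:00Z teacher07 NZ
2024-03-04T09:07:10Z student02 AU
"""

WINDOW = timedelta(minutes=10)  # assumed meaning of "at the same time"


def parse(log):
    """Yield (timestamp, account, country) from well-formed lines, skipping others."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        yield ts, parts[1], parts[2].upper()


def concurrent_country_alerts(log, window=WINDOW):
    """Return (account, earlier_country, later_country, later_timestamp) alerts."""
    recent = defaultdict(deque)  # account -> recent (timestamp, country)
    alerts = []
    for ts, account, country in sorted(parse(log)):  # records may arrive out of order
        seen = recent[account]
        while seen and ts - seen[0][0] > window:
            seen.popleft()  # drop sign-ins too old to count as concurrent
        others = {c for _, c in seen if c != country}
        for other in sorted(others):
            alerts.append((account, other, country, ts))
        seen.append((ts, country))
    return alerts
```

On the constructed sample, only student01 is flagged (AU then BR within seven minutes); teacher07's sign-in from NZ more than four hours later falls outside the window and is treated as ordinary travel.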
Student Responsibilities (Behaviors)
The most effective response in terms of cost and impact on an individual level is safe behaviour online. Universities have a remarkable opportunity coupled with a critical responsibility to support the development of digital fluency among our students and establish safe patterns of behaviours as part of our core academic mission. Information and digital fluency built into the academic journey, which leads to cybersecurity awareness skills, benefits students directly and also forms the foundation for the university to more effectively deal with this issue.
To paraphrase an ancient saying (more recently adapted by Christopher Harris): “Filter a website, and you protect a student for a day. Educate students about online safety in the real-world environment, and you protect the student for a lifetime.”
This is where a student’s responsibility and a university’s obligations meet.
The university must effectively deal with cyber security not only because of its traditional sensibilities regarding the well-being of the students in its charge, but also because, according to expectations as a responsible corporate citizen, it must protect the information of its customers. The commercial rationale has been magnified as universities have adopted increasingly more corporate practices, such as actively marketing and competing for students on a large scale, personalising services, and collecting far more data. Combining this new reality for universities with traditionally assumed expectations and responsibilities tied to enriching students’ lives and leading students to new futures will be an ongoing challenge. Providing a protective environment at low cost to the enterprise and the individual is an immediate necessity. Equally, establishing student behaviors and attributes to allow them to engage safely with current and future cyber security challenges is an even greater necessity.
Author Perspective: Administrator