Start date: 31 December 9999
End date: 30 September 2002
Funding programme: JISC Organisational Support programme
In the second half of 2000 the JISC Committee for Awareness, Liaison and
Training (JCALT) commissioned a study of the human and organisational
issues associated with network security by South Bank University and the
University of Glasgow. The full report is available as an attachment
at the foot of the page.
Higher Education and Further Education's increasing reliance on
computers and computer networks across a wide range of their activities
means that digital security is of increasing importance. Security can never
be completely watertight, and technical solutions do not offer the whole
answer to protecting the institution or the individual from a breach.
Users' attitudes and behaviour are also critical, but little research
has been conducted into them.
The purpose of the study was to examine user behaviour and attitudes to
computers and computer security with a view to discovering how far these
were congruent with good and safe practice. The study looked at users'
sense of responsibility and what they saw as the greatest and most likely
threats, their attitudes to viruses, policies, backups and passwords. The
study also encompassed some enquiry into attitudes to plagiarism and
software piracy.
The study was conducted primarily through a questionnaire, piloted at the
host institutions, and also applied to groups of users at six 'outer
core' institutions. Some more in-depth interviews were conducted. Two
workshops and a conference were also held, both to gather views and as a
means of disseminating initial results.
Variations were expected between different institutions and different
groups based on their role (e.g. support staff, IT staff, students). But
in the questionnaire responses, significant minorities showed surprising and
often risky attitudes and behaviour. Respondents tended to underestimate the
effect of their actions on others. A few people do get a lot of viruses,
but there was evidence of quite widespread bad practice, and that users do
not fully understand the institutional cost of viruses. Many people seem
not to read policies, and on the whole policies seem to be viewed quite
negatively. Users are confused about backups, recognising their importance
but not consistently making them. Risky password practices are alarmingly
common. Impersonation is underestimated as a risk. Users do not fully
recognise the risks associated with sending confidential information by
email. Although ignorance and uncertainty were quite widespread, users did
seem motivated towards security.
The report reviews some of the possible methods for raising security
awareness. In particular, awareness-raising training sessions and a list of
'ten personal action points' are presented in some detail.
The study found that users do not understand security very well. We
recommend that awareness among senior managers, IT managers and users needs
to be raised. This could in part be accomplished through a senior
management briefing paper, and through conferences and good practice guides for IT
managers. The report recommends further research in the area of security
awareness methods, attitudes to plagiarism and software piracy.