Securing User Experience: A Survey on Information Security Controls in a Higher Education Institution

Information security in education is more important than ever in a digital world. As educational institutions use technology to improve learning, protecting sensitive data is crucial. Over time, information security has become a socio-technical issue, incorporating both technology and human elements. It is also widely believed that insiders with privileged access to the organization’s systems and data are the key information security concern. For instance, bring your own device, which offers users access to the internal network and sensitive data, benefits enterprises but also increases security threats. End users are the most vulnerable aspect of information security, but some researchers believe they are the most important asset in protecting enterprises. As “the first line of defense”, end users must be vigilant and skilled to secure organizations. Thus, organizations must include human factors in security. Despite various security technology studies, end-user factors have been little studied. Therefore, this research evaluates information security controls used by end-users, notably students in an educational setting. A Likert scale-based questionnaire was given to 378 university students as primary data collection. Validated scales and study objectives-related items based on the Center of Internet Security (CIS) Controls, which comprise basic security procedures for hygiene and cyber attack protection, were included in a structured survey questionnaire. Overall, the mean score indicates modest information security control maturity, with several areas having strong procedures but others needing improvement to enhance security. This study, like others, has limitations; for instance, the university’s current network infrastructure and security operations organizational setup were not included because of the risk of external and internal attacks. Disclosing this information could compromise the network infrastructure and other critical servers. Furthermore, the generalizability of this study’s findings may be limited to specific organizational contexts, as various qualities, corporate culture, and technology frameworks might have varying impacts on information security controls. Hence, it is imperative for future research to address these constraints by undertaking cross-industry investigations, integrating additional information security measures, employing a longitudinal study framework, and evaluating controls in the face of increasing cybersecurity risks. Additionally, examining and comparing different organizational environments might provide insights into the aspects that contribute to the efficiency of information security.