Security without risk? Investigating information security among Dutch Universities

Leeden, Kasper (2010) Security without risk? Investigating information security among Dutch Universities.

Abstract:

Research goal

While the University of Twente has a lot of experience with resolving information security incidents, the organisational process of performing information security is relatively new. This thesis set out within this context to investigate the current status of information security at the University of Twente and at other universities in the Netherlands in order to answer the question: “What is the status of information security at the University of Twente and other universities in the Netherlands and how can information security practices at the University of Twente be improved?”

Research setup

This research includes an examination of literature in the field of information security, which revealed that risk management, information security controls, information security incident management, and analysing and acting upon incidents are crucial steps in information security. Using literature as a base, the status of information security at the University of Twente and several other universities in the Netherlands was investigated by means of case studies. The universities chosen for these case studies were the TU Eindhoven, the TU Delft, Wageningen University and Research and the Open University. The universities were deliberately chosen to include universities which show great resemblance to the University of Twente (TU Eindhoven and TU Delft) but also universities which show less resemblance, to account for possible differences.

Conclusions

Based on the literature and the case studies, it was found that:

- none of the investigated universities performs a risk analysis on the subject of information security.
- none of the investigated universities try to quantify the impact of incidents which occur.
- the information security controls at the universities follow best practices in the field of information security.
- individual practices at the different universities show that the best practices for universities have not yet been discovered.
- at most universities, the information security incidents are not investigated in terms of the vulnerability or threat involved, making it very difficult to correctly adjust the information security practices.
- user awareness among all universities is perceived as low.

For the University of Twente it can be concluded that:

- the registration process of incidents is limited by the application in use.
- reporting solely the frequency of incidents does not show where the problems in information security are located.
- some incidents are reported directly to Workstation Support for resolution and are not registered at information security incident management.

Recommendations

In order to improve information security at the University of Twente, clarity is needed on where to focus the information security practices. It is therefore recommended to:

- perform an information security risk analysis at the University of Twente
- investigate incidents in terms of vulnerabilities, threat and impact
- register incidents in one single application instead of two separate ones

Item Type:Essay (Master)
Faculty:BMS: Behavioural, Management and Social Sciences
Subject:85 business administration, organizational science
Programme:Business Information Technology MSc (60025)
Link to this item:http://purl.utwente.nl/essays/60026

 
