J Shanghai Jiaotong Univ Sci ›› 2020, Vol. 25 ›› Issue (6): 689-699.doi: 10.1007/s12204-020-2231-y

Previous Articles     Next Articles

New Approach for Information Security Evaluation and Management of IT Systems in Educational Institutions

New Approach for Information Security Evaluation and Management of IT Systems in Educational Institutions

WANG Mingzheng (王明政), WANG Yijie (王毅杰), WANG Tianyu (王天予), HOU Linzao (侯林早), LI Mian (李冕)    

  1. (1. Information Center of Shanghai Municipal Education Commission, Shanghai 200003, China; 2. University of
    Michigan - Shanghai Jiao Tong University Joint Institute, Shanghai Jiao Tong University, Shanghai 200240, China)
  2. (1. Information Center of Shanghai Municipal Education Commission, Shanghai 200003, China; 2. University of
    Michigan - Shanghai Jiao Tong University Joint Institute, Shanghai Jiao Tong University, Shanghai 200240, China)
  • Online:2020-12-28 Published:2020-11-26
  • Contact: LI Mian (李冕) E-mail:mianli@sjtu.edu.cn
  • About author:

Abstract: Security evaluation and management has become increasingly important for Web-based information technology (IT) systems, especially for educational institutions. For the security evaluation and management of IT systems in educational institutions, determining the security level for a single IT system has been well developed. However, it is still difficult to evaluate the information security level of the entire educational institution considering multiple IT systems, because there might be too many different IT systems in one institution, educational institutions can be very different, and there is no standard model or method to provide a justifiable information security evaluation among different educational institutions considering their differences. In light of these difficulties,a security evaluation model of educational institutions’ IT systems (SEMEIS) is proposed in this work to facilitate the information security management for the educational institutions. Firstly, a simplified educational industry information system security level protection rating (EIISSLPR) with a new weight redistribution strategy for a single IT system is proposed by choosing important evaluation questions from EIISSLPR and redistributing the weights of these questions. Then for the entire educational institution, analytic hierarchy process (AHP) is used to redistribute the weights of multiple IT systems at different security levels. Considering the risk of possible network security vulnerabilities, a risk index is formulated by weighting different factors, normalized by a utility function, and calculated with the real data collected from the institutions under the evaluation. Finally,the information security performance of educational institutions is obtained as the final score from SEMEIS. The results show that SEMEIS can evaluate the security level of the education institutions practically and provide an efficient and effective management tool for the information security management.


Key words: information security management| information technology (IT) systems| analytic hierarchy process
(AHP)|educational institution

摘要: Security evaluation and management has become increasingly important for Web-based information technology (IT) systems, especially for educational institutions. For the security evaluation and management of IT systems in educational institutions, determining the security level for a single IT system has been well developed. However, it is still difficult to evaluate the information security level of the entire educational institution considering multiple IT systems, because there might be too many different IT systems in one institution, educational institutions can be very different, and there is no standard model or method to provide a justifiable information security evaluation among different educational institutions considering their differences. In light of these difficulties,a security evaluation model of educational institutions’ IT systems (SEMEIS) is proposed in this work to facilitate the information security management for the educational institutions. Firstly, a simplified educational industry information system security level protection rating (EIISSLPR) with a new weight redistribution strategy for a single IT system is proposed by choosing important evaluation questions from EIISSLPR and redistributing the weights of these questions. Then for the entire educational institution, analytic hierarchy process (AHP) is used to redistribute the weights of multiple IT systems at different security levels. Considering the risk of possible network security vulnerabilities, a risk index is formulated by weighting different factors, normalized by a utility function, and calculated with the real data collected from the institutions under the evaluation. Finally,the information security performance of educational institutions is obtained as the final score from SEMEIS. The results show that SEMEIS can evaluate the security level of the education institutions practically and provide an efficient and effective management tool for the information security management.


关键词: information security management| information technology (IT) systems| analytic hierarchy process
(AHP)|educational institution

CLC Number: