New Approach for Information Security Evaluation and Management of IT Systems in Educational Institutions

doi:10.1007/s12204-020-2231-y

Abstract

Abstract: Security evaluation and management has become increasingly important for Web-based information technology (IT) systems, especially for educational institutions. For the security evaluation and management of IT systems in educational institutions, determining the security level for a single IT system has been well developed. However, it is still difficult to evaluate the information security level of the entire educational institution considering multiple IT systems, because there might be too many different IT systems in one institution, educational institutions can be very different, and there is no standard model or method to provide a justifiable information security evaluation among different educational institutions considering their differences. In light of these difficulties,a security evaluation model of educational institutions’ IT systems (SEMEIS) is proposed in this work to facilitate the information security management for the educational institutions. Firstly, a simplified educational industry information system security level protection rating (EIISSLPR) with a new weight redistribution strategy for a single IT system is proposed by choosing important evaluation questions from EIISSLPR and redistributing the weights of these questions. Then for the entire educational institution, analytic hierarchy process (AHP) is used to redistribute the weights of multiple IT systems at different security levels. Considering the risk of possible network security vulnerabilities, a risk index is formulated by weighting different factors, normalized by a utility function, and calculated with the real data collected from the institutions under the evaluation. Finally,the information security performance of educational institutions is obtained as the final score from SEMEIS. The results show that SEMEIS can evaluate the security level of the education institutions practically and provide an efficient and effective management tool for the information security management.

Key words: information security management| information technology (IT) systems| analytic hierarchy process
(AHP)|educational institution

摘要： Security evaluation and management has become increasingly important for Web-based information technology (IT) systems, especially for educational institutions. For the security evaluation and management of IT systems in educational institutions, determining the security level for a single IT system has been well developed. However, it is still difficult to evaluate the information security level of the entire educational institution considering multiple IT systems, because there might be too many different IT systems in one institution, educational institutions can be very different, and there is no standard model or method to provide a justifiable information security evaluation among different educational institutions considering their differences. In light of these difficulties,a security evaluation model of educational institutions’ IT systems (SEMEIS) is proposed in this work to facilitate the information security management for the educational institutions. Firstly, a simplified educational industry information system security level protection rating (EIISSLPR) with a new weight redistribution strategy for a single IT system is proposed by choosing important evaluation questions from EIISSLPR and redistributing the weights of these questions. Then for the entire educational institution, analytic hierarchy process (AHP) is used to redistribute the weights of multiple IT systems at different security levels. Considering the risk of possible network security vulnerabilities, a risk index is formulated by weighting different factors, normalized by a utility function, and calculated with the real data collected from the institutions under the evaluation. Finally,the information security performance of educational institutions is obtained as the final score from SEMEIS. The results show that SEMEIS can evaluate the security level of the education institutions practically and provide an efficient and effective management tool for the information security management.

关键词: information security management| information technology (IT) systems| analytic hierarchy process
(AHP)|educational institution

CLC Number:

TP 302.7

WANG Mingzheng, WANG Yijie, WANG Tianyu, HOU Linzao, LI Mian . New Approach for Information Security Evaluation and Management of IT Systems in Educational Institutions[J]. J Shanghai Jiaotong Univ Sci, 2020, 25(6): 689-699.

References 20

[1]	WEISH¨AUPL E, YASASIN E, SCHRYEN G. Information security investments: An exploratory multiple case study on decision-making, evaluation and learning [J]. Computers and Security, 2018, 77: 807-823.
[2]	GILLMAN D, LIN Y, MAGGS B, et al. Protecting websites from attack with secure delivery networks [J]. Computer, 2015, 48(4): 26-34.
[3]	RAJAB M. The relevance of social and behavioral models in determining intention to comply with information security policy in higher education environments [D]. Ypsilanti, MI, USA: Eastern Michigan University, 2019.
[4]	KOZLOV O A, RODIONOV D G, GUZIKOVA L A. Information security problems in educational institutions in conditions of network interaction [C]//2018 International Conference on Information Networking (ICOIN ). Chiang Mai, Thailand: IEEE, 2018: 267-269.
[5]	HINA S, DOMINIC P D D. Information security policies' compliance: A perspective for higher education institutions [J]. Journal of Computer Information Systems,2020, 60(3): 201-211.
[6]	ANTHONY R N, GOVINDARAJAN V. Management control systems [M]. 10th ed. Boston, USA: McGraw-Hill/Irwin, 2000.
[7]	CHEN C, ZHOU X. Management [M]. Beijing, China: Tsinghua University Press, 2008 (in Chinese).
[8]	HE X H, CHUN Z Z, ZHAO Z Z. Discussion on security protection framework of classified protection construction[J]. Communications Technology, 2011, 44(12):98-100 (in Chinese).
[9]	Standardization Administration of the People's Republic of China. Information security technology — Baseline for classified protection of information system:GB/T 22239-2008 [S]. Beijing, China: Standards Press of China, 2008 (in Chinese).
[10]	JIANG C Z, ZHANG T, YU Y. Research on information security protection model for smart grid based on classified protection [J]. Computer & Modernization,2012 (4): 12-16 (in Chinese).
[11]	ZENG T. Research on combination evaluation model based on game theory integrated weight method and gray fuzzy theory [D]. Lanzhou, China: Lanzhou University,2018 (in Chinese).
[12]	ZHANG H. Research on information security evaluation system of intelligent energy industrial control system[D]. Beijing, China: North China Electric Power University (Beijing), 2018 (in Chinese).
[13]	WANG X. Quantitative research on Bayesian neural network in information security risk assessment [D]. Guiyang, China: Guizhou University, 2019 (in Chinese).
[14]	AMINI A, JAMIL N, AHMAD A R, et al. A fuzzy logic based risk assessment approach for evaluating and prioritizing risks in cloud computing environment[C]//Proceedings of the 2nd International Conference of Reliable Information and Communication Technology.Cham, Switzerland: Springer, 2017: 650-659.
[15]	BASALLO Y A, SENT′I V E, S′ANCHEZ N M. Artificial intelligence techniques for information security risk assessment [J]. IEEE Latin America Transactions,2018, 16(3): 897-901.
[16]	LIU L Q, WAN P, WU C Z, et al. Research on Yangtze River waterway transportation safety evaluation model based on fuzzy logic theory [C]//Proceedings of the 3rd International Conference on Transportation Information and Safety. Wuhan, China: IEEE, 2015: 732-738.
[17]	SAATY T L. How to make a decision: The analytic hierarchy process [J]. Interfaces, 1994, 24(6): 19-43.
[18]	LIU S L, ZHAO Q H, WEN M X, et al. Assessing the impact of hydroelectric project construction on the ecological integrity of the Nuozhadu Nature Reserve,southwest China [J]. Stochastic Environmental Research and Risk Assessment, 2013, 27(7): 1709-1718.
[19]	CLEMEN R T, REILLY T. Making hard decisions with decision tools [M]. Duxbury, USA: Thomson Learning, 2001.
[20]	GUO J Y, ZHANG Z B, SUN Q Y. Study and applications of analytic hierarchy process [J]. China Safety Science Journal, 2008, 18(5): 148-153 (in Chinese).