Study: Increased training, enforced policies could reduce computer incidents
By Jared Wadley
Computer incidents involving accidental or intentional damage to resources, services or data could be reduced significantly on campuses with strictly enforced policies and proactive efforts to educate users—especially students and information technology staff—a national study conducted by U-M indicates.
The Computer Incident Factor Analysis and Categorization (CIFAC) Project is the first known national study that used actual data from 319 incidents at 36 colleges to look at the prevention and management of computer incidents.
“The results repeatedly showed the importance of having policies, training and automated controls for preventing incidents within these environments,” said project director Virginia Rezmierski.
Rezmierski, an adjunct associate professor at the Gerald R. Ford School of Public Policy and School of Information, said incidents are not limited to computer hacking; they include making fake identification cards, improperly using copyrighted materials or installing computer viruses.
Many universities nationwide spend millions of dollars annually to correct computer incidents. CIFAC, which was funded by the National Science Foundation, invited university representatives to learn more about the factors related to cause and to share successful practices in preventing and managing incidents.
The study examined computer incidents in detail and discovered many factors related to the occurrence of particular problems. Respondents looked at approximately 80 variables regarding the cause, severity and focus of each incident, what was needed to prevent it, and what led to action. The schools recommended best practices to prevent, mitigate and manage the incident.
In 40 percent of the situations, Rezmierski said, institutions did not have procedures in place to correct the problems or existing procedures were considered inadequate.
“I expected to hear that unauthorized external intrusions topped the list of incidents, but this was not the case,” she said. “Three of the four factors related to cause were about people within the community—their lack of training, their mistakes due to inadequate procedures, or their lack of education about policies and standards. These factors can and must be addressed.”
The involvement of people in different institutional roles to handle incidents was relatively well-established with the exception of auditors and risk managers, where only 24 percent and 20 percent, respectively, responded to reported incidents.
Respondents said more education, job performance and technology use requirements, and knowledge prior to use of systems were important in preventing accidental behaviors of non-IT staff and students. More education, training and procedural requirements were considered critical to prevent IT staff incidents associated with accidental or careless behaviors.
Other project conclusions:
• The basis for networked environments was not adequately set prior to technological launch. Rules and policies, education and training were not in place.
• There is a fragmentation of response to incidents. This appears to decrease as interdisciplinary teams work together, especially with risk managers and auditors.
• Control of networks needs to be re-established to manage resources. This seems to be happening as quarantine zones (areas in which machines are separated from the campus network until they can be inoculated and cleaned before reconnection), automated access control tools, and enforced configuration requirements are implemented.
Paul Howell, chief information technology security officer, said University officials understand the importance of IT security, and he agreed with Rezmierski’s conclusion of the need for policy and procedures on campuses.
U-M has created an IT security services central office that coordinates efforts to minimize disruptions of technical incidents, he said.