Towards a standard framework for cybersecurity readiness for Nigerian universities

Abstract

niversities rely substantially on digital infrastructure and host vast amounts of data that are of interest to malicious actors.  Thus, they are vulnerable to cyber-attacks, making their protection a significant issue. While technology continues to improve, educational system infrastructures and system security lag behind. However, to ensure the continuous availability of university digital assets, the infrastructure must be prepared to withstand cyber-attacks. The results of research indicate that several models exist for evaluating the readiness of universities for cybersecurity. These models have been established for developed nations with more sophisticated and mature cyber networks, and may not be directly applicable to developing economies like Nigeria. Therefore, the Design Science Research strategy was adapted to develop a framework for assessing cybersecurity readiness in Nigerian universities. Taking into account pre-event, event management, and post-event factors, the concept of Cybersecurity Readiness Tiers (CRT) was developed to compare the cybersecurity readiness of universities. The Cybersecurity Readiness Framework was evaluated using data collected from candidate universities sampled for this study; Principal Component Analysis was carried out on the dataset to reduce the dimension. The Cybersecurity Readiness Index (CRI) scores, along with their respective distributions, indicate that 14 (65%) of the twenty universities fall in T1, while 6 (35%) fall in T2. The grouping was based on their overall cybersecurity readiness, as computed using the mathematical equations of the framework. Thus, it implies universities in T2 have a high level of readiness to resist cybersecurity incidents, while universities in T1 are at a very low level of readiness due to the weak and inconsistent cybersecurity controls implemented. This study suggests that these universities have gaps in event management and post-event capabilities that require attention. Therefore, a holistic web-based Cybersecurity Assessment tool that will incorporate all security and privacy regulations and best practices can be considered for future studies.