Colleges and universities across the United States have seen data breaches and intellectual property theft rise at a heightened rate over the past several years, partly driven by the historically open nature of academic institutions. An integral part of the first line of defense against various forms of attack, in both the corporate and academic space, is the set of (written) security policies designed to prescribe the construction and function of a technical system while simultaneously guiding the actions of individuals operating within such a system. Unfortunately, policy analysis and development in the context of these security policies is an insufficiently discussed topic in many academic communities, with very little research being conducted in this space. Consequently, this work aims to assess the current state of information security policies as they exist within the top 200 universities and colleges in the United States, with the goal of identifying important features and general attributes of these documents, as well as building a foundation for further research. To summarize high-level results, we find that only 54% of the top 200 universities had publicly accessible information security policies, and the policies that were examined lacked consistency. Additionally, we find that while shorter policies were more difficult to read, they often contained more information, whereas longer policies contained significantly less practically relevant content.


