Colleges and universities across the United States have seen data breaches and intellectual property theft rise at a heightened rate over the past several years, partly driven by the historically open nature of academic institutions. An integral step in the first line of defense against various forms of attacks, both in the corporate and academic space, are (written) security policies designed to prescribe the construction and function of a technical system, while simultaneously guiding the actions of individuals operating within such a system. Unfortunately, policy analysis and development in the context of these security policies is an insufficiently discussed topic in many academic communities, with very little research being conducted in this space. Consequently, this work aims to assess the current state of information security policies as it exists within the top 200 universities and colleges in the United States, with the goal of identifying important features and general attributes of these documents, as well as to build a foundation for further research. To summarize high-level results, we find that only 54% of the top 200 universities had publicly accessible information security policies, and the policies that were examined lacked consistency. Additionally, we find that while shorter policies were more difficult to read, that they often contained more information, while longer policies contained significantly less practically relevant content.
Weidman, Jake and Grossklags, Jens, "What's In Your Policy? An Analysis of the Current State of Information Security Policies in Academic Institutions" (2018). Research Papers. 23.