1 THE USE AND SECURITY OF DATA IN THE HIGHER EDUCATION ENVIRONMENT Jacobson-Schulte, Patrick College of Saint Benedict / Saint John's University Schmidt, Mark B. St. Cloud State University Yoshimoto, Gary St. Cloud State University ABSTRACT In a world that is increasingly global and technologically driven, institutions of higher education are faced with levels of customer scarcity that were not present 20 years ago. In an effort to remain highly competitive, higher education institutions need to make strategic decisions in a timely and efficient manner. The strategic use of data in the decision making process allows institutions to remain competitive in areas of enrollment and planning, as well as finance and administration. All the efforts to obtain competitive advantage may be in vein if the university faces major legal ramifications or suffers other consequences due to security breaches. This manuscript outlines the importance of data collection, as well as knowledge management and knowledge management systems. Next, data utilization for higher education institutions in areas of enrollment, financial aid, and strategic financial planning are addressed. Finally, security and analyzing the safe storage and retrieval of vital data, are considered. INTRODUCTION: Higher education institutions face the same decision making cycles that face corporate America. Higher education is often thought to conduct business functions far differently than non-educational entities, due to factors such as the client base, employment factors such as tenure, and their missions. The underlying truth is that higher education faces the same decision making conundrums that other
2 multimillion dollar businesses face. It is easy to get lost in the shuffle of higher education and focus on the curriculum and mission of each independent institution. Unfortunately, these institutions are subject to the same competitive factors that plague the world economy. Attracting students is a key factor to the success of any higher educational institution. Many of the institutions fill their class quotas on a yearly basis, but this result is not achieved by accident. Many of the world s higher educational institutions use data to drive their success. Analyzing enrollment, student composition, financial aid offerings, and room and board are only a few ways these corporate institutions look at the future. In order to be as strategic as possible, higher educational institutions utilize a variety of decision support tools to aid in strategic planning. Colleges Board of Directors are charged with upholding institutional missions, while enhancing the college or university in a competitive industry. Because many of these boards are composed of individuals who function outside higher education, they need to be given information that quickly allows them to assess the situation and come up with logical and informed decisions. This type of data driven information would not be possible without the use of decision support systems. Well informed decision making is critical to the success of colleges and universities that have outside board designation. If the college or university is not data driven, then the board will lean heavily on the President and his/her cabinet for direction. If the cabinets do not have the data required to make educated decisions, then decisions would be made without the appropriate analysis, which could lead to disaster (Palmer 2008). College and universities are not only collecting vital data to aid in their decision making process, but they are also utilizing the data to help potential students (clients) make decisions about their institutions. Data is being leveraged by both internal and external constituent groups about a particular entity. An example of this is the U.S. News and World Report ranking of College and Universities. This document utilizes key data from institutions to rank them in order to aid student (client) decision making when assessing potential schools. Many individuals utilize this data to help make their decisions quickly on the basis of a few key factors. In the past as individuals spent the time visiting college and university campuses to truly get a better understanding of what the institution had to offer (U.S. News 2008). DATA COLLECTION: The data collected in higher education institutions is often funneled through the area of institutional research and planning. Although this functional area can differ across institutions, a specific description is presented. Institutional Research and Planning is responsible for the development and maintenance of data resources to support the strategic planning and policy-making processes (Georgia Tech, 2008). For many institutions, the flow of accurate, timely information assists all levels of management in defining issues, obtaining information, and interpreting results. Data collected includes admission and new entering student data, undergraduate student data, academic and instructional data, alumnae and alumni data, financial and human resource data, and peer comparison data. In most cases, information is presented for multiple years, typically in five- or ten-year increments (McGee, 2008). To help achieve competitive advantage, many institutions utilize their data resources to make informed decisions. The data collected aids in the development of student curriculum, budgetary oversight, and annual giving. By leveraging the information provided, institutions can use a decision support tool to develop what-if scenarios to find out the optimal position. This can lead to enhancements on all levels of the institution. Many colleges and universities are dependent on their net financial revenue, outside of endowment, and need to be strategic in the allocation of funds to receive the best return on investment. Executives would not be able implement or develop funding strategies without the use of computer aided analysis (Mustafa, Goh Omega, 1996).
3 In years past, colleges and universities were faced with potential budget cutbacks due to a lack of student demand (Paulsen 2006 p. 2). Faced with the prospect of reduced enrollment, budget deficit, retrenchment, and institutional closings, many administrators paid more attention to enrollment maintenance, became more responsive to market interests and more aware of the increasingly competitive nature of student recruitment, and began to engage in market-oriented activities intended to attract students (Paulsen 2006 p.4). In the area of enrollment, colleges and universities want to plan and forecast their enrollment more effectively, and they want to influence the college-going decision making process of desired students (Paulsen 2006 p.4). By analyzing their potential pool of clients, they can make informed decisions on who to admit and who to turn away. An institution should expend the necessary effort to attract the students who best fit the institution (Paulsen 2006). Understanding the enrollment effects of such characteristics can help enrollment managers tailor and target their college s marketing mix of programs, price, and places to those students possessing characteristics similar to those who most often matriculate at their college (Paulsen 2006 p.4). Many institutions are tuition driven. If such an institution falls short of its budgeted class size, it would face real-time budget reallocations that could have compounding negative implications. Utilizing the information provided in the area of enrollment and planning helps us to avoid this budget shortfalls and reallocation of funds (McGee, 2008). Financial allocation is a difficult task that requires a vast amount of information and numerous individuals to make strategic decisions. Resource scarcity and efficiency are at the forefront of college and university budget discussions (Palmer, 2008). Gone are the days where accountants made closed door decisions and budgets were set without strategic thought and comment from all vested parties (Palmer, 2008). Information flow is vital to key budget development and resource allocation (Fandel, 2001). Data collection at the college and university level extends beyond the institutional research office. Data is being collected in all areas to aid in the development of strategic decisions. College and university business offices are no exception. Data collection on student financial patterns, as well as departmental spending patterns allows institutions to assess their budgetary constraints (Braunstein et al. 1999). UTILIZING DATA DRIVEN DECISIONS In addition to the prediction of enrollment cohorts, colleges and universities need to utilize decision support systems to aid them in the development of their pricing position. Admission tutors are in charge of a product whose market has to be understood; product price has to be set at the correct level; they need to know who their competitors are, how successful these competitors are, and what policies and pricing strategies are being followed by these competitors (Molinero, Qing, 1990, p. 222). Because numerous variables influence the pricing position on a yearly basis, key individuals need to be able to take these variables into consideration when developing a pricing strategy. Failure to utilize key variables appropriately could cause an institution to be priced outside of their competitive market position, which could have severe financial implications. By utilizing decision support tools to control key variables, colleges and universities can make highly educated estimations based on past and present knowledge (Bontrager, 2004). Higher education institutions are faced with a number of variable components that factor into their decision making process on a yearly basis. Due to the fact that institutions do not know with any certainty how many students they will be able to enroll in the next year, they need to utilize the tools and data available to assist them in estimating their future position (Bontrager, 2004). In the process of student selection, it is not only important to know the targeted number of students each institution wants to attract, but to analyze the type of student they would like to attract. Both of these key enrollment variables can be obtained through the use of decision support tools. By utilizing predictive modeling, institutions
4 can leverage future positions on past year s actual data. This can allow institutions to get a sound estimate of what the future may hold for them. Institutions can use characteristics of students who have chosen an institution in the past to predict which prospective students will enroll in the future (Bontrager, 2004, p. 11). The admissions process has become much more fluid and unpredictable due to the sophistication of applicants who are likely to research and apply to multiple institutions over varying time periods (Maltz, Murphy, Hand, 2007, p. 111). After an institution knows its enrollment target and pricing position, it can begin to construct its financial aid position. Through the use of decisions support strategies, enrollment and financial aid managers are able to input applicant student data into their support tool to assess the discount package that would apply to each student. Financial aid packages are awarded in various amounts on a per student basis. If we enroll 2000 students, we will have 2000 different prices (McGee, 2008). Utilizing a matrix of past and present student financial data allows enrollment and financial aid managers to make allocation decisions based on the dollars available for distribution (Gaither, Dukes, Swanson, 1981; Maltz, Murphy, Hand, 2007; Pope, Evans, 1985). Higher education institutions are faced with resource scarcity on a yearly basis. The process of resource allocation is fundamental to their strategic function. Many colleges and universities are caught in a cycle of adding new initiatives, but they never really assess what they should not be doing (Palmer, 2008). Through the utilization of decision support systems, many colleges and university are relying on technology to help them sort through their resource allocations. By bringing data together, institutions can assess the return on investment of each key component and assess the future allocation based on their return on investment (Kwak, Lee, 1997). Decision support tools also allow college and university business offices to apply a weighted average structure that aids in the distribution of additional funds. If a college or university has increased enrollment, they will find themselves with additional net tuition revenue. By utilizing a decision support tool, Chief Financial Officers (CFOs) can quickly assess the best use of those resources to accomplish strategic goals. Without the use of a decision support tool, many CFOs would not know the most cost effective use of those additional resources and may apply them elsewhere. Improper allocation of funds could cause future resource constraints as costs compound in future years (Fandel, Gal, 1999). Financial resource allocation is a fundamental factor in the success of any college or university. Through the use of decision support tools, college and university business offices are able to develop highly informed decisions that influence the strategic position of all parties involved. KNOWLEDGE MANAGEMENT AND DATA SECURITY Both corporations and educational institutions alike are increasingly reliant on computer based information systems in order to increase efficiency and effectiveness. Paradoxically, this increased use of and reliance on information systems has lead to increased incidents of computer abuse (see Dhillon & Backhouse, 2000). As evidence of this computer abuse, the most recent CSI/FBI report, which was based on feedback from 522 computer security practitioners, and represents a diverse slice of corporate America, found that 43% of the respondents reported some form of malicious attack within the past year. This figure is down from 46% the previous year (Richardson, 2008).
5 Yet another metric that attempts to enumerate the number of attacks comes from idefense. They report monitoring more than 27,000 attacks last year, of which more than half were designed to covertly steal information or take over computers (Brenner, 2005). Unfortunely, the under reporting of computer attacks is prevalent for many reasons, and most of these reasons center on a desire to avoid negative press. Given the corporate world s propensity to under report, other efforts and strategies are needed to examine threats and continue to raise awareness of these threats. However, much effort is being made at both the state and federal level to develop notification laws which require people to be informed when their personal information is compromised. Due to today s reliance on computer networks and the Internet, more attention is being given to security issues that affect computer networks and the Internet. This coverage can be observed both in the popular press as well as academic literature. Many journals include security articles or have special issues devoted to security and malware. As an example, the August 2005, Communications of the ACM was devoted to spyware (Stafford, 2005). As technology advances, the collection of data is becoming easier for all institutions. Colleges and universities are faced with threats to data both internally and externally. As a result, The ability to manage data securely is a very important topic of discussion. According to Securing Data 101 featured in the January/February issue of The Information Management Journal, In August 2007, a flash drive containing more than 7,000 student names, Social Security numbers and dates of attendance was stolen from a desk at a College of Applied Science (Securing Data 101, 2008). College and University data security has become a target for many information thieves. According to Privacy Rights Clearinghouse, U.S. universities suffered more than 50 of the 300-plus data braches that occurred in 2006 (ID Thieves Targeting Universities, 2007, p. 7). Because colleges and universities host enormous amounts of student driven data, as well as alumni data, they have become increasingly attractive to information thieves. Data breaches at this level are of particular concern as the university data typically includes personal and highly sensitive data such as social security numbers. As a result of these increased threats, managers and academics have recently become more aware of the need for better management of organizational knowledge (Alvari and Leidner, 2001, p.107). Organizations should regard data as their greatest asset and invest in data management accordingly (Swartz, 2007, p. 28). Data management is a vital task that every business needs to take seriously as the threat to information is increasing. Further, due to new notification laws, universities may face an unprecedented level of bad press should a breach occur. Alvari and Leidner also emphasize that there are three general conclusions to knowledge management. There is no single approach to the development of knowledge management systems, knowledge management is a dynamic, continuous organizational phenomenon of interdependent processes, and information technology can be used to extend knowledge management beyond storage and retrieval (Alvari, Leidner, 2001, p.107). In the process of developing a data management system, it is important for institutions to understand what they desire from their system. Retrieval of data is easy, but retrieval of information is a more difficult task. Additionally, there needs to be a appropriate level of security in order to safeguard the data. Institutions need to have involvement in the development process from all parties involved (Hartono, Santhanam, Holsapple, 2006). User participation in the development and deployment of a management support system not only helps shape the system to address users needs and desires, it also fosters a buy in by those in the organization who will be using the system (Hartono, Santhanam, Holsapple, 2006, p. 262). When analyzing information threats, there are a number of critical threats to institutional data. Risks can vary from human errors, system failures or natural disaster. The most common source of threat to
6 records is people (Lee, Chung, 2008, p. 39). As Lee and Chung point out in Building a Framework to Measure and Minimize Information Risks, human error is a high risk factor in the management and security of data. Institutions need to be aware of all threat factors when developing and implementing a data management system (Lee, Chung, 2008). The process of data management is one that can be time consuming and expensive. Institutions need to be prepared to address all fiscal factors that extend beyond the development of a management system (Bodin, Gordon, Loeb, 2008). Managing the risk associated with potential breaches is an integral part of resource-allocation decisions associated with information security activities (Bodin, Gordon, Loeb, 2008, p. 64). Given the paramount nature of security concerns in many industries and organizations, there is a need to increase understanding of security concerns (Goodhue and Straub, 1989: Whitman, 2003). Institutions need to be prepared to analyze their information management system and develop the necessary assessments of data risk to be able to combat possible infiltration (Lee, Chung, 2008). In Information Security and Risk Management, Boden stated, Anyone responsible for information security must be able to manage risk. Information technology managers need to analyze the process of assessing information security (Bodin, Gordon, Loeb, 2008). In order to fully understand area threats institutions can apply a weighting factor that would allow them to determine the threat of data security (Bodin, Gordon, Loeb, 2008). Based on this measure, the larger the expected loss, the larger would be the risk associated with a breach of information (Bodin, Gordon, Loeb, 2008, p. 64). If institutions fail to take these precautions, they place their institution s vital information at risk. Developing appropriate data risk assessment will allow institutions to learn how to prevent data loss (Lee, Chung, 2008) (Yue, Çakanyıldırım, Ryu, Young, Liu, 2007). With advancements in technology, many institutions are moving in the direction of wireless connectivity for ease and convenience. According to Alfred Loo in The Myths and Truths of Wireless Security, when it comes to wireless, many users believe that their doors are at least locked, the truth of wireless communication is the doors are not even closed, they are actually wide open (Loo, 2008, p. 68). As institutions transfer information via a wireless connection, they are putting the institution at risk. A demand for efficient flow of data has lead to many new establishments in technology, but the processes utilized open the door for information security threats (Loo, 2008). It is up to the institutions to educate their employees on responsible use of information. Education in the areas of risk and risk management, as well as the security features available at their institution to prevent numerous threats in vital in data security (Loo, 2008). Wireless access points create a point of differentiation for customers in industries such as hospitality and service (Schmidt, Johnston, & Arnett, 2004). Further, the presence of wireless access points can create a competitive environment if they are deployed by certain competitors in an industry. For instance, if a particular university in a given market offers wireless access while other universities in that same market do not, the university that has wireless may advertise their relative level of connectivity and capitalize on the fact that they are a wired or a connected but wireless campus. Wireless networks are in many cases, complementary to existing wired networks. As the level of connectivity is often a factor in the best colleges and universities polls, those campuses offering wireless access may have a competitive advantage over those that do not. For instance, the University of Notre Dame asserts they have earned the distinction of making the America s 100 Most Wired Colleges list for the last three years (University of Notre Dame, 2005). Many colleges are now considering wireless networks to not only provide a point of differentiation but also to reduce the overall costs of providing campus wide connectivity. In doing so, the universities need to put the security of their data at the forefront of their efforts.
7 CONCLUSION: With advancements in technology, data collection and storage capacity have increased significantly. Because institutions want to remain competitive and maintain any competitive advantage they may obtain, colleges and universities collect more data than maybe required on their customers (students). Since colleges and universities obtain this highly sensitive information database, they need to employ appropriate information management techniques to make certain that the data that they retain will remain secure regardless where the data is stored and weather the data is transmitted via a wired or wireless network. Resource allocation will play a key role in keeping the retained data safe. Advancements in information technology demand colleges and universities to stay at the cutting edge of development. If a college or university does not heed these guidelines, it puts its data and its institution at risk. The utilization of the data collected allows many of the strategic management areas of colleges and universities to make educated decisions based on a historical perspective. Utilizing decision supports systems in the area of enrollment, financial aid, and finance gives colleges and universities the ability to make key strategic decisions in a timely manner with ease and sophistication. The development of such tools can be time and resource consuming, but the results of such developments give colleges and universities a very positive return on their investment. Making strategic decisions by utilizing data allows higher education institutions to assess past, present, and future variables to outline its strategic position and goals. This has proven successful as we witness institutions operating in a very competitive marketplace. With resource constraints influencing the decision making bodies, higher educational institutions would not be able to accurately estimate future positions without the strategic use of decision support tools. Leveraging data to make informed decisions is essential to any modern day business practice. Higher education institutions are no exception and will continue to employ data driven decision support techniques. Based on her interview with Ian Dobson, Security Director of the Open Group Consortium, Dudman (2004) found one of the most prevalent challenges for IT directors is the rate of business change which then leads to IT infrastructure change. In some cases, the change is so frantic that it is out of control (Dudman, 2004, p. 3). Dobson adds that wireless networks are a major source of the security problems, people are blasting holes in the firewall to let in legitimate traffic without realizing their potential vulnerability (Dudman, 2004, p. 3). Schmidt & Arnett (2005) found that students perceived their contemporaries were less informed about and less prepared to deal with various security issues. Other research finds that users often have an optimistic cognitive bias when comparing their level of vulnerability to security threats to others vulnerability to the same threats (Rhee, Ryn, & Kim, 2005). Similar to the aforementioned findings, it is possible that universities will view themselves as more prepared than they view their competitors. The sense of hubris can lead to increased vulnerability and should be avoided at all costs.
8 REFERENCES Alavi, M.; Leidner, D.E. (2001). Review: knowledge management and knowledge management systems: Conceptual Foundations and Research Issues; MS Quarterly; Vol. 25 Issue 1, p , 30p. Bodin, L., Gordon, L., & Loeb, M. (2008, April). Information Security and Risk Management. Communications of the ACM, 51(4), Retrieved September 19, 2008, doi: / Bontrager, B. (2004). Strategic enrollment management: core strategies and best practices; College and University Journal; Vol. 79 Issue 4, p9-16, 8p. Braunstein, A.; McGrath, M.; Pescatrice, D. (1999). Measuring the impact of income and financial aid offers on college enrollment decisions; Research in Higher Education; Vol. 40 Issue 3, p , 13p. Brenner, B. (2005). Botnets are more menacing than ever. Retrieved September, 2005, from Dudman, J. (2004, November, 9). Manning the Breaches. Computer Weekly, Dhillon, G., & Backhouse, J. (2000). Information System Security Management in the New Millennium. Communications of the ACM, 43(7), Fandel, G.; Gal, T. (2001). Redistribution of funds for teaching and research among universities: The case of North Rhine - Westphalia; European Journal of Operational Research; Vol. 130, p , 10p. Gaither, G.H., Dukes, F.O., Swanson, J.R., (1981). Enrollment forecasting: use of a multiplemethod model for planning and budgeting, Decisions Sciences 12 (2) Georgia Tech. Retrieved September 11, 2008, from Goodhue, D. L., & Straub, D. W. (1989). Security Concerns of System Users: A Proposed Study of User Perceptions of the Adequacy of Security Measures. Paper presented at the Proceedings of the Twenty-Second Annual Hawaii International Conference on System Science (HICSS), Kailua-Kona, HI. Hartono, E., Santhanam, R., Holsapple, C.W. (2007). Factors that contribute to management support systems success: an analysis of field studies, Decision Support Systems 43 (1) (2007) ID Thieves Targeting Universities. (2007, March). Information Management Journal, Retrieved September 19, 2008, from Academic Search Premier database. Kwak, N.K.; Changwon, L. (1998). A multicriteria decision making approach to university resource allocations and information infrastructure planning; European Journal of Operational Research; 1998 Vol. 110 Issue 2, p , 9p. Lee, S., & Chung, H. (2008, May). Building a Framework to Measure and Minimize Information
9 Risks. Information Management Journal, 42(3), Retrieved September 19, 2008, from Academic Search Premier database. Loo, A. (2008, February). The Myths and Truths of Wireless Security. Communications of the ACM, 51(2), Maltz, Elliot N., Murphy, Kenneth E., Hand, Michael L. (2007, March). Decision Support for University Enrolment Management: Implementation and Experience. Decision Support Systems, 44, McGee, Jon. Vice President of Enrollment, Planning and Public Affairs College of Saint Benedict/Saint John s University. Personal Interview. September 12, Molinero, C.A.; Qing, M. (1990). Decision support systems for university undergraduate admissions; Journal of the Operational Research Society; 1990 Vol. 41 Issue 3, p , 10p. Mustafa, A.; Goh Omega, M. (1996). Multi-criterion models for higher education administration; 1996 Vol. 24 Issue 2, p , 12p. Palmer, Susan. Vice President of Finance College of Saint Benedict. Personal Interview. September 15, Paulsen, M.B. (2006). College choice: understanding student enrollment behavior; Higher Education Report No. 6, George Washington University, School of Education and Human Development, Washington, DC; Pope, J.A.; Evans J.P. (1985). A forecasting system for college admissions; College and University Journal; 1985 Vol. 60, p , 19p. Rhee, H.-S., Ryu, Y., & Kim, C.-T. (2005). I Am Fine but You Are Not: Optimistic Bias and Illusion of Control on Information Security. Paper presented at the Twenty-Sixth International Conference on Information Systems, Las Vegas, NV. Richardson, R. (2008) CSI/FBI Computer Crime and Security Survey. Schmidt, M. B., & Arnett, K. P. (2005). Spyware: A Little Knowledge is a Wonderful Thing. Communications of the ACM, 48(8). Schmidt, M. B., Johnston, A. C., & Arnett, K. P. (2004, August ). Wireless Network Security in Hospitality SMEs. Paper presented at the Americas Conference on Information Systems (AMCIS), New York, NY. Stafford, T. F. (2005). Spyware. Communications of the ACM, 48(8), Swartz, N. (2007, September). Data Management Problems Widespread. Information Management Journal, 41(5), Securing Data 101. (2008, January). Information Management Journal, Retrieved September 19, University of Notre Dame. (2005). Indicators of Excellence. Retrieved November, 21, 2008,
10 from U.S. News and World. Report Retrieved September 12, 2008 from Whitman, M. E. (2003). Enemy at the Gate: Threats to Information Security. Communications of the ACM, 46(8), Yue, Wei T.; Çakanyıldırım, Metin; Ryu, Young U.; Liu, Dengpan. (2007). Network externalities, layered protection and IT security risk management. Decision Support Systems, Nov2007, Vol. 44 Issue 1, p1-16.