Review
Peer-Review Record

A Systematic Review of Cybersecurity Risks in Higher Education

Future Internet 2021, 13(2), 39; https://doi.org/10.3390/fi13020039
by Joachim Bjørge Ulven † and Gaute Wangen *,†
Reviewer 1: Anonymous
Reviewer 2: Anonymous
Reviewer 3: Anonymous
Submission received: 27 November 2020 / Revised: 26 January 2021 / Accepted: 28 January 2021 / Published: 2 February 2021
(This article belongs to the Special Issue Feature Papers for Future Internet—Cybersecurity Section)

Round 1

Reviewer 1 Report

The paper is very well written. Authors have highlighted the challenges and explored the security aspect very well. It is interesting to see how the authors have summarized the cyber threats. It would have been great if the authors could highlight more on the countermeasures part. 

 

This reviewer is interested to see if the authors could add some discussion on the following topics:

  1. The role of security awareness towards the resiliency against HE cyber attacks.
  2. How to enhance security awareness to mitigate the issue?
  3. And, What are the possible strategies?

Overall, a very well written informative paper.

 

Author Response

Dear reviewer 1,

 

Thank you for your kind feedback. We tried to avoid countermeasures in the first version because the paper was already overly long and to restrict the scope. We have added some discussion of countermeasures according to your recommendation, but we do not dig deep into these issues seeing that the paper is already very long.

We have made major revisions on readability, restricted the literature review scope, and added more citations since last version.

Hope these changes are to your liking.

 

Best regards,

Joachim Ulven and Gaute Wangen

 

1

(It would have been great if the authors could highlight more on the countermeasures part. )
This reviewer is interested to see if the authors could add some discussion on the following topics

Add discussion on countermeasures into section 9, Cyberrisks in HE

9

We have added some discussion of cybersecurity awareness issues in the cyberrisk and future work sections.

2

1. The role of security awareness towards the resiliency against HE cyber attacks.

Discuss security awareness

9

We have added some superficial discussion of countermeasures.

3

2. How to enhance security awareness to mitigate the issue?

Enhancing security awareness

9

 

4

3. And, What are the possible strategies?

Possible approaches

9

We have added some suggestions in the future work and limitations discussion.

1

In this paper, a review on the cybersecurity risks in higher education is presented. The paper adopts a literature review model to summarize the research on assets, threat, vulnerabilities, and cybersecurity risk. Overall, the idea of the paper is very interesting. However, the organization of the paper needs improvement.

We have worked on the organization of the paper

 

Have re-written the asset and threat agent parts of the paper to improve the readability. Hopefully, this change will clarify the answers to the research questions.

Author Response File: Author Response.pdf

Reviewer 2 Report

In this paper, a review on the cybersecurity risks in higher education is presented. The paper adopts a literature review model to summarize the research on assets, threat, vulnerabilities, and cybersecurity risk. Overall, the idea of the paper is very interesting. However, the organization of the paper needs improvement.  

 

To be considered for publishing, the following aspects should be addressed:

  • The authors proposed to systematically analyze the cybersecurity risks, however, there is a lot of discussions on assets, threats which are not closely related to cybersecurity risks. It is suggested to improve the organization of the paper to better serve the topic.
  • The answers to the five research questions need more thorough discussion by incorporating your investigation results. For example, two research questions are answered by Table 7, and Figure 3. However, Table 3 are the results from Verizon, and Figure 3 is data from a website Hackmageddon.com.
  • Section 3, Method. It is suggested to add a diagram or table showing the relations between seven steps and three main phases. It is not very clear to the readers.
  • Section 4, line 183, you mentioned you reviewed 82 different literature. I suggest you should cite them in your paper. The total number of references is only 42, which is too little for a typical survey paper. You should increase the number of references.
  • Section 4, line 184, you mentioned that you include 19 MODES. In Table 1, there are only 14 MODES. Please check this.
  • Section 5, Assets in HE. It is suggested that authors should only discuss the higher education assets which are the target of the cybersecurity attacks. The section 5.1.1 should be expanded, and other sections are related to the focus of this paper.
  • Figure 3 only lists the data in two years which is not sufficient to answer the research question “which are the most frequent threat events in HE?” The source of the data is from a website. Why do you choose this website? Does any other website provide similar data?
  • The primary finding of this research is not clear to me. The authors claimed in the abstract that the primary finding is “empirical research on cybersecurity risk in higher education is scarce and there are large gaps in the literature”, which does not advance the current research and shows very limited novelty and societal impact.
  • Several typos below:
    • Page 1, Line 1, “The demands for secure …” -> “The demands for securing…”
    • Page 2, Line 67, “The findings of this also article require” -> “The findings of this article also require”
    • Page 3, Line 115, “with the purpose of explore ….” -> “With the purpose of exploring…”
    • Page 4, Line 138-139, “we also chose to reviewed ….”-> “ we also chose to review..”
    • Page 4, Line 155, “ studies published before year 2000” -> “studies published after year 2000”
    • Page 6, Line 239-240 “on a dataset and is lacking lacks…” -> “on a dataset and is lacking…”

Author Response

Dear reviewer 2,

Thank you for your kind and comprehensive feedback.

We have made major revisions on readability and organization, restricted the literature review scope, and added more citations since last version. See the table below for detailed responses to your comments.

Hope these changes are to your liking.

 

Best regards,

Joachim Ulven and Gaute Wangen

 

1

In this paper, a review on the cybersecurity risks in higher education is presented. The paper adopts a literature review model to summarize the research on assets, threat, vulnerabilities, and cybersecurity risk. Overall, the idea of the paper is very interesting. However, the organization of the paper needs improvement.

We have worked on the organization of the paper

 

Have re-written the asset and threat agent parts of the paper to improve the readability. Hopefully, this change will clarify the answers to the research questions.

2

The authors proposed to systematically analyze the cybersecurity risks, however, there is a lot of discussions on assets, threats which are not closely related to cybersecurity risks. It is suggested to improve the organization of the paper to better serve the topic.

Tighten the discussion on assets and threats and make it more relevant to the topic

5 and 6

Have tightened this discussion.

3

The answers to the five research questions need more thorough discussion by incorporating your investigation results. For example, two research questions are answered by Table 7, and Figure 3. However, Table 3 are the results from Verizon, and Figure 3 is data from a website Hackmageddon.com.

We should clarify that the summarized results of this research question are in Table 8.

 

We have clarified these results throughout the paper. We experimented with an additional discussion of the findings, but the paper is already overly long.

4

Section 3, Method. It is suggested to add a diagram or table showing the relations between seven steps and three main phases. It is not very clear to the readers.

A table of the CLR seven-step model is added

3

Table added.

5

Section 4, line 183, you mentioned you reviewed 82 different literature. I suggest you should cite them in your paper. The total number of references is only 42, which is too little for a typical survey paper. You should increase the number of references.

While we agree with this sentiment, that there are few references for this review article, this is also one of our key findings. We will go through the literature again to see if anything can be added.

4

All reviewed articles are included in a new previous work section 2.3

6

Section 4, line 184, you mentioned that you include 19 MODES. In Table 1, there are only 14 MODES. Please check this.


There is a total of 19 MODES citations, but only 14 unique MODES.

 

Added clarification and updated to source according to the review comments

7

Section 5, Assets in HE. It is suggested that authors should only discuss the higher education assets which are the target of the cybersecurity attacks. The section 5.1.1 should be expanded, and other sections are related to the focus of this paper.

Make the section more related to cybersecurity risk.

 

We have re-written the assets-part of the paper and clarified the contribution

8

Figure 3 only lists the data in two years which is not sufficient to answer the research question “which are the most frequent threat events in HE?” The source of the data is from a website. Why do you choose this website? Does any other website provide similar data?

This figure is not meant to answer the research question 2, it is a presentation of the data source hackmageddon. A summary and comparison of the findings are in Table 8 (of the submitted draft) "The rank of the threat events present in the educational industry according to literature". We assume that this is connected to the fact that our findings are poorly communicated.

 

Updated the threat events sections and improved the tables 7 and 9. Table 9 summarizes the results

9

The primary finding of this research is not clear to me. The authors claimed in the abstract that the primary finding is “empirical research on cybersecurity risk in higher education is scarce and there are large gaps in the literature”, which does not advance the current research and shows very limited novelty and societal impact.

re-address abstract and conclusion

Abstract and conclusion

Edited the abstract and conclusion to clarify the contribution

10

Several typos below:
Page 1, Line 1, “The demands for secure …” -> “The demands for securing…”
Page 2, Line 67, “The findings of this also article require” -> “The findings of this article also require”
Page 3, Line 115, “with the purpose of explore ….” -> “With the purpose of exploring…”
Page 4, Line 138-139, “we also chose to reviewed ….”-> “ we also chose to review..”
Page 4, Line 155, “ studies published before year 2000” -> “studies published after year 2000”
Page 6, Line 239-240 “on a dataset and is lacking lacks…” -> “on a dataset and is lacking…”

Done

 

All recommended changes have been made.

Author Response File: Author Response.pdf

Reviewer 3 Report

I added reviews as a file because it contains drawings.

Comments for author File: Comments.pdf

Author Response

Dear reviewer 3,

Thank you for your kind and comprehensive feedback.

We have made major revisions on readability and organization, restricted the literature review scope, and added more citations since last version. See the table below for detailed responses to your comments.

Hope these changes are to your liking.

Best regards,

Joachim Ulven and Gaute Wangen

 

1

The article is a review of the literature and threats in the area of cybersecurity in higher education. At
the beginning of the article, the authors ask 5 questions that the article is to answer based on the
available literature. Below are my comments:

 

 

 

2

1. The article shows a very weak relationship between the topic of the article and the Key
Performance Indicators. Authors should clearly emphasize the relationship between KPIs and
the analyzed security area.

Tighten the discussion on assets and KPIs and make it more relevant to the topic

 

Have conducted a major revision on the assets and KPI parts.

3

2. The article should indicate how the HE systems differs from classical Enterprise IT systems.
What makes this environment unique? Why is it important to analyze it as a separate class of
systems. Such features are indicated in the work, for example: Openness, attitude and
culture. However, these features should be collected and summarized in the introduction to
emphasize the distinctiveness of HE IT systems.

Add a section about how HE systems differ from enterprise IT systems to the background-chapter.

Added section 2.2

New section 2.2 "What separates HE from classic industry?"

4

3. The article is difficult to read. In my opinion, the work should contain more graphic and
tables (lists, comparisons, etc.) that will improve the readability of the article. Some chapters
have graphical summaries, others do not, e.g. only table 11 is given in the chapter
Vulnerabilities in HE. It seems to me that the article would become more readable if graphics
were added to this chapters that would show the vulnerability classification (their
percentage, "importance", etc.)

Readability and summarization of results.

 

We have added some more tables and figures, merged findings, and tried to improve the readability. Especially the assets and threat agents sections have been revised. We have tried to improve the readability of the whole paper. We did not have any metrics on importance beyond the no. of citations, so we did not go into this issue.

5

4. The cybersecurity area is developing very dynamically. However, the authors present very old
data, e.g. figure 2 (page 14. ). The figure below shows the distribution of publications in the
article in relation to the date of their publication

 

 

We have tightened the research years from 20 to 12 years to remove the obvious gap that you point to in your graph.

6

 

Nice summary of the included data.

 

 

7

5. For example, the 2003 publication is about "Security and Online Learning: To Protect and
Prohibit." Isn't it worth using newer publications, e.g.
- https://ieeexplore.ieee.org/document/6360592 (2012)
- https://ieeexplore.ieee.org/document/9011971 (2019)
- https://www.mdpi.com/2076-3417/10/21/7730/htm (2020)

Add and review suggested literature

 

We have added over 30 new citations: New previous work section 2.3. Two new sources in the review and one removed.

8

6. I suggest including more publication databases than those listed on lines 122 to 124, for
example https://ieeexplore.ieee.org

Add suggested databases, conduct additional searches, and add findings

 

See above answer

9

7. On line 917, the authors say: The amount of empirical studies featuring information assets
in higher education was quite limited. It should be taken into account that HE systems (HES)
are part of Enterprise class systems (ECS). A large group of asset, cyber threat, vulnerabilities,
risk in HES and ECS is similar and in this context the scope of the analyzed literature can be
expanded.

Consider the comparison to enterprise systems and expand.

 

Added as a suggestion for future work

10

8. The authors very often use the term risk management (eg line 144-145). I would suggest
adding information about the definition of risk management they use. I understand this in
the context of ISO 31000 or https://www.axelos.com/best-practice-solutions/mor. Please
define precisely the used term because its use in the article may raise doubts

Add definition of risk management in the background

2.1

Added definition of risk management in section 2.1

11

In conclusion, the authors have done a lot of work, which is an attempt to systematize knowledge
about cybersecurity in HE systems. The selected review method (Comprehensive Literature Review
model) is very good. Adding graphical (quantitative) summaries for selected chapters and referring to
newer literature items (e.g. in the context of enterprise-class systems) will, in my opinion, improve
the quality and readability of the article. In my opinion, such a revised article will be a valuable
source of knowledge for IT of HE departments and for scientists dealing with security of information
systems.

 

 

 

Author Response File: Author Response.pdf

Round 2

Reviewer 2 Report

The authors have addressed my concerns. However, there are still some aspects that should be addressed:

 

  1. Figure 4 is based on data from one website. I suggest that the authors should get information from several sources and analyze them. Just using one website to support your claim is not sufficient.

 

  2. Analyzing the frequency of the specific types of risks, and countermeasures to solve them is one of the important research questions of this paper. However, the authors fail to address this. The authors should give definitions on the major cyber risks in HE, for example brute force, spear-phishing, DDoS, Sabotage, Botnets, SQLi, etc.

Finally, the authors should highlight the changes in Red or Yellow in the submission file, so that reviewers can easily check where you made the changes. 

Author Response

Dear Reviewer 2,

 

Thank you for taking the time to review our article a second time. Please find our answers and changes to your comments attached. The major change is that we have added the section 9.1 "Risk analysis"

 

Best regards,

Joachim Ulven and Gaute Wangen

Author Response File: Author Response.pdf

Reviewer 3 Report

The authors improved the article and put a lot of work into it. I believe that with minor editorial corrections the article may be published, e.g.:

  • The table presented on page 17 has the designation Table 4 and is signed as Figure 3. I know that the table comes from the source [2], but it is necessary to standardize the notation and improve the quality of the table.
  • The quality of the explanations (the text used in the figure) in figure 4 is poor - drawings should be prepared in higher resolution. I assume that errors of this type will be corrected at the editorial correction stage.

The article is a source of important knowledge and may be the starting point for further research.

Author Response

 

Dear Reviewer 3,

 

Thank you for taking the time to review our article a second time. Please find our answers and changes to your comments attached. The major change is that we have added the section 9.1 "Risk analysis."

 

Best regards,

Joachim Ulven and Gaute Wangen

Author Response File: Author Response.pdf

Round 3

Reviewer 2 Report

The authors have addressed all my concerns. 
