Paradigm-shifting back to the future: Evolutionary vs revolutionary shifts in cybersecurity best practices for U.S. colleges
Abstract
This qualitative multi-case study examines the impact of cybersecurity insurance, third-party providers, and endpoint protection on U.S. colleges' cybersecurity policies while highlighting the importance of internal IT skill growth and community involvement as a frontline defense. The Qualitative Case Study Research Design and the National Institute of Standards and Technology (NIST) CSF 2.0 are used as frameworks to explore U.S. colleges' cybersecurity risk management policies and practices. This study emphasizes fostering internal IT expertise, preventing IT staff deskilling, and enhancing the effectiveness of cybersecurity measures. The insights gained will inform best practices, policy development, and risk management strategies for cybersecurity in higher education. The findings indicate that leveraging the latest cybersecurity solutions, such as NIST CSF 2.0 and HEISC, is crucial for establishing a robust defense strategy. However, an over-reliance on third-party cyber vendors and cybersecurity insurance may be counterproductive due to minimal return on investment and substantial premiums. Instead, institutions should prioritize direct investments in cybersecurity measures, such as ongoing staff training and IT skill development, as evidenced by successful programs incorporating regular hands-on training sessions at larger institutions. Continuous risk assessments, adaptive best practices, and a focus on internal IT growth were identified as effective strategies, particularly for colleges that regularly updated their policies in alignment with NIST and HEISC frameworks. The study also emphasizes the deskilling of IT personnel, which can occur when institutions overly depend on third-party providers or insurance. Participants' engagement with state and federal cybersecurity programs was shown to be valuable for enhancing security beyond relying on insurance. These findings underscore the importance of proactive internal measures to strengthen resilience.