Top 10 Cyber-Security Risks to University Communities
Friday, December 26th, 2008
The December 19, 2008 issue of the Chronicle of Higher Education contained an interesting article by Jeffrey Young (Vol. 55, No. 17, p. 9) describing the “Top 10” cyber-security risks to university communities. In ascending order of seriousness (10 low, 1 high), these ten threats/risks/activities are:
| 10. | Spammers |
| 9. | Cellphones |
| 8. | Phishers |
| 7. | Social Networks |
| 6. | Outsource Partners |
| 5. | University Students |
| 4. | University Professors |
| 3. | University Staff Members |
| 2. | Thieves |
| 1. | Malware and Botnets |
Note that according to the article, this list was based on surveys and interviews with over a “dozen college technology leaders.”
This article reminds me of a 1976 study that asked three different communities (“experts”, students, and members of the League of Women Voters) for their opinions on how a set of 30 activities and technologies should be ranked in order of seriousness (see this link for the results, and this link for the questionnaire). However, unlike the 1976 study, where different groups were asked to rank order an activity based on the chances of someone dying from it in a given year, it is unclear what the basis for seriousness is. Does the ordering have to do with probability of victimization due to the malicious code or user action? If so, this list is surely missing the consequence dimension. Or is it rank ordered based on probability of each activity being the proximate cause of bad consequences? My guess is that the ordering takes an “all things considered” approach. I really wish there was more of a description of what “seriousness” means in this context so I could better appreciate the basis for the rank ordering.
Despite this, we should all be aware of what can cause us harm – after all, the first step in risk reduction is to identify what can hurt you (our number one vulnerability is ignorance, as I always say). At the very least, this list highlights to higher-education readers (most likely faculty and staff, fewer students) some of the cyber challenges of modern computing. But I must ask, what threats/risks/activities are missing from this list?