End User Security Training for Identification and Access Management

End User Security Training for Identification and Access Management

Tonia San Nicolas-Rocca (School of Library and Information Science, San Jose State University, San Jose, CA, USA) and Lorne Olfman (Center for Information Systems and Technology, Claremont Graduate University, Claremont, CA, USA)
Copyright: © 2013 |Pages: 29
DOI: 10.4018/joeuc.2013100104
OnDemand PDF Download:
No Current Special Offers


Identification and access management (I/AM) is among the top security issues facing institutions of higher education. Most institutions of higher education require end users to provide usernames and passwords to gain access to personally identifiable information (PII). This leaves universities vulnerable to unauthorized access and unauthorized disclosure of PII as, according to recent literature, usernames and passwords alone are insufficient for proper authentication of users into information and information systems. This study examines a critical element in the successful implementation of any information security initiative, end user training. Specifically, this study advances research in the area of end user security training by using canonical action research (CAR) to develop and refine an IT security training framework that can guide institutions of higher education in the implementation of USB security tokens for two-factor authentication using public key infrastructure (PKI).
Article Preview


Recent research (Allison et al., 2008; Camp et al., 2007) addresses the need to implement identification and access management (I/AM) solutions within higher education. However, none specifically addresses implementation issues such as awareness and training. A framework that focuses on the implementation of an I/AM solution within higher education for some level of assurance will not only contribute to the field of information systems and technology but will also assist higher education institutions in ensuring some level of I/AM.

Identification and access management, and security have been among the top ten information technology (IT) issues concerning institutions of higher education for the last few years (Ingerman et al., 2010). In the United States, institutions of higher education are both empowered by and dependent on electronic information for academic and administrative communications and services (Hawkins, 2007). Most of this information is considered sensitive and, as such, protected by state and federal regulations (which include the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the Protection of Pupil Rights Amendment (PPRA), and the Gramm-Leach-Bliley Act (GLBA)) (SanNicolas-Rocca & Olfman, 2009). Unauthorized access into institution computers or network systems and/or unauthorized disclosure of data of any sort can lead to lawsuits, loss of students, bad public relations, termination of employees responsible for unauthorized access, loss of donations, and costs associated with risk assessment and management (SanNicolas-Rocca & Olfman, 2009).

This paper describes the creation and refinement of an IT security training framework at West Coast State University (WCSU) to implement a two-factor authentication system. WCSU was interested in implementing USB eTokens using PKI (public key infrastructure) for two-factor authentication to support federal and state requirements for the protection of PII (personally identifiable information), retention, and preservation of business-critical information, and to ensure I/AM requirements. The IT security training strategy framework was revised and updated by using canonical action research (CAR) with the goal of adapting it for other institutions of higher education, or any other type of organization, for the implementation of an IT security training initiative.

The structure of the paper is as follows. First, we review the literature on identification and access management. We then present the problem situation and describe our canonical action research method. We explain the process of designing the training framework and the implementation of each of the training sessions to the end users. Follow up sessions were provided and subsequent training sessions were refined accordingly. We describe results and modifications to the framework, and discuss limitations, implications and future research directions.

Complete Article List

Search this Journal:
Volume 34: 6 Issues (2022): 5 Released, 1 Forthcoming
Volume 33: 6 Issues (2021)
Volume 32: 4 Issues (2020)
Volume 31: 4 Issues (2019)
Volume 30: 4 Issues (2018)
Volume 29: 4 Issues (2017)
Volume 28: 4 Issues (2016)
Volume 27: 4 Issues (2015)
Volume 26: 4 Issues (2014)
Volume 25: 4 Issues (2013)
Volume 24: 4 Issues (2012)
Volume 23: 4 Issues (2011)
Volume 22: 4 Issues (2010)
Volume 21: 4 Issues (2009)
Volume 20: 4 Issues (2008)
Volume 19: 4 Issues (2007)
Volume 18: 4 Issues (2006)
Volume 17: 4 Issues (2005)
Volume 16: 4 Issues (2004)
Volume 15: 4 Issues (2003)
Volume 14: 4 Issues (2002)
Volume 13: 4 Issues (2001)
Volume 12: 4 Issues (2000)
Volume 11: 4 Issues (1999)
Volume 10: 4 Issues (1998)
Volume 9: 4 Issues (1997)
Volume 8: 4 Issues (1996)
Volume 7: 4 Issues (1995)
Volume 6: 4 Issues (1994)
Volume 5: 4 Issues (1993)
Volume 4: 4 Issues (1992)
Volume 3: 4 Issues (1991)
Volume 2: 4 Issues (1990)
Volume 1: 3 Issues (1989)
View Complete Journal Contents Listing