A Systematic Literature Review of Cybersecurity Risk Assessment and Management Frameworks in Higher Education Institutions
Keywords:
Cybersecurity, Risk Assessment, Risk Management, Higher Education Institutions, Information Security
Abstract
Cybersecurity threats continue to pose significant risks to higher education institutions (HEIs), which increasingly depend on digital infrastructure for academic, administrative, and research activities. However, the effectiveness of cybersecurity risk assessment and management (CSRA&M) frameworks in addressing these threats within university contexts remains unclear. This study presents a systematic literature review to identify, analyze, and synthesize existing CSRA&M models relevant to HEIs. The review followed the PRISMA methodology to ensure transparency and rigor in article selection and analysis. Peer-reviewed journal articles and academic conference papers were sourced from databases including IEEE Xplore, Scopus, and ScienceDirect. Inclusion criteria focused on studies that applied, evaluated, or discussed CSRA&M frameworks in the context of universities or higher education environments. Findings indicate that frameworks such as ISO 27001, ISO/IEC 27005, OCTAVE, and COBIT are frequently referenced. However, many are not fully tailored to universities’ socio-technical and governance structures, particularly in developing regions. The review highlights a need for hybrid, context-sensitive approaches that combine technical controls with strategic planning, stakeholder engagement, and regulatory alignment. This study contributes to the cybersecurity literature by providing a consolidated understanding of how existing frameworks address risk in HEIs and identifying key gaps for future research and model development. It offers insights for academic policymakers, IT leaders, and researchers seeking to strengthen cybersecurity resilience in university settings.
Copyright (c) 2025 Beatrice Akoth Owino, Collins Oduor, Gerald Chege

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.