Today, academic institution involves digital data to support the educational process. It has advantages, especially related to ease of access and process. However, security problems appear related to digital data. There were several information security incidents in the academic environment. In order to mitigate the problem, metrics identification is required to determine the risk of incidents. There are many risks model and metrics to estimate the risk, such as DREAD, OWASP, CVSS, etc. However, specific metrics are required to obtain appropriate risk values. Therefore, this study aims to define metrics for an academic institution. The proposed metrics are obtained from The Family Educational Rights and Privacy Act (FERPA) regulation. It consists of directory information, educational information, personally identifiable information, and risk of information leakage. In order to achieve the objective, this study involves survey and reliability analysis to result in output. The survey is conducted by involving 90 respondents with various levels of education and jobs. The Cronbach's alpha and Test-retest are methods to determine this study's reliability. According to reliability analysis, the Cronbach's alpha method results in coefficients for the metrics between 0.730 - 0.911, while the Test-retest method results in coefficients between 0.630 - 0.797. These coefficients have a reliable category, so the proposed metrics are adequate for determining risk of information security incidents in academic environments. The reliable metrics will be developed as variables of the risk assessment model for the academic environment in the future study.

 

N. S. Fouad, "Securing higher education against cyberthreats: from an institutional risk to a national policy challenge," J. Cyber Policy, vol. 6, no. 2, pp. 137–154, May 2021, doi: 10.1080/23738871.2021.1973526.

A. R. Alzighaibi, "Cybersecurity Attacks on Academic Data and Personal Information and the Mediating Role of Education and Employment," J. Comput. Commun., vol. 09, no. 11, pp. 77–90, 2021, doi: 10.4236/jcc.2021.911006.

K. Chetioui, B. Bah, A. O. Alami, and A. Bahnasse, "Overview of Social Engineering Attacks on Social Networks," 12th Int. Conf. Emerg. Ubiquitous Syst. Pervasive Netw. 11th Int. Conf. Curr. Future Trends Inf. Commun. Technol. Healthc., vol. 198, pp. 656–661, Jan. 2022, doi: 10.1016/j.procs.2021.12.302.

F. Kareem et al., "SQL Injection Attacks Prevention System Technology: Review," Asian J. Res. Comput. Sci., Jul. 2021, doi: 10.9734/AJRCOS/2021/v10i330242.

F. Mateo Tudela, J.-R. Bermejo Higuera, J. Bermejo Higuera, J.-A. Sicilia Montalvo, and M. I. Argyros, "On Combining Static, Dynamic and Interactive Analysis Security Testing Tools to Improve OWASP Top Ten Security Vulnerability Detection in Web Applications," Appl. Sci., vol. 10, no. 24, 2020, doi: 10.3390/app10249119.

A. Alanda, D. Satria, M. I. Ardhana, A. A. Dahlan, and H. A. Mooduto, "Web Application Penetration Testing Using SQL Injection Attack," JOIV Int. J. Inform. Vis., vol. 5, no. 3, p. 320, Sep. 2021, doi: 10.30630/joiv.5.3.470.

S. K. Lala, A. Kumar, and S. T., "Secure Web development using OWASP Guidelines," in 2021 5th International Conference on Intelligent Computing and Control Systems (ICICCS), May 2021, pp. 323–332. doi: 10.1109/ICICCS51141.2021.9432179.

N. A. Bakar, M. Mohd, and R. Sulaiman, "Information leakage preventive training," in 2017 6th International Conference on Electrical Engineering and Informatics (ICEEI), Nov. 2017, pp. 1–6. doi: 10.1109/ICEEI.2017.8312403.

I. M. A. G. Azmi, Q. M. Ashraf, S. Zulhuda, and M. B. Daud, "Critical data leak analysis in educational environment," in 2016 4th International Conference on Cyber and I.T. Service Management, Apr. 2016, pp. 1–6. doi: 10.1109/CITSM.2016.7577523.

N. A. Odeh, D. Eleyan, and A. Eleyan, "A SURVEY OF SOCIAL ENGINEERING ATTACKS: DETECTION AND PREVENTION TOOLS,". Vol., no. 18, p. 12, 2021.

S. Wijayanto and J. C. Pratama Putra, "The Effectiveness of a Virtual Reality Marketing Video on the People Desire to Buy a Product," JOIV Int. J. Inform. Vis., vol. 5, no. 4, p. 360, Dec. 2021, doi: 10.30630/joiv.5.4.483.

J. B. Ulven and G. Wangen, "A Systematic Review of Cybersecurity Risks in Higher Education," Future Internet, vol. 13, no. 2, p. 39, Feb. 2021, doi: 10.3390/fi13020039.

P. D. Ibnugraha, L. E. Nugroho, and P. I. Santosa, "Risk model development for information security in organization environment based on business perspectives," Int. J. Inf. Secur., vol. 20, no. 1, pp. 113–126, Feb. 2021, doi: 10.1007/s10207-020-00495-7.

K. Gencer and F. Başçiftçi, "The fuzzy common vulnerability scoring system (F-CVSS) based on a least squares approach with fuzzy logistic regression," Egypt. Inform. J., vol. 22, no. 2, pp. 145–153, Jul. 2021, doi: 10.1016/j.eij.2020.07.001.

H. Bolívar, H. D. Jaimes Parada, O. Roa, and J. Velandia, "Multi-criteria Decision Making Model for Vulnerabilities Assessment in Cloud Computing regarding Common Vulnerability Scoring System," in 2019 Congreso Internacional de Innovación y Tendencias en Ingenieria (CONIITI ), Oct. 2019, pp. 1–6. doi: 10.1109/CONIITI48476.2019.8960909.

I. Kuzminykh, B. Ghita, V. Sokolov, and T. Bakhshi, "Information Security Risk Assessment," Encyclopedia, vol. 1, no. 3, 2021, doi: 10.3390/encyclopedia1030050.

P. H. Meland, D. A. Nesheim, K. Bernsmed, and G. Sindre, "Assessing cyber threats for storyless systems," J. Inf. Secur. Appl., vol. 64, p. 103050, Feb. 2022, doi: 10.1016/j.jisa.2021.103050.

G. Kavallieratos, G. Spathoulas, and S. Katsikas, "Cyber Risk Propagation and Optimal Selection of Cybersecurity Controls for Complex Cyberphysical Systems," Sensors, vol. 21, no. 5, 2021, doi: 10.3390/s21051691.

L. Zhang, A. Taal, R. Cushing, C. de Laat, and P. Grosso, "A risk-level assessment system based on the STRIDE/DREAD model for digital data marketplaces," Int. J. Inf. Secur., Sep. 2021, doi: 10.1007/s10207-021-00566-3.

A. Paraskevas, "Cybersecurity in Travel and Tourism: A Risk-Based Approach," in Handbook of e-Tourism, Z. Xiang, M. Fuchs, U. Gretzel, and W. Höpken, Eds. Cham: Springer International Publishing, 2020, pp. 1–24. doi: 10.1007/978-3-030-05324-6_100-1.

P. Deshanta Ibnugraha, L. E. Nugroho, and P. I. Santosa, "Metrics analysis of risk profile: A perspective on business aspects," in 2018 International Conference on Information and Communications Technology (ICOIACT), Mar. 2018, pp. 275–279. doi: 10.1109/ICOIACT.2018.8350675.

P. D. Ibnugraha, L. E. Nugroho, and P. I. Santosa, "Reliability Analysis of Risk Model Metrics Based on Business Approach in Information Security," Ingénierie Systèmes Inf., vol. 25, no. 4, pp. 475–480, Sep. 2020, doi: 10.18280/isi.250410.

A. Koohang, J. H. Nord, Z. V. Sandoval, and J. Paliszkiewicz, "Reliability, Validity, and Strength of a Unified Model for Information Security Policy Compliance," J. Comput. Inf. Syst., vol. 61, no. 2, pp. 99–107, Mar. 2021, doi: 10.1080/08874417.2020.1779151.

C. Haythornthwaite, "An Information Policy Perspective on Learning Analytics," in Proceedings of the Seventh International Learning Analytics & Knowledge Conference, New York, NY, USA, 2017, pp. 253–256. doi: 10.1145/3027385.3027389.

C. Lang, C. Woo, and J. Sinclair, "Quantifying Data Sensitivity: Precise Demonstration of Care When Building Student Prediction Models," in Proceedings of the Tenth International Conference on Learning Analytics & Knowledge, New York, NY, USA: Association for Computing Machinery, 2020, pp. 655–664. [Online]. Available: https://doi.org/10.1145/3375462.3375506

Quentin Docter and Cory Fuchs, "Compliance and security in the cloud," in CompTIA Cloud Essentials+ Study Guide: Exam CLO-002, Wiley, 2020, pp. 253–302. doi: 10.1002/9781119642138.ch7.

J. P. Cole, "The Family Educational Rights and Privacy Act (FERPA): Legal Issues," p. 20.

A. T. Jebb, V. Ng, and L. Tay, "A Review of Key Likert Scale Development Advances: 1995-2019," Front. Psychol., vol. 12, pp. 637547–637547, May 2021, doi: 10.3389/fpsyg.2021.637547.

H. J. Muhasin, R. Atan, M. A.Jabar, S. Abdullah, and S. Kasim, “Multilayered Framework to Enhance Management Information Systems Decision on Sensitive Data in Cloud Computing Environment,†JOIV Int. J. Inform. Vis., vol. 1, no. 4–2, p. 179, Nov. 2017, doi: 10.30630/joiv.1.4-2.83.

S. Vaz, T. Falkmer, A. E. Passmore, R. Parsons, and P. Andreou, "The case for using the repeatability coefficient when calculating test-retest reliability," PloS One, vol. 8, no. 9, pp. e73990–e73990, Sep. 2013, doi: 10.1371/journal.pone.0073990.

F. Zinzendoff Okwonu, B. Laro Asaju, and F. Irimisose Arunaye, "Breakdown Analysis of Pearson Correlation Coefficient and Robust Correlation Methods," IOP Conf. Ser. Mater. Sci. Eng., vol. 917, no. 1, p. 012065, Sep. 2020, doi: 10.1088/1757-899x/917/1/012065.

J. V. da Silva and M. N. Baptista, "Vitor Quality of Life Scale for the Elderly: evidence of validity and reliability," SpringerPlus, vol. 5, no. 1, p. 1450, Aug. 2016, doi: 10.1186/s40064-016-3130-4.