Abstract
Higher education institutions (HEIs) increasingly rely on digital systems to store sensitive information. However, their culture of academic openness and transparency also presents vulnerabilities, with most failing to regulate the internet usage of their staff and students, thus attracting cyberattacks via unregulated social networks and other platforms. The current study sought to explore cybersecurity risks and initiatives at higher education institutions. The study aimed to achieve this goal by describing the most frequent cybersecurity threat events, common cybersecurity threat agents, and common cybersecurity vulnerabilities in higher education institutions, as well as describing cybersecurity controls and measures currently employed to mitigate identified cybersecurity risks in higher education institutions. To achieve these objectives, the study employed a systematic literature review (SLR) methodology where 72 quality articles were extracted and analysed into 8 qualitative themes. Studies included publications within a 5-year period and excluded unpublished literature or non-academic sources, which were irrelevant to cybersecurity in HEIs. The study found that external technological threats like phishing, ransomware, and malware are prevalent in HEIs. However, the study also found that internal insider threats like lack of awareness and irresponsible user behaviour lead to serious accidental or intentional breaches. The study also found that technology is advancing, and with its development come new forms of AI-driven threats. These findings have far-reaching implications. HEIs must prioritise cybersecurity awareness training, focusing on best practices, reporting suspicious activities, and promoting a culture of security. This training should be tailored to address the specific needs of students, faculty, and staff.
However, the scope of the study on cyber risks and associated mitigation strategies is limited to HEIs, and does not cover a broad area in the field. This may affect the findings’ transferability and applicability in other contexts.