Learning analytics packages data, such as a student’s utilized resources and performance, to produce a digestible report on the variety of factors that affect that student’s ability to learn. This can include giving educators preventative alerts about what factors may be impeding a student’s learning, especially when there is a high student-to-teacher ratio.
With this data, institutions have insight into student outcomes and the capability to craft or enhance individual education experiences. However, these insights come with new data privacy risks, especially without proper guardrails like data anonymization.
Not only do data breaches put students at risk, they can be costly for educational institutions, both financially and reputationally. To mitigate threats to data privacy, school cybersecurity leaders need to evaluate the ways they protect and use confidential information.
THREATS TO LEARNING ANALYTICS DATA
Information collected for learning analytics is often personal, including names, grades and other information protected by the Family Educational Rights and Privacy Act (FERPA). This data may seem to only be valuable to those within the school community, but that’s what makes it an attractive ransomware target, as school administrators will pay hackers to avoid public exposure of this sensitive data.
Once a threat actor is inside a network, they can deploy malware like ransomware to encrypt the system’s data, preventing users and IT professionals from accessing the network. The data is then held for ransom, only to be given back if the educational institution pays for it.
CHALLENGES IN SAFEGUARDING DATA COLLECTED VIA LEARNING ANALYTICS
While learning analytics has solved challenges in the classroom, it has complicated educational institutions’ attack surfaces, creating new obstacles for IT teams to navigate. For example, data collection is often siloed across organizations. This means that each silo must be monitored for potential security gaps independently, requiring time and resources that the IT team may not have.
On the other hand, some institutions have moved student data to data lakes or warehouses. With this approach, however, more users have potential access to student PII, making it imperative to implement strong user-based access controls. These scenarios provide more opportunities for accidental leaks, potentially through a well-meaning insider manipulated by a social engineering attack.
Furthermore, institutions are increasingly turning to AI and automation tools as force multipliers for learning analytics, especially at larger organizations where students outnumber faculty and administrators to a greater extent. As with siloed data environments, institutions tend to make the mistake of applying the same assumptions about safety features and controls across all their tools, possibly leaving student data vulnerable.
But it’s not just technology that threatens data privacy when it comes to learning analytics. Students may not be aware of, or understand, how their data is collected and used, as well as how it may be accessed in malicious attacks against their institutions, preventing them from being active defenders against breaches.
SOLUTIONS TO ENSURE DATA IS SECURE
A data breach is not inevitable — several best practices can help institutions safeguard student data privacy while leveraging learning analytics:
Ensure the right cybersecurity controls are in place. Institutions need appropriate security guardrails to mitigate internal and external threats and stop bad actors from bypassing role-based access. For example, PII should not be collected within a learning analytics platform if it’s not required.
Anonymize student data. Keeping data anonymous protects students from harm in the event of a breach. Institutions should prioritize collecting cohort data, for which information about individuals, like names, may not be needed for analyzing macro-outcomes. Data sets that lack PII are not very valuable and attractive to potential hackers.
Create policies that promote transparency. Institutions must also have policies in place that inform students how their data is being collected and used, both in the classroom and throughout the campus community. If there are changes to how their data is being collected or used, institutions must alert students and ensure their consent to the updates.
Invest in student and faculty education. Educating students and faculty about how their data is stored and used for learning analytics, as well as the potential implications of a data breach, can help stop social engineering hackers in their tracks. By investing in hands-on security training and learning opportunities, institutions can help ensure the entire campus community knows their role.
Ensure there’s a human in the loop. As some institutions turn to AI and automation tools to augment learning analytics platforms, they must ensure that there is human oversight monitoring data and response accuracy. Furthermore, AI tools must be individually audited to ensure they meet the safety standards required to protect student data.
Learning analytics has empowered institutions to drive student success by giving educators a real-time look at how students understand and interact with coursework and materials. However, these outcomes can only be achieved if the data collected and used is safeguarded from falling into the wrong hands.
Michael Sink is the chief technology adviser for higher education at the IT service management company World Wide Technology.
