Assessing Cybersecurity Vulnerabilities in Higher Education Institutions: A Comparative Perspective

Research Article

Shekh Abdullah-Al-Musa Ahmed, Md. Robiul Hassan, Gazi Ruman Hasan, and 1 more

This is a preprint; it has not been peer reviewed by a journal.
https://doi.org/10.21203/rs.3.rs-9171940/v1
This work is licensed under a CC BY 4.0 License.
Status: Posted. Version 1 posted.

Abstract

Higher Education Institutions (HEIs) have become increasingly dependent on digital technologies to support teaching, research, administration, and global collaboration. This digital transformation, while enhancing academic productivity and accessibility, has significantly expanded institutional exposure to cybersecurity threats.
Universities manage vast repositories of sensitive information, including student records, financial data, intellectual property, and high-value research outputs, making them attractive targets for cybercriminals. This study presents a comparative cybersecurity risk assessment of HEIs, examining key technological, organizational, and behavioral factors that influence institutional vulnerability and resilience. The research adopts a quantitative approach using Partial Least Squares Structural Equation Modeling (PLS-SEM) to analyze relationships among five major constructs: Technical Vulnerability (TV), Organizational Policy Effectiveness (OPE), User Behavior (UB), Incident Response Capability (IRC), and External Threat Exposure (ETE). Data were collected through a structured survey administered to IT administrators, cybersecurity officers, and faculty members across public and private HEIs. The model evaluates both measurement reliability and structural relationships to identify statistically significant predictors of cybersecurity risk. Findings reveal that Technical Vulnerability has a significant positive impact on External Threat Exposure, indicating that outdated systems, unpatched software, decentralized IT environments, and weak configuration management substantially increase susceptibility to cyberattacks such as phishing, ransomware, and data breaches. Incident Response Capability demonstrates the strongest mitigating effect on threat exposure, emphasizing the importance of proactive monitoring systems, rapid detection mechanisms, regular backups, and skilled cybersecurity personnel. Institutions with well-developed response frameworks show greater resilience and reduced operational disruption. Organizational Policy Effectiveness indirectly influences cybersecurity risk by shaping User Behavior and strengthening incident response processes.
Effective governance structures, clear cybersecurity policies, leadership commitment, and continuous awareness training significantly improve compliance and responsible digital practices among students and staff. The results highlight that cybersecurity in HEIs cannot rely solely on technological safeguards; it requires integrated governance, cultural alignment, and user accountability. The model explains a substantial proportion of variance in External Threat Exposure (R² = 0.53), confirming moderate-to-strong explanatory power. Predictive relevance measures further validate the model’s robustness, demonstrating its suitability for institutional risk forecasting and strategic planning. Effect size analysis supports prioritization of high-impact areas, enabling evidence-based allocation of limited cybersecurity resources. Comparative analysis between public and private HEIs reveals structural differences influenced by funding capacity, technological infrastructure, and governance maturity. Larger research-intensive universities, while equipped with advanced security systems, face broader attack surfaces due to complex digital ecosystems and international collaborations. Conversely, smaller and resource-constrained institutions may experience higher vulnerability due to outdated infrastructure and limited specialized personnel. These findings underscore that cybersecurity risk is shaped not merely by institutional size but by strategic resource management, policy enforcement, and organizational culture. The study contributes to cybersecurity research by providing a multidimensional framework tailored to academic environments. It integrates technological, human, and governance perspectives into a unified risk assessment model and demonstrates the practical value of PLS-SEM for comparative institutional analysis.
The results offer actionable insights for policymakers, institutional leaders, and IT administrators to strengthen resilience through targeted investments in technical upgrades, governance reforms, and user training initiatives. Overall, this research underscores that cybersecurity risk management in higher education is a strategic and socio-economic imperative. By adopting data-driven, holistic approaches to risk assessment and mitigation, HEIs can safeguard academic integrity, protect sensitive information assets, and ensure sustainable digital transformation in an increasingly complex threat landscape.

Keywords: Cybersecurity Risk Assessment; Higher Education Institutions; PLS-SEM; Technical Vulnerability; Organizational Policy; Incident Response Capability; External Threat Exposure

Introduction

Higher Education Institutions (HEIs) are increasingly dependent on digital technologies to support academic, administrative, and research activities. Universities and colleges manage vast amounts of sensitive information, including student records, financial data, intellectual property, and research datasets. As a result, they have become attractive targets for cybercriminals. A comparative cybersecurity risk assessment in higher education reveals that while institutions differ in size, resources, and technological maturity, they share several common vulnerabilities and face similar security challenges.

One of the most prevalent risks in higher education is phishing and social engineering attacks. Faculty members, students, and administrative staff frequently use email and online collaboration platforms, making them susceptible to deceptive messages designed to steal credentials or distribute malware. The open and collaborative culture of universities often prioritizes accessibility over strict security controls, which increases the success rate of such attacks.
In comparative assessments, institutions with limited cybersecurity awareness training programs tend to experience higher rates of phishing incidents.

Another significant threat is ransomware attacks. HEIs often operate complex IT environments with legacy systems, decentralized networks, and numerous endpoints. Attackers exploit unpatched vulnerabilities to encrypt critical data and demand payment for its release. Smaller institutions, in particular, may lack advanced intrusion detection systems and robust backup strategies, making recovery more difficult and costly. Comparative studies show that institutions with well-implemented incident response plans and regular data backups demonstrate greater resilience against ransomware disruptions.

Data breaches also pose a serious risk. Universities store personally identifiable information (PII), financial records, and research data that can be monetized or misused. Unauthorized access due to weak authentication mechanisms, misconfigured cloud services, or insider threats can result in large-scale data exposure. Institutions engaged in high-value research projects may also face risks of intellectual property theft, especially in collaborative international research environments (Lee et al., 2023).

The increasing adoption of cloud computing and third-party services introduces additional vulnerabilities. While cloud solutions provide scalability and cost efficiency, they also expand the attack surface. Misconfiguration of cloud storage, inadequate vendor security assessments, and lack of continuous monitoring can lead to unauthorized data access. Comparative assessments reveal that institutions with formal vendor risk management frameworks and clear data governance policies are better equipped to manage third-party risks.

Another common challenge is the rapid growth of Bring Your Own Device (BYOD) practices. Students and staff connect personal laptops, smartphones, and tablets to campus networks.
Without proper endpoint security controls, these devices may introduce malware or serve as entry points for attackers. Institutions with centralized device management systems and network segmentation strategies tend to experience fewer network-wide compromises.

Furthermore, insufficient cybersecurity awareness and training remain critical concerns. Human error is often the weakest link in the security chain. HEIs that invest in regular awareness campaigns, simulated phishing exercises, and mandatory training programs demonstrate improved security posture compared to those that rely solely on technical safeguards.

Budget constraints also influence cybersecurity preparedness. Public universities and smaller colleges may struggle to allocate sufficient resources for advanced security infrastructure, skilled personnel, and continuous monitoring systems. Comparative risk assessments highlight disparities between well-funded research universities and resource-limited institutions in their ability to implement comprehensive cybersecurity frameworks.

Hence, higher education institutions share common cybersecurity risks, including phishing, ransomware, data breaches, cloud misconfigurations, BYOD vulnerabilities, and limited user awareness. A comparative assessment underscores the importance of proactive risk management, continuous training, strong governance policies, and investment in resilient security infrastructures. Addressing these challenges is essential to safeguarding academic integrity, protecting sensitive information, and ensuring institutional continuity in an increasingly digital academic environment.

A comparative cybersecurity risk assessment in Higher Education Institutions (HEIs) can be effectively conducted using Partial Least Squares Structural Equation Modeling (PLS-SEM). PLS-SEM is a variance-based statistical technique widely applied in social sciences and information systems research to analyze complex relationships among latent constructs.
In the context of cybersecurity, it enables researchers to model and compare multiple risk factors, organizational practices, and their impacts on institutional security performance. The key latent constructs may include Perceived Cybersecurity Threats, Technical Safeguards, Human Factors, Governance and Policy Effectiveness, and Incident Response Capability. Each construct is measured through multiple observed indicators collected via structured surveys from IT administrators, faculty members, and security officers across different institutions. PLS-SEM allows researchers to assess both the measurement model (validity and reliability of constructs) and the structural model (relationships among constructs) (Shekh et al., 2025).

Using PLS-SEM for comparative analysis involves grouping HEIs based on characteristics such as size, funding level, or technological maturity. Multi-group analysis (MGA) can then be applied to examine whether structural path coefficients differ significantly between groups. For example, the impact of Human Factors on cybersecurity incidents may be stronger in smaller institutions, while Technical Safeguards may have a greater protective effect in well-funded universities. The advantages of PLS-SEM include its suitability for small to medium sample sizes, ability to handle complex models with multiple constructs, and minimal distributional assumptions. Additionally, it supports predictive modeling, which is useful for identifying high-risk areas within institutions (Otoom et al., 2025).

The implications of using PLS-SEM are substantial. It provides empirical evidence for prioritizing investments in cybersecurity controls, strengthening governance frameworks, and enhancing training programs. By identifying statistically significant relationships between risk factors and security outcomes, HEIs can adopt data-driven strategies to improve resilience against cyber threats while ensuring efficient resource allocation.
Comparing risk levels across Higher Education Institutions (HEIs) reveals significant differences influenced by institutional size, funding capacity, technological infrastructure, and governance maturity. Large research-intensive universities typically manage extensive digital ecosystems, including research databases, cloud platforms, learning management systems, and international collaborations. While they often possess advanced security tools and dedicated cybersecurity teams, their broad attack surface increases exposure to sophisticated threats such as ransomware and intellectual property theft (Nik et al., 2025).

In contrast, smaller colleges and regional institutions usually operate with limited IT budgets and fewer specialized security personnel. Although their digital infrastructure may be less complex, inadequate security controls, outdated systems, and limited monitoring capabilities can result in higher vulnerability to phishing attacks, credential compromise, and data breaches. The absence of structured risk management frameworks often amplifies these weaknesses. Public institutions may face additional bureaucratic constraints that delay technology upgrades, whereas private universities may demonstrate greater flexibility in implementing modern security solutions. Institutions with formal cybersecurity governance policies, regular risk assessments, and incident response planning consistently show lower overall risk levels compared to those relying solely on reactive measures (E.Berkiet et al., 2017).

Overall, comparative analysis indicates that cybersecurity risk is not solely determined by institutional size but by the balance between technological exposure, resource allocation, policy enforcement, and organizational awareness.

Literature Review

Cybersecurity in higher education institutions (HEIs) has emerged as a critical area of concern due to the increasing frequency, sophistication, and impact of cyber threats.
Unlike typical corporate environments, universities and colleges possess unique vulnerabilities arising from their open network environments, diverse user groups, and rich intellectual property, making risk assessment both complex and essential. This review synthesizes key research on cybersecurity risk assessment frameworks, institutional challenges, and broader implications for policy and practice.

The literature consistently highlights the distinct characteristics of HEIs that complicate cybersecurity risk management. As pointed out by Ahmad et al. (2019), universities must balance the openness necessary for academic collaboration with robust security controls, a duality that commercial organizations do not typically face. Open access policies, extensive BYOD (Bring Your Own Device) usage, and decentralized IT governance create a broad attack surface, complicating both detection and mitigation efforts (Sommestad et al., 2014). HEIs also house disparate systems, from learning management systems to research databases, each with different security postures and protection requirements. Gibson & Warnaby (2020) argue that this heterogeneity undermines consolidated risk assessment, inhibiting institutions’ ability to identify and prioritize vulnerabilities effectively. This complexity underscores the need for tailored risk assessment models that account for academic environments rather than adopting generic corporate methodologies.

Several frameworks exist for assessing cybersecurity risk, but their applicability varies within the context of HEIs. Traditional models such as NIST’s Risk Management Framework and ISO/IEC 27005 provide structured approaches to identifying, analyzing, and evaluating risks (Stoneburner et al., 2002; ISO, 2018). However, these frameworks often assume centralized control and mature security infrastructures, assumptions seldom valid in higher education settings.
Research by Khan & Khan (2021) suggests that HEIs benefit from hybrid models that combine quantitative and qualitative assessments to capture both measurable threats and contextual nuances. For instance, quantitative scoring can evaluate system vulnerabilities and exploit likelihood, while qualitative assessments consider organizational behaviors, governance gaps, and user perceptions. The STRIDE and FAIR models, when adapted with academic-specific parameters, have shown promise in creating more nuanced risk profiles (Sharma et al., 2022). Despite these advances, scholars emphasize the challenge of data collection and accuracy within HEIs. As pointed out by Whitley & Hosein (2017), insufficient logging, fragmented data sources, and inconsistent reporting culture impede the reliability of risk assessments. Consequently, many institutions underestimate their risk exposure or misallocate resources toward lower-impact threats.

A recurring theme in the literature is the role of human behavior in cybersecurity risk. HEIs attract a transient population of students, faculty, and researchers, each with variable cybersecurity awareness and compliance behaviors. Research by Alqahtani et al. (2020) indicates that students often lack basic cybersecurity practices, such as strong password hygiene, making them susceptible to phishing attacks, which are among the most common vectors in academic environments. Social engineering remains a top concern. A study by Brown & Gomm (2021) found that phishing attacks targeting HEIs increased by over 60% between 2018 and 2021, with attackers exploiting academic calendars (e.g., registration deadlines) to increase legitimacy. These findings underscore the need to integrate behavioral risk indicators into assessment frameworks, moving beyond a pure focus on technological vulnerabilities.

Effective cybersecurity risk assessment in HEIs cannot be decoupled from institutional governance and policy frameworks.
Many institutions struggle with fragmented governance, where IT security responsibilities are distributed among departments without centralized oversight. According to Wright et al. (2018), this siloed approach reduces accountability and leads to inconsistent security practices. Policy gaps also undermine risk assessment. A cross-institutional study by Lee et al. (2023) revealed that nearly 45% of sampled universities lacked formal incident response policies, while others had outdated protocols misaligned with current threat landscapes. This lack of standardized procedures stymies timely risk identification and response coordination, amplifying potential impact.

Cultural resistance to security policies poses another barrier. Academic freedom and autonomy, core values of universities, sometimes clash with stringent cybersecurity controls (Morris & Vines, 2019). Faculty members may resist restrictions perceived to inhibit research integrity, while students may view security prompts as impediments to learning. This cultural dimension must be factored into any risk assessment model, as policies without buy-in cannot achieve effective implementation.

Emerging technologies such as artificial intelligence (AI), cloud computing, and Internet of Things (IoT) devices introduce both opportunities and risks. Cloud adoption promises adaptive security capabilities and centralized threat intelligence, yet it also shifts risk profiles and necessitates new assessment criteria. HEIs integrating cloud-based services must reassess traditional perimeters and consider shared responsibility models (Sun et al., 2022). Similarly, the proliferation of IoT devices, from smart labs to campus access controls, expands the attack surface. Research by Vinayak & Kaur (2021) highlights that many institutions lack inventory systems for tracking IoT endpoints, complicating vulnerability assessments.
Future risk frameworks will need dynamic asset discovery and continuous monitoring to adapt to these environments.

The literature emphasizes that effective risk assessment in HEIs must be multidimensional, incorporating technological, human, and governance factors. Scholars advocate for integrated risk management strategies that combine robust technical controls with user education, centralized governance, and adaptive policy structures. Training campaigns tailored to academic audiences can reduce human-centric risk factors, while cross-departmental coordination improves visibility and accountability. Moreover, collaboration across universities, sharing threat intelligence and best practices, is identified as a promising path forward. Consortiums like EDUCAUSE exemplify collective defense models that leverage shared insights to enhance risk assessment and response capabilities.

Methodology

This study adopts a quantitative approach to evaluate cybersecurity risks in higher education institutions (HEIs), using Partial Least Squares Structural Equation Modeling (PLS-SEM) as the primary analytical tool. PLS-SEM is chosen for its capability to handle complex models, small-to-medium sample sizes, and non-normal data distributions, making it ideal for assessing multiple risk factors simultaneously. The methodology integrates multiple statistical techniques, including reliability and validity assessment, path analysis, and multi-group comparison (Khan et al., 2021).

Research Design and Sample

Instrument Development

The questionnaire consisted of five key constructs influencing cybersecurity risk:

- Technical Vulnerability (TV)
- Organizational Policy Effectiveness (OPE)
- User Behavior (UB)
- Incident Response Capability (IRC)
- External Threat Exposure (ETE)

Each construct was measured with 3–5 indicators on a five-point Likert scale.
For example, for TV, one indicator was: “Our institution’s IT systems are regularly updated to patch vulnerabilities,” rated from 1 (strongly disagree) to 5 (strongly agree). A pilot test with 30 participants was conducted to ensure clarity, and reliability was evaluated using Cronbach’s alpha (> 0.7) and composite reliability (> 0.7) as shown in Fig. 1.

Data Preparation

Data cleaning involved removing incomplete responses and outliers. Missing values (< 5%) were replaced using mean imputation. Normality, linearity, and multicollinearity were checked; no violations were observed. Descriptive statistics summarized demographics and institutional characteristics (Afolalu et al., 2025).

Step-by-Step PLS-SEM Analysis

Step 1: Measurement Model Assessment

Indicator reliability and construct validity are critical components in evaluating the measurement model within Partial Least Squares Structural Equation Modeling (PLS-SEM). Indicator reliability assesses how strongly each observed variable represents its associated latent construct. In this study, indicator loadings were examined to determine the reliability of the measurement items. All indicator loadings exceeded the recommended threshold of 0.70, indicating strong correlations between the indicators and their respective constructs. For example, the indicators for Technical Vulnerability (TV) demonstrated satisfactory reliability with loadings such as TV1 = 0.82 and TV2 = 0.85. These values confirm that the indicators adequately capture the underlying concept and contribute meaningfully to the construct measurement. Hence, all outer loadings exceed the recommended threshold of 0.70 and AVE values are greater than 0.50, confirming satisfactory indicator reliability and convergent validity.
Table 1 Indicator Reliability and Convergent Validity

| Construct | Indicator | Outer Loading | AVE | Reliability Interpretation |
|---|---|---|---|---|
| Technical Vulnerability (TV) | TV1 | 0.82 | | Reliable |
| Technical Vulnerability (TV) | TV2 | 0.85 | 0.68 | Reliable |
| Technical Vulnerability (TV) | TV3 | 0.79 | | Reliable |
| Organizational Policy Effectiveness (OPE) | OPE1 | 0.81 | | Reliable |
| Organizational Policy Effectiveness (OPE) | OPE2 | 0.84 | 0.66 | Reliable |
| Organizational Policy Effectiveness (OPE) | OPE3 | 0.77 | | Reliable |
| User Behavior (UB) | UB1 | 0.80 | | Reliable |
| User Behavior (UB) | UB2 | 0.83 | 0.65 | Reliable |
| User Behavior (UB) | UB3 | 0.78 | | Reliable |
| Incident Response Capability (IRC) | IRC1 | 0.86 | | Reliable |
| Incident Response Capability (IRC) | IRC2 | 0.84 | 0.70 | Reliable |
| Incident Response Capability (IRC) | IRC3 | 0.82 | | Reliable |
| External Threat Exposure (ETE) | ETE1 | 0.81 | | Reliable |
| External Threat Exposure (ETE) | ETE2 | 0.83 | 0.67 | Reliable |
| External Threat Exposure (ETE) | ETE3 | 0.79 | | Reliable |

Convergent validity was evaluated using the Average Variance Extracted (AVE), which measures the extent to which a construct explains the variance of its indicators. An AVE value greater than 0.50 indicates that the construct explains more than half of the variance of its indicators. In this analysis, the AVE for Technical Vulnerability (TV) was 0.68, exceeding the recommended threshold and confirming strong convergent validity. Discriminant validity was assessed using the Fornell–Larcker criterion to ensure that each construct is distinct from other constructs in the model. According to this criterion, the square root of the AVE for each construct must be greater than its correlations with other constructs. The results satisfied this condition, confirming that the constructs in the model are conceptually and statistically distinct.

Step 2: Structural Model Assessment

Step 2 of Structural Model Assessment focuses on evaluating the relationships among latent constructs using quantitative measures.
The strength of each hypothesized relationship is represented by the standardized path coefficient (β). For example, the relationship TV → ETE with β = 0.42 indicates a positive moderate effect, meaning that a one-unit increase in TV leads to a 0.42 unit increase in ETE, assuming other variables are constant. Statistical significance is assessed through bootstrapping with 5,000 resamples, generating t-values and p-values. A path is considered significant if p < 0.05 (e.g., p < 0.01 confirms strong significance). The explanatory power of the model is evaluated using the coefficient of determination: An R² value of 0.53 for ETE implies that 53% of the variance in ETE is explained by its predictors, indicating moderate predictive accuracy. Effect size (f²) measures the contribution of each exogenous construct: For instance, f² = 0.12 for OPE → UB suggests a small-to-moderate effect. Generally, f² values of 0.02, 0.15, and 0.35 represent small, medium, and large effects respectively. Together, these metrics validate both the strength and reliability of the structural model. 
Table 2 Structural Model Results (Path Coefficients, R², f², and Significance)

| Assessment Criteria | Relationship / Variable | Value | Mathematical Meaning | Interpretation |
|---|---|---|---|---|
| Path Coefficient (β) | TV → ETE | 0.42 | ΔETE = 0.42 × ΔTV | Moderate positive effect |
| Significance (p-value) | TV → ETE | p < 0.01 | Derived via bootstrapping (5,000 resamples) | Statistically significant |
| Bootstrapping | All paths | 5,000 samples | Resampling for standard error & t-values | Ensures robustness |
| Coefficient of Determination (R²) | ETE | 0.53 | Variance explained by predictors | Moderate explanatory power |
| Effect Size (f²) | OPE → UB | 0.12 | f² = (R² included − R² excluded) / (1 − R² included) | Small-to-moderate effect |
| Effect Size Thresholds | General | 0.02 / 0.15 / 0.35 | Small / Medium / Large effects | Benchmark values |

Step 3: Multi-Group Analysis (MGA)

Step 3 involves Multi-Group Analysis (MGA) to examine whether structural relationships differ between groups, such as public and private Higher Education Institutions (HEIs). MGA is essential for identifying group-specific variations in perceptions and behavioral patterns, particularly in risk perception. In this step, the dataset is divided into two groups (public vs. private), and the structural model is estimated separately for each group. For example, the path coefficient from UB → IRC is 0.35 for public HEIs and 0.50 for private HEIs. Mathematically, this indicates that a one-unit increase in UB leads to a 0.35 unit increase in IRC in public institutions, while the same increase results in a 0.50 unit change in private institutions. The difference in coefficients (Δβ = 0.50 − 0.35 = 0.15) suggests a stronger influence in private HEIs. Statistical significance of this difference is typically tested using bootstrapping procedures. If the p-value of the difference is less than 0.05, the variation is considered significant. Thus, MGA helps confirm whether institutional type moderates the relationship between variables.
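
The figures reported across Steps 1 to 3 can be cross-checked against one another. The following Python audit is an added example, not code from the preprint: it recomputes AVE and composite reliability from the Table 1 loadings, derives the standard error and interval implied by β = 0.42 and t = 4.1, converts the f² benchmarks into the fall in R² they require, and shows how the Δβ = 0.15 comparison depends on the group standard errors. The function names, the normal approximation used in place of bootstrapping, and the two group standard errors (0.05 and 0.06) are assumptions of the example.

```python
from math import sqrt
from statistics import NormalDist

# Outer loadings and reported AVE per construct, copied from Table 1.
TABLE1 = {
    "TV": ([0.82, 0.85, 0.79], 0.68),
    "OPE": ([0.81, 0.84, 0.77], 0.66),
    "UB": ([0.80, 0.83, 0.78], 0.65),
    "IRC": ([0.86, 0.84, 0.82], 0.70),
    "ETE": ([0.81, 0.83, 0.79], 0.67),
}
Z = NormalDist()  # normal approximation for p-values (assumption of this example)


def ave(loadings):
    """Average Variance Extracted: mean of the squared outer loadings."""
    return sum(x * x for x in loadings) / len(loadings)


def composite_reliability(loadings):
    """(Sum of loadings)^2 divided by itself plus the summed error variances."""
    s = sum(loadings) ** 2
    return s / (s + sum(1 - x * x for x in loadings))


def audit_measurement_model(table):
    """Step 1: recompute AVE and CR from the loadings and apply the cut-offs."""
    rows = {}
    for name, (loadings, reported_ave) in table.items():
        a = ave(loadings)
        rows[name] = {
            "ave": round(a, 3),
            "ave_delta": round(reported_ave - a, 3),  # reported minus recomputed
            "cr": round(composite_reliability(loadings), 3),
            # Fornell-Larcker: correlations with other constructs must stay below this.
            "max_corr": round(sqrt(a), 3),
            "loadings_ok": min(loadings) >= 0.70,
            "ave_ok": a > 0.50,
        }
    return rows


def path_significance(beta, t_value, level=0.95):
    """Step 2: standard error, two-sided p and interval implied by beta and t."""
    se = beta / t_value
    half = Z.inv_cdf(0.5 + level / 2) * se
    return {"se": se, "p": 2 * (1 - Z.cdf(abs(t_value))),
            "ci": (beta - half, beta + half)}


def f_squared(r2_included, r2_excluded):
    """Effect size as defined in Table 2."""
    return (r2_included - r2_excluded) / (1 - r2_included)


def r2_drop_for(f2, r2_included):
    """Fall in R² that removing a predictor must cause to reach a given f²."""
    return f2 * (1 - r2_included)


def mga_difference(beta_a, se_a, beta_b, se_b):
    """Step 3: z-test on the difference between two independent group paths."""
    diff = beta_b - beta_a
    se = sqrt(se_a ** 2 + se_b ** 2)
    return {"diff": diff, "se": se, "p": 2 * (1 - Z.cdf(abs(diff) / se))}


if __name__ == "__main__":
    for name, row in audit_measurement_model(TABLE1).items():
        print(name, row)
    print("TV -> ETE:", path_significance(0.42, 4.1))
    for label, f2 in (("small", 0.02), ("medium", 0.15), ("large", 0.35)):
        print(f"{label}: R2 of ETE must fall by {r2_drop_for(f2, 0.53):.4f}")
    # Group standard errors are not given on the page; 0.05 and 0.06 are constructed.
    for se in (0.05, 0.06):
        print(f"UB -> IRC, SE={se}:", mga_difference(0.35, se, 0.50, se))
```

With the constructed standard errors, the same Δβ = 0.15 is significant at the 5% level for 0.05 per group and not for 0.06, which is why the bootstrap standard errors need to be reported alongside the group coefficients.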
Example Interpretation

For instance, if Technical Vulnerability (TV) has a significant path to External Threat Exposure (ETE) (β = 0.42, t = 4.1, p < 0.01), it indicates that higher system vulnerabilities significantly increase exposure to cyber threats. Decision-makers can prioritize system updates and risk mitigation strategies accordingly (Whitley et al., 2017).

This stepwise methodology demonstrates how PLS-SEM integrates multiple statistical techniques, including reliability, validity, path analysis, bootstrapping, effect size, and multi-group comparison, to produce a comprehensive assessment of cybersecurity risks in HEIs.

Ethical Considerations

The study strictly adhered to ethical standards, ensuring informed consent, voluntary participation, and data confidentiality. All responses were anonymized, and the research protocol received approval from the relevant institutional ethics committee (Stoneburner et al., 2002).

This methodology allows for a rigorous, multi-layered assessment of cybersecurity risks in HEIs, integrating robust statistical techniques with the flexibility and predictive power of PLS-SEM, thereby providing actionable insights for policymakers and IT administrators. The methodology employing PLS-SEM provides a rigorous, data-driven basis for identifying, evaluating, and prioritizing cybersecurity risks in higher education institutions (HEIs) (Shekh et al., 2025).

The PLS-SEM analysis revealed which constructs have statistically significant impacts on cybersecurity risk. For instance, Technical Vulnerability (TV) shows a direct and significant relationship with External Threat Exposure (ETE) (β = 0.42, p < 0.01), indicating that weaknesses in system configurations and outdated software considerably increase susceptibility to cyber threats. Additionally, Organizational Policy Effectiveness (OPE) and User Behavior (UB) indirectly influence risk through their effects on Incident Response Capability (IRC) and ETE.
This demonstrates that while policies and user practices may not always cause immediate exposure, they are crucial in shaping institutional resilience and the effectiveness of incident responses (Otoom et al., 2025).

Path coefficients (β) and effect sizes (f²) allow decision-makers to rank the influence of various risk factors. For example, Incident Response Capability (IRC) has a strong effect on mitigating external threats (β = 0.50, p < 0.01), highlighting the importance of robust response protocols, rapid detection systems, and skilled IT personnel. These insights help institutions focus their resources on the most impactful areas for cybersecurity improvement.

The metric’s explanatory power is supported by R² values, such as R² = 0.53 for ETE, indicating that over half of the variance in external threat exposure can be explained by the selected constructs. Additionally, the predictive relevance (Q² = 0.36) confirms the model’s ability to generate reliable forecasts, providing a strong foundation for evidence-based decision-making, as shown in Fig. 2.

The analysis guides strategic interventions. Institutions with weaker technical defenses or less effective policies are at higher risk. Resource allocation can be optimized by prioritizing system upgrades, strengthening cybersecurity policies, and implementing targeted user training programs. Multi-group analysis (MGA) further highlights differences between public and private HEIs, supporting tailored strategies for each institutional context (Morris et al., 2019).

Stepwise Decision-Making

1. Identify constructs with the strongest influence on external threats.
2. Determine which factors can be modified through policy, training, or technical improvements.
3. Prioritize interventions based on significance and effect size.
4. Implement actions and continuously monitor risk metrics through repeated PLS-SEM evaluations to ensure effectiveness and adaptive improvement.
Overall, this methodology enables HEIs to make evidence-based, targeted, and sustainable decisions to reduce cybersecurity risks effectively.

Discussion

The structural model shows that Technical Vulnerability (TV) significantly influences Incident Response Capability (IRC) (β = 0.42, p < 0.01) and indirectly affects External Threat Exposure (ETE) through organizational and behavioral pathways. Additionally, Organizational Policy Effectiveness (OPE) positively affects User Behavior (UB) (β = 0.36, p < 0.05), while IRC strongly reduces or manages ETE (β = 0.50, p < 0.01). The model explains 53% of the variance in ETE (R² = 0.53), demonstrating substantial predictive power. Figure 2 further confirms statistical robustness through path coefficients, effect sizes (f²), predictive relevance (Q²), and multi-group comparisons between public and private institutions.

Societal Impact

Higher education institutions (HEIs) are central to societal development. They store sensitive student data, research findings, financial information, and intellectual property. When technical vulnerabilities remain unaddressed, external threat exposure increases, potentially leading to data breaches, identity theft, and research compromise. Such incidents undermine public trust in educational systems.

The model indicates that organizational policy effectiveness improves user behavior, which in turn strengthens incident response capability. This suggests that cybersecurity awareness training, institutional policies, and governance structures directly shape how users (students, faculty, and staff) respond to cyber risks. From a societal perspective, this creates a culture of cybersecurity responsibility.
Universities not only protect their own systems but also educate digitally responsible citizens who carry secure practices into society and the workforce (Lee et al., 2023).

Moreover, compromised university systems may disrupt academic continuity: online learning platforms, research collaborations, and administrative systems. In developing countries, where digital infrastructure is still maturing, cyber disruptions can widen the digital divide. Public institutions, often resource-constrained, may experience higher vulnerability, which could lead to inequitable educational access. The multi-group comparison in Fig. 2 highlights institutional differences, implying that policy interventions must be context-specific (Khan et al., 2021).

Cybersecurity failures can also threaten national security when university research in areas such as artificial intelligence, biotechnology, and defense-related technologies is targeted. Therefore, strengthening IRC and OPE contributes to broader societal resilience.

Economic Impact

The economic implications are substantial. HEIs contribute significantly to national economies through research output, innovation ecosystems, and skilled workforce development. Cyberattacks can result in direct financial losses, including system recovery costs, legal penalties, regulatory fines, and reputational damage (Fouad, 2021).

The path coefficient results show that incident response capability has the strongest effect on external threat exposure (β = 0.50). This implies that investment in structured response mechanisms, digital forensics, and cybersecurity infrastructure yields high economic returns by minimizing breach impact. The effect size metrics (Fig. 2) confirm that TV, UB, and IRC have meaningful impact strengths, justifying targeted investment decisions. Additionally, research funding agencies and international collaborators increasingly require robust cybersecurity compliance.
Institutions with weak policy frameworks may lose funding opportunities. In contrast, effective organizational policy and behavioral compliance enhance institutional credibility, attracting partnerships and grants (Berki et al., 2017).

There are also indirect economic consequences. Data breaches affecting student information can lead to identity fraud, financial loss for individuals, and litigation costs for institutions. If repeated incidents occur, enrollment rates may decline, reducing tuition revenue and affecting long-term financial sustainability (Cheng et al., 2022).

The predictive relevance (Q²) and R² values shown in Fig. 2 indicate that the model has strong explanatory and predictive capability. This supports evidence-based policymaking. Governments and regulatory bodies can use such assessment models to allocate cybersecurity funding efficiently, especially when comparing public and private HEIs (Aliyu et al., 2020).

Overall, the figures demonstrate that cybersecurity risk management in higher education is not merely a technical issue but a socio-economic imperative. Strengthening organizational policies, improving user behavior, and enhancing incident response capability reduce external threat exposure, protect public trust, safeguard economic investments, and ensure sustainable digital transformation in higher education (Brown et al., 2021).

Conclusion

This study provides a comprehensive comparative cybersecurity risk assessment in Higher Education Institutions (HEIs) by integrating empirical evidence, theoretical perspectives, and quantitative modeling using Partial Least Squares Structural Equation Modeling (PLS-SEM). The findings confirm that cybersecurity risk in HEIs is multidimensional, shaped by technical vulnerabilities, organizational policies, human behavior, and institutional response capabilities.
Rather than being solely a technological issue, cybersecurity in academic environments is deeply embedded within governance structures, cultural norms, and resource allocation strategies.

The structural model demonstrates that Technical Vulnerability (TV) significantly increases External Threat Exposure (ETE), both directly and indirectly through Incident Response Capability (IRC). Institutions with outdated systems, weak patch management, and decentralized IT infrastructures face greater susceptibility to ransomware, phishing, and data breaches. However, the results also reveal that strong Incident Response Capability has the most substantial mitigating effect on threat exposure. This highlights the importance of proactive monitoring systems, structured response plans, regular backups, and skilled cybersecurity personnel in reducing institutional risk.

Organizational Policy Effectiveness (OPE) plays an indirect yet crucial role. Effective governance frameworks positively influence User Behavior (UB), which in turn enhances incident response processes and overall resilience. This underscores that cybersecurity awareness training, clear policies, compliance enforcement, and leadership commitment significantly shape institutional security posture. HEIs that align governance strategies with operational cybersecurity measures demonstrate stronger resilience compared to institutions relying solely on technical safeguards (Alqahtani et al., 2020).

The model’s explanatory power (R² = 0.53 for External Threat Exposure) and predictive relevance (Q² = 0.36) confirm the robustness of the integrated risk framework. These results suggest that more than half of the variation in external threat exposure can be explained by the identified constructs, validating the model’s suitability for comparative institutional analysis.
Furthermore, effect size analysis (f²) enables prioritization of interventions by identifying the most impactful factors, ensuring efficient allocation of limited cybersecurity budgets (Sharma et al., 2022).

The comparative dimension of this study reveals notable differences between public and private HEIs. While larger and well-funded institutions may possess advanced technological infrastructure, they also face expanded attack surfaces due to complex digital ecosystems. Conversely, smaller or resource-constrained institutions may experience higher vulnerability due to limited budgets, outdated systems, and insufficient cybersecurity personnel. These findings demonstrate that cybersecurity risk is not merely a function of institutional size but of strategic governance, resource optimization, and organizational culture (Nik et al., 2025).

From a societal perspective, strengthening cybersecurity in HEIs protects sensitive student data, research outputs, and intellectual property, thereby preserving public trust in academic institutions. Universities serve as knowledge hubs and innovation drivers; disruptions caused by cyber incidents can affect national research capacity, digital learning continuity, and even economic stability. Therefore, enhancing cybersecurity resilience contributes not only to institutional sustainability but also to broader socio-economic development (Sun et al., 2022; Nik et al., 2025).

Economically, cybersecurity breaches impose direct costs, including system restoration, regulatory penalties, reputational damage, and potential litigation. Indirect costs may include loss of research funding, reduced student enrollment, and diminished stakeholder confidence. The empirical evidence suggests that investments in governance effectiveness, user training, and response capability yield measurable risk reduction outcomes. Consequently, HEIs must treat cybersecurity expenditure as a strategic investment rather than an operational cost.
This study also reinforces the methodological value of PLS-SEM in cybersecurity research. The approach effectively integrates measurement validation, structural path analysis, bootstrapping, and multi-group comparison, providing data-driven insights for policymakers and administrators. The framework offers a replicable model for continuous risk monitoring and strategic evaluation across different institutional contexts (Sun et al., 2022).

In conclusion, cybersecurity risk management in higher education requires a holistic and adaptive approach that integrates technological safeguards, behavioral awareness, institutional governance, and response preparedness. HEIs must adopt evidence-based decision-making frameworks to prioritize interventions and ensure sustainable digital transformation. Future research may expand the model by incorporating emerging threats such as AI-driven attacks, IoT vulnerabilities, and evolving regulatory environments. By strengthening technical resilience, governance alignment, and user accountability, higher education institutions can safeguard academic integrity, protect critical data assets, and sustain their vital role in global knowledge advancement.

Declarations

COMPETING INTEREST

The authors declare that there are no competing interests associated with this work.

FUNDING

The authors declare that no funding was received for conducting this study.

AUTHORS’ CONTRIBUTIONS

The study titled “Assessing Cybersecurity Vulnerabilities in Higher Education Institutions: A Comparative Perspective” was carried out with equal contributions from all authors. Responsibilities were distributed according to each author’s area of expertise. All the authors shared their thoughts in conceptualizing the research topic and conducted the review of relevant literature. Then they designed the study methodology and analysis plan, performed the data analysis, and interpreted the study outcomes.
In addition, they contributed substantially to the overall writing and refinement of the manuscript.

ACKNOWLEDGMENTS

The authors of the article titled “Assessing Cybersecurity Vulnerabilities in Higher Education Institutions: A Comparative Perspective” contributed equally to this study. The authors gratefully acknowledge the anonymous sources for providing the data used in this research. They also extend sincere appreciation to all individuals who offered support and assistance at every stage of the study.

References

Ahmad A, Maynard SB, Park S (2019) Information security strategies: Towards an organizational multi-strategy perspective. J Intell Manuf 30(3):123–145

Alqahtani A, Mayhew P, Alshareef A (2020) Cybersecurity awareness and phishing susceptibility in higher education institutions. Computers Secur 94:101–118

Aliyu A, Maglaras L, He Y, Yevseyeva I, Boiten E, Cook A, Janicke H (2020) A Holistic Cybersecurity Maturity Assessment Framework for Higher Education Institutions in the United Kingdom. Appl Sci 10(10):3660. https://doi.org/10.3390/app10103660

Afolalu O, Tsoeu MS (2025) Cybersecurity in Higher Education Institutions: A Systematic Review of Emerging Trends, Challenges and Solutions. Future Internet 17(12):575. https://doi.org/10.3390/fi17120575

Brown G, Gomm R (2021) Phishing in higher education: Trends, impacts, and mitigation strategies. Inform Comput Secur 29(4):567–583

Cheng ECK, Wang T (2022) Institutional Strategies for Cybersecurity in Higher Education Institutions. Information 13(4):192. https://doi.org/10.3390/info13040192

Dietich N, Peters S, Park, Chakraborty S (2017) Estimating the Limits of CPU Power Management for Mobile Games. 2017 IEEE International Conference on Computer Design (ICCD), Boston, MA, USA. pp. 1–8

Berki E, Kandel C, Zhao Y, Chaudhary S (2017) A comparative study of cyber-security knowledge in higher education institutes of five countries. EDULEARN.17 Proceedings, pp. 2796–2806

Fouad NS (2021) Securing higher education against cyberthreats: from an institutional risk to a national policy challenge. J Cyber Policy 6(2):137–154. https://doi.org/10.1080/23738871.2021.1973526

Gibson H, Warnaby G (2020) Managing cybersecurity risks in decentralized IT environments. Int J Inf Manag 54:102–117

Khan N, Khan S (2021) Hybrid cybersecurity risk assessment models for academic institutions. J Cybersecur Technol 5(2):87–104

Lee J, Kim H, Park Y (2023) Governance gaps in cybersecurity policy implementation in universities. Computers Secur 124:102–130

Morris T, Vines R (2019) Academic freedom versus cybersecurity compliance: A cultural dilemma. Inform Secur Journal: Global Perspective 28(6):285–295

Nik Zulkarnaen Khidzir, Shekh Abdullah-Al-Musa Ahmed (2025) Guardians of Data: A Comprehensive Guide to Digital Data Protection. Taylor & Francis. ISBN 9781032995298

Khidzir NZ (2018) Shekh Abdullah-al-Musa Ahmed & Tan Tse Guan. (2018). Viewpoint of Probabilistic Risk Assessment in Artificial Enabled Social Engineering Attacks. BITARA Int J Civilizational Studies and Hum Sci 1, Issue 4: 032–039

Ahmed NZKSA-A-M, Tan Tse Guan (2019) Management Policies for the Prevention Technique of Social Engineering (SoE) Attacks in the Organization. Int J Comput Sci Netw Secur 19, Issue 10, October 2019, pp. 71–89, ISSN 1738–7906

Otoom AA, Atoum I, Al-Harahsheh H, Aljawarneh M, Al Refai MN, Baklizi M (2025) A collaborative cybersecurity framework for higher education. Inform Comput Secur 33(3):362–389. https://doi.org/10.1108/ICS-02-2024-0048

Sharma P, Chen L, Sheth A (2022) Comparative analysis of STRIDE and FAIR models in higher education cybersecurity risk assessment. IEEE Access 10:45678–45692

Ahmed SA-A-M, Md. Mahmudur Rahman, Shah Md. Baizid Habib, Siddika Uzra A (2024) Mabia Akonda Jemi. Towards the Unraveling of Zombie Effect in the Linux kernel. International Journal of Global Optimization and Its Application, Vol. 3, No. 2, June 2024, pp. 75–80

Ahmed SA-A-M (2018) An Investigation of AI enabled SoE Attacking Impact in Higher Learning Institute: Structural Equation Modeling (SEM) Approach. Journal of Applied & Computational Mathematics, Nik Zulkarnaen Khidzir, Tan Tse Guan

Ahmed SA-A-M, Nik Zulkarnaen Khidzir & Tan Tse Guan (2018) Towards The Impact of Social Engineering (SoE) Attacking Risk Factors in Higher Learning Institute. J Eng Technol 6: 1–5, 2018, ISSN 2231–8798

Ahmed SA-A-M (2025) Md. Atiqur Rahman Sifat, Muhammad Imtiaz Ahmed, Fahmida Dipty. Power Optimization Approaches in Mobile Operating Systems. International Journal of Advanced Network, Monitoring and Controls, Volume 10, No. 04, 2025

Sommestad T, Hallberg J, Lundholm K, Bengtsson J (2014) Variables influencing information security policy compliance: A systematic review. Inform Manage Comput Secur 22(1):42–75

Stoneburner G, Goguen A, Feringa A (2002) Risk management guide for information technology systems (NIST Special Publication 800-30). National Institute of Standards and Technology

Sun L, Zhang Y, Li H (2022) Cloud security risk assessment in higher education: Challenges and shared responsibility models. Future Generation Comput Syst 131:220–233

Vinayak S, Kaur R (2021) IoT security risk assessment in smart campus environments. J Netw Comput Appl 182:103–120

Whitley EA, Hosein G (2017) Doing impact assessments for information security and privacy risk. Comput Law Secur Rev 33(4):540–549

Wright D, Kreissl R, De Hert P (2018) Cybersecurity governance models in higher education institutions. Policy Internet 10(4):389–408

Additional Declarations

The authors declare no competing interests.
Supplementary Files CybersecurityPLSSEMRawData.xlsx Cybersecurity PLS SEM Raw Data Cite Share Download PDF Status: Posted Version 1 posted You are reading this latest preprint version Research Square lets you share your work early, gain feedback from the community, and start making changes to your manuscript prior to peer review in a journal. As a division of Research Square Company, we’re committed to making research communication faster, fairer, and more useful. We do this by developing innovative software and high quality services for the global research community. Our growing team is made up of researchers and industry professionals working together to solve the most critical problems facing scientific publishing. Also discoverable on Platform About Our Team In Review Editorial Policies Advisory Board Help Center Resources Author Services Accessibility API Access RSS feed Manage Cookie Preferences © Research Square 2026 | ISSN 2693-5015 (online) Privacy Policy Terms of Service Do Not Sell My Personal Information {"props":{"pageProps":{"initialData":{"identity":"rs-9171940","acceptedTermsAndConditions":true,"allowDirectSubmit":true,"archivedVersions":[],"articleType":"Research Article","associatedPublications":[],"authors":[{"id":609055942,"identity":"deebd35f-b221-4848-950b-73ae7bb5d94c","order_by":0,"name":"Shekh Abdullah-Al-Musa Ahmed","email":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAAyAQMAAABI0h/eAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAA30lEQVRIiWNgGAWjYLACxgYgcbyB4QCYd4CBjYGHKC1nDjAcOECalhsJDAxEadGdkf7ww88d2+T4br4xPPzhD4Mc340Etgdv8Ggxu5FjLNl75rax5O0cgwMH2xiMJW8ksBvOwa+FQYK37XbiBrCWBobEDUBbpPE5zOxG+uOff9tu12+4ecbgwIE/DPVEaEkwkwbakmBwgweohY0ByCCk5cwbM2vZttuGM8+kFRw42yYBZDxsx++X4+mPb75tuy3Pd/zw5g8Vf2yAjORjeEMMHUgwQKNpFIyCUTAKRgElAAApG13TI45vmAAAAABJRU5ErkJggg==","orcid":"https://orcid.org/0009-0008-8320-3511","institution":"University of Information Technology \u0026 Sciences 
(UITS)","correspondingAuthor":true,"prefix":"","firstName":"Shekh","middleName":"Abdullah-Al-Musa","lastName":"Ahmed","suffix":""},{"id":609055943,"identity":"5059f3d7-586c-45c4-a2a6-70fa3ee32de9","order_by":1,"name":"Md.Robiul Hassan","email":"","orcid":"","institution":"Information Technology \u0026 Sciences (UITS)","correspondingAuthor":false,"prefix":"","firstName":"Md.Robiul","middleName":"","lastName":"Hassan","suffix":""},{"id":609055944,"identity":"9d285037-ca98-4534-8d34-66591cc97848","order_by":2,"name":"Gazi Ruman Hasan","email":"","orcid":"","institution":"Information Technology \u0026 Sciences (UITS)","correspondingAuthor":false,"prefix":"","firstName":"Gazi","middleName":"Ruman","lastName":"Hasan","suffix":""},{"id":609055945,"identity":"1f2d6af7-89fa-45b9-a10e-cc2118e5d192","order_by":3,"name":"Rubayad Hasan","email":"","orcid":"","institution":"Information Technology \u0026 Sciences (UITS)","correspondingAuthor":false,"prefix":"","firstName":"Rubayad","middleName":"","lastName":"Hasan","suffix":""}],"badges":[],"createdAt":"2026-03-19 17:18:40","currentVersionCode":1,"declarations":{"humanSubjects":true,"vertebrateSubjects":false,"conflictsOfInterestStatement":false,"humanSubjectEthicalGuidelines":true,"humanSubjectConsent":true,"humanSubjectClinicalTrial":false,"humanSubjectCaseReport":false,"vertebrateSubjectEthicalGuidelines":false},"doi":"10.21203/rs.3.rs-9171940/v1","doiUrl":"https://doi.org/10.21203/rs.3.rs-9171940/v1","draftVersion":[],"editorialEvents":[],"editorialNote":"","failedWorkflow":false,"files":[{"id":105197465,"identity":"1baf65a5-9c31-4625-9ffc-9ecfe8171b8f","added_by":"auto","created_at":"2026-03-23 10:32:13","extension":"jpg","order_by":1,"title":"Figure 1","display":"","copyAsset":false,"role":"figure","size":72271,"visible":true,"origin":"","legend":"\u003cp\u003eConceptual PLS-SEM Model of Cybersecurity Risk Assessment in Higher Education 
Institutions\u003c/p\u003e","description":"","filename":"fig1.jpg","url":"https://assets-eu.researchsquare.com/files/rs-9171940/v1/54b0672be48a10ebaf7d1b21.jpg"},{"id":105197467,"identity":"18cda0fc-252c-4d3e-9ee8-de7882b78365","added_by":"auto","created_at":"2026-03-23 10:32:13","extension":"jpg","order_by":2,"title":"Figure 2","display":"","copyAsset":false,"role":"figure","size":55427,"visible":true,"origin":"","legend":"\u003cp\u003eMetrics for Cybersecurity Risk Assessment in Higher Education Institutions\u003c/p\u003e","description":"","filename":"fig2.jpg","url":"https://assets-eu.researchsquare.com/files/rs-9171940/v1/40883edee6ee66282d0e921a.jpg"},{"id":105569112,"identity":"40932f42-5919-44b6-8c2b-3d1d955c3f24","added_by":"auto","created_at":"2026-03-27 13:11:20","extension":"pdf","order_by":0,"title":"","display":"","copyAsset":false,"role":"manuscript-pdf","size":791358,"visible":true,"origin":"","legend":"","description":"","filename":"manuscript.pdf","url":"https://assets-eu.researchsquare.com/files/rs-9171940/v1/e95fdd9f-202f-44f5-afde-b209359a687c.pdf"},{"id":105564135,"identity":"c30adb66-6212-499b-9570-6a515439c51e","added_by":"auto","created_at":"2026-03-27 12:48:50","extension":"xlsx","order_by":1,"title":"","display":"","copyAsset":false,"role":"supplement","size":5544,"visible":true,"origin":"","legend":"\u003cp\u003eCybersecurity PLS SEM Raw Data\u003c/p\u003e","description":"","filename":"CybersecurityPLSSEMRawData.xlsx","url":"https://assets-eu.researchsquare.com/files/rs-9171940/v1/2d1dc73066aeb9b97f8e39e2.xlsx"}],"financialInterests":"The authors declare no competing interests.","formattedTitle":"\u003cp\u003e\u003cstrong\u003eAssessing Cybersecurity Vulnerabilities in Higher Education Institutions: A Comparative Perspective\u003c/strong\u003e\u003c/p\u003e","fulltext":[{"header":"Introduction","content":"\u003cp\u003eHigher Education Institutions (HEIs) are increasingly dependent on digital technologies to support academic, 
administrative, and research activities. Universities and colleges manage vast amounts of sensitive information, including student records, financial data, intellectual property, and research datasets. As a result, they have become attractive targets for cybercriminals. A comparative cybersecurity risk assessment in higher education reveals that while institutions differ in size, resources, and technological maturity, they share several common vulnerabilities and face similar security challenges.\u003c/p\u003e \u003cp\u003eOne of the most prevalent risks in higher education is phishing and social engineering attacks. Faculty members, students, and administrative staff frequently use email and online collaboration platforms, making them susceptible to deceptive messages designed to steal credentials or distribute malware. The open and collaborative culture of universities often prioritizes accessibility over strict security controls, which increases the success rate of such attacks. In comparative assessments, institutions with limited cybersecurity awareness training programs tend to experience higher rates of phishing incidents.\u003c/p\u003e \u003cp\u003eAnother significant threat is ransomware attacks. HEIs often operate complex IT environments with legacy systems, decentralized networks, and numerous endpoints. Attackers exploit unpatched vulnerabilities to encrypt critical data and demand payment for its release. Smaller institutions, in particular, may lack advanced intrusion detection systems and robust backup strategies, making recovery more difficult and costly. Comparative studies show that institutions with well-implemented incident response plans and regular data backups demonstrate greater resilience against ransomware disruptions.\u003c/p\u003e \u003cp\u003eData breaches also pose a serious risk. Universities store personally identifiable information (PII), financial records, and research data that can be monetized or misused. 
Unauthorized access due to weak authentication mechanisms, misconfigured cloud services, or insider threats can result in large-scale data exposure. Institutions engaged in high-value research projects may also face risks of intellectual property theft, especially in collaborative international research environments (Lee et al.,2023).The increasing adoption of cloud computing and third-party services introduces additional vulnerabilities. While cloud solutions provide scalability and cost efficiency, they also expand the attack surface. Misconfiguration of cloud storage, inadequate vendor security assessments, and lack of continuous monitoring can lead to unauthorized data access. Comparative assessments reveal that institutions with formal vendor risk management frameworks and clear data governance policies are better equipped to manage third-party risks.\u003c/p\u003e \u003cp\u003eAnother common challenge is the rapid growth of Bring Your Own Device (BYOD) practices. Students and staff connect personal laptops, smartphones, and tablets to campus networks. Without proper endpoint security controls, these devices may introduce malware or serve as entry points for attackers. Institutions with centralized device management systems and network segmentation strategies tend to experience fewer network-wide compromises.\u003c/p\u003e \u003cp\u003eFurthermore, insufficient cybersecurity awareness and training remain critical concerns. Human error is often the weakest link in the security chain. HEIs that invest in regular awareness campaigns, simulated phishing exercises, and mandatory training programs demonstrate improved security posture compared to those that rely solely on technical safeguards.\u003c/p\u003e \u003cp\u003eBudget constraints also influence cybersecurity preparedness. Public universities and smaller colleges may struggle to allocate sufficient resources for advanced security infrastructure, skilled personnel, and continuous monitoring systems. 
Comparative risk assessments highlight disparities between well-funded research universities and resource-limited institutions in their ability to implement comprehensive cybersecurity frameworks.\u003c/p\u003e \u003cp\u003eHence in the higher education institutions share common cybersecurity risks, including phishing, ransomware, data breaches, cloud misconfigurations, BYOD vulnerabilities, and limited user awareness. A comparative assessment underscores the importance of proactive risk management, continuous training, strong governance policies, and investment in resilient security infrastructures. Addressing these challenges is essential to safeguarding academic integrity, protecting sensitive information, and ensuring institutional continuity in an increasingly digital academic environment.\u003c/p\u003e \u003cp\u003eA comparative cybersecurity risk assessment in Higher Education Institutions (HEIs) can be effectively conducted using Partial Least Squares Structural Equation Modeling (PLS-SEM). PLS-SEM is a variance-based statistical technique widely applied in social sciences and information systems research to analyze complex relationships among latent constructs. In the context of cybersecurity, it enables researchers to model and compare multiple risk factors, organizational practices, and their impacts on institutional security performance.\u003c/p\u003e \u003cp\u003eThe key latent constructs may include Perceived Cybersecurity Threats, Technical Safeguards, Human Factors, Governance and Policy Effectiveness, andIncident Response Capability. Each construct is measured through multiple observed indicators collected via structured surveys from IT administrators, faculty members, and security officers across different institutions. 
PLS-SEM allows researchers to assess both the measurement model (validity and reliability of constructs) and the structural model (relationships among constructs) (Shekh et al., 2025).\u003c/p\u003e \u003cp\u003eUsing PLS-SEM for comparative analysis involves grouping HEIs based on characteristics such as size, funding level, or technological maturity. Multi-group analysis (MGA) can then be applied to examine whether structural path coefficients differ significantly between groups. For example, the impact of Human Factors on cybersecurity incidents may be stronger in smaller institutions, while Technical Safeguards may have a greater protective effect in well-funded universities .\u003c/p\u003e \u003cp\u003eThe advantages of PLS-SEM include its suitability for small to medium sample sizes, ability to handle complex models with multiple constructs, and minimal distributional assumptions. Additionally, it supports predictive modeling, which is useful for identifying high-risk areas within institutions (Otoom et al., \u003cspan citationid=\"CR17\" class=\"CitationRef\"\u003e2025\u003c/span\u003e).The implications of using PLS-SEM are substantial. It provides empirical evidence for prioritizing investments in cybersecurity controls, strengthening governance frameworks, and enhancing training programs. By identifying statistically significant relationships between risk factors and security outcomes, HEIs can adopt data-driven strategies to improve resilience against cyber threats while ensuring efficient resource allocation.\u003c/p\u003e \u003cp\u003eComparing risk levels across Higher Education Institutions (HEIs) reveals significant differences influenced by institutional size, funding capacity, technological infrastructure, and governance maturity. Large research-intensive universities typically manage extensive digital ecosystems, including research databases, cloud platforms, learning management systems, and international collaborations. 
While they often possess advanced security tools and dedicated cybersecurity teams, their broad attack surface increases exposure to sophisticated threats such as ransomware and intellectual property theft (Nik et al., 2025).In contrast, smaller colleges and regional institutions usually operate with limited IT budgets and fewer specialized security personnel. Although their digital infrastructure may be less complex, inadequate security controls, outdated systems, and limited monitoring capabilities can result in higher vulnerability to phishing attacks, credential compromise, and data breaches. The absence of structured risk management frameworks often amplifies these weaknesses.\u003c/p\u003e \u003cp\u003ePublic institutions may face additional bureaucratic constraints that delay technology upgrades, whereas private universities may demonstrate greater flexibility in implementing modern security solutions. Institutions with formal cybersecurity governance policies, regular risk assessments, and incident response planning consistently show lower overall risk levels compared to those relying solely on reactive measures (E.Berkiet et al., 2017) .Overall, comparative analysis indicates that cybersecurity risk is not solely determined by institutional size but by the balance between technological exposure, resource allocation, policy enforcement, and organizational awareness.\u003c/p\u003e"},{"header":"Literature Review","content":"\u003cp\u003eCybersecurity in higher education institutions (HEIs) has emerged as a critical area of concern due to the increasing frequency, sophistication, and impact of cyber threats. Unlike typical corporate environments, universities and colleges possess unique vulnerabilities arising from their open network environments, diverse user groups, and rich intellectual property, making risk assessment both complex and essential. 
This review synthesizes key research on cybersecurity risk assessment frameworks, institutional challenges, and broader implications for policy and practice.\u003c/p\u003e \u003cp\u003eThe literature consistently highlights the distinct characteristics of HEIs that complicate cybersecurity risk management. As pointed out by Ahmad et al. (\u003cspan citationid=\"CR1\" class=\"CitationRef\"\u003e2019\u003c/span\u003e), universities must balance the openness necessary for academic collaboration with robust security controls, a duality that commercial organizations do not typically face. Open access policies, extensive BYOD (Bring Your Own Device) usage, and decentralized IT governance create a broad attack surface, complicating both detection and mitigation efforts (Sommestad et al., \u003cspan citationid=\"CR23\" class=\"CitationRef\"\u003e2014\u003c/span\u003e).\u003c/p\u003e \u003cp\u003eHEIs also house disparate systems, from learning management systems to research databases, each with different security postures and protection requirements. Gibson \u0026amp; Warnaby (\u003cspan citationid=\"CR10\" class=\"CitationRef\"\u003e2020\u003c/span\u003e) argue that this heterogeneity undermines consolidated risk assessment, inhibiting institutions\u0026rsquo; ability to identify and prioritize vulnerabilities effectively. This complexity underscores the need for tailored risk assessment models that account for academic environments rather than adopting generic corporate methodologies.\u003c/p\u003e \u003cp\u003eSeveral frameworks exist for assessing cybersecurity risk, but their applicability varies within the context of HEIs. Traditional models such as NIST\u0026rsquo;s Risk Management Framework and ISO/IEC 27005 provide structured approaches to identifying, analyzing, and evaluating risks (Stoneburner et al., \u003cspan citationid=\"CR24\" class=\"CitationRef\"\u003e2002\u003c/span\u003e; ISO, 2018). 
However, these frameworks often assume centralized control and mature security infrastructures, assumptions seldom valid in higher education settings.\u003c/p\u003e \u003cp\u003eResearch by Khan \u0026amp; Khan (\u003cspan citationid=\"CR11\" class=\"CitationRef\"\u003e2021\u003c/span\u003e) suggests that HEIs benefit from hybrid models that combine quantitative and qualitative assessments to capture both measurable threats and contextual nuances. For instance, quantitative scoring can evaluate system vulnerabilities and exploit likelihood, while qualitative assessments consider organizational behaviors, governance gaps, and user perceptions. The STRIDE and FAIR models, when adapted with academic-specific parameters, have shown promise in creating more nuanced risk profiles (Sharma et al., \u003cspan citationid=\"CR18\" class=\"CitationRef\"\u003e2022\u003c/span\u003e).\u003c/p\u003e \u003cp\u003eDespite these advances, scholars emphasize the challenge of data collection and accuracy within HEIs. As pointed out by Whitley \u0026amp; Hosein (\u003cspan citationid=\"CR27\" class=\"CitationRef\"\u003e2017\u003c/span\u003e), insufficient logging, fragmented data sources, and an inconsistent reporting culture impede the reliability of risk assessments. Consequently, many institutions underestimate their risk exposure or misallocate resources toward lower-impact threats.\u003c/p\u003e \u003cp\u003eA recurring theme in the literature is the role of human behavior in cybersecurity risk. HEIs attract a transient population of students, faculty, and researchers, each with variable cybersecurity awareness and compliance behaviors. Research by Alqahtani et al. 
(\u003cspan citationid=\"CR2\" class=\"CitationRef\"\u003e2020\u003c/span\u003e) indicates that students often lack basic cybersecurity practices, such as strong password hygiene, making them susceptible to phishing attacks, which are among the most common vectors in academic environments.\u003c/p\u003e \u003cp\u003eSocial engineering remains a top concern. A study by Brown \u0026amp; Gomm (\u003cspan citationid=\"CR5\" class=\"CitationRef\"\u003e2021\u003c/span\u003e) found that phishing attacks targeting HEIs increased by over 60% between 2018 and 2021, with attackers exploiting academic calendars (e.g., registration deadlines) to increase legitimacy. These findings underscore the need to integrate behavioral risk indicators into assessment frameworks, moving beyond a pure focus on technological vulnerabilities.\u003c/p\u003e \u003cp\u003eEffective cybersecurity risk assessment in HEIs cannot be decoupled from institutional governance and policy frameworks. Many institutions struggle with fragmented governance, where IT security responsibilities are distributed among departments without centralized oversight. According to Wright et al. (\u003cspan citationid=\"CR28\" class=\"CitationRef\"\u003e2018\u003c/span\u003e), this siloed approach reduces accountability and leads to inconsistent security practices.\u003c/p\u003e \u003cp\u003ePolicy gaps also undermine risk assessment. A cross-institutional study by Lee et al. (\u003cspan citationid=\"CR12\" class=\"CitationRef\"\u003e2023\u003c/span\u003e) revealed that nearly 45% of sampled universities lacked formal incident response policies, while others had outdated protocols misaligned with current threat landscapes. This lack of standardized procedures stymies timely risk identification and response coordination, amplifying potential impact.\u003c/p\u003e \u003cp\u003eCultural resistance to security policies poses another barrier. 
Academic freedom and autonomy, core values of universities, sometimes clash with stringent cybersecurity controls (Morris \u0026amp; Vines, \u003cspan citationid=\"CR13\" class=\"CitationRef\"\u003e2019\u003c/span\u003e). Faculty members may resist restrictions perceived to inhibit research integrity, while students may view security prompts as impediments to learning. This cultural dimension must be factored into any risk assessment model, as policies without buy-in cannot achieve effective implementation.\u003c/p\u003e \u003cp\u003eEmerging technologies such as artificial intelligence (AI), cloud computing, and Internet of Things (IoT) devices introduce both opportunities and risks. Cloud adoption promises adaptive security capabilities and centralized threat intelligence, yet it also shifts risk profiles and necessitates new assessment criteria. HEIs integrating cloud-based services must reassess traditional perimeters and consider shared responsibility models (Sun et al., \u003cspan citationid=\"CR25\" class=\"CitationRef\"\u003e2022\u003c/span\u003e).\u003c/p\u003e \u003cp\u003eSimilarly, the proliferation of IoT devices, from smart labs to campus access controls, expands the attack surface. Research by Vinayak \u0026amp; Kaur (\u003cspan citationid=\"CR26\" class=\"CitationRef\"\u003e2021\u003c/span\u003e) highlights that many institutions lack inventory systems for tracking IoT endpoints, complicating vulnerability assessments. Future risk frameworks will need dynamic asset discovery and continuous monitoring to adapt to these environments.\u003c/p\u003e \u003cp\u003eThe literature emphasizes that effective risk assessment in HEIs must be multidimensional, incorporating technological, human, and governance factors. Scholars advocate for integrated risk management strategies that combine robust technical controls with user education, centralized governance, and adaptive policy structures. 
Training campaigns tailored to academic audiences can reduce human-centric risk factors, while cross-departmental coordination improves visibility and accountability.\u003c/p\u003e \u003cp\u003eMoreover, collaboration across universities, sharing threat intelligence and best practices, is identified as a promising path forward. Consortiums like EDUCAUSE exemplify collective defense models that leverage shared insights to enhance risk assessment and response capabilities.\u003c/p\u003e "},{"header":"Methodology","content":"\u003cdiv id=\"Sec3\" class=\"Section2\"\u003e \u003cp\u003eThis study adopts a quantitative approach to evaluate cybersecurity risks in higher education institutions (HEIs), using Partial Least Squares Structural Equation Modeling (PLS-SEM) as the primary analytical tool. PLS-SEM is chosen for its capability to handle complex models, small-to-medium sample sizes, and non-normal data distributions, making it ideal for assessing multiple risk factors simultaneously. The methodology integrates multiple statistical techniques, including reliability and validity assessment, path analysis, and multi-group comparison (Khan et al., 2021).\u003c/p\u003e \u003c/div\u003e\n\u003ch3\u003eResearch Design and Sample\u003c/h3\u003e\n\u003cp\u003e \u003c/p\u003e\n\u003ch3\u003eInstrument Development\u003c/h3\u003e\n\u003cp\u003eThe questionnaire consisted of five key constructs influencing cybersecurity risk:\u003c/p\u003e \u003cp\u003e \u003col\u003e \u003cspan\u003e \u003cli\u003e \u003cp\u003eTechnical Vulnerability (TV)\u003c/p\u003e \u003c/li\u003e \u003c/span\u003e \u003cspan\u003e \u003cli\u003e \u003cp\u003eOrganizational Policy Effectiveness (OPE)\u003c/p\u003e \u003c/li\u003e \u003c/span\u003e \u003cspan\u003e \u003cli\u003e \u003cp\u003eUser Behavior (UB)\u003c/p\u003e \u003c/li\u003e \u003c/span\u003e \u003cspan\u003e \u003cli\u003e \u003cp\u003eIncident Response Capability (IRC)\u003c/p\u003e \u003c/li\u003e \u003c/span\u003e \u003cspan\u003e 
\u003cli\u003e \u003cp\u003eExternal Threat Exposure (ETE)\u003c/p\u003e \u003c/li\u003e \u003c/span\u003e \u003c/ol\u003e \u003c/p\u003e \u003cp\u003eEach construct was measured with 3\u0026ndash;5 indicators on a five-point Likert scale. For example, for TV, one indicator was: \u0026ldquo;Our institution\u0026rsquo;s IT systems are regularly updated to patch vulnerabilities,\u0026rdquo; rated from 1 (strongly disagree) to 5 (strongly agree). A pilot test with 30 participants was conducted to ensure clarity, and reliability was evaluated using Cronbach\u0026rsquo;s alpha (\u0026gt;\u0026thinsp;0.7) and composite reliability (\u0026gt;\u0026thinsp;0.7) as shown in Fig.\u0026nbsp;\u003cspan refid=\"Fig1\" class=\"InternalRef\"\u003e1\u003c/span\u003e.\u003c/p\u003e\n\u003ch3\u003eData Preparation\u003c/h3\u003e\n\u003cp\u003eData cleaning involved removing incomplete responses and outliers. Missing values (\u0026lt;\u0026thinsp;5%) were replaced using mean imputation. Normality, linearity, and multicollinearity were checked; no violations were observed. Descriptive statistics summarized demographics and institutional characteristics (Afolalu et al., 2025).\u003c/p\u003e\n\u003ch3\u003eStep-by-Step PLS-SEM Analysis\u003c/h3\u003e\n\u003cdiv id=\"Sec8\" class=\"Section2\"\u003e \u003ch2\u003eStep 1: Measurement Model Assessment\u003c/h2\u003e \u003cp\u003eIndicator reliability and construct validity are critical components in evaluating the measurement model within Partial Least Squares Structural Equation Modeling (PLS-SEM). Indicator reliability assesses how strongly each observed variable represents its associated latent construct. In this study, indicator loadings were examined to determine the reliability of the measurement items. All indicator loadings exceeded the recommended threshold of 0.70, indicating strong correlations between the indicators and their respective constructs. 
For example, the indicators for Technical Vulnerability (TV) demonstrated satisfactory reliability with loadings such as TV1\u0026thinsp;=\u0026thinsp;0.82 and TV2\u0026thinsp;=\u0026thinsp;0.85. These values confirm that the indicators adequately capture the underlying concept and contribute meaningfully to the construct measurement. Hence, all outer loadings exceed the recommended threshold of 0.70 and AVE values are greater than 0.50, confirming satisfactory indicator reliability and convergent validity.\u003c/p\u003e \u003cp\u003e \u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab1\" border=\"1\"\u003e \u003ccaption language=\"En\"\u003e \u003cdiv class=\"CaptionNumber\"\u003eTable 1\u003c/div\u003e \u003cdiv class=\"CaptionContent\"\u003e \u003cp\u003eIndicator Reliability and Convergent Validity\u003c/p\u003e \u003c/div\u003e \u003c/caption\u003e \u003ccolgroup cols=\"5\"\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c4\" colnum=\"4\"\u003e\u003c/div\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c5\" colnum=\"5\"\u003e\u003c/div\u003e \u003cthead\u003e \u003ctr\u003e \u003cth align=\"left\" colname=\"c1\"\u003e \u003cp\u003eConstruct\u003c/p\u003e \u003c/th\u003e \u003cth align=\"left\" colname=\"c2\"\u003e \u003cp\u003eIndicator\u003c/p\u003e \u003c/th\u003e \u003cth align=\"left\" colname=\"c3\"\u003e \u003cp\u003eOuter Loading\u003c/p\u003e \u003c/th\u003e \u003cth align=\"left\" colname=\"c4\"\u003e \u003cp\u003eAVE\u003c/p\u003e \u003c/th\u003e \u003cth align=\"left\" colname=\"c5\"\u003e \u003cp\u003eReliability Interpretation\u003c/p\u003e \u003c/th\u003e \u003c/tr\u003e \u003c/thead\u003e \u003ctbody\u003e \u003ctr\u003e \u003ctd 
align=\"left\" colname=\"c1\"\u003e \u003cp\u003eTechnical Vulnerability (TV)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eTV1\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003e0.82\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e \u003ctd align=\"left\" colname=\"c5\"\u003e \u003cp\u003eReliable\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eTechnical Vulnerability (TV)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eTV2\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003e0.85\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003e0.68\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c5\"\u003e \u003cp\u003eReliable\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eTechnical Vulnerability (TV)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eTV3\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003e0.79\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e \u003ctd align=\"left\" colname=\"c5\"\u003e \u003cp\u003eReliable\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eOrganizational Policy Effectiveness (OPE)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eOPE1\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003e0.81\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e \u003ctd align=\"left\" colname=\"c5\"\u003e \u003cp\u003eReliable\u003c/p\u003e \u003c/td\u003e 
\u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eOrganizational Policy Effectiveness (OPE)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eOPE2\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003e0.84\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003e0.66\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c5\"\u003e \u003cp\u003eReliable\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eOrganizational Policy Effectiveness (OPE)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eOPE3\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003e0.77\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e \u003ctd align=\"left\" colname=\"c5\"\u003e \u003cp\u003eReliable\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eUser Behavior (UB)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eUB1\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003e0.80\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e \u003ctd align=\"left\" colname=\"c5\"\u003e \u003cp\u003eReliable\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eUser Behavior (UB)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eUB2\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003e0.83\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003e0.65\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" 
colname=\"c5\"\u003e \u003cp\u003eReliable\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eUser Behavior (UB)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eUB3\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003e0.78\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e \u003ctd align=\"left\" colname=\"c5\"\u003e \u003cp\u003eReliable\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eIncident Response Capability (IRC)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eIRC1\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003e0.86\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e \u003ctd align=\"left\" colname=\"c5\"\u003e \u003cp\u003eReliable\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eIncident Response Capability (IRC)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eIRC2\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003e0.84\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003e0.70\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c5\"\u003e \u003cp\u003eReliable\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eIncident Response Capability (IRC)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eIRC3\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003e0.82\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" 
colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e \u003ctd align=\"left\" colname=\"c5\"\u003e \u003cp\u003eReliable\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eExternal Threat Exposure (ETE)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eETE1\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003e0.81\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e \u003ctd align=\"left\" colname=\"c5\"\u003e \u003cp\u003eReliable\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eExternal Threat Exposure (ETE)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eETE2\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003e0.83\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003e0.67\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c5\"\u003e \u003cp\u003eReliable\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eExternal Threat Exposure (ETE)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eETE3\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003e0.79\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e \u003ctd align=\"left\" colname=\"c5\"\u003e \u003cp\u003eReliable\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003c/tbody\u003e \u003c/colgroup\u003e \u003c/table\u003e\u003c/div\u003e \u003c/p\u003e \u003cp\u003eConvergent validity was evaluated using 
the Average Variance Extracted (AVE), which measures the extent to which a construct explains the variance of its indicators. An AVE value greater than 0.50 indicates that the construct explains more than half of the variance of its indicators. In this analysis, the AVE for Technical Vulnerability (TV) was 0.68, exceeding the recommended threshold and confirming strong convergent validity.\u003c/p\u003e \u003cp\u003eDiscriminant validity was assessed using the Fornell\u0026ndash;Larcker criterion to ensure that each construct is distinct from other constructs in the model. According to this criterion, the square root of the AVE for each construct must be greater than its correlations with other constructs. The results satisfied this condition, confirming that the constructs in the model are conceptually and statistically distinct.\u003c/p\u003e \u003c/div\u003e\n\u003ch3\u003eStep 2: Structural Model Assessment\u003c/h3\u003e\n\u003cp\u003eStep 2 of Structural Model Assessment focuses on evaluating the relationships among latent constructs using quantitative measures. The strength of each hypothesized relationship is represented by the standardized path coefficient (β). For example, the relationship TV \u0026rarr; ETE with β\u0026thinsp;=\u0026thinsp;0.42 indicates a positive moderate effect, meaning that a one-unit increase in TV leads to a 0.42 unit increase in ETE, assuming other variables are constant. Statistical significance is assessed through bootstrapping with 5,000 resamples, generating t-values and p-values. 
A path is considered significant if p\u0026thinsp;\u0026lt;\u0026thinsp;0.05 (e.g., p\u0026thinsp;\u0026lt;\u0026thinsp;0.01 confirms strong significance).\u003c/p\u003e \u003cp\u003eThe explanatory power of the model is evaluated using the coefficient of determination:\u003c/p\u003e \u003cp\u003eAn R\u0026sup2; value of 0.53 for ETE implies that 53% of the variance in ETE is explained by its predictors, indicating moderate predictive accuracy.\u003c/p\u003e \u003cp\u003eEffect size (f\u0026sup2;) measures the contribution of each exogenous construct:\u003c/p\u003e \u003cp\u003eFor instance, f\u0026sup2; = 0.12 for OPE \u0026rarr; UB suggests a small-to-moderate effect. Generally, f\u0026sup2; values of 0.02, 0.15, and 0.35 represent small, medium, and large effects respectively. Together, these metrics validate both the strength and reliability of the structural model.\u003c/p\u003e \u003cp\u003e \u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab2\" border=\"1\"\u003e \u003ccaption language=\"En\"\u003e \u003cdiv class=\"CaptionNumber\"\u003eTable 2\u003c/div\u003e \u003cdiv class=\"CaptionContent\"\u003e \u003cp\u003eStructural Model Results (Path Coefficients, R\u0026sup2;, f\u0026sup2;, and Significance)\u003c/p\u003e \u003c/div\u003e \u003c/caption\u003e \u003ccolgroup cols=\"5\"\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c4\" colnum=\"4\"\u003e\u003c/div\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c5\" colnum=\"5\"\u003e\u003c/div\u003e \u003cthead\u003e \u003ctr\u003e \u003cth align=\"left\" colname=\"c1\"\u003e \u003cp\u003eAssessment Criteria\u003c/p\u003e \u003c/th\u003e \u003cth align=\"left\" colname=\"c2\"\u003e 
\u003cp\u003eRelationship / Variable\u003c/p\u003e \u003c/th\u003e \u003cth align=\"left\" colname=\"c3\"\u003e \u003cp\u003eValue\u003c/p\u003e \u003c/th\u003e \u003cth align=\"left\" colname=\"c4\"\u003e \u003cp\u003eMathematical Meaning\u003c/p\u003e \u003c/th\u003e \u003cth align=\"left\" colname=\"c5\"\u003e \u003cp\u003eInterpretation\u003c/p\u003e \u003c/th\u003e \u003c/tr\u003e \u003c/thead\u003e \u003ctbody\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003ePath Coefficient (β)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eTV \u0026rarr; ETE\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003e0.42\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003eΔETE\u0026thinsp;=\u0026thinsp;0.42\u0026thinsp;\u0026times;\u0026thinsp;ΔTV\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c5\"\u003e \u003cp\u003eModerate positive effect\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eSignificance (p-value)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eTV \u0026rarr; ETE\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003ep\u0026thinsp;\u0026lt;\u0026thinsp;0.01\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003eDerived via bootstrapping (5,000 resamples)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c5\"\u003e \u003cp\u003eStatistically significant\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eBootstrapping\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eAll paths\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003e5,000 samples\u003c/p\u003e \u003c/td\u003e \u003ctd 
align=\"left\" colname=\"c4\"\u003e \u003cp\u003eResampling for standard error \u0026amp; t-values\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c5\"\u003e \u003cp\u003eEnsures robustness\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eCoefficient of Determination (R\u0026sup2;)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eETE\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003e0.53\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003eVariance explained by predictors\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c5\"\u003e \u003cp\u003eModerate explanatory power\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eEffect Size (f\u0026sup2;)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eOPE \u0026rarr; UB\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003e0.12\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003ef\u0026sup2; = (R\u0026sup2; included\u0026thinsp;\u0026minus;\u0026thinsp;R\u0026sup2; excluded) / (1\u0026thinsp;\u0026minus;\u0026thinsp;R\u0026sup2; included)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c5\"\u003e \u003cp\u003eSmall-to-moderate effect\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eEffect Size Thresholds\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eGeneral\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003e0.02 / 0.15 / 0.35\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003eSmall / Medium / Large effects\u003c/p\u003e \u003c/td\u003e 
\u003ctd align=\"left\" colname=\"c5\"\u003e \u003cp\u003eBenchmark values\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003c/tbody\u003e \u003c/colgroup\u003e \u003c/table\u003e\u003c/div\u003e \u003c/p\u003e\n\u003ch3\u003eStep 3: Multi-Group Analysis (MGA)\u003c/h3\u003e\n\u003cp\u003eStep 3 involves Multi-Group Analysis (MGA) to examine whether structural relationships differ between groups, such as public and private Higher Education Institutions (HEIs). MGA is essential for identifying group-specific variations in perceptions and behavioral patterns, particularly in risk perception. In this step, the dataset is divided into two groups (public vs. private), and the structural model is estimated separately for each group.\u003c/p\u003e \u003cp\u003eFor example, the path coefficient from UB \u0026rarr; IRC is 0.35 for public HEIs and 0.50 for private HEIs. Mathematically, this indicates that a one-unit increase in UB leads to a 0.35 unit increase in IRC in public institutions, while the same increase results in a 0.50 unit change in private institutions. The difference in coefficients (Δβ\u0026thinsp;=\u0026thinsp;0.50\u0026thinsp;\u0026minus;\u0026thinsp;0.35\u0026thinsp;=\u0026thinsp;0.15) suggests a stronger influence in private HEIs.\u003c/p\u003e \u003cp\u003eStatistical significance of this difference is typically tested using bootstrapping procedures. If the p-value of the difference is less than 0.05, the variation is considered significant. 
Thus, MGA helps confirm whether institutional type moderates the relationship between variables.

Example Interpretation

For instance, if Technical Vulnerability (TV) has a significant path to External Threat Exposure (ETE) (β = 0.42, t = 4.1, p < 0.01), it indicates that higher system vulnerabilities significantly increase exposure to cyber threats. Decision-makers can prioritize system updates and risk mitigation strategies accordingly (Whitley et al., 2017). This stepwise methodology demonstrates how PLS-SEM integrates multiple statistical techniques, including reliability, validity, path analysis, bootstrapping, effect size, and multi-group comparison, to produce a comprehensive assessment of cybersecurity risks in HEIs.

Ethical Considerations

The study strictly adhered to ethical standards, ensuring informed consent, voluntary participation, and data confidentiality.
All responses were anonymized, and the research protocol received approval from the relevant institutional ethics committee (Stoneburner et al., 2002). This methodology allows for a rigorous, multi-layered assessment of cybersecurity risks in HEIs, integrating robust statistical techniques with the flexibility and predictive power of PLS-SEM, thereby providing actionable insights for policymakers and IT administrators.

The methodology employing PLS-SEM provides a rigorous, data-driven basis for identifying, evaluating, and prioritizing cybersecurity risks in higher education institutions (HEIs) (Shekh et al., 2025). The PLS-SEM analysis revealed which constructs have statistically significant impacts on cybersecurity risk. For instance, Technical Vulnerability (TV) shows a direct and significant relationship with External Threat Exposure (ETE) (β = 0.42, p < 0.01), indicating that weaknesses in system configurations and outdated software considerably increase susceptibility to cyber threats. Additionally, Organizational Policy Effectiveness (OPE) and User Behavior (UB) indirectly influence risk through their effects on Incident Response Capability (IRC) and ETE. This demonstrates that while policies and user practices may not always cause immediate exposure, they are crucial in shaping institutional resilience and the effectiveness of incident responses (Otoom et al., 2025).

Path coefficients (β) and effect sizes (f²) allow decision-makers to rank the influence of various risk factors.
For example, Incident Response Capability (IRC) has a strong effect on mitigating external threats (β = 0.50, p < 0.01), highlighting the importance of robust response protocols, rapid detection systems, and skilled IT personnel. These insights help institutions focus their resources on the most impactful areas for cybersecurity improvement.

The metric's explanatory power is supported by R² values, such as R² = 0.53 for ETE, indicating that over half of the variance in external threat exposure can be explained by the selected constructs. Additionally, the predictive relevance (Q² = 0.36) confirms the model's ability to generate reliable forecasts, providing a strong foundation for evidence-based decision-making, as shown in Fig. 2.

The analysis guides strategic interventions. Institutions with weaker technical defenses or less effective policies are at higher risk. Resource allocation can be optimized by prioritizing system upgrades, strengthening cybersecurity policies, and implementing targeted user training programs.
Multi-group analysis (MGA) further highlights differences between public and private HEIs, supporting tailored strategies for each institutional context (Morris et al., 2019).

Stepwise Decision-Making

1. Identify constructs with the strongest influence on external threats.
2. Determine which factors can be modified through policy, training, or technical improvements.
3. Prioritize interventions based on significance and effect size.
4. Implement actions and continuously monitor risk metrics through repeated PLS-SEM evaluations to ensure effectiveness and adaptive improvement.

Overall, this methodology enables HEIs to make evidence-based, targeted, and sustainable decisions to reduce cybersecurity risks effectively.

Discussion

The structural model shows that Technical Vulnerability (TV) significantly influences Incident Response Capability (IRC) (β = 0.42, p < 0.01) and indirectly affects External Threat Exposure (ETE) through organizational and behavioral pathways. Additionally, Organizational Policy Effectiveness (OPE) positively affects User Behavior (UB) (β = 0.36, p < 0.05), while IRC strongly reduces or manages ETE (β = 0.50, p < 0.01).
The model explains 53% of the variance in ETE (R² = 0.53), demonstrating substantial predictive power. Figure 2 further confirms statistical robustness through path coefficients, effect sizes (f²), predictive relevance (Q²), and multi-group comparisons between public and private institutions.

Societal Impact

Higher education institutions (HEIs) are central to societal development. They store sensitive student data, research findings, financial information, and intellectual property. When technical vulnerabilities remain unaddressed, external threat exposure increases, potentially leading to data breaches, identity theft, and research compromise. Such incidents undermine public trust in educational systems.

The model indicates that organizational policy effectiveness improves user behavior, which in turn strengthens incident response capability. This suggests that cybersecurity awareness training, institutional policies, and governance structures directly shape how users (students, faculty, and staff) respond to cyber risks. From a societal perspective, this creates a culture of cybersecurity responsibility. Universities not only protect their own systems but also educate digitally responsible citizens who carry secure practices into society and the workforce (Lee et al., 2023). Moreover, compromised university systems may disrupt academic continuity, including online learning platforms, research collaborations, and administrative systems. In developing countries, where digital infrastructure is still maturing, cyber disruptions can widen the digital divide. Public institutions, often resource-constrained, may experience higher vulnerability, which could lead to inequitable educational access.
The multi-group comparison in Fig. 2 highlights institutional differences, implying that policy interventions must be context-specific (Khan et al., 2021). Cybersecurity failures can also threaten national security when university research in areas such as artificial intelligence, biotechnology, and defense-related technologies is targeted. Therefore, strengthening IRC and OPE contributes to broader societal resilience.

Economic Impact

The economic implications are substantial. HEIs contribute significantly to national economies through research output, innovation ecosystems, and skilled workforce development. Cyberattacks can result in direct financial losses, including system recovery costs, legal penalties, regulatory fines, and reputational damage (Fouad, 2021). The path coefficient results show that incident response capability has the strongest effect on external threat exposure (β = 0.50). This implies that investment in structured response mechanisms, digital forensics, and cybersecurity infrastructure yields high economic returns by minimizing breach impact. The effect size metrics (Fig. 2) confirm that TV, UB, and IRC have meaningful impact strengths, justifying targeted investment decisions.

Additionally, research funding agencies and international collaborators increasingly require robust cybersecurity compliance. Institutions with weak policy frameworks may lose funding opportunities. In contrast, effective organizational policy and behavioral compliance enhance institutional credibility, attracting partnerships and grants (Berki et al., 2017). There are also indirect economic consequences.
Data breaches affecting student information can lead to identity fraud, financial loss for individuals, and litigation costs for institutions. If repeated incidents occur, enrollment rates may decline, reducing tuition revenue and affecting long-term financial sustainability (Cheng et al., 2022).

The predictive relevance (Q²) and R² values shown in Fig. 2 indicate that the model has strong explanatory and predictive capability. This supports evidence-based policymaking. Governments and regulatory bodies can use such assessment models to allocate cybersecurity funding efficiently, especially when comparing public and private HEIs (Aliyu et al., 2020). Overall, the figures demonstrate that cybersecurity risk management in higher education is not merely a technical issue but a socio-economic imperative. Strengthening organizational policies, improving user behavior, and enhancing incident response capability reduce external threat exposure, protect public trust, safeguard economic investments, and ensure sustainable digital transformation in higher education (Brown et al., 2021).

Conclusion

This study provides a comprehensive comparative cybersecurity risk assessment in Higher Education Institutions (HEIs) by integrating empirical evidence, theoretical perspectives, and quantitative modeling using Partial Least Squares Structural Equation Modeling (PLS-SEM). The findings confirm that cybersecurity risk in HEIs is multidimensional, shaped by technical vulnerabilities, organizational policies, human behavior, and institutional response capabilities.
Rather than being solely a technological issue, cybersecurity in academic environments is deeply embedded within governance structures, cultural norms, and resource allocation strategies. The structural model demonstrates that Technical Vulnerability (TV) significantly increases External Threat Exposure (ETE), both directly and indirectly through Incident Response Capability (IRC). Institutions with outdated systems, weak patch management, and decentralized IT infrastructures face greater susceptibility to ransomware, phishing, and data breaches. However, the results also reveal that strong Incident Response Capability has the most substantial mitigating effect on threat exposure. This highlights the importance of proactive monitoring systems, structured response plans, regular backups, and skilled cybersecurity personnel in reducing institutional risk.

Organizational Policy Effectiveness (OPE) plays an indirect yet crucial role. Effective governance frameworks positively influence User Behavior (UB), which in turn enhances incident response processes and overall resilience. This underscores that cybersecurity awareness training, clear policies, compliance enforcement, and leadership commitment significantly shape institutional security posture. HEIs that align governance strategies with operational cybersecurity measures demonstrate stronger resilience compared to institutions relying solely on technical safeguards (Alqahtani et al., 2020). The model's explanatory power (R² = 0.53 for External Threat Exposure) and predictive relevance (Q² = 0.36) confirm the robustness of the integrated risk framework. These results suggest that more than half of the variation in external threat exposure can be explained by the identified constructs, validating the model's suitability for comparative institutional analysis.
Furthermore, effect size analysis (f²) enables prioritization of interventions by identifying the most impactful factors, ensuring efficient allocation of limited cybersecurity budgets (Sharma et al., 2022). The comparative dimension of this study reveals notable differences between public and private HEIs. While larger and well-funded institutions may possess advanced technological infrastructure, they also face expanded attack surfaces due to complex digital ecosystems. Conversely, smaller or resource-constrained institutions may experience higher vulnerability due to limited budgets, outdated systems, and insufficient cybersecurity personnel. These findings demonstrate that cybersecurity risk is not merely a function of institutional size but of strategic governance, resource optimization, and organizational culture (Nik et al., 2025).

From a societal perspective, strengthening cybersecurity in HEIs protects sensitive student data, research outputs, and intellectual property, thereby preserving public trust in academic institutions. Universities serve as knowledge hubs and innovation drivers; disruptions caused by cyber incidents can affect national research capacity, digital learning continuity, and even economic stability. Therefore, enhancing cybersecurity resilience contributes not only to institutional sustainability but also to broader socio-economic development (Sun et al., 2022; Nik et al., 2025).

Economically, cybersecurity breaches impose direct costs, including system restoration, regulatory penalties, reputational damage, and potential litigation. Indirect costs may include loss of research funding, reduced student enrollment, and diminished stakeholder confidence.
The empirical evidence suggests that investments in governance effectiveness, user training, and response capability yield measurable risk reduction outcomes. Consequently, HEIs must treat cybersecurity expenditure as a strategic investment rather than an operational cost.

This study also reinforces the methodological value of PLS-SEM in cybersecurity research. The approach effectively integrates measurement validation, structural path analysis, bootstrapping, and multi-group comparison, providing data-driven insights for policymakers and administrators. The framework offers a replicable model for continuous risk monitoring and strategic evaluation across different institutional contexts (Sun et al., 2022).

In conclusion, cybersecurity risk management in higher education requires a holistic and adaptive approach that integrates technological safeguards, behavioral awareness, institutional governance, and response preparedness. HEIs must adopt evidence-based decision-making frameworks to prioritize interventions and ensure sustainable digital transformation. Future research may expand the model by incorporating emerging threats such as AI-driven attacks, IoT vulnerabilities, and evolving regulatory environments.
By strengthening technical resilience, governance alignment, and user accountability, higher education institutions can safeguard academic integrity, protect critical data assets, and sustain their vital role in global knowledge advancement.

Declarations

COMPETING INTEREST

The authors declare that there are no competing interests associated with this work.

FUNDING

The authors declare that no funding was received for conducting this study.

AUTHORS' CONTRIBUTIONS

The study titled "Assessing Cybersecurity Vulnerabilities in Higher Education Institutions: A Comparative Perspective" was carried out with equal contributions from all authors. Responsibilities were distributed according to each author's area of expertise. All authors shared their thoughts in conceptualizing the research topic and conducted the review of relevant literature. They then designed the study methodology and analysis plan, performed the data analysis, and interpreted the study outcomes. In addition, they contributed substantially to the overall writing and refinement of the manuscript.

ACKNOWLEDGMENTS

The authors of the article titled "Assessing Cybersecurity Vulnerabilities in Higher Education Institutions: A Comparative Perspective" contributed equally to this study. The authors gratefully acknowledge the anonymous sources for providing the data used in this research.
They also extend sincere appreciation to all individuals who offered support and assistance at every stage of the study.

References

1. Ahmad A, Maynard SB, Park S (2019) Information security strategies: Towards an organizational multi-strategy perspective. J Intell Manuf 30(3):123–145
2. Alqahtani A, Mayhew P, Alshareef A (2020) Cybersecurity awareness and phishing susceptibility in higher education institutions. Computers Secur 94:101–118
3. Aliyu A, Maglaras L, He Y, Yevseyeva I, Boiten E, Cook A, Janicke H (2020) A Holistic Cybersecurity Maturity Assessment Framework for Higher Education Institutions in the United Kingdom. Appl Sci 10(10):3660. https://doi.org/10.3390/app10103660
4. Afolalu O, Tsoeu MS (2025) Cybersecurity in Higher Education Institutions: A Systematic Review of Emerging Trends, Challenges and Solutions. Future Internet 17(12):575. https://doi.org/10.3390/fi17120575
5. Brown G, Gomm R (2021) Phishing in higher education: Trends, impacts, and mitigation strategies. Inform Comput Secur 29(4):567–583
6. Cheng ECK, Wang T (2022) Institutional Strategies for Cybersecurity in Higher Education Institutions. Information 13(4):192. https://doi.org/10.3390/info13040192
7. Dietich N, Peters S, Park, Chakraborty S (2017) Estimating the Limits of CPU Power Management for Mobile Games. 2017 IEEE International Conference on Computer Design (ICCD), Boston, MA, USA. pp. 1–8
8. Berki E, Kandel C, Zhao Y, Chaudhary S (2017) A Comparative Study of Cyber-Security Knowledge in Higher Education Institutes of Five Countries. EDULEARN.17 Proceedings, pp. 2796–2806
9. Fouad NS (2021) Securing higher education against cyberthreats: from an institutional risk to a national policy challenge. J Cyber Policy 6(2):137–154. https://doi.org/10.1080/23738871.2021.1973526
10. Gibson H, Warnaby G (2020) Managing cybersecurity risks in decentralized IT environments. Int J Inf Manag 54:102–117
11. Khan N, Khan S (2021) Hybrid cybersecurity risk assessment models for academic institutions. J Cybersecur Technol 5(2):87–104
12. Lee J, Kim H, Park Y (2023) Governance gaps in cybersecurity policy implementation in universities. Computers Secur 124:102–130
13. Morris T, Vines R (2019) Academic freedom versus cybersecurity compliance: A cultural dilemma. Inform Secur Journal: Global Perspective 28(6):285–295
14. Nik Zulkarnaen Khidzir, Shekh Abdullah-Al-Musa Ahmed (2025) Guardians of Data: A Comprehensive Guide to Digital Data Protection. Taylor & Francis. ISBN 9781032995298
15. Khidzir NZ, Shekh Abdullah-al-Musa Ahmed, Tan Tse Guan (2018) Viewpoint of Probabilistic Risk Assessment in Artificial Enabled Social Engineering Attacks. BITARA Int J Civilizational Studies and Hum Sci 1(4):032–039
16. Ahmed NZKSA-A-M, Tan Tse Guan (2019) Management Policies for the Prevention Technique of Social Engineering (SoE) Attacks in the Organization. Int J Comput Sci Netw Secur 19(10):71–89. ISSN 1738-7906
17. Otoom AA, Atoum I, Al-Harahsheh H, Aljawarneh M, Al Refai MN, Baklizi M (2025) A collaborative cybersecurity framework for higher education. Inform Comput Secur 33(3):362–389. https://doi.org/10.1108/ICS-02-2024-0048
18. Sharma P, Chen L, Sheth A (2022) Comparative analysis of STRIDE and FAIR models in higher education cybersecurity risk assessment. IEEE Access 10:45678–45692
19. Ahmed SA-A-M, Md. Mahmudur Rahman, Shah Md. Baizid Habib, SiddikaUzra A (2024) MabiaAkondaJemi Towards the Unraveling of Zombie Effect in the [20]Linux kernel. International Journal of Global Optimization and Its Application, Vol. 3, No. 2, June 2024, pp. 75–80
20. Ahmed SA-A-M (2018) An Investigation of AI enabled SoE Attacking Impact in Higher Learning Institute: Structural Equation Modeling (SEM) Approach. Journal of Applied & Computational Mathematics, Nik Zulkarnaen Khidzir, Tan Tse Guan
21. Ahmed SA-A-M, Nik Zulkarnaen Khidzir, Tan Tse Guan (2018) Towards The Impact of Social Engineering (SoE) Attacking Risk Factors in Higher Learning Institute. J Eng Technol 6:1–5. ISSN 2231-8798
22. Ahmed SA-A-M, Md. Atiqur Rahman Sifat, Muhammad Imtiaz Ahmed, Fahmida Dipty (2025) Power Optimization Approaches in Mobile Operating Systems. International Journal of Advanced Network, Monitoring and Controls, Volume 10, No. 04, 2025
23. Sommestad T, Hallberg J, Lundholm K, Bengtsson J (2014) Variables influencing information security policy compliance: A systematic review. Inform Manage Comput Secur 22(1):42–75
24. Stoneburner G, Goguen A, Feringa A (2002) Risk management guide for information technology systems (NIST Special Publication 800-30). National Institute of Standards and Technology
25. Sun L, Zhang Y, Li H (2022) Cloud security risk assessment in higher education: Challenges and shared responsibility models. Future Generation Comput Syst 131:220–233
26. Vinayak S, Kaur R (2021) IoT security risk assessment in smart campus environments. J Netw Comput Appl 182:103–120
27. Whitley EA, Hosein G (2017) Doing impact assessments for information security and privacy risk. Comput Law Secur Rev 33(4):540–549
28. Wright D, Kreissl R, De Hert P (2018) Cybersecurity governance models in higher education institutions. Policy Internet 10(4):389–408

Institution: private and public institutions in Bangladesh, where data were taken anonymously
Keywords: Cybersecurity Risk Assessment, Higher Education Institutions, PLS-SEM, Technical Vulnerability, Organizational Policy, Incident Response Capability, External Threat Exposure
Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true}}],"origin":"","ownerIdentity":"a5cfb055-0b63-476c-91c5-53c6273cf494","owner":[],"postedDate":"March 23rd, 2026","published":true,"recentEditorialEvents":[],"rejectedJournal":[],"revision":"","amendment":"","status":"posted","subjectAreas":[],"tags":[],"updatedAt":"2026-03-23T10:32:08+00:00","versionOfRecord":[],"versionCreatedAt":"2026-03-23 10:32:08","video":"","vorDoi":"","vorDoiUrl":"","workflowStages":[]},"version":"v1","identity":"rs-9171940","journalConfig":"researchsquare"},"__N_SSP":true},"page":"/article/[identity]/[[...version]]","query":{"redirect":"/article/rs-9171940","identity":"rs-9171940","version":["v1"]},"buildId":"XKTyCvWXoU3ODBz1xrDgd","isFallback":false,"isExperimentalCompile":false,"dynamicIds":[84888],"gssp":true,"scriptLoader":[]}
