Information technologies bring users much convenience, but also risks and threats. According to statistics from IBM Security in 2020, the number of data breaches in that year increased by 10% compared with the past five years. Universities represent a special, open environment: their Internet access is open to anyone, unlike the strict network control practised by enterprises. As a result, students' personal data are likely to be exposed in this high-risk environment. In addition, universities have insufficient manpower and funds to maintain information security. Universities therefore face greater risks in the protection of personal data. In view of the above, this study built a risk management mechanism to identify potential personal data breach risks for universities and the corresponding measures. Through a literature review, this study sorted out common risk factors for personal data breaches in organizations, and it adopted ISO 27001 and ISO 27701 to form a risk management mechanism that universities can use to improve their internal personal data management. This study also distributed questionnaires to experts to identify risk factors and control measures for universities. Based on the results, this study obtained 45 risk factors and the control measures corresponding to them, for reference by universities in implementing personal data security protection practices.