The security economics of EdTech: vendors’ responsibility and the cybersecurity challenge in the education sector

The education sector is increasingly targeted by malicious cyber incidents, resulting in huge financial losses, cancelation of classes and exams and large-scale breaches of students’ and staff’s data. This paper aims to investigate education technology (EdTech) vendors’ responsibility for this cyber (in)security challenge, with a particular focus on EdTech in India as a case study.

Theoretically, building on the security economics literature, the paper establishes a link between the dynamics of the EdTech market and the education sector’s cyber insecurities and investigates the various economic barriers that stand in the way of improving EdTech vendors’ security practices. Empirically, the paper analyses publicly reported cyber incidents targeting the Indian education sector and EdTech companies in the past 10 years as published in newspapers, using the LexisNexis database. It also examines existing EdTech procurement challenges in India and elsewhere and develops a number of policy recommendations to address the misaligned incentives and information asymmetries between EdTech vendors and educational institutions.

Market forces alone cannot create sufficient incentives for EdTech vendors to prioritise security in product design. Considering the infant stage of the EdTech industry, the lack of evidence about the efficacy of EdTech tools, the fragmentation in the EdTech market and the peculiarities of educational institutions as end-users, a regulatorily and policy intervention is needed to secure education through procurement processes.

This paper introduces a novel exploration to the cybersecurity challenge in the education sector, an area of research and policy analysis that remains largely understudied. By adding a cybersecurity angle, the paper also contributes to the literature using a political economy approach in scrutinising EdTech.