Information Security Statistics
Overview
The SJSU Information Security team tracks cybersecurity performance annually as part of Strategic Goal 5: Rebuild and Renew, Desired Outcome 6: fostering campus safety through a layered, multifaceted cybersecurity strategy. The metrics below reflect SJSU's ongoing commitment to protecting the data that students, faculty, and researchers create and manage every day.
Two primary indicators are made publicly available: the HEISC cybersecurity assessment score, which measures the maturity of our information security program, and phishing simulation click rates, which gauge campus-wide awareness of email-based threats.
HEISC
What is HEISC?
The Higher Education Information Security Council (HEISC) is a community of higher education information security and privacy professionals within EDUCAUSE. HEISC developed a self-assessment tool that evaluates the maturity of an institution's information security program against an International Organization for Standardization (ISO) framework. The assessment is conducted annually in collaboration with the CSU system and the Chancellor's Office.
How HEISC Scoring Works
HEISC scores range from 0 to 5. A score of 3.00 or higher signals a "well-defined" and "repeatable" security program, the recognized benchmark for a mature information security program in higher education. The maturity levels are:
- 0 - Not Performed
- 1 - Performed Informally
- 2 - Planned
- 3 - Well Defined
- 4 - Quantitatively Controlled
- 5 - Continuously Improving
| HEISC Assessment Year | Overall Campus Score |
|---|---|
| 2019 | 2.61 |
| 2020-2021 | Not assessed (suspended due to COVID-19) |
| 2022 | 3.02 |
| 2023 | 3.22 |
| 2024 | 3.38 |
| 2025 | 3.50 |
Email Security
Part of Desired Outcome 6 is to safeguard the data our students, faculty, and researchers create and manage. Phishing is one of the most common attack methods used against the campus. To combat it, SJSU IT has deployed an email security solution, Sublime, to proactively catch malicious emails, and conducts phishing simulations regularly.
Phishing Prevention via Sublime
Sublime Email Security is a phishing prevention platform that SJSU IT has deployed to a subset of accounts, with the end goal of full campus protection. It uses AI and rule-based detections to flag emails deemed to be phishing, and can perform automated actions (such as quarantining a message) based on the configured detection criteria.
Initial Proof of Value (PoV) Metrics
- Mailboxes protected during the PoV: 2,115
- Total flagged emails: 38,942
- Malicious messages: 9,385
- Malicious messages not already in Spam: 2,886
- Spam/graymail missed by Google: 7,142
- User-reported emails sent to Sublime for review: 1,383, broken down as follows:
  - 29% would have been caught automatically had Sublime been configured to take action
  - 35% were identified as malicious
  - 16.2% were identified as spam/graymail
  - 8.6% were identified as benign
  - 10.3% were identified as unknown/malicious
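To make the "rule-based detections plus automated actions" approach described above concrete, and to show how messages end up in verdict buckets like those in the PoV breakdown (malicious, spam/graymail, benign, unknown), here is a small rule-based triage written for this page. It is an added, constructed example, not Sublime's code or its rule language; the campus domain, rule weights, threshold, action names and the sample messages are all assumptions chosen for illustration.

```python
"""Rule-based phishing triage with automated actions (constructed example).

Added illustration, not Sublime's code or rule language. TRUSTED_DOMAIN, the
rules, weights, MALICIOUS_THRESHOLD, ACTIONS and SAMPLES are all assumptions.
"""
from dataclasses import dataclass, field
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAIN = "sjsu.edu"            # assumption: the campus domain being impersonated
CRED_WORDS = ("password", "verify your account", "suspended", "login", "sign in")
ACTIONS = {                             # verdict -> automated action (assumed names)
    "malicious": "quarantine",
    "spam_graymail": "move_to_spam",
    "unknown": "add_warning_banner",    # one weak signal: warn, hold for analyst review
    "benign": "deliver",
}


@dataclass
class Message:
    from_header: str                    # raw From: header, e.g. 'Jane Doe <jane@example.com>'
    subject: str
    body: str
    reply_to: str = ""                  # raw Reply-To: header, '' if absent
    links: list[str] = field(default_factory=list)   # URLs extracted from the body


def _domain(header: str) -> str:
    """Lower-cased domain of an address header ('' if it carries no address)."""
    return parseaddr(header)[1].rpartition("@")[2].lower()


def _lookalike(host: str) -> bool:
    """True if host mimics the trusted domain without being it or one of its subdomains."""
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return False
    return TRUSTED_DOMAIN.split(".")[0] in host      # e.g. sjsu-edu-portal.com


# Each rule is a predicate over a Message; weights express how strong the signal is.
def display_name_spoof(m: Message) -> bool:
    """Display name claims a campus identity but the address belongs to another domain."""
    name = parseaddr(m.from_header)[0].lower()
    return TRUSTED_DOMAIN.split(".")[0] in name and _domain(m.from_header) != TRUSTED_DOMAIN


def reply_to_mismatch(m: Message) -> bool:
    """Replies are routed to a different domain than the one the mail claims to come from."""
    return bool(m.reply_to) and _domain(m.reply_to) != _domain(m.from_header)


def lookalike_link(m: Message) -> bool:
    """Any link points at a host that imitates the campus domain."""
    return any(_lookalike(urlparse(u).hostname or "") for u in m.links)


def credential_lure(m: Message) -> bool:
    """Credential-harvest wording combined with at least one link to click."""
    text = f"{m.subject} {m.body}".lower()
    return bool(m.links) and any(w in text for w in CRED_WORDS)


def bulk_marketing(m: Message) -> bool:
    """Marketing/graymail indicator that is only consulted when no phish signals fire."""
    return "unsubscribe" in m.body.lower() and not credential_lure(m)


RULES = {display_name_spoof: 3, reply_to_mismatch: 2, lookalike_link: 3, credential_lure: 2}
MALICIOUS_THRESHOLD = 4                 # assumption: requires two corroborating signals


def triage(m: Message) -> dict:
    """Evaluate every rule, map the total score to a verdict and the verdict to an action."""
    hits = [rule for rule in RULES if rule(m)]
    score = sum(RULES[r] for r in hits)
    if score >= MALICIOUS_THRESHOLD:
        verdict = "malicious"
    elif bulk_marketing(m):
        verdict = "spam_graymail"
    elif score > 0:
        verdict = "unknown"
    else:
        verdict = "benign"
    return {"verdict": verdict, "score": score,
            "hits": [r.__name__ for r in hits], "action": ACTIONS[verdict]}


def summarize(messages: list[Message]) -> dict:
    """Count verdicts per bucket, the way the PoV figures above are reported."""
    counts: dict = {}
    for m in messages:
        v = triage(m)["verdict"]
        counts[v] = counts.get(v, 0) + 1
    return counts


# Constructed sample messages for the example (not real campus mail).
SAMPLES = [
    Message("SJSU IT Help Desk <helpdesk.sjsu@gmail.com>", "Your password expires today",
            "Verify your account at the link below to keep access.",
            links=["https://sjsu-edu-portal.com/login"]),
    Message("Campus Bookstore <news@bookstore-mail.example.com>", "Fall sale",
            "Save 20% on hoodies this week. Click unsubscribe to stop these emails.",
            links=["https://bookstore-mail.example.com/unsubscribe"]),
    Message("Jane Doe <jane.doe@sjsu.edu>", "Lunch?",
            "Want to grab lunch at noon? Calendar invite attached.",
            links=["https://one.sjsu.edu/calendar"]),
    Message("Conference Committee <chair@conf.example.org>", "Paper accepted",
            "Congratulations, your submission was accepted.",
            reply_to="committee@otherdomain.example.net"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(triage(m))
    print(summarize(SAMPLES))
```

The first sample trips three rules (spoofed display name, lookalike link, credential lure) and is quarantined; the bookstore mail has no phish signals and is filed as graymail; the internal lunch invite, whose link is a genuine subdomain of the campus domain, is delivered; and the conference mail, with only a Reply-To mismatch, lands in the "unknown" bucket that a real deployment would route to an analyst rather than act on automatically. That last case is the point of a threshold: a single weak signal should warn, not quarantine.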
Phishing Simulations
What are Phishing Simulations?
Phishing remains one of the most common attack vectors used against higher education institutions. The SJSU IT Security team conducts simulated phishing campaigns via approved software to measure how effectively the campus community identifies and avoids malicious emails. Participants who click on a simulated phishing link are guided to educational resources: no credentials are captured and no accounts are compromised.
Click Rate History
The click rate is the percentage of recipients who clicked on a simulated phishing link. Lower is better. Results are used to target awareness training, measure program effectiveness, and benchmark SJSU against higher education peers. The higher education average typically falls between 17% and 21%, depending on institution size. Because click rates vary with the difficulty of the lure, year-to-year comparisons are most meaningful when the campaign templates are comparable.
| Fiscal Year | Employee Avg. Click Rate | Student Avg. Click Rate |
|---|---|---|
| 2019-2020 | 11.27% | 4.84% |
| 2020-2021 | 10.35% | 12.39% |
| 2021-2022 | 31.10% | 23.04% |
| 2022-2023 | 10.75% | 12.00% |
| 2023-2024 | 1.38% | 0.92% |
| 2024-2025 | 2.81% | 2.96% |