K-12 Cybersecurity 2018 Year in Review
Part II: K-12 Cyber Incident Data
The K-12 Cyber Incident Map was launched as an effort to build an empirical base of information about the state of cybersecurity in public K-12 schools and districts.  While other efforts exist to catalog trends in cybersecurity incidents and data breaches, including in education, none bring a lens that is reliably actionable for U.S. K-12 education policymakers, school leaders, IT practitioners, or privacy advocates.
Widely cited research studies, such as Verizon’s annual “Data Breach Investigations Report” and Ponemon Institute’s “Cost of a Data Breach Study,” define the education sector overly broadly: combining K-12 and postsecondary institutions, public and private institutions, U.S. and global institutions all as a singular category of analysis. Other public sources of data breach incidents compiled by experts, such as DataBreaches.net, the Identity Theft Resource Center, and the Privacy Rights Clearinghouse, define their scope in ways that exclude the reporting of significant cybersecurity incidents (while including incidents that are wholly analog, such as the loss of control of paper-based records). While there may be lessons to be drawn from each of these valuable efforts, it is time for a K-12 specific lens on the issue.
The K-12 Cyber Incident Map and underlying database capture detailed information about two inter-related issues:
- publicly disclosed cybersecurity incidents affecting public K-12 schools, districts, charter schools, and other public education agencies (such as regional and state agencies), especially those that occur on K-12 managed networks and devices, and
- the characteristics of public school districts (including charter schools) that have experienced one or more publicly disclosed cybersecurity incidents.
By associating incidents with school districts, the K-12 Cyber Incident Map can address questions both about the nature and trends of cybersecurity incidents affecting K-12 schools and districts over time, as well as the characteristics of school districts that may be more or less likely to experience an incident. Cyber incident data is categorized in a manner consistent with the Vocabulary for Event Recording and Incident Sharing (VERIS), which is a common language for describing security incidents in a structured and repeatable manner. School district data are supplemented with select information drawn from the U.S. Department of Education’s Common Core of Data, categorized in a manner consistent with that employed by the National Center for Education Statistics’ Fast Response Survey System. Similarly, poverty status of school districts is drawn from the U.S. Census Bureau’s Small Area Income and Poverty Estimates (SAIPE).
Data about K-12 cyber incidents are sourced from a large variety of outlets, including state and local governments, law enforcement, press reports, other data breach reporting services, social media and online forums, self-reports, and tips offered to the K-12 Cybersecurity Resource Center.  While some reports may be ambiguous (and are often incomplete), all are screened for authenticity and relevance before being recorded.
Nonetheless, the database of K-12 cybersecurity incidents is incomplete and only captures a small fraction of incidents experienced by schools, districts, their partners and vendors. To the degree that there are mandatory cybersecurity incident reporting requirements for K-12 school districts, they vary across states. Required disclosures are often not publicly accessible and/or are limited to narrow categories of cyber incidents (such as data breaches over a certain magnitude). School districts may resist self-reporting if they believe an incident may reflect poorly on their IT management practices. Finally, given a deficit of attention paid to cybersecurity risk management in many school districts, there may also be a considerable gap between when school districts experience an incident and when (or if) they become aware of that fact.
Summary data about K-12 cybersecurity incidents are currently published on an interactive map of the United States via the soon-to-be-deprecated Google Fusion Tables service.  Incidents on the map are color-coded by ‘primary’ incident type:
- phishing attacks resulting in the disclosure of personal data (blue pins);
- other unauthorized disclosures, breaches or hacks resulting in the disclosure of personal data (purple pins);
- ransomware attacks (yellow pins);
- denial-of-service attacks (green pins); and
- other cyber incidents resulting in school disruptions and unauthorized disclosures (red pins).
Given that incident types can co-occur (e.g., malware delivery via phishing email, resulting in a data breach), reporting by primary incident type should be interpreted with some caution.
 See “Introducing the K-12 Cyber Incident Map.”
 See “Verizon Data Breach Investigations Report” and “Ponemon Institute Cost of a Data Breach Study.” Widely-cited figures on the education sector drawn from these reports are unlikely to be representative of the threats and risks facing U.S. K-12 public schools.
 The Privacy Rights Clearinghouse maintains a database of public breaches that includes some information about school incidents. DataBreaches.net offers a comprehensive history of education-related incidents. The Identity Theft Resource Center tracks U.S. data breaches, including those affecting schools.
 The Common Core of Data (CCD) is the U.S. Department of Education’s primary database on public elementary and secondary education in the United States. The U.S. Department of Education’s Fast Response Survey System (FRSS) was established to collect issue-oriented data – representative at the national level – quickly and with minimum response burden.
 The U.S. Census Bureau’s Small Area Income and Poverty Estimates (SAIPE) program provides estimates of income and poverty for every state and county. SAIPE also provides estimates of the number of school-age children in poverty for all school districts.
 Incident reports may be submitted to the K-12 Cybersecurity Resource Center directly via this contact form. Note: Only publicly-disclosed incidents are eligible for inclusion on the K-12 Cyber Incident Map.
 See “Google Fusion Tables Turndown.”