Enterprise Security Risk Management (ESRM) is gaining popularity in industry circles, especially after the American Society of Industrial Security (ASIS International) elevated it as its strategic priority in 2016. However, research on its adoption has attracted little attention, especially in universities which are often characterized by outstanding variations in culture, structure, and more. In this paper, we conduct a self-assessment of ESRM maturity in Kenya’s accredited universities using process metrics of the 2019 ASIS ESRM Maturity Model and insights from university security executives. The findings reveal that more than 35% of accredited universities have achieved advanced levels of ESRM adoption, with over 57% at average or middle levels, predominantly at Level 3. Public accredited universities exhibit higher ESRM adoption levels compared to their private counterparts. The study also identifies variations in the terminology used, with 60% using “Security Risk Management (SRM),” 35% using “University Risk Management,” and a minority adopting ESRM. The discomfort with the “enterprise” term indicates a need for awareness and sensitization programs. We argue that benchmarking with optimized ESRM adopters and increasing awareness and integration of ESRM in strategic planning and institutional governance are crucial for comprehensive security risk management in higher education.

企业安全风险管理（ESRM）在工业界越来越受欢迎，特别是在美国工业安全协会（ASIS International）于2016年将其提升为战略重点之后。然而，对其采用的研究却很少引起关注，特别是在大学中。通常具有文化、结构等方面的显着差异。在本文中，我们使用 2019 年 ASIS ESRM 成熟度模型的流程指标和大学安全管理人员的见解，对肯尼亚认可大学的 ESRM 成熟度进行了自我评估。调查结果显示，超过 35% 的认可大学在 ESRM 采用方面达到了高级水平，其中超过 57% 的大学处于平均或中等水平，主要达到​​ 3 级。与私立大学相比，公立认可大学表现出更高的 ESRM 采用水平。该研究还确定了所使用术语的差异，其中 60% 使用“安全风险管理 (SRM)”，35% 使用“大学风险管理”，少数人采用 ESRM。对“企业”一词的不适表明需要开展意识和宣传计划。我们认为，与优化的 ESRM 采用者进行基准比较以及提高 ESRM 在战略规划和机构治理中的认识和整合对于高等教育中的全面安全风险管理至关重要。