Information Security Activities of College Students: An Exploratory Study

INTRODUCTION Communication, instruction, registration, advising, and administrative functions at institutions of higher education are increasingly conducted through technology-mediated communication (Allen & Seaman, 2010; Chueng & Huang, 2005; Jones, Johnson-Yale, Perez & Schuler, 2007; Salas & Alexander, 2008), including email (Jones, 2008; S. Jones, et al., 2007; Weiss & Hanson-Baldauf, 2008), blogs (Nackerud & Scaletta, 2008), learning management systems (Hawkins & Rudy, 2007; Jacob & Issac, 2008), and social media (Allen & Seaman, 2009; Ashraf, 2009; Ellison, 2007; Gilroy, 2010; Rosen & Nelson, 2008; Saeed, Yang, & Sinnappan, 2009). Traditional data centers and corporate networks administrators control the types of data permitted on their networks and the methods used to access data. Because web sites and programs use the same port as a user's Web browser, hackers and cyber criminals often attempt to bypass security controls on computer networks. Thus, corporate network administrators often ban users from accessing private email accounts, instant messenger programs, and social networking sites, such as Twitter, MySpace, and Facebook (Brodkin, 2008). High school networks also commonly block access to these sites and filter email for malware and other unwanted content (Waters, 2007). Because institutions of higher education openly share a substantial amount of information and data, web sites are rarely banned and message content is not filtered, increasing the likelihood that students will encounter hackers or identity thieves while using institutional networks (Allison & DeBlois, 2008; Ziobron, 2003). While institutions of higher education prepare students for professional careers (Cheung & Huang, 2005), effective information security awareness training has taken a back seat as prospective employers are expected to accept responsibility for training of college graduate hires (Okenyi & Owens, 2007; Turner, 2007). However, this approach is ineffective as sound IT security practices continue to fall through the cracks. Regardless of a student's vocational goals, colleges and universities must take a proactive approach to educate students about the potential risks associated with Internet usage and message security, as reported dollar losses from Internet crime have reached new highs (Internet Crime Complaint Center, 2009). The need to plan, develop and implement IT security awareness training is crucial to ensure the security of student, faculty, and institutional data and information (The Campus Computing Project, 2007). In order to adequately develop training, a profile of end-user college student security attitudes and behaviors must be determined. Do information security attitudes and behaviors of college students differ based on factors such as age, gender, ethnicity, classification level, academic major, identity theft victimization, and use of computer security tools? Also, does the effective use of computer security tools differ based on factors such as age, gender, ethnicity, classification level, academic major, identity theft victimization, installation of PC anti-virus software, or installation of PC anti-spyware software? The present study explores information security attitudes and behaviors of college students, and their use of computer security tools. The paper also highlights end-user security awareness practices to promote a better understanding of information security given the inherent dangers in the virtual world, and discusses strategies that institutions can employ to better protect personal information and data. LITERATURE REVIEW Human-caused security threats lurking in virtual spaces are ever-evolving. Under the Clery Act, university campuses are required to release yearly crime statistics on crimes including aggravated assault, burglary, theft, vandalism, and driving under the influence ("The Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act" [Clery Act], 1990). …

[1]  Waiman Cheung,et al.  Proposing a framework to assess Internet usage in university education: an empirical investigation from a student's perspective , 2005, Br. J. Educ. Technol..

[2]  Dennis Guster,et al.  Weak Password Security: An Empirical Study , 2008, Inf. Secur. J. A Glob. Perspect..

[3]  Jacob Cohen Statistical Power Analysis for the Behavioral Sciences , 1969, The SAGE Encyclopedia of Research Design.

[4]  D. Timm,et al.  Privacy and Social Networking Sites , 2008 .

[5]  Grace Salas,et al.  Technology for institutional enrollment, communication, and student success , 2008 .

[6]  Susan B. Barnes,et al.  A privacy paradox: Social networking in the United States , 2006, First Monday.

[7]  Päivi Jokela,et al.  Learning with Security , 2007, J. Inf. Technol. Educ..

[8]  L. Foley,et al.  Identity Theft: The Aftermath 2008 , 2009 .

[9]  Mark Zuckerberg Making Control Simple , 2010 .

[10]  K. Ruben Gabriel,et al.  A Simple Method of Multiple Comparisons of Means , 1978 .

[11]  Keum-Suk Lee,et al.  A mobile agent security management , 2004, 18th International Conference on Advanced Information Networking and Applications, 2004. AINA 2004..

[12]  J. M. McConnell,et al.  National Training Standard for Information Systems Security (INFOSEC) Professionals , 1994 .

[13]  Linda Price,et al.  Learners and learning in the twenty‐first century: what do we know about students’ attitudes towards and experiences of information and communication technologies that will help us design courses? , 2005 .

[14]  Steve Mansfield-Devine,et al.  Social Networking: Anti-social networking: exploiting the trusting environment of Web 2.0 , 2008 .

[15]  John S. Camp,et al.  Top 10 IT Issues, 2007 , 2007 .

[16]  Joshua Fogel,et al.  Internet social network communities: Risk taking, trust, and privacy concerns , 2009, Comput. Hum. Behav..

[17]  Charles Nelson,et al.  Web 2.0: A New Generation of Learners and Education , 2008 .

[18]  Jeffrey R. Young Top 10 Threats to Computer Systems Include Professors and Students. , 2008 .

[19]  Robert O. Weagley,et al.  College Students, Internet Use, and Protection from Online Identity Theft , 2006 .

[20]  Lorne Olfman,et al.  Improving End User Behaviour in Password Utilization: An Action Research Initiative , 2008 .

[21]  Thomas J. Owens,et al.  On the Anatomy of Human Hacking , 2007, Inf. Secur. J. A Glob. Perspect..

[22]  Brian L. Hawkins,et al.  EDUCAUSE Core Data Service: Fiscal Year 2005 Summary Report. , 2006 .

[23]  Sanjaya Mishra,et al.  Research methods in the social sciences , 2005 .

[24]  R. Darlington,et al.  Factor Analysis , 2008 .

[25]  Tracy Mitrano A Wider World: Youth, Privacy, and Social Networking Technologies. , 2006 .

[26]  D. Spence The art of deception , 2013, BMJ.

[27]  Xin Luo,et al.  Awareness Education as the Key to Ransomware Prevention , 2007, Inf. Secur. J. A Glob. Perspect..

[28]  David D. Clark,et al.  A Comparison of Commercial and Military Computer Security Policies , 1987, 1987 IEEE Symposium on Security and Privacy.

[29]  P. Lachenbruch Statistical Power Analysis for the Behavioral Sciences (2nd ed.) , 1989 .

[30]  J. Calder Survey research methods , 1998, Medical education.

[31]  M. Weiss,et al.  E-Mail in Academia: Expectations, Use, and Instructional Impact. , 2008 .

[32]  Kelly S. Ervin,et al.  Gender and the Internet: Women Communicating and Men Searching , 2001 .

[33]  Marilyn Gilroy Higher Education Migrates to YouTube and Social Networks. , 2010 .

[34]  Fowler,et al.  Survey research methods, 2nd ed. , 2009 .

[35]  D. Elliott Bell Secure Computer Systems: A Refinement of the Mathematical Model , 1974 .

[36]  Mathieu Gorge,et al.  Security for third level education organizations and other educational bodies , 2007 .

[37]  Herbert J. Mattord,et al.  Principles of Information Security , 2004 .

[38]  Martin P. Loeb,et al.  CSI/FBI Computer Crime and Security Survey , 2004 .

[39]  Bill Ashraf,et al.  Teaching the Google–Eyed YouTube Generation , 2009 .

[40]  Charles P. Pfleeger,et al.  Security in computing , 1988 .

[41]  K J Biba,et al.  Integrity Considerations for Secure Computer Systems , 1977 .

[42]  John E. Anderson,et al.  Why users (fail to) read computer usage policies , 2008, Ind. Manag. Data Syst..

[43]  Annie I. Antón,et al.  Balancing Good Intentions : Protecting the Privacy of Electronic Health Information , 2010 .

[44]  Peter J. Denning,et al.  Protection: principles and practice , 1972, AFIPS '72 (Spring).

[45]  Steven G. Jones,et al.  The internet landscape in college , 2007 .

[46]  Biju Issac,et al.  Mobile Technologies and its Impact - An Analysis in Higher Education Context , 2008, Int. J. Interact. Mob. Technol..

[47]  Janet C. Moore,et al.  The Sloan Consortium , 2005 .

[48]  James G. Jones Issues and Concerns of Directors of Postsecondary Distance Learning Programs Regarding Online Methods and Technologies , 2008 .

[49]  Samuel C. McQuade We Must Educate Young People about Cybercrime before They Start College. , 2007 .

[50]  I. E. Allen,et al.  Learning on Demand: Online Education in the United States, 2009. , 2010 .

[51]  Richard Haas,et al.  special report. , 1975, The Physician and sportsmedicine.

[52]  Eirik Albrechtsen,et al.  The information security digital divide between information security managers and users , 2009, Comput. Secur..

[53]  J. Cooper,et al.  The digital divide: the special case of gender , 2006, J. Comput. Assist. Learn..

[54]  Shane Nackerud,et al.  Blogging in the academy , 2008 .

[55]  Michele H. Jackson Exploring Gender, Feminism and Technology from a Communication Perspective: An Introduction and Commentary , 2007 .